ThreatLocker Detect is a policy-based Endpoint Detection and Response (EDR) solution that monitors endpoints for unusual events and Indicators of Compromise (IoCs). The solution leverages telemetry data collected from other ThreatLocker modules and Windows Event logs to identify potential cyber threats. The platform enables IT teams to create custom rules and policies for detection and response rather than relying on AI or undisclosed criteria. Policies are evaluated in real-time by the ThreatLocker agent on endpoints, with enforcement occurring in milliseconds regardless of internet connectivity. When conditions are met, ThreatLocker Detect can execute automated responses including sending alerts, enforcing rules, disconnecting machines from the network, or activating lockdown mode. Lockdown mode blocks all activities including task execution, network access, and storage access. The solution monitors for various security events including remote access tools, PowerShell elevation, abnormal RDP traffic, multiple failed login attempts, event log erasure, and Windows Defender malware detections. It also extends monitoring to Microsoft 365 cloud environments, identifying unexpected behavior that could indicate cyberattacks. ThreatLocker Detect includes a dashboard that compiles incident and alert data into visualizations, providing insights on top alerts, impacted assets, incidents cleared, false positives, and affected computer groups. The platform offers recommended policies based on frameworks such as MITRE and CISA IoCs, and includes a community platform where IT experts can share policies.