---
title: Configure endpoint protection with Elastic Defend
description: Install and configure Elastic Defend to protect endpoints against malware, ransomware, and behavioral threats.
url: https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Configure endpoint protection with Elastic Defend

Elastic Defend is Elastic's endpoint protection integration. It prevents and detects malware, ransomware, memory threats, and malicious behavior on Windows, macOS, and Linux hosts. When a threat is detected, Elastic Defend can generate an alert or block the activity outright, depending on your protection settings.

Elastic Defend runs as part of [Elastic Agent](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/fleet), which you deploy to each host you want to protect. Once installed, Elastic Agent communicates with Fleet for centralized policy management and sends security data to Elastic Security, where you can investigate alerts, manage exceptions, and respond to threats.

## How Elastic Defend, Elastic Agent, and Elastic Endpoint work together

Elastic Defend relies on three components that each play a distinct role in endpoint protection:
- **Elastic Defend** is the integration that defines your protection policy — which threat protections are active, which events to collect, and which exceptions to apply. You add it to an Elastic Agent policy and configure it through the Elastic Security UI or API.
- **Elastic Agent** is the unified agent you install on each host. It manages integrations (including Elastic Defend), handles enrollment and communication with Fleet, and ships collected data to Elasticsearch.
- **Elastic Endpoint** is the component that Elastic Agent installs on the host when the Elastic Defend integration is added. It performs the actual threat monitoring, prevention, and response actions at the operating system level.

In practice, you add the Elastic Defend integration from the **Integrations** page, assign it to an Elastic Agent policy, and deploy Elastic Agent to your hosts. Elastic Agent installs Elastic Endpoint, which immediately begins monitoring the host according to your policy settings.

## Where to start


| Your goal                                              | Start here                                                                                                                                                                                                                                                                                         |
|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Deploy Elastic Defend for the first time               | [Requirements](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend/elastic-defend-requirements) → [Install Elastic Defend](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend/install-elastic-defend) |
| Configure protection and event collection settings     | [Configure an integration policy](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend)                                                                                                            |
| Control which users can access Elastic Defend features | [Feature privileges](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges)                                                                                                                                          |
| Set up endpoints in restricted networks                | [Configure offline endpoints and air-gapped environments](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend/configure-offline-endpoints-air-gapped-environments)                                                                                   |
| Remove Elastic Agent from a host                       | [Uninstall Elastic Agent](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend/uninstall-elastic-agent)                                                                                                                                               |


## Next steps

After installing and configuring Elastic Defend, you can:
- [Manage endpoints, policies, and exceptions](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/manage-elastic-defend) to tune protection for your environment.
- Read [Optimize Elastic Defend](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/manage-elastic-defend/optimize-elastic-defend) to understand different Elastic Endpoint configuration settings.
- [Set up endpoint response actions](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/endpoint-response-actions) to isolate hosts, run commands, or take other actions on protected endpoints.
- [Troubleshoot Elastic Defend](https://www.elastic.co/elastic/docs-builder/docs/3028/troubleshoot/security/elastic-defend) if you run into installation, connectivity, or policy issues.