This talk is a feedback from our CERT Team about how and why we use an XDR for responding to security incidents. We will show how it is different from traditional techniques, i.e. with a DFIR tool. A real-life example is a response after a ransomware attack against a hospital. When time is critical, using proper tools, easy to deploy and with technical functionalities, is paramount. We will explain how an XDR answers to these needs. The forensics part will be explained. This function is rarely directly implemented in open frameworks for incident response. We will demonstrate how it is used and useful. The XDR allows one unique agent to be deployed on the hosts; another advantage. With support of an integrated tactical SIEM, collecting events and logs on the hosts is fast and easier. The use of an EDR allows a vaccine to be created and deployed efficiently for malware eradication. What it is and how to configure it will be explained. It blocks malware from spreading and allows for quick return to production, one thing that traditional frameworks don't allow. It matches with victim's expectations and covers end-to-end incident response.