diff --git a/pkg/edrRecon/edrdata.go b/pkg/edrRecon/edrdata.go
index d2379f1..5a867bf 100644
--- a/pkg/edrRecon/edrdata.go
+++ b/pkg/edrRecon/edrdata.go
@@ -284,6 +284,11 @@ var EdrList = []string{
 "threat",
 "xagt.exe",
 "xagtnotif.exe",
+ "Elastic Agent",
+ "elastic-agent.exe",
+ "elastic-endpoint.exe",
+ "elastic-endpoint-driver",
+ "ElasticEndpoint",
 }
 
 var ReconList = []string{
@@ -300,6 +305,7 @@ var ReconList = []string{
 "SystemProductName",
 "LocalAccountTokenFilterPolicy",
 "LsaCfgFlags",
+ "elastic",
 }
 
 var McafeeList = []string{
diff --git a/pkg/resources/scan_edr.go b/pkg/resources/scan_edr.go
index ddcdb3e..0298400 100644
--- a/pkg/resources/scan_edr.go
+++ b/pkg/resources/scan_edr.go
@@ -9,13 +9,14 @@ type EDRDetection interface {
 type EDRType string
 
 var (
- WinDefenderEDR EDRType = "defender"
- KaskperskyEDR EDRType = "kaspersky"
- CrowdstrikeEDR EDRType = "crowdstrike"
- McafeeEDR EDRType = "mcafee"
- SymantecEDR EDRType = "symantec"
- CylanceEDR EDRType = "cylance"
- CarbonBlackEDR EDRType = "carbon_black"
- SentinelOneEDR EDRType = "sentinel_one"
- FireEyeEDR EDRType = "fireeye"
+ WinDefenderEDR EDRType = "defender"
+ KaskperskyEDR EDRType = "kaspersky"
+ CrowdstrikeEDR EDRType = "crowdstrike"
+ McafeeEDR EDRType = "mcafee"
+ SymantecEDR EDRType = "symantec"
+ CylanceEDR EDRType = "cylance"
+ CarbonBlackEDR EDRType = "carbon_black"
+ SentinelOneEDR EDRType = "sentinel_one"
+ FireEyeEDR EDRType = "fireeye"
+ ElasticAgentEDR EDRType = "elastic_agent"
 )
diff --git a/pkg/scanners/scan_elastic.go b/pkg/scanners/scan_elastic.go
new file mode 100644
index 0000000..b44f55c
--- /dev/null
+++ b/pkg/scanners/scan_elastic.go
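Review bot: The `"elastic"` entry added to ReconList in the second hunk (@@ -300) is a far broader token than its neighbours (`SystemProductName`, `LsaCfgFlags`), so if the list is used for substring matching — which the hunk does not show — it will also flag unrelated Elastic products such as Elasticsearch. The EdrList entries added in the first hunk are specific product and file names; reusing one of those here, e.g. `"elastic-endpoint"`, would keep ReconList consistent with them. If a deliberately broad term is wanted, a one-line comment saying so would spare the next maintainer the same question. Both list declarations start before their hunks.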
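Review bot: `ElasticAgentEDR` joins a `var` block, so like its siblings it is a mutable package-level string that any code in the module can reassign, while Type() and Detect() in the new scan_elastic.go rely on it as a fixed tag; a `const ( ... )` block would pin these values. If re-declaring the existing entries is out of scope for this commit, the new exported name should still carry a doc comment, e.g. `// ElasticAgentEDR tags detections of Elastic Endpoint Security (Elastic Agent).`. Most of this hunk is gofmt realignment of unchanged lines; separating that from the one functional line would make the change easier to review.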
@@ -0,0 +1,31 @@
+package scanners
+
+import "github.com/FourCoreLabs/EDRHunt/pkg/resources"
+
+type ElasticAgentDetection struct{}
+
+func (w *ElasticAgentDetection) Name() string {
+ return "Elastic Endpoint Security"
+}
+
+func (w *ElasticAgentDetection) Type() resources.EDRType {
+ return resources.ElasticAgentEDR
+}
+
+var ElasticAgentHeuristic = []string{
+ "Elastic Endpoint Security",
+ "Elastic Agent",
+ "elastic-agent.exe",
+ "elastic-endpoint.exe",
+ "elastic-endpoint-driver",
+ "ElasticEndpoint",
+}
+
+func (w *ElasticAgentDetection) Detect(data resources.SystemData) (resources.EDRType, bool) {
+ _, ok := data.CountMatchesAll(ElasticAgentHeuristic)
+ if !ok {
+ return "", false
+ }
+
+ return resources.ElasticAgentEDR, true
+}
diff --git a/pkg/scanners/scanner.go b/pkg/scanners/scanner.go
index 5e713ce..96163d3 100644
--- a/pkg/scanners/scanner.go
+++ b/pkg/scanners/scanner.go
@@ -13,5 +13,6 @@ var (
 &SymantecDetection{},
 &SentinelOneDetection{},
 &WinDefenderDetection{},
+ &ElasticAgentDetection{},
 }
 )
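Review bot: `ElasticAgentHeuristic` repeats five of the six strings this same commit adds to `EdrList` in pkg/edrRecon/edrdata.go, so the two lists can silently drift the next time one is edited; either derive one from the other or add a comment on `ElasticAgentHeuristic` stating that it must be kept in step with EdrList. The receiver name `w` on all three methods looks copied from another scanner — Go convention is a short name tied to the type, e.g. `func (e *ElasticAgentDetection) Name() string`. The exported type, variable and methods also have no doc comments; `// ElasticAgentDetection detects Elastic Endpoint Security (Elastic Agent) artifacts by matching ElasticAgentHeuristic against collected system data.` on the type would cover the most important one. Whether `CountMatchesAll` requires every entry or any entry to match is not visible here, and the discarded count on the first line of Detect makes that contract worth spelling out in the comment.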