The scenario
An attacker exploits a command injection vulnerability in your application. The injected command spawns a shell process on the host. From there, the attacker downloads tools, establishes persistence, and begins lateral movement. Contrast ADR sees the injection at the application layer. Your EDR sees the suspicious process activity at the OS layer. Neither tool alone gives you the full kill chain.
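To make the scenario concrete, the following added example (not Contrast's or any EDR vendor's code) joins one application-layer alert to OS-layer process events by host, time window and process ancestry. The field names, the sample events and the `correlate` helper are assumptions constructed for illustration, not a real product schema.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry. Field names are assumptions, not a vendor schema.
ADR_ALERT = {"time": "2024-05-01T10:00:02", "host": "web-01", "app_pid": 4100,
             "rule": "cmd-injection", "route": "/api/export"}

EDR_EVENTS = [
    # Legitimate child of the app, spawned before the alert: must not be linked.
    {"time": "2024-05-01T09:58:00", "host": "web-01", "pid": 4090, "ppid": 4100, "image": "/usr/bin/convert"},
    {"time": "2024-05-01T10:00:03", "host": "web-01", "pid": 5001, "ppid": 4100, "image": "/bin/sh"},
    {"time": "2024-05-01T10:00:05", "host": "web-01", "pid": 5002, "ppid": 5001, "image": "/usr/bin/curl"},
    {"time": "2024-05-01T10:00:40", "host": "web-01", "pid": 5003, "ppid": 5001, "image": "/usr/bin/crontab"},
    # Unrelated activity on the same host and a PID collision on another host.
    {"time": "2024-05-01T10:00:06", "host": "web-01", "pid": 6000, "ppid": 1, "image": "/usr/sbin/logrotate"},
    {"time": "2024-05-01T10:00:04", "host": "db-01", "pid": 5001, "ppid": 4100, "image": "/bin/sh"},
]

def correlate(alert, events, window=timedelta(minutes=5), skew=timedelta(seconds=2)):
    """Return EDR process events descended from the process that raised the ADR alert.

    Matching on host + time window + ancestry keeps the join narrow; PIDs are
    reused by the OS, so a PID match alone is never enough.
    """
    start = datetime.fromisoformat(alert["time"])
    lineage = {alert["app_pid"]}          # PIDs known to descend from the app
    chain = []
    same_host = (e for e in events if e["host"] == alert["host"])
    # Parents are created before their children, so one time-ordered pass
    # is enough to grow the lineage set.
    for ev in sorted(same_host, key=lambda e: datetime.fromisoformat(e["time"])):
        t = datetime.fromisoformat(ev["time"])
        if not (start - skew <= t <= start + window):
            continue
        if ev["ppid"] in lineage:
            lineage.add(ev["pid"])
            chain.append(ev)
    return chain

def timeline(alert, events, **kw):
    """Merge the application-layer alert and its OS-layer descendants into one ordered view."""
    rows = [(alert["time"], "ADR", f'{alert["rule"]} on {alert["route"]}')]
    rows += [(e["time"], "EDR", f'{e["image"]} pid={e["pid"]} ppid={e["ppid"]}')
             for e in correlate(alert, events, **kw)]
    return sorted(rows)

if __name__ == "__main__":
    for row in timeline(ADR_ALERT, EDR_EVENTS):
        print(*row, sep="  ")
```

The merged timeline starts with the injection alert and continues through the shell, the download and the scheduled-task change, which is the view neither data source produces on its own.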