diff --git a/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png b/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png index 965a8a26d3..f34563c789 100644 Binary files a/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png and b/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png differ diff --git a/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent.png b/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent.png index 648bede150..052c3d0114 100644 Binary files a/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent.png and b/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-add-agent.png differ diff --git a/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-integrations-page.png b/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-integrations-page.png index 4907115648..d3ab5668a4 100644 Binary files a/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-integrations-page.png and b/docs/getting-started/images/install-endpoint/endpoint-cloud-sec-integrations-page.png differ diff --git a/docs/getting-started/images/install-endpoint/endpoint-cloud-security-configuration.png b/docs/getting-started/images/install-endpoint/endpoint-cloud-security-configuration.png index f78df946b5..87361fe530 100644 Binary files a/docs/getting-started/images/install-endpoint/endpoint-cloud-security-configuration.png and b/docs/getting-started/images/install-endpoint/endpoint-cloud-security-configuration.png differ diff --git a/docs/getting-started/install-endpoint.asciidoc b/docs/getting-started/install-endpoint.asciidoc index b25c8885f1..9f719b697b 100644 --- a/docs/getting-started/install-endpoint.asciidoc +++ b/docs/getting-started/install-endpoint.asciidoc 
@@ -1,7 +1,7 @@ [[install-endpoint]] = Configure and install the {elastic-defend} integration -Like other Elastic integrations, {elastic-defend} can be integrated into the {agent} through {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor for events on your host and send data to the {security-app}. +Like other Elastic integrations, {elastic-defend} can be integrated into the {agent} using {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor events on your host and send data to the {security-app}. NOTE: To configure the {elastic-defend} integration on the {agent}, you must have permission to use {fleet} in {kib}. You must also have admin permissions in {kib} to access the **Endpoints** page in the {security-app}. 
@@ -30,8 +30,32 @@ image::images/install-endpoint/endpoint-cloud-sec-integrations-page.png[Search r image::images/install-endpoint/endpoint-cloud-security-configuration.png[Add {elastic-defend} integration page,75%] + . Configure the {elastic-defend} integration with an **Integration name** and optional **Description**. +. Select the type of environment you want to protect, either *Traditional Endpoints* or *Cloud Workloads*. +. Select a configuration preset. Each preset comes with different default settings for {agent} — you can further customize these later. To learn more, refer to <>. ++ +[cols="2"] +|=== +|*Traditional Endpoint presets* +| All traditional endpoint presets have the following preventions enabled by default: machine learning malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events: + +*Next-Generation Antivirus (NGAV):* Process + +*Essential EDR (Endpoint Detection & Response):* Process, Network, File + +*Complete EDR (Endpoint Detection & Response):* All + +|*Cloud Workloads presets* +|Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, <> collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events. + +*All events:* Includes data from automated sessions. + +*Interactive only:* Filters out data from non-interactive sessions by creating an <>. + +|=== + + . Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. -. When the configuration is complete, click **Save and continue**. +. When you're ready, click **Save and continue**. . 
To complete the integration, continue to the next section to install the {agent} on your hosts. [discrete] @@ -87,4 +111,4 @@ image::images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png[Add agent + The host will now appear on the **Endpoints** page in the {security-app}. It may take another minute or two for endpoint data to appear in {elastic-sec}. -. For macOS, continue with <> to grant {elastic-endpoint} the access it needs. +. For macOS, continue with <> to grant {elastic-endpoint} the required permissions.
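Review bot: In the third hunk, the *Cloud Workloads presets* row states that both presets "have all preventions disabled by default", but the numbered step that introduces the preset choice gives no warning that selecting *Cloud Workloads* leaves the host in a detect-only posture. A reader choosing it for a Linux fleet may assume malware, ransomware and memory-threat prevention are on, as they are for every traditional preset in the row above. Suggest adding a NOTE or WARNING admonition after the table (the page already uses `NOTE:` in the first hunk), e.g. "NOTE: Cloud workload presets disable all preventions. Enable them in the integration policy if you want {elastic-defend} to block, not just record, threats." The same row should also say what the *Interactive only* preset drops: filtering out non-interactive sessions removes visibility into automated activity on the host, so the text "Filters out data from non-interactive sessions" should spell out that trade-off rather than only describing the mechanism. Two smaller points in the same hunk: the three cross-references render as bare `<>` in this view ("refer to <>", "<> collection", "creating an <>"), so confirm each target anchor resolves before merging; and the new lines mix constrained bold (`*Traditional Endpoints*`, `*Next-Generation Antivirus (NGAV):*`) with the unconstrained `**Integration name**` / `**Save and continue**` style used by the surrounding steps, so pick one form for the list.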