We published The Forrester Wave™: Extended Detection And Response Platforms, Q2 2024 earlier this week! This is the second Forrester Wave evaluation on the extended detection and response (XDR) platforms market. It’s a big moment for the XDR market, as Forrester officially retired the endpoint detection and response (EDR) Wave and replaced it with the XDR Wave late last year.

This Wave evaluates all traditional EDR features as well as XDR capabilities, such as additional detection surfaces beyond the endpoint. It breaks down the product capabilities and strategy across 22 different criteria for 11 vendors: Bitdefender, Broadcom, Cisco, CrowdStrike, Fortinet, Microsoft, Palo Alto Networks, SentinelOne, Sophos, Trellix, and Trend Micro. The inclusion criteria and scoring criteria are available in the full report.

When we published the previous XDR evaluation in 2021, the market was immature. Vendors had offerings that were a jumble of features and shared a vision to ultimately replace security information and event management (SIEM) as the principal technology in the security operations center but were not close to fulfilling that vision.

Now, many XDR providers have reached a point of integration and product capability where customers can start realizing the SIEM replacement vision, even if XDR still can’t compete for more niche SIEM use cases such as compliance, federated search, and heavy customization.

Recent SIEM market upheaval, such as Cisco’s acquisition of Splunk, the merger between LogRhythm and Exabeam, and IBM selling off QRadar software-as-a-service assets to Palo Alto Networks, has created opportunities for XDR vendors to show customers hungry for change what a new approach looks like. But finding a vendor in this market — especially given the many marketing promises being made — is challenging.

Because of this, we focused on the following in the evaluation and recommend that clients:

  • Look for vendors that prioritize endpoint expertise and visualization. XDR vendors gained prominence because of their dedication to high-quality detections, which came from their presence and strength on the endpoint. Vendors that continue to prioritize endpoint expertise, manifesting in accurate, timely detections and better investigative workflows with endpoint context, continue to provide value in the face of increasing data volumes. Importantly, gathering this data is not enough; it’s also about how the vendor visualizes and explains endpoint telemetry that makes it most actionable.
  • Target additional detection surfaces that provide more effective investigation. As XDR vendors shift to bring in additional telemetry, maintaining detection quality (especially from third-party telemetry sources) becomes challenging; data normalization and prioritization are nontrivial. Vendors that take in too much data risk losing detection accuracy, and no amount of magical AI and machine learning can solve that problem. Clients must look to limit additional detection surfaces to those that are most valuable for analyst experience, such as endpoint, identity, and email. The SIEM or SIEM replacement tool is the best fit for additional telemetry that doesn’t have a place in XDR, depending on what the vendor supports.
  • Treat vision, innovation, and roadmap as intertwined and symbiotic. A vision without the steps, roadmap, and investment to implement it is useless. Almost every vendor in this evaluation has a vision that involves AI. In fact, vendors mentioned AI in the responses for the vision, innovation, and roadmap criteria alone over 75 times — over eight times per participating vendor. It’s difficult to find a unique vision in this market, and many are driven by the hype of the moment, which, in this case, is AI. Vendors with a unique vision for where the product should go and how the market is changing must be backed by actionable steps to achieve it and the investment to execute those steps for success. Look for vendors with a realistic roadmap and adequate investment to achieve their stated vision.

The XDR market is the first market that shows true promise to significantly augment, if not outright replace, the SIEM market. It promises big changes for security operations (SecOps) to reduce SIEM costs, enhance detection, and improve analyst experience.

Every security leader and SecOps professional needs to keep up with this market, so read the full report and let us know your feedback! Forrester clients can schedule a guidance session or inquiry with me to talk through these market changes or discuss vendor selection.