Last week, Forrester released The Forrester Wave™: Extended Detection And Response Platforms, Q2 2026. This is the third iteration of the extended detection and response (XDR) Wave, with prior versions published in 2021 and 2024. This Wave differs significantly from past editions, especially because of:

  • The number of vendors. This year, only seven vendors were invited to participate in the Wave: Bitdefender, CrowdStrike, Elastic, Microsoft, Palo Alto Networks, SentinelOne, and TrendAI. It was very important to us to prioritize the vendors that have the most significant traction and differentiation in this year’s evaluation, which is why we included so few compared to previous years (11 in the most recent and 14 before that). The smaller vendor list also allowed us to get a better sense of true differentiation in the market.
  • The addition of new detection surfaces. This year, we added new criteria such as detection surface: identity; detection surface: cloud; and threat intelligence. The addition of the new detection surfaces, and the specificity of them, is crucial, as Forrester sees identity and cloud as two of the most important domains where detection can identify attacks that would otherwise be missed or downgraded in importance. Many XDR vendors have adopted the same approach — for example, Palo Alto Networks has consolidated its Prisma Cloud capability into its Cortex platform.
  • The prioritization of threat intelligence. XDR vendors are rightly prioritizing timely, accurate, and native threat intelligence more than ever, especially given the geopolitical changes taking place. The best threat intelligence presented in the cleanest and most accessible way can make the difference between seeing or missing an attack, which makes it a core detection and response feature.
  • The increased focus on SIEM replacement features. In previous years, security information and event management (SIEM) replacement was an experimental capability for XDR vendors. This year, it’s a reality. For example, Microsoft has now merged Defender XDR and Sentinel into one unified analyst experience.
  • A separate criterion for AI agents and agentic systems. Previously, the Wave combined AI and machine learning into one criterion; in this Wave, the criteria are separate. The value of AI in security operations is picking up speed through AI agents, which are supporting security operations center functions, particularly for triage and investigation. When it comes to comparing these capabilities, however, the most important differentiation comes from the testing and validation strategies that vendors use. Read more about how vendors test and validate their AI capabilities in Panning For Gold: How To Evaluate Generative AI Capabilities In Security Tools.

These changes also enabled us to get a better sense of where the bleeding-edge innovations were taking place in the market. XDR vendors are definitively building detection and response platforms that cover more domains, with more specificity in detection capabilities, than has been done before, certainly by a single vendor.

Read the full report for all the insights we were able to garner thanks to months of research: The Forrester Wave™: Extended Detection And Response Platforms, Q2 2026.

If you’re a Forrester client, book an inquiry or guidance session with me if you have questions about the results.