In Forrester’s defining report on extended detection and response (XDR), we predicted that endpoint detection and response (EDR) as we know it was dead and replaced by XDR. That day has finally come: Forrester is retiring The Forrester Wave™: Endpoint Detection And Response Providers.

The Forrester Wave™: Endpoint Detection And Response Providers Is Retired

From now on, the EDR market will be evaluated as part of the XDR market — including in the latest landscape report on extended detection and response platforms, which published this month, and The Forrester Wave™: Extended Detection And Response Platforms, which will publish in Q2 of 2024.

Read the report: The Extended Detection And Response Platforms Landscape, Q4 2023.

We arrived at this conclusion because the XDR market is settling down. Most security information and event management (SIEM) vendors cosplaying as XDR have (finally) reverted their messaging to SIEM/security analytics platforms. EDR vendors have embraced additional telemetry, and more XDR vendors have added general-availability features. And importantly, practitioners at large enterprises now refer to EDR and XDR synonymously.

The XDR Market Includes EDR By Default

As you can see in the landscape, the top core use case of XDR is the native detection surface: endpoint (aka, EDR). Therefore, any evaluation of XDR will include a thorough evaluation of what was formerly EDR. As such, the Forrester definition of XDR is:

The evolution of endpoint detection and response, which unifies security-relevant detections from the endpoint and other detection surfaces such as email, identity, and cloud. It is a cloud-native platform built on big data infrastructure that prioritizes analyst experience for high-quality detection, complete investigation, and fast and effective response.

XDR Vendors Are Driven By Avoiding SIEM’s Mistakes

The XDR market is still experiencing a series of growing pains, as some vendors build out new offerings while more mature vendors struggle to address common complaints around data ingest. Some of the less mature vendors are incorporating as many integrations and capabilities as possible to catch up, sacrificing detection quality in the process. Security pros have a lot of options, and because of that, there are a few things to consider:

  • XDR vendors are moving away from a hybrid XDR approach and toward a native XDR approach. Hybrid XDR — integrating with third-party vendors for detection telemetry — is a challenging ecosystem to maintain and conflicts with security analytics platform data ingestion. Because of this, many XDR vendors are moving to provide a native XDR product instead of a hybrid one or are providing hybrid XDR only as a managed service such as managed detection and response.
  • More mature XDR vendors are facing questions from security pros who want to consolidate or limit data movement. Storing data twice in two places isn’t popular with CISOs. This is causing XDR vendors to examine how they can simplify their offerings by providing additional SIEM alternatives (see graphic below).
  • XDR vendors have an opportunity to avoid the sins of the past by not defaulting to a security analytics platform mindset. These sins include not understanding the practitioner doing the work, trying to solve every problem instead of solving key challenges well, and giving too much flexibility in lieu of building features that solve practitioner problems. XDR vendors must stay focused on providing the best detection and response quality to succeed in this market.

To learn more about the XDR market, if you’re a Forrester client, schedule a guidance session or inquiry with me or read the full landscape on extended detection and response vendors here.