Now That EDR Is Obvious, What Comes Next?


Endpoint detection and response (EDR) is a cybersecurity staple. The EDR market is still growing at an impressive rate, with a compound annual growth rate projected to exceed 20% through 2027. Additionally, EDR leaders CrowdStrike and SentinelOne’s latest ARR growth rates are at 59% and 122%, respectively.

However, at the same time, security professionals are realizing that endpoint detection alone isn’t enough. True end-to-end visibility requires accounting for all devices, servers, containers, cloud platforms, and network data flows. Incidents like the Black Basta ransomware attacks have made the point loud and clear that organizations need to be constantly watching what is happening on the network.

In addition to the limited scope of EDR visibility and protection, there are operational challenges. Tool sprawl and complexity make it difficult for EDR to scale and increase the chances of human error that can lead to security oversights.

Extended detection and response (XDR) and managed detection and response (MDR) are rapidly emerging as more holistic solutions for security-conscious organizations. XDR expands on the capabilities of EDR by providing visibility into other attack vectors on the corporate network, rapidly growing cloud resources, sensitive identities, and unmanaged data. XDR lets SOC teams detect, proactively hunt for, and contain sophisticated threats from a centralized user interface.

MDR — which involves a third party providing threat hunting, alert triaging, and incident response — is useful for organizations that don’t have a dedicated security operations center (SOC) or sufficient in-house cybersecurity expertise. By providing XDR-like functionality while offloading the operational complexity, MDR platforms can help these organizations drastically improve their security posture quickly.

MDR and XDR both provide the holistic threat detection and response capabilities EDR lacks, and we can expect to see more and more organizations adopt MDR or XDR instead of EDR-only in the years to come. That’s good news for key players in the XDR/MDR market, like Cisco, Microsoft, CrowdStrike, SentinelOne, and Cybereason.

Beyond XDR

What’s even more interesting than the evolution from EDR to XDR/MDR is the general consolidation of functionality we’re seeing with XDR/MDR and other security tooling. For example, by aggregating network security data, XDRs are effectively competing with existing security information and event management (SIEM) tools.

This “federated logging” trend, where the tool aggregating the data also analyzes it, is becoming more popular. That may be bad news for legacy SIEMs, but it is an opportunity for vendors that can get it right. Performing the aggregation and analysis of cloud, network, and endpoint data in a single platform, these next-gen tools are paving the way for life after EDR for what remains of this year and beyond.
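To make the "aggregate and analyze in one place" idea concrete, here is a small added illustration (written for this page, not code from the article or from any vendor named in it). It normalizes constructed endpoint, network and cloud events into one shared schema keyed on host identity, then applies a correlation rule that fires only when all three sources report activity on the same host inside a short window, which is exactly the cross-source view an endpoint-only tool cannot produce. The field names in the raw records and the sample values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Single schema shared by every sensor after normalization."""
    ts: datetime
    source: str   # "endpoint", "network" or "cloud"
    host: str     # host identity, lower-cased so all sources agree on it
    user: str
    detail: str


def normalize(raw: dict) -> Event:
    """Map each sensor's native (assumed) field names onto the shared schema."""
    src = raw["src"]
    ts = datetime.fromisoformat(raw["time"])
    if src == "edr":
        return Event(ts, "endpoint", raw["hostname"].lower(), raw["username"].lower(),
                     f'{raw["parent"]} -> {raw["image"]}')
    if src == "ndr":
        return Event(ts, "network", raw["client"].lower(), raw.get("user", "").lower(),
                     f'egress {raw["dst"]}:{raw["dport"]}')
    if src == "cloud":
        return Event(ts, "cloud", raw["source_host"].lower(), raw["principal"].lower(),
                     raw["event_name"])
    raise ValueError(f"unknown source {src!r}")


# Constructed sample records: ws-017 shows activity from all three sensors within
# ten minutes; ws-042 shows only endpoint and network activity.
RAW_EVENTS = [
    {"src": "edr", "time": "2024-05-01T09:00:10", "hostname": "WS-017",
     "username": "alice", "parent": "winword.exe", "image": "powershell.exe"},
    {"src": "ndr", "time": "2024-05-01T09:03:42", "client": "ws-017",
     "user": "alice", "dst": "203.0.113.5", "dport": 443},
    {"src": "cloud", "time": "2024-05-01T09:07:05", "source_host": "ws-017",
     "principal": "alice", "event_name": "CreateAccessKey"},
    {"src": "edr", "time": "2024-05-01T10:00:00", "hostname": "WS-042",
     "username": "bob", "parent": "explorer.exe", "image": "notepad.exe"},
    {"src": "ndr", "time": "2024-05-01T10:02:00", "client": "ws-042",
     "user": "bob", "dst": "198.51.100.7", "dport": 443},
]


def correlate(events, window=timedelta(minutes=10),
              required=("endpoint", "network", "cloud")):
    """Return (host, events) clusters where every required source reports on the
    same host within `window` of some anchor event. One finding per host."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    findings = []
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            seen = {e.source for e in cluster}
            if all(s in seen for s in required):
                findings.append((host, cluster))
                break
    return findings


def findings_for(raw_events):
    """Normalize raw sensor records and run the cross-source rule over them."""
    return correlate([normalize(r) for r in raw_events])


if __name__ == "__main__":
    for host, cluster in findings_for(RAW_EVENTS):
        print(f"cross-source finding on {host}:")
        for e in cluster:
            print(f"  {e.ts.isoformat()} [{e.source}] {e.user}: {e.detail}")
```

Run on the constructed records this reports one finding, on ws-017, with its endpoint, network and cloud events listed together; ws-042 produces nothing because no cloud source corroborates it. The point of the shared schema is that the rule never has to know which vendor's field layout an event came from, which is what lets a single platform replace the separate EDR, network and cloud analysis steps.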

Uptycs’ unified XDR and CNAPP platform is a prime example of, and an inspiration for, where we can expect the XDR market to go. Windows, macOS, and Linux endpoints are just one piece of the puzzle. What used to take multiple discrete tools for EDR, cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), asset management, and compliance can all be managed with one data model.

In the years to come, we can expect to see more vendors attempt to consolidate functionality into XDR-like tools and MDR services. While integrations aren’t going away anytime soon, the solutions that do the best job of limiting tool sprawl without limiting functionality will be well-positioned to become market leaders in the mid-2020s.