News, news analysis, and commentary on the latest trends in cybersecurity technology.

Now That EDR Is Obvious, What Comes Next?

First in our series addressing the top 10 unanswered questions in security: What's going to replace EDR?

Will Lin, Managing Director, Forgepoint Capital

November 1, 2022

3 Min Read
Abstract close-up of yellow line in the middle of a paved road.
Source: Jes2ufoto via Alamy Stock Photo

Endpoint detection and response (EDR) is a cybersecurity staple. The EDR market is still growing at an impressive rate, with a compound annual growth rate projected to exceed 20% through 2027. Additionally, EDR leaders CrowdStrike and SentinelOne's latest ARR growth rates are at 59% and 122%, respectively.

However, at the same time, security professionals are realizing that endpoint detection alone isn't enough. True end-to-end visibility requires accounting for all devices, servers, containers, cloud platforms, and network data flows. Incidents like the Black Basta ransomware attacks have made the point loud and clear that organizations need to be constantly watching what is happening on the network.

In addition to the limited scope of EDR visibility and protection, there are operational challenges. Tool sprawl and complexity make it difficult for EDR to scale and increase the chances of human error that can lead to security oversights.

Extended detection and response (XDR) and managed detection and response (MDR) are rapidly emerging as more holistic solutions for security-conscious organizations. XDR expands on the capabilities of EDR by providing visibility into other attack vectors on the corporate network, rapidly growing cloud resources, sensitive identities, and unmanaged data. XDR enables SOCs to detect, proactively hunt for threats, and contain sophisticated threats from a centralized user interface.

MDR — which involves a third party providing threat hunting, alert triaging, and incident response — is useful for organizations that don't have a dedicated security operations center (SOC) or sufficient in-house cybersecurity expertise. By providing XDR-like functionality while offloading the operational complexity, MDR platforms can help these organizations drastically improve their security posture quickly.

MDR and XDR both provide the holistic threat detection and response capabilities EDR lacks, and we can expect to see more and more organizations adopt MDR or XDR instead of EDR-only in the years to come. That's good news for key players in the XDR/MDR market, like Cisco, Microsoft, CrowdStrike, SentinelOne, and Cybereason.

Beyond XDR

What's even more interesting than the evolution from EDR to XDR/MDR is the general consolidation of functionality we're seeing with XDR/MDR and other security tooling. For example, by aggregating network security data, XDRs are effectively competing with existing security information and event management (SIEM) tools.

This "federated logging" trend, where the tool aggregating the data also analyzes it, is becoming more popular. That may be bad news for legacy SIEMs, but it is an opportunity for vendors that can get it right. Performing the aggregation and analysis of cloud, network, and endpoint data in a single platform, these next-gen tools are paving the way for life after EDR for what remains of this year and beyond.

Uptycs' unified XDR and CNAPP platform is a prime example and inspiration of where we can expect the XDR market to go. Windows, macOS, and Linux endpoints are just one piece of the puzzle. What used to take multiple discrete tools for EDR, cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), asset management, and compliance can all be managed with one data model.

In the years to come, we can expect to see more vendors attempt to consolidate functionality into XDR-like tools and MDR services. While integrations aren't going away anytime soon, the solutions that do the best job of limiting tool sprawl without limiting functionality will be well-positioned to become market leaders in the mid-2020s.

About the Author

Will Lin

Managing Director, Forgepoint Capital

William (“Will”) Lin is a Managing Director and Founding Member at Forgepoint Capital (FPC)

Forgepoint was founded in 2015 and is investing $770M dedicated to startups protecting the digital future; FPC is currently the largest and most active team in the category.

Will is honored to be a coach for entrepreneurs at multiple companies including: Attivo Networks, Bishop Fox, Concourse Labs, Cyberhaven, LoginRadius, Remediant, Sphere, Symmetry Systems, Uptycs and a Stealth Investment.

Will is also a Co-Founder & President of the Security Tinkerers, a non-profit organization that brings together information security professionals to share learnings, provide mentorship, and generate opportunities for the security community and its next generation of leaders. He is a Visiting Fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School. He also is a regular contributor to SecurityWeek, was named a Venture Capital Journal Rising Star, and is an avid connector in the cybersecurity entrepreneur, investor, and practitioner ecosystems.

Will holds a BA from the University of California, Berkeley, and found his calling at the intersection of IT and entrepreneurship after starting businesses to help pay for college. When not in the office, you’ll find Will on the hunt for up-and-coming restaurants or talking about startups at home with his VC spouse.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights