10 Hot XDR Security Companies You Should Watch In 2023
These XDR (extended detection and response) vendors are enabling businesses to collect and correlate data feeds across their security tools and environments — ultimately providing an improved way to prioritize threats.
XDR Takes Off
When it comes to threat detection and response, just looking at the endpoint or the network is no longer enough. The approach that many of the world’s biggest cybersecurity companies have been moving toward in this sphere is XDR, or extended detection and response. One of the fastest-growing categories in cybersecurity today, XDR aims to provide enhanced security by correlating data from across an organization’s environments and devices, and then prioritizing the most serious threats for a response. Major security companies that have embraced the XDR architecture in their detection and response offerings include CrowdStrike, Microsoft, Palo Alto Networks, SentinelOne, Trellix and many more.
There are now dozens of XDR vendors in all, and Gartner has forecast that 40 percent of organizations will have deployed an XDR platform by 2027, up from 5 percent in 2021. As a still-early trend in cybersecurity, however, XDR still sees a lot of variation in terms of approach and capabilities. What are some of the XDR players that are worth a closer look? We’ve tried to nail down a solid list of the XDR security companies that we’ve been following, which have shared details over the past year about each of their distinct approaches to the XDR concept.
For those who are not familiar, here are a few FAQ answers on XDR. First off: Why “extended”? The acronym builds upon EDR, or endpoint detection and response, which became a huge focus for security teams over the past decade (and continues to be today). The idea is that threat detection needs to extend past the endpoint — or any other device or environment for that matter — in order to give an accurate picture of the threats that an organization is actually facing.
What are some of the differences between the different approaches to XDR? A big one is the difference between so-called “native” XDR and “open” or “hybrid” XDR. A few large vendors offer a wide enough range of security tools that they can power an XDR just by utilizing data feeds from their own first-party products. Those vendors are known as native XDR providers. XDR platforms that can correlate and analyze data from third-party tools are known as open/hybrid XDR, and make up the bulk of XDR platforms at this point. Many native XDR players are also offering a way to combine their detections with data from third-party tools (and, for that matter, many open/hybrid XDR vendors have their own first-party tools, as well).
Regardless of exactly how they define themselves, XDR platforms all share a focus on giving a boost to shorthanded security teams, with the aim of improving the quality of threat detection while also reducing the overload in alerts. “XDR lets you really drill down yourself to see what’s going on in an attack,” said Ron Brown, co-founder and CTO of solution provider White Rock Cybersecurity. With XDR, you’re able to know, “What did it touch? Where did it go? What were they trying to do? How did it get in?” he said. “So you really start to analyze the threat itself, to see where the vector was, then you can go back and address that. So you mitigate the threat, analyze where it came from and go close that hole.”
What follows are our picks for 10 XDR security companies worth watching in 2023.
Cisco
Cisco says it already offers “the broadest XDR functionality available” via its SecureX platform, with the ability to tie together data from its wide array of first-party security tools spanning network, endpoint, cloud, applications and email. That puts Cisco on the short list of vendors that is capable of delivering a true “native” XDR platform — which experts say can have advantages, since an XDR vendor using native tools deeply understands all of the environments and telemetry that’s being utilized. SecureX also can leverage feeds from numerous third-party tools and analyze that data alongside feeds from its own products, according to the company.
There’s more to come on Cisco’s approach to XDR, too, as the company begins rolling out its unified platform for modern cybersecurity, the Cisco Security Cloud. Tom Gillis (pictured), senior vice president and general manager of the Cisco Security Business Group, said that XDR will be a focus for the company at the RSA Conference in April. Cisco’s approach to XDR brings “the ability to span all these domains and tie it together,” Gillis noted — something that is especially powerful for a vendor that covers so many different areas in security. “I think there are few if any companies in the world that have the breadth of offering in security” that Cisco has, he said.
CrowdStrike
The largest vendor in EDR by market share, CrowdStrike expanded into XDR in the fall of 2021 and has been focusing heavily on the category since then. In fact, the company’s flagship Falcon EDR product is now offered under the XDR umbrella, as part of the CrowdStrike Falcon Insight XDR platform. The idea, according to the company, is that customers can “start with the endpoint and easily activate extended capabilities to unlock cross-domain detections, investigations and response.”
CrowdStrike has also taken a distinctive approach to making XDR possible for customers with its CrowdXDR Alliance, which consists of a group of major cybersecurity and software vendors that have agreed upon a standardized XDR schema for data-sharing between tools. The alliance enables partners and customers to tap into an integrated XDR solution where security data “all works the same” regardless of which vendor it’s from, according to Michael Sentonas (pictured), who was recently named president of CrowdStrike. For the purposes of using machine learning-driven analytics, “it all looks the same,” Sentonas said last year. “The language between all the vendors, if you will, is exactly the same.”
Along with major vendors such as Okta, Zscaler and Proofpoint, the CrowdXDR Alliance has grown to include a number of security vendors that also compete with CrowdStrike in the XDR sphere — such as Cisco and Fortinet. Additionally, in September 2022, CrowdStrike announced that Falcon Insight XDR would become even more useful as a “hybrid” XDR tool with the ability to support security data feeds from two major competitors, Microsoft and Palo Alto Networks, which are also top players in XDR.
Microsoft
Like Cisco, Microsoft is another vendor that is considered to have a compelling native XDR solution thanks to the fact that the company has such a wide range of its own security tools. The company’s XDR platform, Microsoft 365 Defender, can collect and correlate data from Microsoft’s endpoint, email, application and identity security tools.
The idea, according to Rob Lefferts (pictured), corporate vice president for Microsoft 365 Security, is to do more than just generate alerts — which security teams are overloaded with on a continual basis. “We won’t just feed you a spew of alerts — we will turn it into an incident,” Lefferts said last year. “And when we say ‘incident,’ we actually mean that story across the whole kill chain of exactly this picture what happened. And we’ll give you the timeline, and we’ll show all the devices and users that were impacted, and we’ll even show you the automated investigation that we ran to pull this picture together.”
Ultimately, “it’s really designed to supercharge the security team in their investigation,” he said. “We give you the end-to-end story. And so you are fully prepared to then go interdict, disrupt and block everything. That’s how I think we’ll make a difference for security teams.”
Meanwhile, for a broader vantage point beyond just Microsoft security tools, the Microsoft Sentinel platform can be used to factor in data from third-party products, the company says.
Palo Alto Networks
Nir Zuk, who founded Palo Alto Networks in 2005 and remains its CTO, coined the term XDR in 2018. And the company’s Cortex XDR platform continues to rank among the most well-regarded native XDR platforms, on account of the company’s ability to bring together data from its own security tools in network, endpoint, cloud and application security.
The approach generates superior detections to those of open XDR platforms which, ultimately, “are not being honest when they say that they have the third-party data,” Zuk said last year. For example, while Palo Alto Networks has some of the most widely used next-generation firewalls on the market, “none of these [open XDR] vendors is using our data,” he said.
With XDR, Palo Alto Networks was “really hot out of the gate in bringing that capability to market,” said Brad Davenport, vice president of technical architecture for cybersecurity, networking and collaboration at Logicalis US. “That has been a huge differentiator for them.”
Rapid7
Rapid7 says that it has been working in the area of what’s now known as XDR, well before it was an actual category, with its InsightIDR platform. The company describes the platform as both an XDR and a cloud security information and event management (SIEM) solution, with SIEM as the “foundation” and XDR as a broader set of capabilities that customers can move to when they’re ready. Key capabilities include “trustworthy, curated out-of-the-box detections” that help security teams to battle alert fatigue.
Recent updates to the Rapid7 Insight platform have included the introduction of improved cloud detection and response, used to natively identify the most serious cloud threats with greater accuracy. The company also recently rolled out enhanced vulnerability assessment, which offers continuous visibility into vulnerabilities and is easier to deploy thanks to its being an agentless technology.
ReliaQuest
ReliaQuest offers the GreyMatter security operations platform that features an open XDR architecture — and the company says that it stands out by taking a neutral stance on what tools a customer should use to monitor their environments and devices. In fact, the GreyMatter platform can actually identify gaps in a customer’s product usage and make recommendations about tools that would be useful to adopt, according to ReliaQuest COO Colin O’Connor (pictured).
For instance, “we are not an endpoint detection response solution, but we know how important it is to have that level of visibility on the endpoint,” he said. “And so if a customer doesn’t have that today, one of the first things that we’re going to do as part of our solution is say, ‘Hey, we’ve noticed you have a critical gap on endpoint, for [stopping threats] like ransomware. So you should look at getting an EDR solution so we can help you continue to mature and grow your security operations platform.’”
This represents a major opportunity for partners, O’Connor said, because “a lot of times partners don’t have that same level of visibility” as ReliaQuest is able to have. A huge need for customers currently is gaining the ability to better sift through their security data and alerts to find the threats that really matter, said Justin Domachowski, founder and CEO of solution provider Defy Security.
“People want to know: How do we tone down the noise?” Domachowski said. GreyMatter helps tremendously with figuring out what is a real issue, and what is not, he said — and can then answer the question, “where do we go from there? Where do we start?”
Secureworks
Secureworks has aimed to stand out by offering a “true” open XDR platform that utilizes security data feeds from across a customer’s entire environment, not just endpoints and networks, according to Secureworks President and CEO Wendy Thomas (pictured). The company offers a “holistic” approach to XDR, and its platform, Taegis, was built “from the ground up, from the first line of code,” Thomas said. That’s in contrast to the many XDR vendors that started as SIEM providers or EDR providers, she said.
For many of those XDR vendors, “what they’re really doing is they come from their point of strength, and then they use a SIEM-like approach to just aggregating the other telemetry. That is not cross-correlating and distilling that telemetry into the alerts that matter. It’s really just a new version of a SIEM under an XDR label,” she said. “And that’s probably the biggest fundamental difference. [Most other vendors are] either not open, so you’ve got to move to their proprietary stack, or they are really just aggregating like a SIEM.”
A fundamental difference with the company’s Taegis XDR platform is that it offers a more “holistic” detection and response approach with “full coverage” for customers, Thomas said. The Taegis platform is “not just aggregating the alerts from the individual point products,” she said. “It’s really distilling those into the one alert that matters, so that you can focus your resources on the things that really matter and reduce your risk and reduce your time to response.”
SentinelOne
SentinelOne has been looking to stand apart on its XDR offering with a greater level of automation than was previously available, building on the company’s work in making EDR more autonomous. “If you look at what we do differently — which goes back to our roots — it’s that we wanted to build a fully autonomous platform that would actually detect and disrupt attackers in real time, with no human intervention. That’s how we designed our platform,” SentinelOne co-founder and CEO Tomer Weingarten (pictured) said last year. “We knew it could only happen on the back of monitoring every workload in the enterprise environment, and we started with endpoints. Then we apply artificial intelligence or machine learning to create real-time responses that are based on algorithms, not based on humans trying to sift through alerts.”
While endpoint protection is still the company’s core market, the company can leverage its cloud workload protection and identity protection capabilities as part of offering customers an XDR solution. “XDR is the foundational technology and stack that would allow you to gain that control over all of these devices,” Weingarten said. “And then, once you see them — once you get the telemetry, once you know what’s in your network — the next step is [to] apply machine learning at scale, so you can now control these devices and protect these devices.”
Many XDR vendors come up short on the “R” in XDR, which is the “response” part of the equation, said Nicholas Warner, SentinelOne advisor and former president of security, last year. “That is the difference between XDR and SIEM,” he said. “Anyone can generate an alert. Not just anyone can actually orchestrate a response — and then make that an automatic response and an effective response.”
Stellar Cyber
Positioning its open XDR as “the security operations platform for lean security teams,” Stellar Cyber is a notable startup that’s challenging many of the cybersecurity giants that are focused on the XDR space. The company, which says it was early to the concept of open XDR, has aimed to stand out in part through offering hundreds of “turnkey” integrations from the get-go as well as liberal use of AI to power its detections. “If we can automatically add context and piece things together for the security analyst, it makes their work much more efficient,” said Aimei Wei (pictured), founder and CTO at Stellar Cyber, last year.
On the integrations front, recently added integrations have included Netskope, Deep Instinct and Malwarebytes. Stellar Cyber has also heavily emphasized its work with partners such as managed services providers, and last year launched an education and training program meant to help with the MSP talent shortage.
Partners using Stellar Cyber include Solutions Granted, which told CRN that Stellar Cyber’s XDR is the “backbone” of its organization. “It’s where we live and die in our security operations center,” said Solutions Granted CEO Michael Crean.
Meanwhile, at managed security services provider BlueAlly, the open XDR approach taken by Stellar Cyber has been pivotal in terms of serving customers and providing them with transparency into how they are being served by the XDR, said Blake Langston, BlueAlly’s director of managed services. “When we provide SOC-SIEM services to our customers, whatever technology stack they have, we can support and ingest those logs. They get full-blown access to whatever product we’re using,” Langston said. “We’d like the customer to be able to see the same thing that we’re seeing.”
Trellix
Since the rebranding from McAfee Enterprise and FireEye in 2022, Trellix has been seeking to build upon its strong presence in the endpoint security market to move into XDR. “Where we’re going is to be the market leader in XDR,” said Trellix CEO Bryan Palma (pictured) last year.
A key differentiator is that the Trellix platform supports both native and open XDR approaches, Palma said. Another is that the company has a history in both security operations and endpoint protection, he said. “A lot of the [XDR] competitors play in the security ops market or the endpoint market, but not in both,” Palma said.
The platform’s support for open XDR also helps the cybersecurity industry to move past its history of “warring factions,” and toward becoming an “adaptable, flexible ecosystem,” Palma said.