Not All XDR is Created Equal

June 29, 2022 | 4 minute read

The global Extended Detection and Response (XDR) market is expected to grow considerably over the next decade. World Wide Technology reported that it will grow at a compound annual growth rate of nearly 20% between 2021 to 2028, reaching a value of $2.06 billion by that time. 

Over this projected period of growth, security vendors that already have an XDR offering will no doubt refine their solutions, and new players will also likely throw their hat into the ring. But all this variety isn’t necessarily a good thing for organizations. 

With so many XDR solutions available on the market today, organizations need to be careful about which one they choose. That’s because not all XDR platforms are created equal or deliver the same type of value. Here’s how to sort it all out.

Data Filtering: The Lowest of the Low

It’s important to note that some companies do not have the ability to ingest all available telemetry for their Endpoint Detection and Response (EDR) offerings. As a result, they resort to a technique known as “data filtering.” This is where they eliminate telemetry even though it might be useful for detection. They have no choice; their model involves sending all data to the cloud for analysis before they can return a detection. 

Even so, it calls into question whether these companies’ platforms can keep organizations safe. Indeed, if their platforms cannot currently handle all available endpoint telemetry to make detections via EDR, how will they ever be able to effectively ingest even more telemetry from non-endpoint sources? 

An effective XDR solution needs to be able to ingestat of telemetry from not just endpoints, but also cloud workloads/containers, user identities, an array of business application suites, etc. So can they deliver effective XDR? No, they can’t, and that’s just reality based on platform capabilities.

Native XDR vs. Open XDR

After data filtering, it’s important to distinguish “native” XDR from “open” XDR. The former performs XDR functionality by integrating with “native” solutions that belong to the same vendor portfolio. This type of offering spares security teams from needing to spend lots of time on configuring their XDR platforms and from needing to go through a complicated buying process for all their different solutions. But the advantages end there. 

With native XDR, organizations might find themselves in a state of “vendor lock-in” where they’re stuck with a single company’s solutions that don’t fulfill all their security requirements. Organizations might also need to replace some of their existing technologies to make full use of a native XDR product, thus cutting down on the ROI of their current investments.

These drawbacks don’t apply to open (also known as “hybrid”) XDR. This approach enables organizations to integrate their XDR platforms with whichever best-of-breed solutions work for them. Yes, they’ll need to go through separate buying processes for these tools, and the integrations might not be as tight as they would be under a native XDR platform. 

Even so, organizations can use open XDR to work with tools that fulfill their security requirements as they continue to evolve. They also won’t need to replace any of their existing investments (if they’re still working for them) under an open XDR platform.

Traditional XDR vs. Advanced XDR

A step up from native XDR vs. open XDR is the difference between traditional XDR and Advanced XDR. This distinction has to do with how an XDR platform gathers data and what types of security incidents it can help to illuminate as a result. 

Traditional XDR is straightforward. It integrates with threat intelligence to spot Indicators of Compromise (IOCs) from already-known attacks. The XDR platform then helps security teams to respond to those incidents, but the analysts must manually triage all relevant alerts and then begin the task of trying to correlate them to determine which are related to an actual security event and try to answer the question “are we under attack?” This can take time, giving digital attackers an opportunity to further infiltrate organizations’ systems.

Advanced XDR takes this approach one step further by automating the time consuming triage and correlation tasks. Not only does it integrate with threat intelligence, but it also uses artificial intelligence (AI) and machine learning (ML) to deliver context-rich correlations based on telemetry from disparate sources across organizations’ assets.

Advanced XDR thereby not only provides visibility across the kill chain, but it also provides automated predictive response, elevating Tier 1-2 analyst capabilities to be on par with Tier 3 skill sets, as a result increasing both efficiency as well as efficacy.

AI-Powered XDR

Fortunately, organizations don’t need to settle for incomplete XDR solutions. There is the option to go with an AI-driven XDR solution that delivers the complete attack story in real-time and extends continuous threat detection and monitoring, along with automated response beyond endpoints to protect applications, identity and access tools, containerized cloud workloads and more.

AI-driven XDR also ingests threat intelligence streams to allow organizations to defend against known attacks and uses AI and machine learning (ML) to automatically correlate telemetry from across these different assets to deliver the complete attack story in real-time. This functionality frees security analysts from needing to triage every generated alert, enabling them to address actual threats faster.

Over half (52%) of executives at U.S. companies told PwC that they had accelerated their AI/ML adoption plans, and even more (86%) said that AI/ML would be a “mainstream technology” in their environments by the end of 2021. What’s more, AI/ML can enable security teams to cut through the noise produced by a constant flood of threat alerts and false positives.

AI-driven XDR also leverages behavioral analytics and Indicators of Behavior (IOBs) to provide a more in-depth perspective on how attackers conduct their campaigns. This operation-centric approach is far superior at detecting attacks earlier–especially highly targeted attacks that employ never before seen tools and tactics that evade traditional endpoint security software.

Finding one component of an attack via chains of potentially malicious behavior allows defenders to see the entire operation from the root cause across every impacted user, device, and application. This is where AI-driven XDR is essential to automatically correlate data at a rate of millions of events per second versus analysts manually querying data to validate individual alerts over several hours or even days. 

Such visibility enables security teams to respond to an event before it becomes a major security issue and introduce measures designed to increase the burden on attackers going forward.


Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven  XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security for increased efficiency and efficacy.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed