Experts debate XDR market maturity and outlook

Is extended detection and response still all buzz and no bite? Experts disagree on whether XDR qualifies as a legitimate market yet or still has a ways to go.

In the classic British children's book The Velveteen Rabbit, a little boy's stuffed toy dreams of becoming a real rabbit. Through the power of a child's love, the bunny's wish eventually comes true, and he starts a new chapter living in the forest among his peers.

For a buzzy new technology on the precipice of becoming its own standalone market, the critical moment of transformation is less clear.

Take extended detection and response (XDR), an emerging cybersecurity concept that has generated a lot of excitement, a fair bit of confusion and even some minor controversy among industry analysts. But, while some experts say the XDR market is already in full swing, others argue it's just a promising stuffed bunny.

"It might seem like a funny question, 'Is XDR a real market?'" said Dave Gruber, analyst at Enterprise Strategy Group (ESG), a division of TechTarget. But not every shiny new IT object has enough oomph and staying power to disrupt existing spending patterns in a significant and lasting way, living up to expectations and rising to the level of markethood.

"We've seen it before," agreed Jon Oltsik, also an analyst at ESG. "A few years ago, user and entity behavior analytics, or UEBA, was supposed to be the disruptive market that changed the dynamics of security operations and security analytics." That, of course, didn't happen. Instead, SIEM came along and swallowed UEBA.

What is a market?

ESG categorizes the four stages of a disruptive new technology's market development in the following way:

  1. Noise. Vendor hype swirls around a new, potentially disruptive technology, but real-world users haven't started buying.
  2. Hope. Some early adopters invest in the products or services in question.
  3. Legitimacy. Customers wake up with a problem and seek out this technology to solve it. (Note that adoption must be primarily problem-driven, not sales- or marketing-driven.)
  4. Maintenance. The market is now well established, and commoditization gradually drives down prices.

What is XDR?

ESG defined XDR as an integrated suite of security tools that spans IT infrastructures, with the goal of providing coordinated threat prevention, detection and response across networks, servers, endpoints and the cloud. The typical security stack includes an overwhelming number of controls, Gruber added. XDR stitches some or all of them together to offer greater simplicity and clarity to the user.

Many experts describe XDR as an expansion of endpoint detection and response (EDR) technology, which scans endpoint devices looking for breaches in real time. An XDR platform applies EDR principles across the IT environment, pulling information from discrete security tools into a unified, comprehensive view of the threat intelligence landscape. Because XDR consumes and correlates multiple data streams, it can theoretically weigh information in context and minimize false positives. It also uses machine learning and automation to perform root cause analysis and suggest or execute responses to security alerts.

Grand View Research valued the current XDR market at $577.9 million and predicted revenue will rise to $2.06 billion by 2028.

Is the XDR market 'real'?

As anyone working in IT knows all too well, vendors sometimes try to drum up artificial demand where it doesn't organically exist. But, when it comes to the forces driving XDR market buzz, experts said it's complicated. On the one hand, a vendor -- Palo Alto Networks -- coined the term in 2018 and promoted early conversations around XDR. On the other hand, analysts agreed the concept adds up to far more than just empty marketing hype.

Oltsik and Gruber have collaborated extensively on XDR research at ESG, yet even they disagree on whether the XDR market has achieved maturity and legitimacy today.

"I was kind of bullish on this early on; I think XDR solves a really compelling problem," said Gruber, who is in the affirmative camp. "XDR is well recognized by the majority of security organizations, and there's been a ton of early validation."

Oltsik said the cybersecurity industry has thus far failed to agree on a clear definition of XDR and added that many users still don't even know what the acronym stands for. ESG's research showed just 24% of security professionals describe themselves as "very familiar" with XDR concepts.

"We, as analysts -- along with the market itself -- have to clarify what XDR is before we can say it's a 'real' market," Oltsik said. Right now, he added, "it's an immature market that has the potential to become a real market."

Gruber countered by suggesting EDR's past progression to clear market maturity has fast-tracked XDR's own trajectory. Many security vendors have already waded into the space, he added, and ESG's research showed 70% of organizations plan to make room in their budgets for XDR by 2022. "All these characteristics say to me, 'Yeah, this is a real market.'"

Even so, Gruber cautioned security vendors not to get carried away by XDR market excitement. "I think it could be a big distraction," he said, warning against "getting sucked into the vortex of the XDR conversation." Manufacturers and providers should be able to articulate their positions on XDR and how their products or services support the technology, Gruber added. But not everyone needs to offer an explicit XDR play.

Despite his belief that the XDR market hasn't quite reached maturity and legitimacy, Oltsik is also bullish on its potential. "XDR could be extremely disruptive to all security controls, analytics and operations tools," he said. "Everyone should pay attention."
