XDR: An Alliance and a Mission

XDR — Extended detection and response — is a hot cyber security category these days. It is popular with end-user organizations because it (theoretically) aggregates and integrates several cyber security capabilities, giving them a single, holistic approach to detection and response. TAG Cyber has advocated integration and orchestration in the past, so we’re fully on board with this notion.

However, as with all things cyber, XDR is not so straightforward. The definition of XDR changes depending on with whom you are speaking. Some security professionals argue that XDR is an eXtension of EDR — endpoint detection and response — notably, the EDR and endpoint vendors. Other security pros argue that XDR is an eXtended single vendor offering, bundling endpoint and network detection and response capabilities, notably, some larger security vendors with the ability to cover edge to core. Then, of course, there are the vendor companies that are molding the term to mean whatever best befits them. (It’s akin to what we’re hearing from the market about SASE. Every company now claims to be a “SASE company” if they in any way integrate cloud-based protection capabilities from distributed collection points. We also heard this same claim about zero trust a few years back, as well as plenty of other buzzwords and acronyms in preceding years. Long live the so-called hype cycle!)

From this analyst’s point of view, the best definition of XDR is the middle one: a capability that eXtends from edge to core. Time will tell what the market bears out, though, and I will adjust accordingly.

One organization that agrees with me on the edge-to-core concept is the aptly named XDR Alliance. The Alliance, formed at the beginning of August 2021 and led by founding members Exabeam, Armis, Expel, Extrahop, Google Cloud Platform, Mimecast, Netskope, and SentinelOne, aims to bring awareness to XDR, help standardize on a definition, and gain buy-in for the idea that a true XDR capability requires integration of many components of threat detection, investigation, and response (TDIR), ranging from collecting the right data (e.g., via your endpoint and network tools) to correlation (e.g., your SIEM) and analysis (e.g., security analytics). Other XDR components represented by the member companies are security analytics, identity management, email, cloud, OT/IoT, and network detection and response (NDR) as well as managed security service providers (MSSPs), managed detection and response services (MDRs) and systems integrators (SIs).

During a recent meeting with Gorka Sadowski, XDR Alliance founder and Exabeam chief strategy officer, he explained that the group was formed with the mission to “collectively and collaboratively deliver on the promise of easier and better threat detection, investigation, and response through XDR.” The group, he said, doesn’t focus on selling individual technologies (although each member company clearly sells a product that would fit into “XDR” if you’re using the edge-to-core definition). Nor does it necessarily promote buying from all the companies as a bundled solution. Instead, the idea of the XDR Alliance is to define a true XDR model that benefits enterprise end users and makes them aware of how each technology fits and plays a role within the model. It’s also an educational tool, talking about integrations that already exist within the model as well as new and future integrations based on each member company’s continuous innovations and collaborations.

Unlike with the SASE movement, the XDR Alliance is not promoting the idea that enterprises should buy into a single vendor that provides all the technological capabilities in one platform. In fact, none of the founding member companies currently offers that type of product portfolio. Further, thus far, from what we’ve heard at TAG, none has plans to build out or scoop up complementary tech to become the one behemoth XDR provider to rule them all.

Collaboration at the core

Collaboration stands at the center of the Alliance’s plans. Sadowski said, “We are organizing so that we can explain how an open XDR approach that focuses on collaboration and integration benefits enterprises in their ongoing efforts toward better SOC operations. Tools integration and extracting value from those tools with an orchestrated approach shouldn’t be relegated to only the most mature companies with the biggest budgets. Vendors must get better at working together and at developing solutions that allow for enhanced threat detection, investigation, and response.”

Together, the Alliance has developed a three-tier model that focuses on what they consider the essential elements of the XDR stack:

  • Data sources/control points: the IT and security technology that produces IT/security telemetry, logs, and alerts that feed security decisions for SOC teams, and which implement and enforce decisions/responses that need to be performed as part of the TDIR.
  • XDR engine: the analysis engine for all collected data which allows for automated TDIR.
  • Content: Pre-packaged content, such as playbooks and workflows, that allow SOC operators to triage alerts and incidents with ease.
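To make the three tiers concrete, here is an added illustration (not code from the Alliance or any member company): constructed telemetry from several control points is normalized into one shape, a toy engine correlates it per host across sources, and pre-packaged content maps the agreeing sources to a response playbook. All source names, signal names and playbook names are assumptions made for the example.

```python
"""Toy model of the Alliance's three-tier XDR stack: data sources/control points,
an XDR engine that correlates across them, and content (playbooks).
Constructed sample telemetry; names are illustrative, not any vendor's API."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str   # tier 1: which control point produced it (edr, ndr, email, identity)
    host: str     # entity the engine correlates on
    signal: str   # normalized detection name


# Tier 1: constructed telemetry from several control points, normalized to one shape
TELEMETRY = [
    Event("email", "ws-017", "phish_attachment_opened"),
    Event("edr", "ws-017", "office_spawned_shell"),
    Event("ndr", "ws-017", "beacon_to_rare_domain"),
    Event("edr", "ws-042", "office_spawned_shell"),
    Event("identity", "ws-042", "impossible_travel"),
    Event("ndr", "ws-099", "beacon_to_rare_domain"),  # single source: stays an alert
]

# Tier 3: content - playbooks keyed by the set of sources that must agree
PLAYBOOKS = {
    frozenset({"email", "edr", "ndr"}): "isolate_host_and_quarantine_mail",
    frozenset({"edr", "identity"}): "revoke_sessions_and_escalate",
}


def select_playbook(sources):
    """Pick the most specific playbook whose required sources are all present."""
    matches = [(len(req), pb) for req, pb in PLAYBOOKS.items() if req <= sources]
    return max(matches)[1] if matches else "manual_triage"


def xdr_engine(events, min_sources=2):
    """Tier 2: correlate per entity across sources; an incident needs >= min_sources
    independent control points agreeing, so a lone alert never becomes an incident."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents = {}
    for host, evs in by_host.items():
        sources = frozenset(e.source for e in evs)
        if len(sources) >= min_sources:
            incidents[host] = {"sources": sources,
                               "signals": [e.signal for e in evs],
                               "playbook": select_playbook(sources)}
    return incidents
```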

The group is extremely nascent and we’ve yet to see a significant amount from them, but it is certain that cyber security needs more collaboration to promote highly secure ecosystems — from both vendors and enterprise end-user teams. Today, any technology vendor that tries to stand alone, cannot or will not integrate, and is not making constant improvements to its product or platform is not one this analyst would like to see remain viable.

End users, too, should be collaborating on best practices with colleagues and focusing on training and education for everything from tools optimization to skills building to indicator of compromise awareness.

The XDR Alliance appears to be in the right place to promote this effort around XDR, and we look forward to seeing how they progress over time. If you are interested in learning more or becoming a member, contact the industrywide collaborative at