Market Guide for Endpoint Detection and

Response Solutions
Published: 23 December 2019 ID: G00380177

Analyst(s): Paul Webber, Prateek Bhajanka, Mark Harris, Brad LaPorte

EDR and EPP tools are merging to address new threats, so security and risk
management leaders must revise related strategies. Leading vendors have
created holistic tools in a single portal. These platforms can displace existing
endpoint toolsets with faster detection and optional automated response.

Key Findings
■ Older antivirus solutions offer insufficient protection against today’s advanced threats and lack
speed of response, nor do they provide the capability to show the root cause or damage done.
■ Leading EDR vendors combine modern prevention techniques with detect and response
capabilities in a single lightweight agent. The best of these feature cloud-hosted infrastructure
that unifies many tools in one console and offers further integration options.
■ Automation is a major differentiator where security staff are scarce and there is a need for rapid
detection of advanced persistent threats and to provide the fastest remediation of these.
■ EDR tools must handle vast amounts of data, so cloud hosting of back-end compute, storage
and reporting consoles is optimum. This also provides scalability and cost-effective hosting/
storage, and offers more opportunities to automate and integrate with other services.

Recommendations
Security and risk management leaders responsible for endpoint security must:

■ Prepare for periodic change to be the new “normal,” ensuring maximum flexibility in licensing
and support contracts. Budget for regular upgrades to tools, processes and resources needed
to detect evasive threats in time, identify and remediate the root cause, and prevent recurrence.
■ Check, when selecting combined EPP and EDR solutions, that these can detect fileless exploits
and “living off the land” style attacks. Ensure tools don’t rely solely on machine learning
techniques and favor those that employ multiple additional detection methods.
 ■ Use threat modelling and penetration testing to show where current tools and skills are
inadequate. Plug any gaps by updating to cloud-hosted EDR tools that have automation and
integration options. Defenders need training to correctly deploy and fully exploit all capabilities.
■ Select vendors that submit their tools to nonsponsored public testing. Prefer those that mapped
their controls to MITRE’s ATT&CK framework and performed well in MITRE evaluations.

Strategic Planning Assumption

By the end of 2023, more than 50% of enterprises will have replaced older antivirus products with
combined EPP and EDR solutions that supplement prevention with detect and response
capabilities.

Market Definition
This document was revised on 9 January 2020. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.

EDR solutions must provide four primary capabilities:

■ Detect security incidents

■ Investigate security incidents
■ Contain the exploit at the endpoint
■ Provide guidance for remediation

In addition, EDR solutions should enable enterprises and smaller organizations to deploy a single
solution that also protects against attacks and allows the collection and analysis of log and
configuration data. The visibility of user, device and application activity should be combined with
advanced reporting and direct intervention when abnormal activity is detected. The detection
methods used must be frequently updated. Integration and automation with other tools and services
are paramount. Cloud hosting is preferred, with alternative hosting options available.

Market Description
Since the complexity of attacks and threats have both continued to develop at a pace that exceeds
the ability of the tools and defenders to protect against them, security solution providers have
developed more flexible tools with an “assume breach” mindset. EDR tools focus on the
postinfection stage of the kill chain, providing the ability to detect and respond to advanced threats
in a timely and effective manner.

The techniques used by attackers and methods used to evade detection have also expanded,
requiring detection engines and controls to identify them and produce alerts that also inform
defenders how they should respond to the event and what remediation is possible. Increasingly,
these controls and remediations are aligned to the MITRE ATT&CK framework, and many vendors

Page 2 of 20 Gartner, Inc. | G00380177

 now catalog their detection routines against ATT&CK controls, using MITRE terminology in alerts
and reporting.

Endpoint security vendors now combine the features of EPP and EDR solutions into a single
capability (see Figure 1). This is usually achieved by unifying the agents and/or sensors used, as
well as establishing a single holistic management and reporting portal. Some EPP features
previously provided as add-ons, such as device control and application control, may not be offered
by the combined EDR tool, but are often now included in part of the host operating system (for
example, Microsoft Windows 10).

Gartner, Inc. | G00380177 Page 3 of 20

 Figure 1. From Separate EPP and EDR to Combined EPP and EDR

Page 4 of 20 Gartner, Inc. | G00380177

 Market Direction
The controls and focus of endpoint security tools have evolved to reflect the way in which exploits
have changed and the need to provide a different set of detection and remediation facilities to
match (see Figure 2). Over time, since attackers have developed more stealthy exploits that evade
traditional antivirus and anti-malware tools, vendors have adapted from solely using file-based
scanning of storage media and hard disks, adding the use of more sophisticated behavior-based
techniques. These more evolved tools distinguish between expected or “normal” activity and
anomalous actions that may indicate the presence of malware, a compromised device or attackers
using techniques to conceal their activity under the guise of “regular” administrative activity.

2019 Market Consolidation Activity and Vendor Competitiveness

Over the last 12 months, the EDR market and broader endpoint security market have seen multiple
mergers and acquisitions. The EDR market has observed the industry trend for acquisitions, not
only within the EDR market, but also in adjacent markets. To provide more of a solution-based
approach for organizations, EDR vendors have been acquiring MDR service providers from the
wider market. Emerging platform players are adding EDR to integrate with their prevention,
detection and response capabilities and with easy provisioning for their customers and an
opportunity to upsell.

Mergers and acquisitions are expected to continue through 2020, as there are over 30 vendors
offering credible EDR products, and the top nine vendors currently account for more than 80% of
the market share. At the same time, end users are realizing they have too many point solutions/
individual vendor tools in place, and consequently it will be tougher for smaller security vendors with
a single capability to get organizations to buy their products. See Table 1 for some of the notable
mergers and acquisitions in 2019.

Table 1. Notable Mergers and Acquisitions

Vendor Acquired Company/Service Vendor Acquired Company/Service

Sophos DarkBytes, Rook Security (MDR), Avid Secure Broadcom Symantec (all enterprise
(Cloud) products)

Palo Alto Networks Zingbox, Twistlock, Demisto, PureSec and VMware Carbon Black
Aporeto

Fortinet enSilo Elastic Endgame

Source: Gartner (December 2019)

Gartner, Inc. | G00380177 Page 5 of 20

 Figure 2. The Evolution of Endpoint Protection Tools

Since there is also a need to detect and respond to unknown, fileless and advanced persistent
threats (including those associated with state-sponsored attackers), there must also be an
assumption that simply trying to prevent all exploits is unrealistic. This has led to the emergence of
EDR tools that provide the ability to detect exploits and malicious activity post infection. These tools
also allow defenders to then respond with suitable measures to isolate or contain the threat and the
facility to directly intervene at the endpoint itself (usually via remote access) should the need arise.

The evolution of EDR tools has reached the stage where some vendors include threat intelligence
feeds into consoles where response teams can investigate an incident with telemetry and analytics
gathered together for them. This adds to the usual facility to perform threat hunting against the
database of managed endpoints for a view of both current activity and a forensic facility to examine
historic data.

The speed of detection and response are critical, and many organizations lack the resources and
skills to respond effectively. Therefore, the more advanced vendors in this segment are also
providing expert managed detection and response (MDR) services to augment the customer’s own
teams and provide alerting and monitoring.

Automated response and remediation are the most recent developments in EDR tools. These have
the facility to use advanced AI analysis, with automated workflow and agents that can roll back
activity to a former state.

Page 6 of 20 Gartner, Inc. | G00380177

 Automation and AI is also possible at the console level to both enhance alerting with suggested
remediation and offer the facility to generate scripts and automated actions. In the most advanced
tools administrators can also opt devices into fully automated remediation policies.

Go to Market and Execution

EDR products have developed to fill the security gap left unaddressed by the endpoint protection
platform (EPP) products. As an industry, organizations have been primarily focusing on prevention,
and detection. Response capabilities were used only by a few highly mature organizations. As
100% prevention is unattainable, EDR products started offering detection and response capabilities
to complement EPP to detect the attacks that have bypassed prevention/protection. Organizations
deploying security tools are wary of:

■ Having to install another agent on the endpoints

■ Investment in and reliance on detection and response tools alone
■ Vendor consolidation objectives that may affect investment plans
■ The overheads to deploy and manage multiple consoles and siloed capabilities

EDR vendors started adding prevention capabilities using one single agent and management
console. A single agent, SaaS-based application delivery and management features covering
prevention, detection and response has become the preferred standard in the EDR market.

In addition, in order to offer best-of-breed solutions to highly mature organizations, the EDR players
continue to offer coexistence alongside an existing EPP product. The primary route to market for
EDR has been through channel partners (resellers/VARs) and MSSPs/MDRs. Currently, EDR is
primarily being sold as a technology in more mature markets like North America, Europe and in
other emerging markets through MSSPs or MDRs.

In emerging markets like Asia/Pacific and the Middle East, EDR vendors have partnered with
security service firms in the region to deliver EDR technologies as a part of an MDR offering. In
markets, regions or verticals that are late or reluctant adopters of cloud hosting, EDR vendors offer
on-premises versions of the product as an alternative to their SaaS delivery. Some also provide a
three-tier model in which EDR agents don’t talk to the internet directly but do so via an on-premises
virtual or physical relay that is connected to the EDR application in the cloud. Other vendors offer
private cloud hosting in the customer’s own tenant, for organizations not wishing to utilize public
cloud or SaaS.

With growing concern over data sovereignty, plus data localization and privacy regulations, EDR
vendors have started offering cloud hosting in regional locations.

Market Analysis
The following sections of this Market Guide are organized into subcategories that allow the reader
to identify several discrete categories of vendor solutions that address specific use cases, device

Gartner, Inc. | G00380177 Page 7 of 20

 types and that group solutions by their respective endpoint protection, detection and response
capabilities.

In order to separate controls that are collectively associated with protection of the endpoint, Gartner
uses the term EPP to describe the approaches and controls that aim to prevent an exploit or block
attacks.

In Figure 2, these are listed in the bottom half of the controls hierarchy, as they are regarded as
highly important controls but may increasingly be part of operating system security facilities. This is
especially the case with the latest Windows 10/Server 2019 releases, Server 2016 and Apple
macOS.

The core detect and response capabilities at the top show the critical capabilities associated with
EDR agents, and these are now recommended as must-have capabilities for effective endpoint
protection.

Additional layers of security controls are desirable to realize a blended or layered approach. These
are listed at the foot of the diagram and include network-, infrastructure- or hardware-level
technologies that generally do not involve an agent or EDR tool functionality.

Figure 3. Endpoint Security Controls Hierarchy

Operational IT controls, including vulnerability management and hardening of the OS, are critical
parts of the overall endpoint protection strategy for all organizations. They can protect against a

Page 8 of 20 Gartner, Inc. | G00380177

 wide range of risks and vulnerabilities, without having to rely on endpoint protection alone as a final
level of protection.

Hardware virtualization and BIOS protection have recently evolved rapidly and become universally
available (previously the preserve of enterprise device SKUs) as well as easier to deploy. These
should be enabled at the hardware and OS level to protect and isolate encryption keys,
authentication providers and to remove a large array of OS vulnerabilities and attack techniques.

Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

The sections below describe distinct groups of capabilities that are evident in the EDR marketplace.
The associated industry direction, characteristics and features of each category of solution are
introduced, along with sample vendors representing each group.

Market Introduction
The sections below provide some examples of specific attributes, use cases and some
representative vendors that demonstrate the capabilities listed in each section. Security and risk
management leaders should consider what specific needs their chosen solution must address and
identify the device types, skills and resources available to leverage the tools. When aligning
requirements with individual or multiple subsections in this guide, it is also recommended to refer to
the additional reading list at the foot of this document to see a more extensive list of vendors,
solutions and the scenarios in which these should be considered.

EDR Tools With Added Automated Remediation

The once limited response part of EDR solutions is increasing in its scope, adding not just isolation
of devices and quarantining of threats, but also allowing for complex exploits to be removed and
devices reverted to a previous state. As solutions mature, even greater levels of integration and
automation should be expected. For example, if a user opens a weaponized document in an email
that is detected, part of the integrated remediation process could include identifying other users
that received the document and removing the email (via the mail server) before they open it. As
these playbooks of actions improve, automatic remediation and the removal of complex attacks will
be possible. This includes restoring systems, files and, if necessary, reissuing user credentials.

Some EDR vendors are applying logic-driven processes to allow the administrator to enable
semiautomated and fully automated remediation where an exploit can be clearly identified and
where the remediation is known (or activity has been identified that is easily reversed) (see Table 2).

Automated response not only provides a tempting solution for organizations that lack the in-house
skills to decide on the appropriate course of action, but it also allows for much faster response to

Gartner, Inc. | G00380177 Page 9 of 20

 known or recognizable events. It is expected that this trend will continue while resources are scarce
and in-house expertise is lacking.

Security and risk management leaders must look for:

■ Solutions that have granular options to block or isolate suspect activity proactively, pending
administrator intervention and investigation.
■ Automated sandbox detonation or other integrated internet services that will provide additional
attestation/identification or threat context.
■ Options to consume additional managed services to add expert assessment and rapid
response capabilities to augment in-house staff or plug gaps in current (infosec) teams.
■ A solution with automated playbooks for the most common remediation scenarios. Ensure that
new customized playbooks can be easily created specific to the organization.
Table 2. Sample Vendors

Vendor Product, Service or Solution Name

CrowdStrike Falcon Endpoint Protection

Cybereason Cybereason Defense Platform

Cynet Cynet 360

Malwarebytes Endpoint Protection & Response

Sophos Intercept X

SentinelOne SentinelOne

Symantec Symantec Endpoint Security (SES) Complete

Source: Gartner (December 2019)

EDR Vendors Directly Providing MDR Services

The goal of MDR services is to rapidly identify and limit the impact of security incidents to
customers. These services are focused on remote 24/7 threat monitoring, detection and targeted
response activities. MDR providers may use a combination of host and network-layer technologies,
as well as advanced analytics, threat intelligence, forensic data and human expertise for
investigation, threat hunting and response to detected threats (see Table 3).

Security and risk management leaders must:

■ Use MDR services to add 24/7 threat detection, incident investigation and response
capabilities, when unavailable or immature in-house. Internal resources are still needed for

Page 10 of 20 Gartner, Inc. | G00380177

 some response activities, and upfront incident response retainers may be necessary for
additional support.
■ Embrace threat disruption and containment as an incident response (IR) feature of MDR service
providers when there are no 24/7 in-house teams to respond to threats needing immediate
attention.

MSSPs are slowly adding MDR-type offerings that supplement their existing services. There are
some MSSPs with credible offerings that include their own proprietary host and network
technologies, supported by threat intelligence and advanced analytics capabilities (see “Magic
Quadrant for Managed Security Services, Worldwide” and “Market Guide for Managed Detection
and Response Services”).

Table 3. Sample Vendors

Vendor Product, Service or Solution Name

Arctic Wolf Managed Detection and Response

CRITICALSTART Managed Detection & Response

Expel Expel

FireEye Managed Defense

IBM Managed Detection and Response

Rapid7 Managed Detection and Response Services

Secureworks Managed Detection and Response

Source: Gartner (December 2019)

EDR Vendors With Combined Network Analytics and Threat Intelligence

The analysis of increasingly complex IOCs has resulted in solutions integrating threat intelligence
data to attempt to attribute attacks to threat actors. As this integration matures, further guided
threat-hunting capabilities will evolve, allowing operations teams to carry out complex analysis of
events. Many of these tools will be driven by vendors’ own MDR services.

As threats and attacks become more sophisticated and targeted, security and risk management
leaders must:

■ Ensure EDR solutions include prioritized vulnerability assessment capabilities to identify where
attacks may start and to take preventative measures.
■ Seek solutions that can automatically integrate threat intelligence data feeds to quickly
differentiate between attacks and false positives.

Gartner, Inc. | G00380177 Page 11 of 20

 ■ Consider an integrated approach to perimeter, network and endpoint security where integration
and shared telemetry can offer improved visibility across these previously siloed capabilities.

As can be seen from 2019 consolidation and acquisition activity (see the following section), several
well-known network security vendors have made considerable investments into EDR and endpoint
technologies and have combined them into an integrated threat protection platform (see Table 4).

Table 4. Sample Vendors

Vendor Product, Service or Solution Name

Cisco Advanced Malware Protection (AMP) for Endpoints

FireEye Endpoint Security and Helix

Fortinet FortiClient

Palo Alto Networks Traps and Cortex

Source: Gartner (December 2019)

EDR Vendors With MITRE ATT&CK Categorized Controls

The MITRE ATT&CK framework has become a common and unifying language for security vendors
and solution providers to categorize the attack methods used by advanced persistent threat (APT)
groups and identifiable techniques used by state-sponsored actors. The resultant categories of
controls that illustrate the kill chain stages and the wide range of exploits and how these can be
remediated are publicly available, along with a methodology for testing security tools’ ability to
detect and respond to these.

Similarly, security and risk management leaders can now also utilize the MITRE framework to
assess the capabilities in their own tools, processes and skills to meet all the categories and kill
chain stages that are covered. This is necessary to understand where gaps exist and where tools,
skills and resources are inadequate to protect.

Security and risk management leaders should:

■ Perform their own threat modelling and assessment of applicable controls and methods from
the MITRE ATT&CK framework. Produce a heatmap of gaps and threats with MITRE
terminology.
■ Engage vendors, infosec teams and process owners using the MITRE derived gap analysis and
identify areas for improvement for all the gaps in tools, processes and skills.
■ Prefer vendors who have submitted their tools for Phase 1 or 2 MITRE evaluations, review the
results against the gap analysis already captured, and shortlist vendors who can plug the gaps.

Prior to 2019, only 12 vendors had submitted their products for MITRE evaluation. Since then, a
further 21 vendors have completed Phase 2 testing. Many of these vendors have also categorized

Page 12 of 20 Gartner, Inc. | G00380177

 the detection routines and controls in their software to match the MITRE ATT&CK framework and to
use common MITRE terminology in the alerting and reporting of their products (see Table 5).

Table 5. Sample Vendors

Vendor Product, Service or Solution Name

Bitdefender Bitdefender

BlackBerry Cylance

Endgame Endgame

F-Secure F-Secure Rapid Detection & Response

GoSecure GoSecure

Microsoft Defender Advanced Threat Protection (ATP)

RSA NetWitness Platform

Source: Gartner (December 2019)

EDR Vendors Providing SIEM and SOAR Integration

SOAR solutions are gaining visibility and real-world use, to improve the maturity of security
operations centers (see Table 6). The SOAR technology market converges security orchestration
and automation (SOA), security incident response (SIR) and threat intelligence platform (TIP)
capabilities into single solutions. SOC analysts are often working with multiple tools and having to
alternate between these, including:

■ A variety of SIEM console alerts.

■ Threat intelligence (TI) service portals for information about the entities involved.
■ EDR for context on what is happening on the affected endpoint.

They may even be using workflow tools to orchestrate the triage and investigation processes.
Security and risk management leaders should:

■ Evaluate how these solutions can support and optimize broader security operations capabilities.
■ Integrate EDR as part of the overall SOAR architecture, as this will act as a productivity
multiplier.

Gartner, Inc. | G00380177 Page 13 of 20

 Table 6. Sample Vendors

Vendor Product, Service or Solution Name

Cyberbit EDR (SOC 3D)

IBM Resilient Security Orchestration, Automation and Response

Palo Alto Networks Demisto

Secureworks Red Cloak Threat Detection and Response (TDR), CTPx

Source: Gartner (December 2019)

Vendors Providing Unified Endpoint Security Platforms

Security and risk management leaders have been gravitating toward a more unified approach to
EDR. Less well-resourced organizations typically view technology as an expense or operational
necessity. Investment in these companies is being made in a unified endpoint security platform
versus prioritizing just EDR.

Security and risk management leaders in these organizations must:

■ Evaluate what type of endpoint security capabilities are essential and consider not only the cost
of the tools and hosting, but also the skills and resources needed for each.
■ Consider the pros and cons of investing in a best-of-breed solution versus a total cost of
ownership approach where multiple solutions are purchased together to minimize management
overheads.

As the cost of security solutions continues to rise, strains on staffing become more difficult and the
threat landscape becomes more complex, security and risk management leaders will move more
toward a unified solution (see Table 7).

Table 7. Sample Vendors

Vendor Product, Service or Solution Name

Cisco Advanced Malware Protection (AMP) for Endpoints

Check Point Software Technologies Sandblast

FireEye Endpoint Security and Helix

Trend Micro Apex One

Source: Gartner (December 2019)

Page 14 of 20 Gartner, Inc. | G00380177

 EDR for Incident Response and Forensics
Attacks and exploits affect systems, whether they are servers, workstations, mobile devices or
cloud workloads. If deployed across many enterprise endpoints, EDR tools allow security
operations staff to answer questions like “Which of our systems have been exposed to the
executable file that we have recently identified as a threat?” and “Does this process run on any of
our critical servers?” Ideally, EDR would be operational at the time of an incident, thus providing
valuable historical information, though EDR is still an important part of an incident responder’s
toolkit, even if not present when an incident begins. It can also provide containment of an incident
as part of the response by defenders or IR teams.

Increasingly, EDR vendors can offer an alternative or complementary capability to traditional e-

discovery and forensic tools because they are deployed to all managed devices (see Table 8). They
also provide a large database of historic data for analysis as well as a controlled and audited ability
to extract files and information from the devices themselves. Controlling risk and cost remain the
primary business drivers for seeking comprehensive and more effective e-discovery solutions.
Forensic data collection capabilities need to extend to the collection of information from various
data sources (email, document, application, website content) to endpoints and host systems and
storage media (server, hard drive, cloud, mobile devices). During the data collection process, data
must be secured and data integrity protected to ensure no tampering or interference is possible.
This process must be extremely accurate and auditable, especially when collecting device images/
files, which can be intrusive, time-consuming and costly.

Security and risk management leaders must:

■ Prioritize solutions that have built-in continuous monitoring and automation capabilities.
■ Integrate EDR as part of an e-discovery and/or forensic service to greatly reduce identification,
collection and analysis time as well as provide the initial steps to associated processes.
■ Utilize EDR to speed up IR activities. Have it in place before an incident occurs and have an
incident response retainer (IRR) in place to greatly reduce dwell time.
■ Use EDR to provide faster understanding of threat context, allow for real-time remote
investigations and provide a facility to examine historical information gathered from devices.

Tighter integration between regular MDR and active IR processes is needed in the future, as
organizations will need to seamlessly elevate their activity state from normal to incident level when
more frequent attacks are experienced.

Gartner, Inc. | G00380177 Page 15 of 20

 Table 8. Sample Vendors

Vendor Product, Service or Solution Name

1E Tachyon

Carbon Black CB ThreatHunter, CB Response

Kaspersky* Kaspersky Endpoint Detection and Response (EDR)

OpenText EnCase Endpoint Security

Tanium Tanium Endpoint Detection and Response (EDR)

*See Note 2

Source: Gartner (December 2019)

Combined Mobile Device and Desktop/Laptop EDR

As the use of mobile and smartphone technology continues to grow, these devices will increasingly
become a target for attackers to gain entry into an organization. Given that most users read email
on mobile devices and the limitations of the email clients, this makes it potentially harder to spot
phishing emails. Adding endpoint protection and security capabilities to mobile devices is
increasingly important.

“Market Guide for Mobile Threat Defense” describes the current state of the market, but at present
most deployments use MTD as a security add-on to unified endpoint management (UEM); however,
there are emerging use cases for mobile EDR. Given the current maturity of the market, security and
risk management leaders should include mobile devices in their long-term EDR strategy, but not
necessarily make it a hard requirement in their evaluation of solutions.

See“Magic Quadrant for Unified Endpoint Management Tools” and “The Long-Term Evolution of
Endpoints Will Reshape Enterprise Security.”

Some EDR vendors are already looking to integrate mobile into their solutions, but at present these
are relatively limited (see Table 9).

Table 9. Sample Vendors

Vendor Product, Service or Solution Name

CrowdStrike Falcon for Mobile

McAfee MVISION Mobile

Trend Micro Mobile Security

Source: Gartner (December 2019)

Page 16 of 20 Gartner, Inc. | G00380177

 Security Protection of Operational Technology
Devices that reside in manufacturing, operations and other isolated environments often require an
alternative approach to endpoint protection because these devices may not be visible from internet
or campus network management consoles and they may not have agents installed.

Gartner maintains a separate Market Guide covering solutions and vendors in this space (see
“Market Guide for Operational Technology Security”).

Market Recommendations
Traditional EPP products and modern EDR solutions have converged, and now nearly every vendor
not only includes EDR capabilities such as isolation, root cause analysis and threat hunting but also
uses a variety of protection and detection capabilities. Most vendors now include machine learning
(ML) detection of files to reduce the reliance on traditional signatures and combine this with
reputation services in the cloud to identify known malware as well as known good applications.

The result of the merging of EPP and EDR capabilities allows security and risk management leaders
to select a single vendor solution for both purposes and negates the need to deploy two solutions.
EDR should be deployed to all PC endpoints and to servers where these reside on shared networks
and/or are internet facing.

In addition, the core functionality of EDR tools is now more focused on the detection of and
response to advanced threats, fileless exploits and “living off the land” style attacks, with decreased
emphasis on older definition-based antivirus/anti-malware and blacklist/whitelist-based application
control.

The sophistication of EDR tools has been raised to meet the wave of more advanced threats and
stealthy attackers. Equally, the fact that detection is tuned to identify more suspect events, means
the skills and resources required to configure and operate these capabilities has also increased
significantly. This will require many organizations to resort to MSSP or MDR services to provide the
alerting, monitoring and proactive threat-hunting capabilities they lack.

This market is currently in a period of consolidation activity with many new acquisitions, mergers
and other destabilizing factors. This makes it essential for security and risk management leaders to
keep their strategy and investment plans as flexible as possible and to opt for shorter license terms
to match.

While it is not practical to switch vendors on an annual basis due to the large amount of project
effort associated with this, the trend toward cloud hosting of all infrastructure will, nonetheless,
allow for more frequent changing of vendors. This allows companies to take advantage of the
consolidation of vendors and affords the opportunity to deploy a single capability that provides
multiple integrated capabilities with unified management and reporting. All businesses will
appreciate the savings in management overhead and deployment time.

Gartner, Inc. | G00380177 Page 17 of 20

 With the need for increasingly sophisticated detection and response features, organizations will
stipulate more detailed and exacting specifications for vendors to meet. This will require more
precise and focused testing with a matching need for the proving of the capabilities. More use of
the MITRE ATT&CK framework will be made, to permit the alignment and verification of detection
and remediation capabilities.

Acronym Key and Glossary Terms

AI Artificial Intelligence (especially when used to identify and alert on unknown threats)

API Application Programming Interface (used to integrate separate services)

C2 Command and Control (a server or website used to direct malware on devices)

EPP Endpoint Protection Platform (provides prevention of malware and exploits)

EDR Endpoint Detection and Response (for postinfection stages of an attack or exploit)

MDR Managed Detection and Response (a managed service for EDR tools)

ML Machine Learning (e.g., where agents use mathematical determination of threats)

MSSP Managed Security Service Provider

SIEM Security Information and Event Management (gathers and analyses device logs)

SOAR Security Orchestration, Automation and Response (joins solutions with workflow)

SOC Security Operations Center (or also the team that works in it)

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

“Market Guide for Cloud Workload Protection Platforms”

“Select Endpoint Security Products With Confidence”

“Magic Quadrant for Endpoint Protection Platforms”

“How to Address the Skills Gap in Endpoint Security”

“Protecting Against ‘Living Off the Land’ Attacks”

“Critical Capabilities for Endpoint Protection Platforms”

“Market Guide for Vulnerability Assessment”

Page 18 of 20 Gartner, Inc. | G00380177

 “Market Guide for Managed Detection and Response Services”

“Magic Quadrant for Unified Endpoint Management Tools”

“Market Guide for Operational Technology Security”

Evidence
The Market Guide team referenced data from the following sources to complete this iteration:

■ Gartner analysts responded to more than 1,200 endpoint-security-related client inquiries since 2
January 2019.
■ More than 5,000 Peer Insights reviews and related search data on Gartner.com was referenced.
■ Data from a 260-question survey and one-hour demonstrations provided by 24 EPP/EDR
vendors conducted in 2Q19.

Note 1 Representative Vendor Selection

The sample vendors listed in each subsection of the Market Analysis section are representative only,
and each list is not intended to be exhaustive. The vendors and solutions provided are those that
most closely illustrate the marketplace trends described and provide the individual capabilities
described in each section. Vendors are listed in alphabetical order only, and the overall list of
representative vendors has been validated using Gartner.com search statistics as well as data from
Gartner’s Peer Insights website to ensure that the most frequently mentioned vendors/solutions are
represented.

Note 2 Kaspersky
In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky’s
software from their systems. Several media reports, citing unnamed intelligence sources, made
additional claims. Gartner is unaware of any evidence brought forward in this matter. At the same
time, Kaspersky’s initial complaints have been dismissed by a U.S. District of Columbia court.
Kaspersky has launched a transparency center in Zurich where trusted stakeholders can inspect
and evaluate product internals. Kaspersky has also committed to store and process customer data
in Zurich, Switzerland. Gartner clients, especially those who work closely with U.S. federal agencies,
should consider this information in their risk analysis and continue to monitor this situation for
updates.

Gartner, Inc. | G00380177 Page 19 of 20

 GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations,

visit http://www.gartner.com/technology/about.jsp

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of
Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication
has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner Usage Policy.
Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."

Page 20 of 20 Gartner, Inc. | G00380177