Dazed and Confused by the XDR Telenovela?

Gorka Sadowski
4 min read · Jul 28, 2021

Confusing drama? Intrigue? Passion? Cliffhangers? Look no further than the XDR Telenovela and its never-ending stream of episodes.

New episodes — the plot thickens

If you are a technology buyer for the SOC I bet the XDR Telenovela is programming you could do without. Every day, there seems to be a new dramatic episode. Yet another definition for what XDR is, needs to be, should be, could be, and would like to be. And with them, new characters, and story lines for viewers to chew on.

If you are looking at an XDR solution, this is a tough spot to be in. I know I would be frustrated.

It is not all doom and gloom, and there is some good news. A couple of recent blogs have highlighted the drama and, interestingly, made a good case for an XDR definition that emphasizes the need for a more open approach. For example, Omer Singer in his “The shortest XDR definition”, or Oliver Rochford in his “The great XDR versus X-EDR debate”. And I have been blogging about this for a while now, for example in this discussion of pros and cons of native XDR versus open XDR.

Each of our blogs also points to the same problem: most XDR definitions cannot agree on what exactly XDR is. This creates confusion in the marketplace for end users who are already overwhelmed managing and integrating an average of more than 19 SOC tools, all while trying to provide efficient threat detection, investigation, and response (TDIR) to their organizations.

Here are some thoughts that most people can agree with:

  • Yes, EDR is an essential element of XDR.

    o But is EDR enough? Today’s attack surface is extraordinarily complex: a post-Covid workforce that works remotely, often on unmanaged devices, while most organizations are considering or embracing cloud-first initiatives. Endpoint visibility alone does not cover that surface.

  • Yes, the pre-integration that single-vendor ecosystems offer is interesting and valuable.

    o But are these single-vendor offerings actually well integrated (or is this more Telenovela drama)? And what about organizations that are concerned about vendor lock-in and want a best-of-breed approach?

  • Yes, XDR use cases can be covered by some of the leading SIEMs (e.g., Exabeam).

    o But what if an organization does not want to persist its data? What if it has no compliance-driven retention requirement? For organizations that fear being overwhelmed by a SIEM and just need TDIR, an XDR is an interesting and relevant alternative.

Overcoming the Telenovela — finding a common definition

From my Gartner days, I know that the ideal definition for XDR, or any emerging category, is not necessarily the simplest or the most complete, but the one that is:

  • Simple and clearly understood by everyone
  • Precise enough to differentiate XDR from adjacent technologies such as SIEM
  • Yet inclusive enough to be embraced by key stakeholders and to promote collaboration among the broader community of vendors, service providers, end-clients, press and analysts.

Because XDR is focused on detection and response (and let’s not forget investigation and threat hunting) across an extended set of technologies in organizations, it takes a community to promote an acceptable XDR definition. It is this community that needs to come together, agree on a definition, promote it in the marketplace, and work to make it a reality.

If we do not reboot the XDR Telenovela and start to collaborate, the attackers win, and the industry and our customers lose.

Exploring an XDR definition — let’s focus on expectations and outcomes

Why can’t we produce a definition that is end-user focused, results-oriented and rooted in the mission of XDR? Do we really need to place an emphasis on specific tools or create an arbitrary requirement for all pieces to be from the same vendor? Sounds dramatic to me …

Let’s make an XDR definition that is simple and encompassing yet captures the unique characteristics of the XDR approach. I think we can all agree that XDR is about solving organizations’ TDIR problems as best as possible. This means offering coverage against a wide set of threats, delivering short time-to-value, and performing efficiently using advanced analytics and automation to maximize human capital.

Here are some thoughts after much research and many conversations with clients, vendors, and industry analysts:

“XDR is a set of technologies required to easily deliver on threat detection, investigation, and response outcomes for common use cases, with the following characteristics:

  • Cloud-delivered and cloud-ready
  • Focused on TDIR
  • Offers coverage for threat-centric use cases (trivial to sophisticated)
  • Accommodates today’s heterogeneous environments
  • Enables immediate time-to-value as a turnkey solution”

Millions of people love their Telenovelas, and we support viewing habits of every kind, but we think it is time to simplify the XDR Telenovela, work on a definition that many vendors have already embraced, and leave the drama where people want it.

Stay tuned for more from us on this topic.



Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.