Gartner Blog Network


EDR Tool Wins – Only For The Enlightened?

by Anton Chuvakin  |  April 25, 2016  |  5 Comments

We are nearing the end of our Endpoint Detection and Response (EDR) research project; we just pushed our first paper – on EDR operational practices – into review and are concentrating on a technology comparison paper, a more difficult effort.

One thing has emerged from many of the recent conversations with EDR vendors and users: the thing we secretly suspected, but feared to say explicitly until we had more data.

What IS this thing?

So far in our experience, EDR tool WINS (= examples of wildly successful deployments) tend to be concentrated in highly mature, “Type A of Type A”, lean-forward, advanced security organizations.

Huh? Are you simply saying that “if you are better at something, things tend to be better for you”? Or are you saying “warning: EDR is a tool for security 1%-ers?”

Not exactly! We are a bit more careful here, and we are not branding EDR “a 1%-er tool.” However, success with EDR is found more often in the land of 10+ person SOCs and full-time standing CIRTs than in the land of “we just hired our first security person.”

When buying an EDR tool, please be aware of that!

Blog posts related to our current EDR research:


Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on EDR Tool Wins – Only For The Enlightened?


  1. Matthew Gardiner says:

    Don’t think it is uncommon or surprising that innovations start to be adopted by innovators. After all innovators are people that understand the need, have the capabilities to address, and take chances with new approaches….by definition. The trick of course with the vendors of the innovations is not to stop with the innovators, just to start with them.

  2. Paul Jaramillo says:

    I could make this same statement in regards to the majority of security technologies. In fact, most organizations can’t even maximize the value of native data sources like DNS logs. Many aren’t even applying good egress filtering rules to their firewalls. Most still are behind the curve on the patching treadmill. This is more an indictment of the majority of organizations security leadership and staff effectiveness and expertise. Who is responsible for closing that gap?

    • Thanks for the comment — sure, “good people are usually good” and “most people aren’t.” Agreed! :-)

      Still, IMHO with EDR we see a bit more of a skew to success requires good, mature sec ops / IR, rather than just is more likely

  3. […] first EDR paper is about to be published, but I wanted to draw your attention to my favorite topic – the use […]


