Blog post

Endpoint Threat Indication & Response?

By Anton Chuvakin | July 18, 2013 | 11 Comments

securityincident responseendpoint

As I mentioned in my previous posts (Endpoint Visibility Tool Use Cases and On Endpoint Sensing), the tools that I am researching now need a category name. This space/segment has really no accepted name: vendors call them “endpoint visibility”, “endpoint intelligence”, “endpoint analytics”, “host investigations”,”compromise assessment”, etc. The name “endpoint forensics” is typically reserved to a much more in-depth analysis of an individual system and likely won’t be used for this.

Other choices suggested are “endpoint malware and attack investigation tools”, “endpoint investigation and assessment tools”, “endpoint reconnaissance”, “endpoint security Inspection”, “endpoint compromise assessment”, “endpoint incident triage”, etc.

My current favorite is “Endpoint Threat Indication & Response” – what do you think?

Vendors, you MUST comment on this one (either here or via email or other means). After all, you need a good name for your segment more than I do for my research 🙂

P.S. The waters are muddier since some vendors offer a degree of action, prevention, mitigation or management, not just detection and collection/investigation. Assuming this is a secondary capability for the tool, we can probably ignore it for now…

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Added:


  • Chad says:

    I’m partial to ‘endpoint compromise assessment’ because we have a tool … ECAT .. you get the idea.

    Endpoint Threat Indication & Response seems like a mouthful. Endpoint Analytics, while not as exact, seems catchier and get the spirit of it.

    Alternately, Endpoint Incident Reponse – EIR.

    – Chad

  • @chad

    Thanks a lot for the ideas. I am extremely happy that you are not exclusively married to “endpoint compromise assessment” name (which I actually like)…

  • Friv 10 says:

    Thank you, I’ve recently been looking for info about this subject for a while and yours is the best I’ve discovered till
    now. But, what about the conclusion? Are you positive concerning the supply?

  • Deepayan Chanda says:

    Hello Anton,

    I Like the term “Endpoint Threat Response”, because this category deals with all different areas of security issues related to endpoint and then responding to it is the final goal. Let me know. you may respond to me via my email.

  • End Point Inteligence Collection (EPIC)

  • Dave, thanks for the epic idea 🙂

  • Greg Pergament says:

    There are a number of these tools in the market. Some have protection capabilities while others are strictly for investigative purposes. Is the mission of these tools to identify IOCs and trace originator and root cause? I’m partial to host rather than endpoint.
    Host Compromise Analysis Tools

    Although, if you want to include remediation then…
    Host Incident & Response Tools

  • Greg, thanks for the comment. Endpoint -> host sort of makes sense as some people think that endpoints = desktops/laptops

  • Bob West says:

    I like endpoint analytics or endpoint visibility – the fewer words the better!!

  • @bob Thanks – but these are too vague (short is good, but vague is bad)