Gartner Blog Network

Named: Endpoint Threat Detection & Response

by Anton Chuvakin  |  July 26, 2013  |  9 Comments

After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints: Endpoint Threat Detection & Response.

So, to summarize:

  • Category name: Endpoint Threat Detection & Response
  • Capabilities: see On Endpoint Sensing
  • Use cases: see Endpoint Visibility Tool Use Cases
  • Examples: Mandiant (MIR and MSO tools), CarbonBlack, Guidance Software (EnCase Cybersecurity [yes, that really is the name of the tool] and EnCase Analytics tools), RSA ECAT, CounterTack, CrowdStrike, etc.

The tools do have somewhat differing capabilities (such as the extent of data analysis performed on the agent vs the backend, collection timing and scope, integration of OOB indicators/intelligence, etc), but IMHO belong under the same general label.

By the way, a few other related tools may have broader functions and thus may justify a broader name – in their case the name “Endpoint Threat Detection & Response” can be applied to relevant tool capabilities and not to the entire toolset. Examples include Tanium, Bit9, HBGary, etc.

This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents) and tools’ primary usage for both detection and incident response. While some may argue that “endpoint” label may be seen as applicable to workstations and not to servers, this minor loss of precision seems acceptable for the sake of brevity (others will say that four words is already too long).

These tools usually do not focus on full disk image acquisition and analysis (traditional computer forensics), but some can acquire such data as well as perform other forensic functions. On the other hand, the “next gen” endpoint prevention/blocking/isolation-focused tools should get their own category – but they are not my problem at this point 🙂

There you have it! Thanks to everybody who participated in this discussion.

UPDATE (2015): these tools are now known as “EDR”; more research Gartner research refers to them as EDR tools. In essence, ETDR (2013) = EDR (2015).

Posts related to the same project:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on Named: Endpoint Threat Detection & Response

  1. Meghan Risica says:

    I think this title sums up the space pretty well. Thanks for your agonizing research efforts here!

  2. Naresh says:


    Thanks for the excellent research work on this. I am eager to learn to understand how the market is growing and the future holds for this market.

    Quick question for you – Do you see products such as Invincea and Bromium fall in this category or do they fit better in a different endpoint security category?

    The primary difference I see is that Bromium and Invincea specialize in protection and CB, Mandiant etc. specialize in detection and aid with IR.


  3. @naresh The purpose of this effort is to analyze the tools that are focused on investigations (primarily) and detection (somewhat) and NOT on blocking/isolation. So, these tools you mention do not full under the same label. Another analyst is looking at NG EPP and other advanced endpoint protection while I have my hands full with investigative tools.

  4. Naresh says:

    @Anton, thanks for the clarification. Could you tell me who is looking at that space?

  5. >who is looking at that space?

    What do you mean? What types of organizations? Who at Gartner does? Or something else?

  6. […] ← Named: Endpoint Threat Detection & Response […]

  7. Naresh says:

    I mean, who at Gartner is researching that area? Who can I talk to, to learn more about that specific market?

  8. @Naresh At this point, primarily myself – and to a lesser extent 2 other analysts (email me for the names)

  9. […] that we have a name [ETDR], let’s talk deployment strategies. On what systems in your organization do you want to deploy the […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.