Blog post

Reality Check on EDR / ETDR

By Anton Chuvakin | July 23, 2015 | 6 Comments


How exciting is Endpoint Detection and Response (EDR) technology? — Sorry to piss on your parade, but for many organizations it is NOT exciting at all.

Look, it is hard for me write this since personally I am super-excited about EDR / ETDR [hey, I came up with the original name]. Also, given the open source EDR-like options (GRR, MIG, El Jefe and the new one, Lima Charlie [updated Jan 2016]), the level of excitement is clearly high enough for some organizations to write and open-source their own. Also, there are now dozens (!) of vendors that promise EDR tools, EDR-like functionality, etc [some are new, some are “intruding” on the security domain from system management domain; even some SIEM tools that have flexible collection agents can sometimes be used in a pinch as a “toy EDR”]

Still, despite all this e-x-c-i-t-e-m-e-n-t, I see a lot of snoozing faces in the crowd … and why is that?

What are some of the EDR / ETDR headwinds:

  • Agent-based approach of most EDR tools: while we are seeing a bit of a revival of the agents, a lot of organizations hate security-focused agents with such passion that nothing (literally – not metaphorically, BTW!) will make them deploy yet another agent. You may have the smallest, safest, “effective-est” EDR in the galaxy … yet your prospective customers will still hate you with a passion [only because some stupid fat agent killed their dear Excel or slowed the system to a crawl 5 years ago]. Of course, I am watching the attempts to create a decent “agentless EDR” with much elation …
  • Woeful immaturity of monitoring and IR practices at many organizations: given the fact that EDR tooling makes certain tasks (like checking what is running on all your machines, etc) easier, there is an implication that there is a desire to perform those tasks and that there is somebody to actually do those tasks…
  • It seems like there are more skilled network security analysts than – eh … see, there isn’t even a name for it – “endpoint security analysts”: lots of people can say “this packet looks weird”, but much fewer can credibly say “this process looks weird” [I dunno…this one may be a stretch. What do you think?]

As I said to somebody “focus on the endpoint” may be a trend, but it does not mean it is operationally feasible for a lot of companies.

Finally, what about the stinking elephant in the room? The ANTI-VIRUS. My recent EDR-related clients calls (and there, BTW, very few of those) seem to be all about the blocking/prevention/mitigation features of the EDR tools, so the clients were not looking for endpoint visibility and better situational awareness, but for a less-abominable AV.

To me, that is nice, but entirely separate, and (IMHO) we need both:

  • Better AV, “NG AV” that focuses on better prevention (e.g. see this excellent GTP document), but also …
  • Better endpoint visibility, “EDR proper” that focuses on knowing what the hell is happening on your endpoints.

Yes, there will be some cross-over and hybridization, but the needs ARE separate. If you deploy an EDR tool while secretly hoping for a “better AV” tool, you are going to FAIL TWICE.

FYI, all Gartner papers on EDR / ETDR are listed below [2 require Gartner access and 1 requires Gartner GTP access]:


Possibly related posts on EDR / ETDR:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Glenn says:


    Glad to see you tackle this as it as the time has arrive.

    Some major clients make heavy investments in state of the art (AV) if there is such a thing, however they have made the same level of investments in EDR as they need to rely on both as neither one will do all.

  • Matthew Gardiner says:

    The sweet spot buyer of ETDR from RSA (ECAT) are organizations with IR practices (SOC/CIRC) that they need to make more efficient. Usually led by the malware analyst (or the guy that usually handles the malware related investigations)that would really like most investigations to not come to him and be resolved by lower level analysts. But agreed if organizations are still stuck in a purely preventive security mindset, the value of better detective and investigative capabilities will be lost on them.

    • Thanks a lot for your comment, Mattew. Indeed, the enlightened orgs do know what to do with their EDR / ETDR tools, but the interesting question is how low towards the mainstream can it spread?

  • Neil MacDonald says:

    er, some amount of disillusionment is normal as new technologies move through Gartner Hype Cycle… reflects relative immaturity of the technology, don’t mistake that for irrelevance or failure. Most go on to the “plateau of productivity”

    • Thanks a lot for the comment, Neil. Indeed, ERD is new and “fresh”, and we need to figure out [eventually] how much down into the mainstream it can/will go….

      No need to mention irrelevance – if people write their own, it is definitely relevant for some 🙂