EDR Tool Wins – Only For The Enlightened?

By Anton Chuvakin | April 25, 2016 | 4 Comments


We are nearing the end of our Endpoint Detection and Response (EDR) research project; we just pushed our first paper – on EDR operational practices – into review and are concentrating on a technology comparison paper, a more difficult effort.

One thing has emerged from many of the recent conversations with EDR vendors and users. The thing we secretly suspected, but feared to explicitly say – until we have more data.

What IS this thing?

So far in our experience, EDR tool WINS (= examples of wildly successful deployments) tend to be concentrated at highly mature, “Type A of Type A”, lean-forward, advanced security organizations.

Huh? Are you simply saying that “if you are better at something, things tend to be better for you”? Or are you saying “warning: EDR is a tool for security 1%-ers?”

Not exactly! We are a bit more careful here and we are not branding EDR “a 1%-er tool.” However, success with EDR is found more often in the land of 10+ person SOCs and full-time standing CIRTs, rather than in the land of “we just hired our 1st security person.”

When buying an EDR tool, please be aware of that!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • Matthew Gardiner says:

    Don’t think it is uncommon or surprising that innovations start to be adopted by innovators. After all, innovators are people that understand the need, have the capabilities to address, and take chances with new approaches... by definition. The trick of course with the vendors of the innovations is not to stop with the innovators, just to start with them.

  • Paul Jaramillo says:

    I could make this same statement in regards to the majority of security technologies. In fact, most organizations can’t even maximize the value of native data sources like DNS logs. Many aren’t even applying good egress filtering rules to their firewalls. Most still are behind the curve on the patching treadmill. This is more an indictment of the majority of organizations’ security leadership and staff effectiveness and expertise. Who is responsible for closing that gap?

    • Thanks for the comment — sure, “good people are usually good” and “most people aren’t.” Agreed! 🙂

      Still, IMHO with EDR we see a bit more of a skew to success requires good, mature sec ops / IR, rather than just is more likely