Booming $500 Million EDR market faces stiff challenges

By Avivah Litan | January 12, 2017 | 1 Comment

My colleague Lawrence Pingree and I just published a Competitive Landscape on the EDR market (see Competitive Landscape: Endpoint Detection and Response Tools) and found a booming market that more than doubled in 2016, from $238 million in 2015 revenue to about $500 million in 2016. Just four vendors – Tanium, FireEye, CrowdStrike and Carbon Black – account for over half of the EDR revenues.


Nonetheless, these and other EDR vendors face stiff market challenges they must meet if they are to remain competitive going forward. Here’s a summary of the challenges and trends that we discuss in our research note:

  1. Endpoint Security Functionality
  • Protection: Legacy EPP vendors in the $3.2 billion (2015) market are adding detection and response functionality to their products, and conversely EDR vendors must add endpoint protection to keep up. (Many already have.)
  • User behavior analytics: EDR applications examine processes, but enterprises want user context and user roll-ups for more meaningful and actionable alerts. Already, Gartner clients are using UEBA applications like E8 Security and Exabeam to ingest EDR data to make more sense of the reams of records therein. See Market Guide for User and Entity Behavior Analytics. Likewise, EDR vendors are planning to add UEBA functionality to their products so clients don’t have to go elsewhere.
  • Data and information analytics: Vendors like ThinAir use endpoint agents to offer protection and detection capabilities around data and information, giving enterprises actionable information that goes well above and beyond the system process view. Indeed, there’s an entire endpoint security market budding around information and data protection; see Market Guide for Information-Centric Endpoint and Mobile Protection.

  2. Managed Endpoint Security Services

  • Time-stretched and resource-constrained CISOs and security units simply don’t have the bandwidth to proactively wade through reams of EDR data hunting for threats and figuring out how to respond to them. Many CISOs are turning to managed threat hunting and response services, and EDR vendors need to offer these to stay competitive. Many already do, either on their own or through partnerships, e.g. CrowdStrike, Cybereason, and Carbon Black.
  • Our recent survey on buyer behavior shows that almost 60% of enterprises surveyed with on-premise EPP/MDM platforms plan to move to a managed endpoint security service in the next 24 months. See Survey Analysis: Trends in End-user Security Spending, 2017 for more information on this trend.


  3. Market Consolidation

  • We expect to see considerable consolidation in the endpoint security market going forward. Organizations with security budgets of $10 million or more use an average of 13 security vendors (the average across all enterprises is about 9 vendors), too high a number for most organizations. Indeed, about 90% of surveyed enterprises plan to consolidate the number of security vendors they use in the next 12 to 18 months.

Bottom line: As we point out in our Competitive Landscape report, the endpoint security market is growing, but providers face increasing pressure from many corners of the market. In the end, users want simple-to-use products with actionable information that don’t require highly skilled staff to manage. That means endpoint security products need to elevate the information and alerts they provide to the user and data level and further automate their response and remediation capabilities. And even after they do all that, many enterprises will still prefer managed services.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

1 Comment

  • Avivah, with the sale of IDC to a Chinese firm, I would like to explore the possibility of working for Gartner.

    After retiring from the Department of Defense and Distinguished Professorship at the George Mason University, I held the position as a leading security researcher at IDC.

    I was the global CIO of Xerox, Director of Defense Information of the DoD (DoD CIO) and CIO of NASA.

    You may be interested to know that I have an MS from the MIT Sloan School and was a good friend of Gideon Gartner.

    Can be reached at 203-966-5505.

    Best regards, Paul