XDR
Security category integrating endpoint, network, cloud and identity telemetry.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for XDR
Extended detection category whose procurement diligence shifts with vendor breaches
Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repositoryWhat is XDR in security?
What is the difference between EDR and XDR?
What is native XDR versus open XDR?
Background
Extended Detection and Response (XDR) is a security architecture and product category that aggregates telemetry from multiple control planes — endpoint (EDR), network, cloud workloads, email, and identity — into a unified detection and response platform. Where EDR gives analysts a view of a single host, XDR correlates activity across the entire attack surface so that a lateral-movement chain spanning three hosts and an identity provider can be reconstructed as a single incident. Leading vendors offering XDR platforms include CrowdStrike Falcon, Microsoft Defender XDR (formerly Microsoft 365 Defender), SentinelOne Singularity, Trellix XDR, Palo Alto Cortex XDR, and Trend Micro Vision One.
XDR emerged as a marketing and architectural category around 2018-2020, initially as vendor-proprietary "native XDR" platforms. Open XDR (or "hybrid XDR") approaches followed, allowing integration of third-party telemetry sources. The category is now the dominant framing for enterprise security platform procurement, often replacing separate SIEM, SOAR, and EDR tooling in mid-market organisations.
The Trellix source-code breach disclosed in U#3 affects both Trellix's EDR and XDR product lines. Trellix positions its platform as a unified XDR offering; exposure of detection logic, data-collection modules, and evasion-countermeasure code could allow sophisticated adversaries to tune attack tooling to reduce XDR detection rates before Trellix can push updated rules.