XDR
Security category integrating endpoint, network, cloud and identity telemetry.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for XDR
Extended detection category whose procurement diligence shifts with vendor breaches
Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repository
- What is XDR in security?
- XDR (Extended Detection and Response) is a security platform that unifies telemetry from endpoints, networks, cloud workloads, identity, and email to detect and investigate threats across the full attack surface, rather than one domain at a time.
- What is the difference between EDR and XDR?
- EDR (Endpoint Detection and Response) monitors and responds to threats on individual devices. XDR extends this to cover network traffic, cloud environments, identity systems, and email, correlating signals across all sources into unified incidents.
- What is native XDR versus open XDR?
- Native XDR uses a single vendor's telemetry sources, delivering tighter integration but less flexibility. Open XDR (hybrid XDR) ingests data from third-party tools as well, giving broader coverage at the cost of more integration work.
Background
Extended Detection and Response (XDR) is a security architecture and product category that aggregates telemetry from multiple security domains (endpoint via EDR, network, cloud workloads, email, and identity) into a unified detection and response platform. Where EDR gives analysts a view of a single host, XDR correlates activity across the attack surface on shared entities such as user, host, and session, so that a lateral-movement chain spanning three hosts and an identity provider can be reconstructed as a single incident rather than three disconnected per-host alerts. Leading vendors offering XDR platforms include CrowdStrike Falcon, Microsoft Defender XDR (formerly Microsoft 365 Defender), SentinelOne Singularity, Trellix XDR, Palo Alto Networks Cortex XDR, and Trend Micro Vision One.
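The EDR-versus-XDR distinction in the FAQ and the cross-domain correlation described in this paragraph, as an added example that is not code from Trellix or any XDR vendor. It normalises three constructed telemetry feeds (an assumed JSON-per-line EDR agent format, an assumed CSV identity-provider export, and an assumed network-sensor syslog line; none follows a real product schema) into a common event shape, which is the per-source integration work that open XDR takes on, then links events that share a host or user within a time window into incidents. The per-host view shows what EDR alone sees; the correlated view reconstructs the whole chain.

```python
"""Toy cross-domain correlator: an added example, not code from Trellix or any
XDR vendor. Log formats, field names and sample events are constructed for
illustration and follow no real product schema."""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str           # telemetry source: "edr", "idp" or "net"
    kind: str             # normalised event type
    entities: frozenset   # "host:<name>" / "user:<name>" keys used to link events
    detail: str


# One normaliser per source: the integration work open XDR takes on for
# third-party telemetry. All three input formats are assumed, not real.
def parse_edr(line: str) -> Event:
    """Assumed EDR agent format: one JSON object per line."""
    d = json.loads(line)
    ents = {f"host:{d['host']}"}
    if d.get("user"):
        ents.add(f"user:{d['user']}")
    return Event(datetime.fromisoformat(d["time"]), "edr", d["event"],
                 frozenset(ents), d.get("cmd", ""))


def parse_idp(line: str) -> Event:
    """Assumed identity-provider export: CSV of time,user,action,result."""
    ts, user, action, result = line.split(",", 3)
    return Event(datetime.fromisoformat(ts), "idp", action,
                 frozenset({f"user:{user}"}), result)


NET_RE = re.compile(r"^(?P<ts>\S+) netflow src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)$")


def parse_net(line: str) -> Event:
    """Assumed network-sensor line; one flow touches two hosts at once."""
    m = NET_RE.match(line)
    if m is None:
        raise ValueError(f"unparsed network line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), "net", f"flow_{m['proto']}",
                 frozenset({f"host:{m['src']}", f"host:{m['dst']}"}),
                 f"{m['src']}->{m['dst']} {m['bytes']}B")


# Constructed sample telemetry: a credential-theft and lateral-movement chain
# (alice, ws01 -> srv02) plus one unrelated benign event (bob on ws09).
EDR_LINES = [
    '{"time":"2026-05-01T09:01:10","host":"ws01","user":"alice","event":"process_start","cmd":"powershell.exe -nop -w hidden -enc <b64>"}',
    '{"time":"2026-05-01T09:02:00","host":"ws01","user":"alice","event":"lsass_access","cmd":"rundll32.exe comsvcs.dll MiniDump"}',
    '{"time":"2026-05-01T09:03:30","host":"srv02","user":"alice","event":"service_install","cmd":"sc create updsvc binPath= c:/tmp/u.exe"}',
    '{"time":"2026-05-01T10:30:00","host":"ws09","user":"bob","event":"process_start","cmd":"notepad.exe"}',
]
IDP_LINES = [
    "2026-05-01T09:00:00,alice,mfa_push,approved_after_3_denials",
    "2026-05-01T09:05:00,alice,role_grant,GlobalAdmin",
]
NET_LINES = ["2026-05-01T09:03:00 netflow src=ws01 dst=srv02 proto=smb bytes=48211"]


def load_events() -> list:
    return ([parse_edr(l) for l in EDR_LINES] + [parse_idp(l) for l in IDP_LINES]
            + [parse_net(l) for l in NET_LINES])


def per_host_view(events) -> dict:
    """What EDR alone shows: endpoint events bucketed per host; identity and
    network telemetry is invisible, so one chain looks like separate alerts."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.source == "edr":
            for ent in ev.entities:
                if ent.startswith("host:"):
                    by_host[ent[5:]].append(ev)
    return dict(by_host)


def correlate(events, window: timedelta = timedelta(minutes=15)) -> list:
    """XDR-style correlation: union-find over events that touch the same host
    or user within `window`; each connected component becomes one incident."""
    evs = sorted(events, key=lambda e: e.ts)
    parent = list(range(len(evs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    last_seen = {}  # entity key -> index of the most recent event touching it
    for i, ev in enumerate(evs):
        for ent in ev.entities:
            j = last_seen.get(ent)
            if j is not None and ev.ts - evs[j].ts <= window:
                parent[find(i)] = find(j)
            last_seen[ent] = i
    groups = defaultdict(list)
    for i, ev in enumerate(evs):
        groups[find(i)].append(ev)
    return sorted(groups.values(), key=len, reverse=True)


def names(events, prefix: str) -> set:
    """Distinct hosts ("host:") or users ("user:") a group of events spans."""
    return {e.split(":", 1)[1] for ev in events for e in ev.entities if e.startswith(prefix)}


if __name__ == "__main__":
    evs = load_events()
    print("EDR-only view:", {h: len(v) for h, v in per_host_view(evs).items()})
    for n, inc in enumerate(correlate(evs), 1):
        srcs = sorted({e.source for e in inc})
        print(f"incident {n}: {len(inc)} events, hosts={names(inc, 'host:')}, "
              f"users={names(inc, 'user:')}, sources={srcs}")
        for ev in inc:
            print(f"  {ev.ts.time()} {ev.source:<3} {ev.kind:<16} {ev.detail}")
```

Run as a script: the EDR-only view reports three hosts with one or two events each and never sees the MFA-fatigue approval, the SMB flow, or the admin role grant, while the correlated view yields one incident of six events spanning ws01, srv02, and alice across all three sources, with bob's notepad launch left as a separate singleton. The window is the important tuning knob: shrinking it to a few seconds splits the chain back into unrelated events, which is the same failure a real platform shows when its correlation scope is too narrow or its clocks disagree.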
XDR emerged as a marketing and architectural category around 2018-2020, initially as vendor-proprietary "native XDR" platforms; open XDR (or "hybrid XDR") approaches followed, adding ingestion of third-party telemetry sources. The category is now a dominant framing for enterprise security-platform procurement and, in mid-market organisations, often replaces separate SIEM, SOAR, and EDR tooling.
The Trellix source-code breach disclosed in U#3 affects both Trellix's EDR and XDR product lines. Trellix positions its platform as a unified XDR offering, so exposure of detection logic, data-collection modules, and evasion-countermeasure code could let a sophisticated adversary test attack tooling against the real detection rules offline and tune it to lower XDR detection rates before Trellix can ship updated content. Source exposure on its own is not the same as compromise of customer tenants; the diligence questions for an affected vendor are whether code-signing keys, build pipelines, or update channels were reachable from the breached repository, and how quickly exposed detection content is being replaced. Until those are answered, customers should treat the vendor-supplied detections as potentially known to attackers and keep independent detections layered alongside them.