State of Security 2026: Endpoint Security

proudly sponsored by
Sumo Logic
Saviynt
Virtual IT Group
Coreview
Brennan
Rubrik

There was once a time when endpoint protection was the primary focus for cyber security, but those days are long past.

While protecting endpoints remains critical, this task has been swamped by a miasma of additional considerations, meaning many of the core tasks required for defending endpoints are now embedded in more capable tools.

Over time, however, even these are being incorporated into yet more powerful platforms. One example is endpoint detection and response (EDR), which became a critical source of detailed telemetry, capturing high-fidelity information on process execution, user behaviour, and system activity.

In recent years, however, EDR has been incorporated into extended detection and response (XDR). While EDR is a foundational capability, providing deep endpoint visibility, forensic investigation, and the host-level detection and response that broader platforms rely on, it is now only a component of what is required for threat detection and response.

This is even reflected in the work of the analyst firms, with Forrester retiring its Endpoint Security Wave report series altogether in 2026. Forrester’s reasoning was that while EDR had provided a way to watch for potentially malicious actions on endpoints, over time these capabilities had been assumed by XDR.

While effective EDR capabilities are critical, their value now comes through their ability to operate seamlessly within XDR or SIEM platforms, sharing data in a consistent format and enabling cross-domain analysis. In this model, the endpoint is no longer the primary control point, but one of several critical sensors contributing to a unified security posture.

While the market for EDR has evolved, there are still numerous pockets of more traditional endpoint protection that are fighting on. One of these is antivirus protection, which has undergone its own evolution from matching signatures to monitoring behaviour. According to the Business Research Company, the global antivirus software market reached US$4.19 billion ($6.01 billion) in 2025, and is expected to grow to US$5.75 billion ($8.25 billion) in 2030.

Host-based firewalls also continue to play a critical role in controlling inbound and outbound traffic at the device level and enforcing segmentation and policy locally, and are now seeing greater integration with identity and device posture capabilities as part of zero trust enforcement.

Device control and data loss prevention (DLP) also sit within the realm of endpoint protection and have experienced tighter alignment with identity and classification systems, as the focus moves from protecting devices to protecting data through the devices. DLP is a small but fast-growing market, whose value is estimated by Markets and Markets as being worth US$8.9 billion ($12.8 billion) by 2028.

Unified endpoint management (UEM) tools also remain prominent, performing tasks such as device provisioning and configuration, policy enforcement, patching and updates, and application deployments, and supporting zero trust programs through device posture. The market for UEM is estimated by Mordor Intelligence to be worth US$8.85 billion ($12.7 billion) in 2026, rising sharply to US$27.83 billion ($39.94 billion) in 2031.

However, while these technologies are still critical, they are increasingly being evaluated and deployed as part of broader platforms.

Endpoint protection has not diminished in importance, but it has been redefined, and functions as a critical source of telemetry within broader, integrated security platforms rather than being the primary line of defence.

As much as endpoint security might be disappearing in its traditional form, it is actually becoming more valuable, precisely because it is no longer standing alone.

Case Study: Cleanaway Waste Management

Australian waste, recycling, and resource recovery services company Cleanaway Waste Management is consolidating its sprawling mix of cybersecurity tools in response to a rapidly changing threat landscape.

According to Cleanaway’s chief security officer James Court, the company’s global expansion has altered its threat exposure, and he has also witnessed a recent significant change in threat actor behaviour. These factors have forced a rethink of how Cleanaway protects an environment that includes well over 15,000 assets.

“Up until recently (threat actor activity) was all about gaining access to systems and ransomware,” Court said.

“But now it is purely destructive. We’ve had to pause and ask if we have the right business continuity and resiliency processes in place.”

Cleanaway operates a highly distributed and mixed technology environment, including corporate IT and mobile devices (many of which are fitted directly to its fleet of 4800 trucks), as well as numerous unmanaged devices, and operational technology (OT) assets including fuel bowsers and weather stations.

Court said that while thousands of endpoints were covered by modern detection and response tools, a subset of devices remained difficult to secure using standard approaches.

Although Cleanaway was not included under the Security of Critical Infrastructure (SOCI) Act of 2018, Court said the company’s involvement in complex supply chains, particularly in industries such as healthcare, meant he was sensitive to third party risk. The endpoint challenge had also been further complicated by the company’s expansion into New Zealand and the Middle East.

According to Court, this complexity has led the company to take a layered approach.

“One endpoint capability doesn’t tick all of the boxes for us,” Court said.

“There is a varying mix of technologies we use, so not one (cyber) capability fits every situation for us.”

Cleanaway’s platform currently includes endpoint protection from CrowdStrike and Microsoft, as well as OT protection from Claroty.

While its cybersecurity stack has consisted of more than 20 suppliers, Court said this was being consolidated around five strategic vendors. While this would deliver cost and efficiency benefits, Court said the company would maintain its commitment to defence in depth and would carefully examine how these changes influenced its long-term security posture.

“I hate platform-isation, because it locks you into a vendor, and you then have to think about their roadmap,” Court said.

“But we need to do more with less - it’s not going to be an endless, bottomless bucket of money.”

Court said Cleanaway was also 18 months into a Zero Trust transformation, with investments in identity and access management (IAM) and SD-WAN connectivity. Critical to this work has been its investment in identity as a key tool for endpoint threat management, with Court warning that organisations that failed to implement mature IAM programs faced significant blind spots, especially where endpoint agents could not be deployed.

“You can’t separate identity from the endpoint now,” Court said.

“You have to look at them together, because there can be important context that you miss otherwise.”
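The two ideas that run through this piece, endpoint telemetry shared in a consistent format with a SIEM or XDR platform, and endpoint events read together with identity context, can be shown in a small correlation script. The following is an added example written for this page; it is not code from the article, from Cleanaway, or from any vendor named here. The raw field names of the two feeds (`ts`/`hostname`/`image` for the EDR side, `time`/`subject`/`device` for the identity side) are assumptions standing in for whatever a real product emits, and every event is a constructed sample.

```python
"""Normalise EDR process events and IdP sign-in events into one schema, then
judge each process start against the identity context that preceded it.
All events are CONSTRUCTED samples; the raw field names are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed raw EDR process-start events (assumed vendor-like shape)
RAW_EDR = [
    {"ts": "2026-03-02T09:14:07Z", "hostname": "truck-tab-0412", "user": "JDoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe", "pid": 4312},
    {"ts": "2026-03-02T10:02:11Z", "hostname": "CORP-LT-221", "user": "asmith",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "pid": 771},
    {"ts": "2026-03-02T11:30:45Z", "hostname": "CORP-LT-221", "user": "jdoe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "pid": 902},
]
# Constructed raw identity sign-in events (assumed IdP-like shape)
RAW_IDP = [
    {"time": "2026-03-02T09:11:40Z", "subject": "jdoe", "device": "TRUCK-TAB-0412",
     "result": "success", "mfa": False, "compliant": False},
    {"time": "2026-03-02T09:58:00Z", "subject": "asmith", "device": "CORP-LT-221",
     "result": "success", "mfa": True, "compliant": True},
]

# User-writable locations from which a process start deserves a second look
SUSPICIOUS_PATHS = ("\\appdata\\local\\temp\\", "\\downloads\\")


def parse_ts(s: str) -> datetime:
    """Both constructed feeds emit ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_edr(evt: dict) -> dict:
    """Map a raw EDR event onto the common schema (time/source/host/user/action/attrs)."""
    return {"time": parse_ts(evt["ts"]), "source": "edr",
            "host": evt["hostname"].upper(), "user": evt["user"].lower(),
            "action": "process_start",
            "attrs": {"image": evt["image"], "pid": evt["pid"]}}


def normalize_idp(evt: dict) -> dict:
    """Map a raw IdP sign-in onto the same common schema."""
    return {"time": parse_ts(evt["time"]), "source": "idp",
            "host": evt["device"].upper(), "user": evt["subject"].lower(),
            "action": "signin_" + evt["result"],
            "attrs": {"mfa": evt["mfa"], "compliant": evt["compliant"]}}


def latest_signin(idp_events, user, host, before, window):
    """Most recent successful sign-in by this user on this host within the window."""
    hits = [e for e in idp_events
            if e["user"] == user and e["host"] == host
            and e["action"] == "signin_success"
            and before - window <= e["time"] <= before]
    return max(hits, key=lambda e: e["time"]) if hits else None


def assess(edr_event, idp_events, window=timedelta(hours=1)):
    """Return the reasons (if any) a process start warrants analyst attention."""
    reasons = []
    if any(p in edr_event["attrs"]["image"].lower() for p in SUSPICIOUS_PATHS):
        reasons.append("process image launched from user-writable path")
    signin = latest_signin(idp_events, edr_event["user"], edr_event["host"],
                           edr_event["time"], window)
    if signin is None:
        reasons.append("no successful sign-in for this user on this host within window")
    else:
        if not signin["attrs"]["mfa"]:
            reasons.append("preceding sign-in did not use MFA")
        if not signin["attrs"]["compliant"]:
            reasons.append("device posture non-compliant at sign-in")
    return reasons


def correlate(raw_edr, raw_idp, window=timedelta(hours=1)):
    """Normalise both feeds, then emit one finding per process start with reasons."""
    edr = [normalize_edr(e) for e in raw_edr]
    idp = [normalize_idp(e) for e in raw_idp]
    findings = []
    for e in sorted(edr, key=lambda x: x["time"]):
        reasons = assess(e, idp, window)
        if reasons:
            findings.append({"time": e["time"].isoformat(), "host": e["host"],
                             "user": e["user"], "image": e["attrs"]["image"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(RAW_EDR, RAW_IDP):
        print(f"{f['time']} {f['user']}@{f['host']} {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed input, the tablet process start collects three reasons (temp-path image, no MFA, non-compliant posture), the Excel launch collects none, and the Outlook launch is flagged only because the user's last sign-in was on a different device. That last case is the point Court makes: the endpoint event alone looks benign, and only the identity feed supplies the missing context. The absence-of-sign-in rule is written for interactive user accounts; service accounts and hosts without an IdP agent would need their own baseline before this rule is applied to them.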


Security Champions

The 2026 State of Security sponsors have worked tirelessly to improve the safety of end user organisations.

We are proud to present this year's State of Security champions, and showcase the work they do.

Sumo Logic
Saviynt
Virtual IT Group
Coreview
Brennan
Rubrik
