State of Security 2026: XDR

proudly sponsored by
Sumo Logic
Saviynt
Virtual IT Group
Coreview
Brennan
Rubrik

The emergence of extended detection and response (XDR) platforms was a direct response to the need to correlate a growing volume of security telemetry across endpoints, cloud, identity, and networks, and the recognition that doing so through the addition of discrete tools would create an unsustainable management overhead.

In 2026, that requirement has hardened into expectation. Security teams increasingly want a single system that sees everything, connects everything, and responds in a unified manner.

According to Gartner research vice president Craig Lawson, one of the defining characteristics of the XDR market today is the continued blurring of boundaries around where XDR begins and ends, as capabilities traditionally delivered through discrete cybersecurity tools, including endpoint detection and response, network security, and SIEM, are incorporated into XDR platforms.

“When you look at threat detection and incident response, it’s a process or a capability involving people, process and technology,” Lawson said.

“It could be a SIEM, it could be an XDR, it could be an EDR – they all sit under the process of how we get better at threat detection and incident response. It’s more of a mindset change – how do we, in a multidisciplinary way, detect threats better and respond and contain them more effectively?

“A lot of the outcomes that we originally defined in XDR – a cloud scale centralised data lake, advanced analytics, better orchestration and automation – they are absolutely key battleground features.”

As XDR platforms have become more comprehensive, they have also driven a sharp increase in the volume of security data, compounding the challenge of how that data is analysed and acted on.

“We always tend to have more data than we can process, we pay a lot for it, and we tend not to have enough people,” Lawson said.

That tension is now driving the next phase of XDR’s evolution: the integration of artificial intelligence to make sense of that data, and to act on it at speed.

“These platforms are helping to address that in meaningful ways,” Lawson said.

“Built-in agentic AI is going to help with a lot of the operationalisation of security processes … and a lot more automation and orchestration is being delivered through that.”

But while AI is helping to operationalise XDR, it is also reshaping the environment those platforms are designed to protect.

As organisations adopt SaaS platforms and embed AI into their operations, the nature of threat detection and response is shifting beyond the environments that traditional tools were designed to secure. Security teams are being forced to rethink how they detect and respond to threats in SaaS applications and AI-driven systems, where endpoint-centric approaches offer limited visibility.

At the same time, attackers are increasingly exploiting identity rather than infrastructure, using valid credentials, session tokens, and misconfigurations to move through environments undetected.

This is driving the rise of identity threat detection and response (ITDR), which focuses on detecting and responding to attacks that target identities rather than systems.

Together, these shifts reflect a broader move towards zero trust architectures, where identity, visibility, and continuous verification replace the traditional network perimeter. Over time, ITDR may become a critical layer within XDR platforms, with identity acting as the primary control point for detection and response.

AI is also becoming part of that attack surface. As SaaS platforms embed AI into their core functionality, organisations are facing a proliferation of autonomous agents operating across their environments.

For security teams, the challenge is no longer just visibility of users and systems, but visibility of what those agents are doing, and what they have access to.

Despite these developments, organisations still face a familiar constraint: how to add capability without adding complexity.

“Buyers will always want fewer vendors, not more,” Lawson said.

Case study – Employers Mutual Limited

When your corporate datasets include intimate medical details on thousands of your clients’ workers, you need to employ the strictest security protocols.

Employers Mutual Limited (EML) is an Australian insurance service provider specialising in workers’ compensation insurance and claims management, servicing schemes including icare, WorkSafe Victoria, the South Australian Return to Work Scheme, as well as various private clients.

The company has grown quickly in the past decade and now holds significant volumes of personally identifiable information (PII), including highly sensitive records on behalf of people facing injury, illness or life-changing events.

For EML’s head of security and infrastructure, Leon Gelderblom, safeguarding this information has required substantial investment in the company’s extended detection and response (XDR) capabilities to maximise visibility.

“It is about being able to see any suspicious activity, and then automate the actions we need to take,” Gelderblom said.

Three years ago the company adopted an XDR capability from SentinelOne, replacing a more limited endpoint detection and response (EDR) solution.

“We wanted to expand and get more 24/7 coverage, but they weren’t as flexible and willing to work with us to expand our portfolio without significant cost impact,” Gelderblom said.

While Gelderblom entered the tool selection process with high expectations for competency, he said this was not the only factor influencing his evaluation criteria.

“I don't think any product is perfect,” he said.

“It’s about having the ability to raise queries when there are problems and knowing the supplier will work with you to resolve them.”

Since then EML has expanded its relationship with SentinelOne, adopting additional AI-powered, cloud-based SOC and SIEM services to improve its ability to derive intelligence from XDR data.

“We tend to limit the number of relationships we have, so we will look at an existing partner and see if they have the necessary capability when we want to expand,” Gelderblom said.

“(SentinelOne) was meeting our requirements, so it made sense for us to expand the service.”

This shift also enabled EML to retire its on-premises SIEM platform.

“Making the shift to a (cloud-based) SIEM eases our team’s burden from managing an on-premises capability,” Gelderblom said.

“We have a small team, and building a SIEM and a SOC service on premises is not sustainable. Having our telemetry going into SentinelOne, which was already looking at a lot of our EDR and XDR services, means we are combining that all into one. That gives us a single pane of glass that we can take actions on quickly.”

He added that the move has improved both efficiency and response times.

“There is always the danger that we might have missed a few things when we had the on-premises system. The burden on our team has eased up, and the AI service is analysing the logs a lot faster, so we can take the action as quickly as possible.”

This transition has also served to tighten the relationship between EML and its supplier. Gelderblom said that while initially the cloud-based SIEM generated a high volume of false positive alerts, over time SentinelOne and EML have fine-tuned its responsiveness to better reflect EML’s operations.

“It is about building trust with the service provider, so you can know when you need to care about an alert,” Gelderblom said.

A key element of EML’s strategy also includes ensuring that its workforce can identify and report threats.

“Our threat vector is very much composed of emails coming to our users,” Gelderblom said.

“That has not changed much, but the volume has significantly increased. So we have been focusing on awareness and making sure that users are vigilant and report things as quickly as they can.

“We have multiple layers, but no layer is 100 percent foolproof. If something reaches the endpoint, we need to know about it as quickly as possible so we can take the right action, be it automated or manual.”
