When it comes to discussing the future of eXtended Detection and Response (XDR) technologies, the key challenge today is embedded in its name - just how far its capabilities can be extended.
Since its emergence towards the end of the last decade, XDR has evolved beyond its origins in Endpoint Detection and Response (EDR) to achieve maturity across multiple security layers.
Over time its creators have looked further afield for growth, leading them to add functionality that was traditionally found within Security Information and Event Management (SIEM) tools.
According to Forrester’s principal analyst, Allie Mellen, this convergence was demonstrated by XDR companies purchasing data lake providers and log management and observability platforms. These transactions showed how XDR providers saw an opportunity to win over SIEM customers who were frustrated by high costs and continuous maintenance requirements.
“What the XDR vendors are looking to do is to provide an easier route to getting the use cases that you have in the SIEM resolved within XDR,” Mellen said. “Many users are pretty interested in this, because the other factor here is that they have data that is duplicated in multiple places. They then need to either bring that data into the SIEM for additional correlation or try to accomplish everything they can in XDR.”
The growth of XDR is shown clearly in global revenue estimates for the sector. The Business Research Company estimated the market for XDR had leapt in value from US$161 million ($254 million) in 2023 to US$2.12 billion ($3.34 billion) in 2024, at a compound annual growth rate of 31.9 percent.
That’s not to say that the market for SIEM didn’t remain healthy, however. While the growth of the SIEM market was not as impressive, its longer history meant it was growing from a larger base, with Research and Markets projecting a compound annual growth rate for SIEM of 14.1 percent as spending rose from US$6.27 billion ($9.87 billion) in 2023 to US$12.1 billion ($19.1 billion) by 2028.
And while some of the growth of XDR might be coming at the expense of the EDR market that spawned it, Grandview Research projected that EDR would grow at a compound annual growth rate of 24.9 percent, rising from US$4.39 billion ($6.91 billion) in 2024 to reach US$16.89 billion ($26.6 billion) by 2030.
According to Gartner’s research vice president for cloud security and security operations Craig Lawson, the lines between each market segment will only continue to blur, but what sets XDR aside from its forebears and competitors is the nature of its customer base.
“Historically, a lot of new and disruptive security technology has been top down – firewalls, EPP, EDR and SIEM – the list goes on,” Lawson said.
“XDR however is bottom up, and so that is really disruptive. The biggest consumers of XDR today are smaller organisations of 500 to 5000 seats, and there are hundreds of thousands of businesses that are that size. They tend to have smaller teams, and an attitude of wanting to get more done with fewer products.”
Lawson said this market distinction is especially important because organisations of this size generally cannot afford to implement a traditional SIEM, and hence provide a fertile market for XDR providers to sell additional SIEM capabilities into.
“Clients want more than just a fancy endpoint (protection) - they are looking for genuine convergence,” Lawson said. “And XDR in theory should be easier to operate and it should detect and respond to threats fast.”
Another area where Lawson sees XDR providers strengthening their value is in the evolution of the ‘R’ component of XDR.
“XDR at a minimum has to have an orchestration automation capability,” Lawson said. “You’ve got more signals coming in to make a more authoritative detection, but you also have more signals coming out in how you can respond to a threat, and that is a big deal because traditionally it was a point solution approach.”
According to Mellen, XDR providers are also seeking to differentiate by pushing further into the cloud, including the incorporation of identity capabilities, to provide higher-quality detections.
“That is how they are able to differentiate on the detection and response capabilities, because so much data has moved to the cloud and so many of the attacks are targeting cloud resources, that that is an area that complements the traditional endpoint detection capabilities,” Mellen said.
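The two ideas both analysts describe, more signals coming in from endpoint, identity and cloud layers to make a more authoritative detection, and more response options coming out of that detection, can be shown with a small correlation routine. The following is an added illustration written for this article, not any vendor's detection engine; the signal names, weights, the 15-minute window, the 70-point threshold and the playbook actions are all constructed for the example.

```python
"""Cross-layer correlation in the XDR style: fuse endpoint, identity and cloud
signals for one user, score the cluster, and map it to response actions.

Added example for this article. All signal names, weights, thresholds and
sample events are constructed, not taken from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # sensor layer that produced it: "endpoint", "identity" or "cloud"
    user: str
    host: str     # "-" when the layer carries no host context
    signal: str   # normalised signal name (constructed vocabulary)
    weight: int   # constructed confidence contribution of this signal alone


@dataclass
class Finding:
    user: str
    score: int
    sources: tuple   # distinct layers that contributed to the cluster
    signals: tuple
    hosts: tuple
    actions: tuple   # empty unless the score clears the response threshold


# Constructed sample telemetry: alice is seen by all three layers within a few
# minutes, then again later by one layer; bob trips a single endpoint signal.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 4, 9, 0), "identity", "alice", "-", "impossible_travel_login", 40),
    Event(datetime(2025, 3, 4, 9, 4), "endpoint", "alice", "WS-17", "script_download_cradle", 35),
    Event(datetime(2025, 3, 4, 9, 7), "cloud", "alice", "-", "storage_bulk_download", 35),
    Event(datetime(2025, 3, 4, 9, 30), "identity", "alice", "-", "mfa_prompt_burst", 30),
    Event(datetime(2025, 3, 4, 13, 0), "endpoint", "bob", "WS-22", "script_download_cradle", 35),
]

# Constructed response playbook: each layer that saw the activity contributes
# the containment step that layer can carry out (the "signals coming out").
PLAYBOOK = {
    "endpoint": "isolate_host",
    "identity": "revoke_sessions",
    "cloud": "disable_access_keys",
}

CONFIRM_THRESHOLD = 70   # constructed: minimum score before automated response
LAYER_BONUS = 10         # constructed: reward for each additional distinct layer


def correlate(events, window=timedelta(minutes=15), threshold=CONFIRM_THRESHOLD):
    """Group events by user, split each user's timeline into windows anchored
    at the first event of a cluster, and score every cluster.

    Score = sum of signal weights + LAYER_BONUS per distinct layer beyond the
    first, so the same activity seen by three layers outranks three alerts
    from one layer. Returns one Finding per cluster, in time order.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        cluster = []
        for e in evs:
            if cluster and e.ts - cluster[0].ts > window:
                findings.append(_score(user, cluster, threshold))
                cluster = []
            cluster.append(e)
        if cluster:
            findings.append(_score(user, cluster, threshold))
    return findings


def _score(user, cluster, threshold):
    sources = tuple(sorted({e.source for e in cluster}))
    score = sum(e.weight for e in cluster) + LAYER_BONUS * (len(sources) - 1)
    hosts = tuple(sorted({e.host for e in cluster if e.host != "-"}))
    actions = tuple(PLAYBOOK[s] for s in sources) if score >= threshold else ()
    return Finding(user, score, sources, tuple(e.signal for e in cluster), hosts, actions)


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.user:6} score={f.score:3} layers={f.sources} actions={f.actions or 'none'}")
```

Run stand-alone, alice's first cluster scores 130 across three layers and gets all three playbook actions, while her later single-layer event and bob's lone endpoint signal stay below the threshold and produce no automated response. That gap is the point the analysts make: a single layer gives a lead to triage, the fused view gives a detection confident enough to act on.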