
Expel, CrowdStrike, Red Canary Dominate MDR Forrester Wave

Secureworks, Binary Defense Tumble From Leaders Category as Winners Start to Emerge

Expel, CrowdStrike and Red Canary held steady atop Forrester's managed detection and response rankings, while Secureworks and Binary Defense tumbled from the leaders category.


"MDR is a more mature market than it was in prior Forrester Waves," said Vice President and Principal Analyst Jeff Pollard. "There's definitely a situation where some of the winners are starting to emerge."

MDR providers have over the past two years turned their attention from maximizing their efficacy at detecting ransomware to finding faster and better ways to respond to cyberattacks through automation, according to Pollard. But Pollard said the vendor desire for automated response exceeds the customer appetite, and clients need playbooks to understand what in their environment should be automated.


Forrester continues to see Expel's current offering as the strongest by a considerable margin, but changes are afoot beyond the top slot. Red Canary, Secureworks and CrowdStrike took the silver, bronze and fourth place in their strength of current offering this time around, while in March 2021, Forrester awarded second, third and fourth place to Red Canary, FireEye and CrowdStrike, respectively.

"The winners that are going to emerge out of the MDR market as it matures are certainly starting to coalesce a little bit more clearly," Pollard said. "There's still tons of opportunity there, but it's definitely a little bit more clear who is executing and who is winning in the MDR market right now."

From a strategy standpoint, CrowdStrike remains the leader of the pack, and Expel, Red Canary, Arctic Wolf and SentinelOne earned silver, bronze, fourth place and fifth place, respectively. Last time around, CrowdStrike and Expel tied for the gold in strategy, and Forrester awarded the bronze in strategy to Binary Defense, Deepwatch, Rapid7, Secureworks and SentinelOne in a five-way tie (see: Selecting the Right MDR Strategy).

"CrowdStrike is certainly pulling away from a market perspective because they are dominating a lot of the go-to-market out there," Pollard said. "They're a very successful provider at winning business and very successful at matching services."

Over the next two years, Pollard expects to see the MDR detection surface expand beyond endpoints, laptops and desktops to include applications, APIs, cloud and infrastructure, forcing vendors to invest in app security and observability. Pollard also anticipates generative AI will be applied to ticketing, reporting and workflows, and additional automation will streamline tasks that currently are menial and repetitive.

Outside of the leaders, here's how Forrester sees the managed detection and response market:

  • Strong Performers: Secureworks, Rapid7, Arctic Wolf, Binary Defense, SentinelOne, eSentire
  • Contenders: ReliaQuest, BlueVoyant, Deepwatch
  • Challenger: IBM

How the MDR Leaders Climbed Their Way to the Top

Company        Acquisition        Amount     Date
CrowdStrike    Reposify           $18.9M     October 2022
CrowdStrike    Secure Circle      $60.6M     November 2021
CrowdStrike    Humio              $370.3M    March 2021
CrowdStrike    Preempt Security   $91.2M     September 2020
Expel          None               N/A        N/A
Red Canary     None               N/A        N/A

Expel Debuts MDR for Kubernetes, Vulnerability Prioritization

Expel unveiled a native managed detection and response for Kubernetes offering at the start of 2023 to safeguard the container surface sitting inside the customer's cloud for organizations that don't own a cloud application security broker, said CEO Dave Merkel. The company has partnered with Lacework to help protect the 70% of Expel's customer base that uses Kubernetes, but Merkel said the need extends to non-Lacework customers.

The company also debuted vulnerability prioritization capabilities to ascertain what clients need to worry about most. The tool focuses on what's most relevant to a customer's operating environment rather than the CVE score, Merkel said. It plugs into Qualys' or Tenable's vulnerability management offerings and taps into Expel's understanding of customers to figure out what they should care about (see: Dave Merkel on Why MDR Firm Expel Sought More Money in 2022).

"Nobody's faster than we are and more accurate," Merkel told Information Security Media Group. "From initial detection to fully remediated, we're done with critical incidents in less than 20 minutes. Nobody else does that."

Forrester criticized Expel for being one of the more expensive providers, embracing the channel late and having a smaller budget and less reach than competitors. Merkel said Expel is early in its partner journey but now has partners touching 50% of revenue. Expel has changed how it carves up its offerings to better match what clients are willing to buy, and Merkel said the company benefits from not having to support a broader product portfolio.

"We've well-established our brand, our capability and our expertise," Merkel said. "Plus our customers are our best advocates with some very prominent brands and logos everyone recognizes. They'll be happy to tell you how comfortable they are with us protecting their environment."

CrowdStrike Extends MDR to Cloud, Identity, Log Management

CrowdStrike has added cloud security, identity protection and log management capabilities to its managed detection and response offering, said Tom Etheridge, chief global professional services officer. Hackers have pivoted to cloud infrastructure and capitalized on misconfigurations, mismanagement and mistakes, and CrowdStrike's familiarity with the cloud has helped with extending MDR capabilities.

Extending MDR to cover identity provides organizations with more control and visibility over privileged credentials at a time when there's been an 80% increase in incidents where stolen credentials are at the root of compromise, Etheridge said. The Humio acquisition, meanwhile, makes log collection and storage possible at scale to investigate how adversaries gain and propagate access during a security incident (see: XDR for ChromeOS: What Does It Mean for the Cyber Industry?).

"A lot of the other MDR providers will send out alert notifications," Etheridge told ISMG. "They will send instructions out for how to take action. CrowdStrike is one of the vendors that actually takes corrective action on behalf of customers on those endpoints, and that has allowed us to maintain our competitive advantage. It also allows us to deliver value in terms of being able to prevent breaches from happening."

Forrester criticized CrowdStrike for gaps in its cloud capabilities, limited API access and being dependent on integrations for technologies outside the Falcon ecosystem. Etheridge said CrowdStrike has made big investments in monitoring, triaging and remediating cloud-related breaches and threats, and the company partners with cloud, email and network security providers such as ExtraHop and Corelight to gain more telemetry.

"We have continued to build relationships with leading technology companies and providers to build integrations with Falcon that can be taken advantage of from an XDR and MDR perspective on the platform," Etheridge said.

Red Canary Takes on Business Email Compromise, Cloud Threats

Red Canary pursued tighter integrations with Microsoft 365 and Google's G Suite to help organizations better understand what's happening with their email and productivity suite, said co-founder and CEO Brian Beyer. Although business email compromise isn't as destructive or consequential as ransomware, Beyer said there has been a huge increase in the prevalence of BEC attacks affecting cloud environments.

As data and applications increasingly move to Amazon Web Services, Microsoft Azure, Google Cloud Platform and SaaS applications, Beyer said adversaries will increasingly target cloud environments. Red Canary's investments in the cloud aim to make the company exceptional at identifying when a threat actor is doing something nefarious and better understand how and why their behavior changes (see: Threat Outlook: Impact on Visibility, Response).

"Whereas many MDR providers focus on the lower side of the market - smaller SMBs or commercial businesses - Red Canary has a very large enterprise business," Beyer told ISMG. "You see more and more large enterprises who are looking to augment their security operations and their in-house team with a team like Red Canary, the world's experts on finding and stopping very advanced adversaries."

Forrester criticized Red Canary for limited skills around marketing and business development and failing to help customers understand what changes they should make to improve their security posture. Beyer said customer reviews and feedback indicate Red Canary is helping customers improve their security plans and that the company's significant competitors have raised more money and spend more on marketing.

"We have one of the only viable business models in the MDR space that doesn't need to continually raise more capital and then burn more capital," Beyer said. "We have a financial model and a business model that serves customers with the highest quality and also is viable and will be viable for years and years to come."


About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
