Why XDR Vendors Must Build, Buy, and Partner

As 2021 starts with record breaches, security teams continue to evaluate whether they have the best products in their toolbelt, looking for products that work together to provide security that is greater than the sum of its parts. Customers will be better protected and more efficient when they buy from a vendor offering its own best-in-class products complemented with external integrations from other vendors.

In many cases, security teams are already upgrading to best-in-class tools, but owning the best often means having many vendors in a technology stack. Even for organizations buying for price, surveys show that the average number of security tools within an organization is still greater than 50. The solution is neither vendor consolidation nor vendor integration, but both. CISOs don’t want or expect to go from 50 tools to one. They want to go from 50 tools to a dozen well-integrated ones to gain efficiency and security efficacy.

How easily a security product integrates with other vendor’s products is an essential factor today but will become a deciding factor as XDR (extended detection and response) becomes a standard. Increasingly sophisticated attacks exploit endpoint, identity, email, network, and the rest of the stack, so the full stack must work together to shut down the attack at every point.

Integrated Vendor Portfolios

Security vendors who approach XDR by building product portfolios will simplify security as long as they add products within their domain of expertise and integrate them by merging two sets of workflows into one.

Endpoint vendors, for example, can simplify a customer’s duties by expanding into more endpoint types. Natural extensions include Windows, macOS, Linux, iOS, Android, and ChromeOS. Merging those alerts and devices into shared workflows saves users time. Every new product a company builds or acquires should not mean another new administrative area for the customer.

Expanding from EDR into XDR is another example of building on a core competency. The best endpoint products are built on engines that correlate behavioral data points to block threats. Extending those engines to correlate behavioral data beyond the endpoint couldn’t be more natural, at least for the vendors who built their security on top of industry-leading engines that are only supplemented by managed security services.

Integrated Vendors

The pitfall that vendors have often found themselves in is that when the portfolio expands beyond the vendor’s area of expertise, its quality can suffer. No leading endpoint vendor is also a leading firewall vendor. No leading identity vendor is also a leading network security vendor. The vendors with the most extensive portfolios often have many sub-par products in their mix, and yet they are the vendors that offer the fewest integrations with other vendors.

Product portfolios that are walled in cause their customers more work and expose them to unnecessary threats at a time when the stakes of effective security have never been higher. Closed-off ecosystems may be effective by 2030, but integration is the most critical thing to do for 2025. Vendors should continue to look for areas within their circle of competence to expand, but they should also complement those offerings with a robust ecosystem of partnerships with other market-leading vendors.

Plug and Play Integrations

For a few well-funded security teams, a lack of integration between products can be worked around. Those well-funded teams can buy a SIEM and a SOAR, connect all those best-in-class tools, and dedicate a few people to writing SIEM detection rules and SOAR playbooks.

How, though, is the more common, classically understaffed security team supposed to manage all its tools? Detecting and responding across the stack, in real-time, without expensive playbook software, requires XDR.

Extended detection and response (XDR) is not just a marketing term, despite there being too much marketing describing it and not enough features delivering it. It is the technology being built to level the playing field.

With XDR, any team of any size can buy the best tools, regardless of vendor, and expect its products to work together to automatically detect at the campaign level and respond everywhere the attacker is.

XDR is the central, automated HUB that was always asked for by customers and just took technology years to begin delivering on.

Discover, Connect, Extend

Integration is critical, whether it be internal integration within a product portfolio or external integration with an ecosystem of partners.

SentinelOne started its XDR journey by expanding from securing Windows workstations to securing macOS, Linux, and Cloud. They all exist in a single console with shared workflows for policy, alerts, and our Deep Visibility event view.

The next evolution was to go beyond SentinelOne. We developed Threat Intelligence partnerships with industry leaders like RecordedFuture and ReversingLabs. By partnering with industry leaders we were able to bring the best Threat Intelligence into our best-in-class endpoint security.

When we set out to build these partnerships, we knew it was just the beginning. With our number of partners rapidly expanding, we envisioned a marketplace that would make it easy to find and enable integrations within just a few minutes and clicks.

Our recently externalized SentinelOne Marketplace is built to serve that vision of XDR. In the seconds it takes to input API keys for a selected vendor, the marketplace will make that handshake and begin working together with other best-in-breed technology.

Singularity Marketplace
Extend the power of the Singularity XDR platform with our ecosystem of bite-sized, 1-click applications for unified prevention, detection, and response.

Singularity Marketplace is part of our platform, so once an integration is set up, the effect becomes visible within the product. In the case of enabling a Threat Intelligence integration, threat intelligence is enriched into the product almost immediately. Marketplace makes discovery and integration as easy as online shopping.

Respond with Machine Speed

As Marketplace grows, our integrations will span more tool types, ingest more data from across those tools, and do more with it. Like everything we do, XDR will operate at machine speed. That’s where Scalyr comes in.

Our recent acquisition of Scalyr will enable SentinelOne to ingest more data, analyze for correlation, and prevent more threats. Regardless of whether the data source is from a new SentinelOne product or unstructured data from an integration with another vendor, Scalyr will connect the dots.

Further still, STAR (Storyline Active Response) sits on top of Scalyr. While much of STAR is still confidential, we can share that it is a highly customizable response tool developed to supply powerful XDR response capabilities on or beyond the endpoint.

Singularity XDR
Empower your SOC with end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.


Security is a rapidly evolving market with startups offering new innovations to help customers stay secure against an intensifying barrage of attacks. Ten years ago, the industry was largely composed of a handful of firewall and legacy AV vendors. A decade later, it’s unrecognizable.

This is an industry where invention will not stop because it cannot stop. As long as ransoms are paid, as long as rapid innovation creates new intellectual property to be stolen, as long as Bitcoin appreciates into more enriching loot to be stolen, and as long as compromising digital infrastructure offers money and power, attacks will continue to grow in their complexity.

To put it bluntly, the security market is being driven forward at breakneck pace by a virtual arms race. The blue team’s tech stack has to be everbetter to combat the undeniable innovation we’ve seen in red team efforts. XDR is emerging because there is a pressing need for connective tissue that will allow the new but disparate defensive tools to operate in a more hive-like manner. Over the next five years, vendors will be largely defined by those who deeply integrated their products to others and those who did not.

While thoughtful acquisitions will help, for every acquisition a new vendor with a new tool will emerge to take its place. The challenge of today is to build the connected defense network needed to connect tomorrow’s evolving tools.

To meet that challenge, SentinelOne is extending by launching new products within our domain expertise and partnering with other market leaders via Marketplace. To extend detection, we will ingest and correlate data from beyond the endpoint with Scalyr. Lastly, by leveraging STAR, we will respond wherever the attack is happening.

The future is an XDR-driven future. Specialized security products must work together to defend against an intensifying effort to overrun the digital barriers that protect our now technology-dependent lives. Security vendors preparing for this future should expand and strengthen their technology while also building an architecture to ingest from anywhere, correlate any data set, and respond wherever needed.