As threats multiply and
AI seems poised to radically change operating practices for attackers and defenders, too many teams still rely on siloed, point solutions for their cybersecurity needs.
These teams have got
EDR for their PCs, servers and other endpoint systems. They've got
NDR to monitor traffic and spot behavioral anomalies on their networks. They've got various solutions —
CNAPP, CSPM, CWPP, CIEM — to lock down cloud assets, and they've got
OT security to manage machinery and other heavy digitally controlled equipment.
All these work very well to protect their particular domains, but what about the spaces in between? There are blind spots that each point solution has trouble monitoring, areas where a crafty attacker could wedge their way in and move about undetected.
"Most security tools only see one slice of the environment," writes
Mikey Anderson, Product Marketing Manager of Network Detection and Response at Darktrace in a recent blog post. "IT and OT networks,
endpoints, and
cloud systems are monitored in isolation, with little correlation between them."
The disparity of data formats and inputs from all these different tools, plus the duplicate alerts they raise, overload security teams with too much to respond to and too many interfaces to monitor.
The answer is a consolidated platform that lets defenders tie together data from different tools and, with the aid of
agentic AI to correlate and analyze signals, quickly respond to threats no matter where they pop up in the environment.
The cracks between EDR and NDR
Both NDR and EDR are excellent solutions for specific problems, but they can falter when they wander beyond their core competencies.
For example, EDR is designed to monitor PC and server processes, detect anomalous behavior, and automatically take the first steps toward investigating and remediating suspicious behavior or items, while at the same time triggering alerts for security teams to follow up on.
Extended detection and response (
XDR) is an extension of EDR to incorporate data feeds from multiple endpoints, as well as from networks and
firewalls, to provide a broader view of system activity. It's best for smaller organizations that don't have the resources for full-fledged
SOAR or
SIEM tools.
But XDR can't replace NDR, or even EDR. Instead, it supplements them. Yet because it's an outgrowth of EDR, it still falls short when trying to monitor subtle
network activity or anything happening on endpoints without EDR installed, Anderson says.
"XDR is an endpoint-focused tool that cannot see the full picture of threats moving laterally across the network, targeting unmanaged devices, or blending into legitimate traffic," he writes. "Without native network detection and response (NDR), critical incidents slip through undetected."
NDR has its limitations as well. Unlike EDR, it can spot unauthorized and rogue devices on the network, and suspicious network traffic and attacker lateral movement. But unless it has deep hooks into corresponding EDR or XDR programs, it can't see far into endpoints, especially those being used off premises.
Most NDR solutions "can't investigate beyond what the EDR already flags, lacking process-level context in network investigations," writes Anderson. "This reliance on EDR leaves critical gaps in network coverage, since EDRs themselves don’t provide network-level visibility."
Security teams may have a hard time keeping up with the input and alerts from EDR and NDR tools running in parallel, and possibly XDR tools too. Each of these tools will cover its own domain well, but security teams need to devote time to weeding out duplicate alerts, even as they're failing to get the full picture of what's going on in their systems.
"Analysts are forced to pivot between siloed point-products, each providing only a fragment of the incident," writes Anderson. "This slows response, creates blind spots, and limits the team’s ability to understand and contain threats effectively."
Filling in the gaps
Darktrace's knife to cut through this mess is to supercharge its NDR offering with agentic AI that can ingest and correlate data from Darktrace's other tools, including its endpoint, email and OT security products.
Anderson calls it Network Endpoint eXtended Telemetry, or NEXT, and claims it is "revolutionizing NDR with the industry's first mixed-telemetry agent using Self-Learning AI."
"The combined context of native network and endpoint process data significantly reduces incident triage and investigation times for threats spanning both domains," Anderson adds. "Our business-centric approach learns what normal looks like for each endpoint and now uses process context to extend our ability to identify novel threats that existing EDR/XDR tools often miss."
The AI's job, Anderson writes, is to help spot suspicious behavior on endpoints that might be missed by EDR, and to begin investigations across the network, sparing security analysts the trouble of jumping from one tool to another.
This AI-assisted security, he says, enables "real-time threat detection, investigation and response for cross-domain activity throughout the enterprise."
"By applying agentic AI, Darktrace empowers security teams to move from reactive alert triage to proactive, autonomous defense, surfacing and blocking threats that others simply can't see," Anderson says. "This bridges the gap between NDR and the endpoint, while adding value to existing EDR investments."
NEXT is part of Darktrace's ActiveAI Security Platform, which besides its network and endpoint modules also offers cloud, OT, email and identity solutions, each of which can be licensed individually or as part of the platform.
"By unifying insights from network to endpoint," says
Darktrace, the NEXT solution can "natively provide security teams with the ability to trace network threats directly to their endpoint root cause. For analysts, this means investigations that once took hours and multiple pivots between NDR, EDR and XDR tools can now be resolved in seconds."