Infosec glossary
XDR
Extended Detection and Response
Security operations teams investigate activity across endpoints, identities, email, networks, cloud services, and applications. XDR combines signals from several of these domains to support detection, investigation, and response. The included data sources and response actions vary between platforms.
XDR connects activity across security domains
An endpoint alert may have related identity, email, network, or cloud activity. When those records remain in separate tools, an analyst must assemble the sequence manually. XDR can correlate the events around an entity, time period, or detection to create an incident view.
Correlation quality depends on data coverage, normalization, detection logic, and entity mapping. Collecting many event types does not guarantee that the resulting incident is complete or correct.
XDR supports investigation and coordinated response
XDR investigations may include timelines, affected entities, related alerts, process details, identity activity, network connections, and evidence from cloud services. Analysts use this context to confirm a detection, determine scope, and choose a response.
Response actions can be native or performed through an integration. Examples include isolating an endpoint, disabling an identity, removing an email message, blocking an indicator, or containing a cloud workload.
- Multi-domain telemetry and detection ingestion
- Entity mapping and incident correlation
- Investigation context and case management
- Response actions across connected controls
XDR, EDR, and SIEM serve different roles
EDR focuses on endpoint telemetry, detection, investigation, and response. XDR extends detection and response across multiple security domains. Some XDR systems build on an EDR foundation, while others use a different primary data source.
A SIEM collects and analyzes logs across a broad environment and often supports custom rules, retention, compliance, and security operations workflows. XDR and SIEM functions can overlap, but deployment model, data scope, analytics, and response capabilities may differ.
Related reading
The term is clearer when the nearby language is clear too.
Use the pages below when you need adjacent terms, category context, or a longer explanation instead of leaving the definition to stand on its own.
Adjacent terms
Further reading
Sources used to check the definition and terminology
Guides
Where the definition expands into a longer explanation
A practical guide to the traits that separate strong cybersecurity content from generic B2B copy, with examples of what to aim for across common asset types.
How to Review Cybersecurity Content Before PublishA practical pre-publish review process for cybersecurity content covering terminology, claims, audience fit, proof, structure, and trust.