Best XDR Tools

XDR stands for Extended Detection and Response. It is an advanced version of endpoint detection and response (EDR) that pulls in other security tools and coordinates everything from the cloud.

While system coordination occurs on the cloud, detection and remediation actions need to be implemented by on-site modules. The extent to which research gets refined before it is sent to the cloud depends on the design decisions made by each vendor of XDR systems.

The interplay between detection speed and processing efficiency influences how much of an XDR is based onsite and how much is centralized in the cloud. Competing businesses need to offer attractive prices and centralized SaaS-based components bring costs down. However, a remote system that can be cut off from networks under attack is no use to anyone, no matter how cheap it is. So, XDRs are never entirely cloud-based.

Here is our list of the best XDR tools:

  1. Barracuda Managed XDR EDITOR’S CHOICE This cloud-based system remotely monitors your sites for security threats and constitutes a full Security Operations Center (SOC) with 24-hour attendance by cybersecurity experts. Access a demo.
  2. Heimdal Security XDR (FREE TRIAL) This cloud-based system provides an XDR  service by extending protection to each endpoint on a network through on-device agents and coordinating threat intelligence and responses between devices. Start a 30-day free trial.
  3. UnderDefense MAXI Platform (GET DEMO) This platform is a security operations center that companies without their own cybersecurity experts can contract in to run security software for them. Access a demo.
  4. ESET Protect MDR This is a Managed Detection and Response service that provides a SaaS XDR and also the staff to run the system and take appropriate action.
  5. Palo Alto Cortex XDR The definitive XDR system from the company that coined the phrase.
  6. LogRhythm SIEM A NextGen SIEM combined with UEBA and SOAR is a largely cloud-based system.
  7. CrowdStrike Falcon Combines onsite modules and SaaS systems in a unified security platform.
  8. Rapid7 Insight Platform A combination of on-site and cloud-based tools that compose an XDR.
  9. TrendMicro XDR A cloud-based SIEM that coordinates with on-site security services from that same vendor, including email security.
  10. Exabeam A SaaS SIEM system that interfaces to on-site agents.
  11. ImmuniWeb A cloud-based vulnerability management suite that blends together to form an XDR.
  12. Cynet XDR Platform This platform uses AI routines and provides a high degree of threat resolution automation in its cloud-based services.

Elements of an XDR

An XDR is a platform – it is composed of a range of modules that work together. These are:

  • Data collection which could be adapted from an EDR.
  • Threat hunting which could be a SIEM, a vulnerability manager, or both.
  • User and Entity Behavior Analytics (UEBA) to rule out false-positive reporting.
  • Security Orchestration, Automation, and Response (SOAR) for threat mitigation.

Some providers offer these modules as individual products as well as bundled services

The best XDR platforms

Our methodology for selecting XDR systems

We reviewed the market for XDR tools and analyzed the options based on the following criteria:

  • A cloud-based system that can monitor multiple sites
  • Options to include remote work-from-home devices in monitoring
  • User and entity behavior analytics for activity baselining
  • Detection of anomalous activity
  • Automated threat remediation functions
  • A free trial or a demo to enable a no-obligation assessment before buying
  • Value for money from a system that provides full security monitoring at a reasonable price

All of these products are SaaS-based, which is one of the defining characteristics of an XDR system. You can read more about these tools in the following sections.

1. Barracuda Managed XDR (ACCESS DEMO)

Barracuda MSP

Barracuda Managed XDR is a managed security service opportunity for MSPs. This service delivers a team of security experts as well as SaaS-based XDR software. This is a managed service for managed service providers.

Key Features:

  • Includes all security software
  • Includes hardware to run security systems
  • Secure connections
  • 24-hour attendance
  • Cybersecurity experts

Why do we recommend it?

Barracuda Managed XDR extends the XDR platform by adding on the security staff to run the system and analyze security alerts. Barracuda runs its own Security Operations Center and subscribing businesses get coverage for their entire site added to the duty roster of this team.

The Security Operation Center (SOC) of Barracuda MSP will implement threat detection for your enrolled clients, allowing you to add a new product to your service menu without needing to source hard-to-find security experts. The system provides MSPs with a dashboard that allows you full visibility into your customers’ environments. Otherwise, all security-related support is supplied by Barracuda.

The system is a SIEM tool with automated responses. When one of your clients signs up for the Barracuda service, they are enrolled into the self-service dashboard. This guides the installation of data collectors that will upload log files to the Barracuda platform. The Barracuda system consolidates those logs while making them available to the AI-based SIEM system for security scanning.

The SIEM operates on a speedy triage basis, looking for anomalous behavior and then locking in tracking for the accounts and devices that were involved in that event. The service won’t raise a threat alert right away. Instead, it continues to scan incoming logs, looking for the next expected action that would mark out an intrusion.

This system uses generic rules, so it isn’t reliant on a signature database or even a set pattern of indicators of compromise. This makes the Barracuda XDR able to spot zero-day attacks.

Not all attacks are easy to spot and insider threats are particularly difficult to define. This is why an effective threat detection system needs the occasional input of human analysts. While many threats are clear, tricky hackers can sometimes evade detection and so the human eye is called in for borderline threat identification. Similarly, automated responses can be fine-tuned to prevent legitimate user activity from being shut down.

Who is it recommended for?

This package is marketed only to managed service providers. In this case, MSPs act as agents for Barracuda because the SOC is not intended to manage the XDR for the MSP but for its clients. So, MSPs can market security services and then let Barracuda deliver them.


  • Designed with managed service providers in mind
  • Includes a self service portal – great for reducing tickets
  • Highly visual – displays data at scale well
  • Includes various alert and reporting templates
  • Best suited for MSPs and enterprise companies


  • Would like to see a trial option

You can access a demo to find out more about the XDR.


Barracuda Managed XDR is the perfect security solution for businesses that can’t locate sufficiently qualified staff to run their security monitoring systems. The right people to solve problems for businesses that don’t have their own qualified IT staff are managed service providers and the Barracuda system is part of a suite of systems aimed at MSPs. This managed SOC can be offered by the MSP to their clients as a pass-through service. IT could also be a useful service for use by MSPs to guard their own systems because a security breach at an MSP’s facilities would be very damaging to that service’s business prospects.

Official Site:

OS: Cloud based

2. Heimdal Security XDR (FREE TRIAL)

Heimdal Security Process Tree PathHeimdal Security XDR is a cloud platform that protects each endpoint through the installation of an endpoint agent. There are agents available for WindowsmacOS, and Linux. Each endpoint is protected, while the cloud system exchanges data and instructions with each agent. This amounts to an XDR because threat responses are implemented by the agent and also through coordination with other security tools, such as firewalls.

Key Features:

  • UEBA
  • Web infection detection
  • Zero-day protection
  • HIDS

Why do we recommend it?

Heimdal Security XDR is a cloud-based service that gathers activity data from a site and performs threat detection on that unified data pool. The main source of data for the package is the Heimdal Next-Generation Anti-Virus package, which installs on each endpoint and runs on Windows, macOS, and Linux.

The Heimdal Security system uses a mix of strategies to protect endpoints. The first of these is a host-based intrusion detection system (HIDS), which is like a SIEM. this searches through log files with the agent uploading those messages to the central server for threat detection. If a problem is detected, the tool sends back a response instruction. This response could be implemented by interfacing with third-party tools, such as firewalls and access rights managers. The log messages are activity records and while scanning for threats, the Heimdal system also records each activity, indexing them per endpoint, remote source, or user account. This is what is known as User and Entity Behavior Analytics (UEBA). It looks for anomalous behavior and is a good way to tackle zero-day threats for which no detection pattern has yet been formulated. This is a machine learning (ML) technique.

The console for the Heimdal Security XDR system is based in the cloud and accessed through any standard Web browser. While scanning activities on each protected endpoint, the console also compiles statistics and shows alerts when a problem has been detected. The system can be tuned to only raise an alert or to implement automated responses as well. As well as protecting endpoints from activities that hit them, such as malware and data theft attempts, the Heimdal system prevents internet-based attacks. It enforces HTTPS to ensure that snoopers can read Web traffic and it also encrypts DNS queries to prevent man-in-the-middle attacks.

Who is it recommended for?

The system can implement automated responses on the detection of a threat these are quickly applied to on-site Heimdal products but they can also be implemented through third-party tools. The system will also provide general system activity analysis in the cloud-based dashboard. Heimdal Security XDR will also generate compliance reporting.


  • Cloud-based coordination between on-device agents on a site
  • An option to blend the system with network protection
  • Responses that involve third-party security tools
  • Identifies zero-day attacks


  • The multiple strategies in this package make it complicated

Heimdal Security offers a range of security products, not just its XDR package. For example, it also operates a Network Threat Prevention system. Multiple products can be managed from a single console and they also have cross-over features. If you contact Heimdal for a consultation on your business’s needs, you will get an assessment of which of the company’s products are right for you. You will then get a 30-day free trial of the recommended products.

Heimdal Security XDR Start a 30-day FREE Trial

3. UnderDefense MAXI Platform (GET DEMO)

UnderDefence SIEM - Activity on Site view

UnderDefense MAXI Platform is a managed security service and it gives you a team of technicians and cybersecurity consultants so that you don’t need to hire those skills onto your payroll. This is a cost saver and provides continuity because you don’t need to worry about replacing leavers.

Key Features:

  • Cybersecurity support team
  • 24/7 support
  • Incident analysis
  • Cybersecurity software calibration

Why do we recommend it?

The UnderDefense MAXI Platform combines security monitoring and compliance reporting. The system offers value for money through efficiency by eliminating the need to buy a separate compliance management service. This system also integrates with your SIM and other third-party security tools to provide automated responses.

This system is a cybersecurity technical support team and not an XDR package. This gives you the flexibility to choose your own software. With most managed security services, you assess the software on offer and not the quality of the staff in the security operations center. In this case, the staff is the product.

The UnderDefense team will assess your cybersecurity software and report on its suitability. There might be gaps in coverage or you might need to install updates to your existing software. If you don’t already have a cybersecurity package in place, UnderDefense will recommend the appropriate purchases to protect your system.

On starting its service, the UnderDefense team will recalibrate your cybersecurity software to provide the minimum protection. The team also combs through log files, looking for indicators of threats that the automated threat detection system you deploy has missed.

Discoveries will result in an adjustment to the configuration of your security system, changes to your network access controls, or recommendations for extra software to improve coverage.

The typical customer of UnderDefense is a business that struggles to hire expert cybersecurity staff either because of their budget or their location. Even corporations that can afford and find suitable experts will find that contracting this outsourced SOC saves them money and HR issues

Who is it recommended for?

The UnderDefense system is designed for businesses that hold sensitive data. It is particularly interesting for larger businesses. The company doesn’t provide a price list, which will put off small businesses that are usually price-sensitive. The company also offers a Managed Detection and Response (MDR) service for businesses that don’t have their own cybersecurity staff.


  • Round-the-clock security software monitoring
  • Options to monitor multiple sites
  • A customizable support package


  • UnderDefense will have full access to your systems

The UnderDefense MAXI Platform is a custom service and the price will vary according to the level of service that you require. The team won’t provide monitoring or management of your non-security systems. As it is a bespoke service, there is no free trial for this package but you can request a demo of the MAXI Platform.

UnderDefense MAXI Platform GET DEMO

4. ESET Protect MDR

ESET-Test MK_test display-1

ESET Protect MDR is a managed security service that provides an account with the ESET Protect SaaS cybersecurity system plus the technicians to run the service for you. You still get to see the console for the security package and you can extract data for other purposes, such as capacity planning.

Key Features:

  • Managed service
  • On-device protection
  • Central threat hunting
  • Cybersecurity technicians

Why do we recommend it?

The ESET Protect MDR is a managed security service that provides system hardening services as well as ongoing security protection. This is a complete security operation service that protects endpoints, networks, and system services, synch as email. The package also protects cloud-based applications.

ESET offers its Protect range in a number of editions. The base package gives you an anti-virus system that needs to be installed on each device. This software is available for Windows, Linux, macOS, iOS, and Android. Each instance sends activity reports to a cloud-based controller. Higher plans use that uploaded data for threat detection and the top plan will automatically send response instructions to all equipment on the site.

The ESET Protect Complete plan gives you an XDR that covers on-site systems and cloud services. This system sends response instructions to ESET units. The top plan, ESET Protect Elite can send automated response instructions to third-party systems as well.

Even though you might buy a cybersecurity package that automatically shuts down threats, you still need a cybersecurity expert to manage it. If you don’t have such a person, you are the ideal customer for the ESET Protect MDR system.

The top plans of ESET Protect don’t just detect threats, they also scan for system vulnerabilities. The package will fix some of those weaknesses with a patch manager or issue guidance on what system changes need to be made. You need experts to implement these changes and those tasks form part of the duties of the ESET Protect MDR staff.

Who is it recommended for?

This cloud-based service covers on-premises and cloud services, so it is ideal for businesses that run hybrid systems. The package includes cybersecurity technicians to run the security software, so the deal is particularly interesting for businesses that are in locations where security specialists are hard to find.


  • A security operations center for hire
  • XDR and vulnerability management software included
  • Cloud host and storage also included


  • No free trial for the MDR add-on

The MDR system is a technician add-on service to your choice of ESET Protect plan, so there isn’t a free trial for this system. You need to contact ESET to discuss your requirements.

ESET Protect Contact ESET

5. Palo Alto Cortex XDR

Palo Alto Cortex XDR Dashboard

The term “XDR” was defined by Palo Alto Networks in 2018. As the inventor of the industry, Palo Alto can certainly be assumed to have got the right combination of tools to compose the definitive XDR service.

Key Features:

  • Cloud-based
  • UEBA
  • Threat intelligence
  • SOAR

Why do we recommend it?

Palo Alto Cortex XDR follows the typical XDR format of gathering activity data from local cybersecurity tools and consolidating that data in the cloud for threat hunting. The service will implement automated responses by sending instructions to those on-site tools. The Cortex system will work with third-party cybersecurity packages, so the local systems don’t have to be from Palo Alto.

Each security software provider arrived at the XDR target from a different starting point. The Palo Alto journey to XDR started with evolved onsite security products, such as an EDR to replace endpoint antivirus and a Next-Generation Firewall to protect the network. Palo Alto also offers a virtual firewall – which is a SaaS service, based in the cloud, effectively creating a virtual network. This can protect your own cloud-based services, such as virtual servers provided by the likes of AWS or Azure.

Palo Alto Networks created its Cortex XDR to tie each of these services together into a coordinated cybersecurity service. This is the essence of XDR, a SaaS console that presents an overview of security elements and, behind the scenes, unites the information feed from each to provide a consolidated data lake for threat hunting.

The threat detection system that is the core service provided by Cortex uses UEBA and triage to cut through to pertinent data. As it operates on the servers, of the Palo Alto Networks servers, this system gets instant threat intelligence feeds and also benefits from the zero-day experiences of security processes operating for other Cortex customers.

Cortex speeds up threat mitigation through SOAR, lightening the code base on-site by interfacing to services that are already present on-site, such as Active Directory (AD) and the firewall.

The elements of the XDR platform, such as the next-generation firewall, can all be deployed independently, so getting the XDR plan is a matter of buying a service bundle.

Who is it recommended for?

This is a solution for large businesses that will get extra value from their existing security software. The Palo Alto brand is top-of-the-line and is priced accordingly. The company doesn’t provide a price list and there is no free erosion and those two factors mean that it won’t appeal to small businesses.


  • Great user interface and easy-to-use reporting features
  • Manages coordinated cybersec as a SaaS platform
  • Reduces mitigation time via SOAR functions


  • Better suited for enterprises

Palo Alto Cortex XDR is a leading pick for an XDR solution because the XDR term was invented to describe it. This system has all of the indicators of a classic XDR. It is a SaaS coordinator of onsite protection measures and it uses already installed services to direct responses to attack. The cloud module pools attack experience from all customers and injects threat intelligence developed at the same data center. UEBA and AI processes complete the combination of services that thread together into a coordinated defense platform.

6. LogRhythm SIEM

LogRhythm Dashboard

LogRhythm SIEM operates as an XDR because it gathers log messages from third-party on-site systems through an agent. This data is standardized into a common pool of records on the LogRhythm cloud server and forms the source material for threat detection.

Key Features:

  • A SaaS package
  • Network activity feed
  • UEBA

Why do we recommend it?

LogRhythm SIEM provides a core package with extra units that you can choose to add on. The extra modules include network detection and response, user and entity behavior analytics, and security orchestration, automation, and response (SOAR). Although this tool is entitled a SIEM, its activities also define it as an XDR.

The SIEM will implement threat detection and response. Those functions can be enhanced by add-on modules. The first of these is the LogRhythm UEBA, which records user activity and transactions per endpoint or remote identity. The tool uses ML to establish a baseline of regular activity and then alerts when it identifies deviations from that standard.

LogRhythm NDR stands for Network Detection and Response. This adds network activity data to the threat-hunting data pool and also interacts with on-site network security systems, such as firewalls to block suspicious activity.

The LogRhythm Axon system is a security analytics tool that refines the intelligence identified by the SIEM. this is a little like a vulnerability manager because it will identify weak points in your IT system and provide guides on how to fix them.

The final element that you can add to the SIEM is the LogRhythm SOAR. This provides extensive interactions with third-party tools and will let you thread together otherwise incompatible cybersecurity tools from different providers.

Who is it recommended for?

This is another solution for large organizations. The system will particularly interest businesses that have already invested a lot of money in on-premises security tools and find that they are so siloed that they cannot provide a unified approach to security. This service ties all of your current security tools together.


  • Uses simple wizards to setup log collection and other security tasks, making it a more beginner-friendly tool
  • Sleek interface, highly customizable, and visually appealing
  • Leverages artificial intelligence and machine learning for behavior analysis
  • Does an excellent job at live data processing


  • Would like to see a trial option
  • Data correlation could use improvement

LogRhythm SIEM is a cloud-based system and its data collector can install on Windows, Windows Server, and Linux. There is no free trial for the package but you can schedule a demo.

7. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is a brand of cybersecurity tools. CrowdStrike has created a series of products within the Falcon product range that cover all aspects of system security. It markets these tools individually and in bundles.

Key Features:

  • Strong endpoint unit
  • Multi-level threat hunting
  • Automated responses

Why do we recommend it?

CrowdStrike Falcon Insight is a cloud-based coordinator for on-premises CrowdStrike tools. The main requirement for the XDR is the presence of the Falcon Prevent unit, which needs to be installed on each protected endpoint on the network. The XDR coordinates the protection of the Prevent anti-virus system and creates a central threat detection and response service.

The full complement of the Falcon range creates an XDR. CrowdStrike offers an EDR solution, which is installed on each endpoint, providing constant defense even when the device is offline. It provides a management console for its EDR system, which coordinates data collection and threat response. That central coordinator is cloud-based and that service, called Falcon Insight, is the core of a classic XDR.

The Falcon Insight system can be augmented by other modules to create a stronger XDR system. Those other services are Falcon Intelligence, which is a threat intelligence feed, Falcon Overwatch, which is a threat hunting service, and Falcon Discover, which is a vulnerability manager. Other add-ons are a firewall management system and USB device management.

CrowdStrike produces a next-generation antivirus system, called Falcon Prevent. This is installed on each endpoint. However, customers of Falcon Insight don’t need to buy this separately because it is bundled in with that coordinated service. In fact, Falcon Insight is really a coordinator that communicates with Falcon Prevent instances.

Features of the CrowdStrike Insight service include UEBA for detection triage and SOAR for threat response. It is included in the Falcon Enterprise, Falcon Premium, and Falcon Complete bundles. Falcon Complete is actually a custom-built package. CrowdStrike also offers a managed cybersecurity service.

Who is it recommended for?

This system enhances the on-device Prevent module but it can also gather data from other CrowdStrike tools on a site and the more that you have, the better the Insightr service gets. This tool can work with Falcon Fusion SOAR to communicate responses to third-party security systems.


  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc.)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Lightweight agents take up little system resources


  • Would benefit from a longer trial period

CrowdStrike offers customers a 15-day free trial, although this actually gets you Falcon Prevent, not the fully-coordinated Falcon Insight service.

8. Rapid7 Insight Platform

Rapid7 Insight Platform Dashboard

Rapid7 has assembled an XDR platform called Insight. This is a collection of security products, mostly based in the cloud, that coordinate to provide a full XDR.

Key Features:

  • SIEM
  • Attack analysis
  • UEBA

Why do we recommend it?

Rapid7 Insight Platform is a cloud-based system with a core SIEM that can be enhanced by extra modules. The service can also be enhanced by the addition of a threat intelligence feed and a vulnerability manager. The system requires agents to be installed on the protected site.

The main component of the Insight system is called InsightIDR. This is a SIEM system that performs most of its tasks on the cloud and offers a browser-based console to customers. This tool is not all cloud-based, however, because it includes onsite agents that gather data and upload them to the Rapid7 server over an encrypted connection. InsightIDR uses UEBA for activity baselining that reduces false-positive reporting.

The InsightIDR service implements threat detection by searching through unified log records for “chains of attack.” This is the threat intelligence base of the InsightIDR system, which is termed Attack Behavior Analytics (ABA). This service identifies the typical behavior of active hacker groups and can spot the opening attacks of each. This enables the system to jump ahead of the attackers and shut down the avenues that they typically use to get into a system and wreak havoc.

IDR stands for Incident Detection and Response. As that term explains, InsightIDR includes response mechanisms that are implemented through the onsite agent modules and also involve interfacing with other security products in a typical SOAR strategy. That SOAR system is called Insight Connect.

Who is it recommended for?

The full Insight platform provides all of the tools that any Security Operations Center (SOC) could need. As such, this is a solution for large, multi-site organizations with centralized cybersecurity services. The package is probably a little too much even for mid-sized businesses.


  • Leverages behavioral analytics to detect threats that bypass signature-based detection
  • Uses multiple data streams to have the most up-to-date threat analysis methodologies
  • Allows for robust automated remediation


  • Pricing is higher than similar tools on the market
  • Some features may require paid plugins

Other modules in the Insight Platform include InsightVM, which is a vulnerability manager that operates through both cloud and on-site components. Cloud services are protected by the DivvyCloud service. Rapid7 offers an Insight module specifically for DevOps environments concerned with Web applications. This is called Insight AppSec.

9. TrendMicro XDR

TrendMicro XDR Dashboard

TrendMicro implements its XDR solution by coordinating its onsite security products through a cloud-based SIEM system. Those onsite tools include endpoint protection, network security, server protection, and email security products. There is also a cloud security system that can feed into the TrendMicro XDR service.

Key Features:

  • Gathers logs
  • SIEM
  • Automated responses

Why do we recommend it?

TrendMicro produces one of the most widely used AVs in the world and the XDR builds a cloud layer on top of that on-device protection system. This tool provides a secondary threat detection system in addition to the on-device anomaly detection. This enables the service to take a business-wide view of threats.

The various security products that are busy protecting specific aspects of IT infrastructure gather log messages and also generate their own monitoring notes. These get sent to the TrendMicro server for consolidations. That unified pool of live event records is then searched through by a threat detection module, which is essentially a SIEM system. Any worrying events generate system alerts and instructions to the relevant onsite module for deeper vigilance.

Confirmation of malicious activity triggers automated response actions that are performed directly by the onsite tools or relayed through them to system utilities. This is the classic SOAR strategy.

Who is it recommended for?

TrendMicro is strong at supporting mid-sized business sector and jockeys for the lead in this market with Sophos. As with many of the other packages on this list, the XDR relies on the company’s AV unit being installed on every endpoint. However, the TrendMicro system is more affordable than those of CrowdStrike and Heimdal Security.


  • Can detect system vulnerabilities as well as threats based on behavior
  • Includes HIDs features for additional protection
  • Can isolate unpatched applications and systems until fixes are deployed
  • Stops browser-based threats such as crypto mining, and clickjacking


  • Is only available as a cloud-based solution

TrendMicro offers XDR in two formats. The first of these is called Vision One, which is a coordinating SaaS layer offered to customers of TrendMicro onsite security packages. The other option is called Managed XDR, which is a fully managed, outsourced SOC service.

10. Exabeam

Exabeam Dashboard

Exabeam is a cloud-based SIEM that expands out into a security operations suite to form an XDR. The majority of the Exabeam system is based in the cloud with onsite elements deployed as relays. The device agents upload log messages and receive mitigation instructions.

Key Features:

  • UEBA
  • SIEM
  • Playbooks for responses

Why do we recommend it?

Exabeam is similar to the LogRhythm XDR platform because the company doesn’t produce its own on-premises AV unit but deploys agents on a site to collect data for threat hunting. Essentially, this is a remote AV system that can spot insider threats, account takeovers, and intruders as well.

Step one in this SaaS SIEM service is the creation of an Exabeam Data Lake. This is a consolidated poll of records that gets constantly added as new uploads arrive from device agents. These records are made available in the web-based console for viewing and sorting by the user but their main purpose is to provide a data mine for the threat detection service in the Exabeam XDR.

Exabeam Advanced Analytics operates as a UEBA service and establishes a pattern of normal behavior on a client-by-client basis. This reduces false-positive reporting and gives the threat hunter a baseline to compare activity records against.

Incident response can be varied according to the preferences of the user. The XDR platform includes the Exabeam Incident Responder. this is where the user decides on the level of threat mitigation automation. The response is dictated by “playbooks.” These are workflows that get triggered by a specific type of threat. That response could just be a notification – which is the default. Otherwise, the user can set up an automated response to shut down detected threats.

Who is it recommended for?

This cloud-based SIEM is able to gather logs, detect threats, and implement responses from its cloud location. On-site agents mediate between locations and can interface to third-party systems in order to shut down threats. Therefore, buyers will need to have other security systems on site from third-party providers.


  • Supports incidents response workflows, playbooks, and automation
  • Offers usefully query features for filtering large datasets
  • Can be used for compliance reporting and internal audits for HIPAA, PCI DSS, etc.


  • Lacks live network monitoring capabilities
  • Wasn’t initially designed as a SIEM tool

An optional extra for the Exabeam XDR system is an archiving to store log files. The Exabeam XDR SaaS is available on a free trial.

11. ImmuniWeb

ImmuniWeb Web Dashboard

ImmuniWeb offers penetration testing and a vulnerability scanner. These are offered as a platform that can be combined with a SIEM to create an XDR. The SIEM isn’t included, however, so you will need to source that elsewhere on advice from the ImmuniWeb team.

Key Features:

  • Log collection and consolidation
  • Vulnerability scanning
  • Penetration testing option

Why do we recommend it?

ImmuniWeb provides useful components for an XDR rather than a full threat detection and response system. You would use this service to discover which parts of your system are more vulnerable to attack and then take steps to remove those weaknesses or to focus security monitoring on those vulnerable points.

The difference between penetration testing and vulnerability scanning is that penetration testing is a manual process and vulnerability scanning is automated. So, the ImmuniWeb services that you would subscribe to for your self-assembled XDR would be its Discovery and Continuous systems.

ImmuniWeb Discovery is an external scan that searches through Dark Web sites for any indications that your site has been compromised. This could be because user account details are up for sale or hackers specifically mention your services or URLs when advertising attack tools.

ImmuniWeb regularly sweeps hacker sites for information on attack strategies and feeds that knowledge into its Continuous service. This is a vulnerability scanner that looks through a client’s system from an external viewpoint, testing its protection against any newly-discovered attack vector.

Who is it recommended for?

ImmuniWeb can be useful for large businesses and consultancies that want to perform a full system audit to get security up to standard. Continuous scanning keeps the system up to that newly achieved high level and a Dark Web scanner alerts the business to heightened risk.


  • Uses the OSINT framework combined with AI to proactively stop threats
  • Includes features that are production safe and place a minimal impact on your network
  • Includes supply chain attack tools


  • Not the best fit for smaller networks

The ImmuniWeb service is entirely cloud-based and is offered in three editions: Corporate Pro, Corporate, and Express Pro. These are all subscription services with a monthly charge rate.

12. Cynet XDR Platform

Cynet 360

Cynet calls its XDR system an Autonomous Breach Protection platform. It links together next-generation antivirus, EDR, UEBA, network traffic analysis, and deception intelligence in a classic on-site/cloud combination that typifies an XDR.

Key Features:

  • Deception technology
  • Log collection
  • UEBA

Why do we recommend it?

The subscription plans of the Cynet XDR Platform provide buyers with the option to choose endpoint protection, and EDR, a full XDR, or a hybrid protection service for on-premises and cloud resources. This creates a wide spread of products that build upon each other and is similar to the strategy adopted by CrowdStrike.

The data collection element in this SaaS service is called Sensor Fusion. These are log message collectors and network monitoring sensors that generate their own activity records. These are uploaded to the Cynet XDR Platform service, which performs a SIEM search for threats.

The Deception module of Cynet XDR Platform is very good – it is a unique service created by this business. The Deception strategy is to work as a honeypot. It creates fake, weakly-protected user accounts that attract hackers. It also diverts malicious activities with fake data files and deceptively easy-to-change (but fake) device settings.

Who is it recommended for?

The Cynet EDR/XDR options are focused on mid-sized to large businesses. The Essential Plan could work well for small businesses because it is mainly implemented on each device as an AV. However, its pricing puts it at the high end of the AV market and many buyers might proffer the cheaper solution offered by Trend Micro.


  • Excellent interface
  • Combines backend threat intelligence with live network data to prevent attacks
  • Includes a honeypot feature to detect probes and intrusions
  • Leverages AI to spot malicious behavior


  • Could use a longer trial

Cynet XDR Platform uses AI-based UEBA to zoom in on intruder activity and leave genuine users alone. The service includes an armory of scripts and strategies that automate threat response. This mitigation service also interfaces with other system services in a SOAR defense strategy. Cynet offers a 14-day free trial of its Cynet XDR Platform.