Report:

Magic Quadrant for Endpoint Protection Platforms

How does Gartner define the Endpoint Protection Platforms market in 2023?

Gartner defines an endpoint protection platform (EPP) as security software designed to protect managed end-user endpoints — including desktop PCs, laptop PCs, and mobile devices — against known and unknown malicious attacks. Additionally, EPPs provide capabilities for security teams to investigate and remediate incidents that evade prevention controls. EPP products are delivered as software agents deployed to endpoints and connected to centralized security analytics and management interfaces.

Key Facts for Magic Quadrant for Endpoint Protection Platforms in 2023

• Publication Date: 31 December 2023
• Document ID: G00789052
• Coverage: Global
• Authors: Evgeny Mirolyubov, Max Taggett, and 2 more
• Core Purpose: This Magic Quadrant evaluates endpoint protection platform (EPP) vendors based on their ability to protect managed end-user endpoints against known and unknown malicious attacks, and provide capabilities for security teams to investigate and remediate incidents that evade prevention controls.

Strategic Planning Assumptions

• All solutions in this research offer strong protection against most common attacks
• Advanced EDR features, managed services, identity threat detection and response, broader workspace security, security configuration management, and emerging XDR capabilities are the most significant differentiators

How was the Endpoint Protection Platforms market evolved in 2023?

• EPP is the most commonly deployed layer of malware prevention and foundational security hygiene for all organizations
• 90% of organizations use cloud-delivered EPP solutions according to vendor survey data
• 57% of organizations have EDR capabilities deployed, a 15% increase since 2022
• 17% of organizations subscribe to vendor-managed MDR service wrappers
• Market focus is shifting from point products to comprehensive workspace security solutions
• Vendor consolidation efforts are placing increased emphasis on integrated security platforms
• Ransomware remains the most significant threat to all organizations
• Remote working has accelerated adoption of cloud-delivered offerings
• Key market trends include cybersecurity platform consolidation, vendor-managed service wrappers, ransomware defense, and remote working/cloud adoption
• Identity threat detection and response (ITDR) and email security integrations are increasingly critical
• Security configuration management capabilities are becoming important for proactive risk reduction

What product features are required to be included in this year's evaluation?

• Prevention of, and protection against, security threats, including malware that uses file-based and fileless attack techniques
• The ability to detect and prevent threats using behavioral analysis of device activity, application, identity and user telemetry
• Facilities to detect and investigate incidents and to obtain guidance for remediation when threats evade prevention controls
• Management and reporting of operating system security controls, such as host firewall and device control
• Integrated endpoint detection and response (EDR) functionality

What are the common features of top products in the Endpoint Protection Platforms space?

• Risk reports based on inventory, configuration and policy management of endpoint devices
• Facilities to assess endpoints for vulnerabilities and report on or manage the installation of patches or mitigating security controls
• Natively integrated extended detection and response (XDR) functionality with add-on modules such as identity protection, email security, server and workload protection
• Vendor-managed service wrappers, such as threat hunting, managed detection and response (MDR) and digital forensics and incident response (DFIR) retainer
• Extended support for end-of-life or uncommon operating systems

Scope Exclusions

• A vendor would be excluded if it did not provide EPP software and licensing independently of other products or services in its portfolio
• A vendor would be excluded if more than 60% of its detection content did not come from the vendor's own threat intelligence team and if the protection techniques are not designed, owned, and maintained by the vendor itself
• A vendor would be excluded if it had not participated in at least two enterprise-focused, well-known public tests for accuracy and effectiveness within the 12 months before 1 March 2023
• A vendor had to have more than 7.5 million endpoints protected and actively under management using its EPP as of 15 June 2023. Of these, more than 500,000 must have been active production installations with accounts larger than 500 seats
• Due to a pause in coverage of all Russian vendors by Gartner, there may be Russian vendors that meet the inclusion criteria described but were not evaluated

Inclusion Criteria

Vendors must, among other requirements:

• The solution implements agent-based protection using multiple security techniques, such as static and behavioral analysis and attack surface reduction
• The solution implements all its prevention, detection, and response functionality using a single agent installed on the endpoint
• The solution can automatically invoke a native malware response action, such as deleting or quarantining files, blocking or killing processes, and isolating compromised endpoints
• The solution provides a severity rating, a process tree, and a mapping of events and alerts to MITRE ATT&CK tactics, techniques and procedures to aid root cause analysis and remediation
• The solution provides support for new versions of major operating systems, including Windows, macOS and Linux, within 90 days of the OS release
• The solution provides a cloud-based, SaaS-style, multitenant security analytics and management infrastructure that is required to be maintained by the EPP vendor
• The solution stores endpoint telemetry and detection events in its management infrastructure for at least 30 days, with the ability to extend or forward to other long-term storage
• The solution natively integrates with vendor-owned or third-party security controls, such as identity protection, email security, security service edge and workload protection

Ability to Execute — Relative Weighting

• Product or Service - High
• Overall Viability - Medium
• Sales Execution/Pricing - Medium
• Market Responsiveness/Record - High
• Marketing Execution - Low
• Customer Experience - High
• Operations - Medium

Completeness of Vision — Relative Weighting

• Market Understanding - High
• Marketing Strategy - Medium
• Sales Strategy - Low
• Offering (Product) Strategy - High
• Business Model - NotRated
• Vertical/Industry Strategy - Low
• Innovation - Medium
• Geographic Strategy - Low

Reference

• Gartner, Magic Quadrant for Endpoint Protection Platforms, 31 December 2023, ID G00789052

View Leaders
View Vendor Movements