
Forrester XDR Research Signals Shift Toward Cloud, Identity and AI Defense

Forrester's latest extended detection and response platform evaluation shows Microsoft and CrowdStrike in the Leaders category, but the larger takeaway for cloud-focused security teams is how much the XDR market itself has changed.

The 2026 report is Forrester's third XDR Wave, following versions in 2021 and 2024. In a companion blog post, Forrester Principal Analyst Allie Mellen said this year's Wave "differs significantly from the past," citing a smaller vendor field, new detection-surface criteria, more emphasis on threat intelligence, greater attention to SIEM replacement, and separate criteria for AI agents and agentic systems.

"These changes also enabled us to get a better sense of where the bleeding-edge innovations were taking place in the market," she said. "XDR vendors are definitively building detection and response platforms to cover more domains with more specificity in detection capabilities than has been done before, certainly at a single vendor."

The cloud is central to that shift. Forrester said the 2026 XDR Wave added evaluation criteria including "detection surface: identity" and "detection surface: cloud," and Mellen explained why those two additions matter.

"The addition of the new detection surfaces, and the specificity of them, is crucial, as Forrester sees identity and cloud as two of the most important domains where detection can identify attacks that would otherwise be missed or downgraded in importance," Mellen said.

That is a notable framing for XDR buyers and cloud security teams because it places cloud workloads and identity systems alongside the endpoint as first-class detection surfaces. XDR started as an extension of endpoint detection and response, but Forrester's 2026 discussion describes a broader platform market in which detection and response are expected to span more domains with more specificity.

A Smaller Vendor Field
Forrester said only seven vendors were invited to participate in this year's Wave: Bitdefender, CrowdStrike, Elastic, Microsoft, Palo Alto Networks, SentinelOne and TrendAI. The firm said the smaller list was intended to prioritize vendors with "the most significant traction and differentiation" in the evaluation, compared with 11 vendors in the previous Wave and 14 in the one before that.

[Figure] The Forrester Wave: Extended Detection And Response Platforms, Q2 2026 (source: Forrester).

Forrester also said the smaller field helped it get "a better sense for true differentiation in the market." In the context of cloud security, that differentiation appears tied not only to whether a vendor collects telemetry from cloud services, but whether it treats cloud activity, identity activity, threat intelligence and response workflows as part of one operational platform.

The firm pointed to Palo Alto Networks as an example of the shift, saying the company has consolidated its Prisma Cloud capability into its Cortex platform. The same Forrester post also cited Microsoft as an example in the SIEM context, saying Microsoft has merged Defender XDR and Sentinel into one unified analyst experience.

That Microsoft integration has been covered previously by Virtualization & Cloud Review contributor Paul Schnackenburg. In The Evolution of a SIEM, Schnackenburg described Microsoft Sentinel as a cloud-based SIEM and discussed its unification with Defender XDR, the Sentinel Data Lake, graph capabilities, Copilot for Security and AI agents. In a separate article, Fine-Tune Defender XDR for Cost and Coverage, he examined Microsoft Defender XDR and Sentinel SOC optimization from the perspective of security coverage, log collection and cost control.

Cloud and Identity Move to the Center
Forrester's explicit callout of cloud and identity detection surfaces reinforces the firm's view that the XDR market is changing. The firm said those domains can surface attacks that would otherwise be missed or treated as less important, which is directly relevant to organizations managing SaaS apps, cloud workloads, hybrid identity, cloud-native infrastructure and distributed endpoints.

Schnackenburg has written about that same operational pressure in cloud-era security coverage. In The SaaS Cybersecurity Kill Chain, he examined how attacks are evolving in SaaS environments, including the role of identity, cloud app integrations, single sign-on and OAuth. That topic aligns with Forrester's statement that cloud and identity are among the most important XDR detection domains in the 2026 evaluation.

Forrester also said threat intelligence is now a new evaluation criterion and that XDR vendors are prioritizing timely, accurate and native threat intelligence "more than ever." The firm described threat intelligence as a core detection and response feature, saying the quality and accessibility of threat intelligence can affect whether a team sees or misses an attack.

SIEM Replacement Becomes Real
Another major change is the role of XDR platforms in SIEM replacement. Forrester said SIEM replacement was an experimental capability for XDR vendors in previous years, but "this year, it's a reality." The Microsoft example is the combined Defender XDR and Sentinel analyst experience.

That matters for cloud teams because SIEM architecture has long been tied to cloud log volume, storage tiers, retention, data lake design and analytics cost. In his Sentinel article, Schnackenburg described how cloud service change cycles, Azure Log Analytics, Azure Logic Apps, the Sentinel Data Lake and Kusto Query Language fit into the evolution of Microsoft's cloud-based SIEM approach.

Forrester's 2026 framing suggests that XDR and SIEM are converging in platform architecture, especially where vendors can combine endpoint, identity, cloud, SaaS, threat intelligence and investigation workflows into a single analyst environment. The report does not say every XDR buyer should replace its SIEM, and Forrester's public blog does not document a universal recommendation to do so.

AI Agents Get Separate Criteria
Forrester also separated AI agents and agentic systems from broader AI and machine learning criteria. The firm said AI value in security operations is "picking up speed through AI agents," particularly for SOC triage and investigation. It added that the most important differentiation among those capabilities comes from how vendors test and validate them.

That distinction is important because XDR vendors are not being evaluated only on whether they claim to use AI. Forrester's public commentary emphasizes testing, validation and analyst workflows. In Microsoft-focused coverage, Schnackenburg has also examined Microsoft Security Copilot and agents, including their role across Microsoft's security tools.

Microsoft and CrowdStrike each used their own posts to highlight Forrester's assessment. Microsoft said in its June 17 blog post that "Microsoft ranked the highest of any vendor evaluated in the Strategy category and is the only vendor to receive the highest score in Vision." CrowdStrike said in its posted release that "CrowdStrike ranked highest of any vendor evaluated in the Current Offering category and received the highest possible scores across the Strategy criteria of Innovation and Community."

The Wave therefore supports a two-part story: Microsoft and CrowdStrike are prominent Leaders in the 2026 XDR evaluation, while Forrester's own commentary indicates that XDR is being reshaped around broader platformization. The most cloud-relevant parts of that reshaping are explicit cloud detection criteria, identity detection criteria, SIEM replacement, native threat intelligence and the move from general AI claims to separately evaluated AI agents and agentic systems.

For readers responsible for cloud infrastructure, SaaS security, identity systems or hybrid SOC operations, the key point is not simply which vendors appeared in which quadrant. It is that Forrester's 2026 XDR discussion treats cloud and identity as core detection surfaces, and treats SIEM replacement and AI-assisted SOC work as part of the same platform conversation.

About the Author

David Ramel is an editor and writer at Converge 360.
