The EDR/XDR market is worth north of $15B and growing. It is the default answer to “what security tools do you have?” at board level, and the largest line item in most security budgets. The implicit assumption underneath that spend: the endpoint is where you defend.
That assumption is worth examining.
How breaches actually happen
Most breaches do not start on the endpoint. They start with a credential.
Phishing, password spray, credential stuffing: the attacker’s first move is almost always acquiring legitimate access, not exploiting a machine. This is not an accident. Developing custom malware is expensive. Weaponizing a zero-day requires finding one first. Chaining multiple exploits requires conditions to align that may never align. Buying a set of valid credentials from an initial access broker costs less than a dinner out.
Attackers follow economics. When stolen credentials get you to the same place as a sophisticated exploit chain, at a fraction of the cost and with far less operational risk, you use the credentials. The result: most intrusions look, at the network level, like legitimate activity. Someone is logged in with a real account, running real tools, doing things that are hard to distinguish from normal work.
From there: lateral movement using those credentials, living off the land with tools that are already present, escalating privileges through misconfigurations or over-provisioned accounts. Data exfiltration or ransomware deployment comes last.
Endpoint detection sits at the far end of this chain. By the time an EDR fires an alert, the attacker has credentials, has moved laterally, and has reached the target. The endpoint saw the last step. Everything that made that last step possible happened upstream, where the endpoint was not watching.
CrowdStrike
July 2024. A faulty content update pushed to CrowdStrike’s Falcon sensor took down 8.5 million Windows machines in hours. No attacker was involved. Airlines grounded flights. Hospitals diverted patients. Banks went offline. The most disruptive IT outage in recent memory was caused not by a breach, but by the security tool itself.
The irony is instructive. When you mandate a single vendor’s agent on every machine in your estate, you have created a dependency with the same blast radius as a critical infrastructure attack, and handed the trigger to a software update process outside your control. The concentration risk that endpoint-first programs build in is significant, and almost never discussed when the EDR contract is being signed.
This is not an argument against CrowdStrike specifically. It is an argument about what happens when endpoint security becomes the load-bearing element of your program. Kelly Shortridge has made the point well, if not in exactly these words: you are basing your security strategy on preventing people from clicking things on the thing-clicking machine. The endpoint is designed to run software, open files, and follow links. Treating it as your primary line of defense means your program’s success depends on winning a fight you structurally cannot win.
Where upstream controls intercept
If the attack chain starts with a credential, the place to break it is the credential. Phishing-resistant MFA (hardware tokens, passkeys) stops credential theft from translating into access. Privileged access management limits what any given credential can reach, so a compromised account is not a key to everything. Identity is where most breaches could have been stopped, before there was anything on an endpoint to detect.
Zero-trust network architecture limits what happens after initial access. If every resource requires authentication and every connection is evaluated against policy, lateral movement becomes structurally difficult. A compromised endpoint cannot reach production databases because it was never permitted to, not because an agent noticed something suspicious and fired an alert in time.
Supply chain controls intervene earlier still. Dependency scanning, software composition analysis, verified registries: these prevent the malicious package from entering the build pipeline in the first place. The threat never reaches the endpoint because the build process rejected it.
The pattern across all three: they intercept upstream of the endpoint. By the time an EDR would fire, these controls have already broken the chain. The attacker needed a credential they could not get, reached a resource they were not permitted to touch, or introduced a dependency the pipeline rejected. The endpoint saw nothing because there was nothing to see.
The last line
None of this is an argument for removing endpoint detection. Knowing something is happening on a machine is useful. When upstream controls fail, and some will, visibility at the endpoint is how you find out. An EDR that catches ransomware deploying is better than no EDR. That is not in question.
The question is what role endpoint security plays in the program and what it costs relative to that role. As a last line of defense, it earns its place. As the primary investment, the thing the program is built around, it is defending the wrong position. You are spending the most on the control that fires latest, catches the least preventable threats, and, as July 2024 demonstrated, can itself become the incident.
The budget conversation should follow the logic of where controls intercept. Identity stops the attacker before they have access. Zero-trust limits what they can do with it. Supply chain prevents compromised software from running. Endpoint detection sees what made it through all of that. Sequentially, it is the last resort. In most security budgets, it is the first line item.