Analyzing Cisco’s Place in the Forrester XDR Wave

Enterprise IT managers should use things like Waves and Magic Quadrants as a guide, but it’s always wise to do your own proofs of concept, as every environment is different.


Recently, research firm Forrester released its XDR Wave, which ranks most of the major security vendors based on their capabilities in this market. While I generally agree with the placement of most of the vendors in the Wave, I did think Cisco looked grossly out of place. This is why I’ve decided to challenge this placement, based on my experience working closely with Cisco, its customers, and partners on XDR deployments, and my belief that the solution is well aligned with what customers are looking for.

I’ve looked at the Wave and analyzed where Cisco scored poorly, and I would like to offer my analysis. Below are the top five key points on which, in my opinion, Forrester did not accurately score Cisco.

Additional detection surfaces – Cisco Score: 1

Part of the issue here is the definition of XDR. I was the first analyst to use the term in 2018, long before the Wave existed. In my post, I wrote that the “X” in XDR means “everything,” where telemetry should be gathered from as many sources as possible, with cloud, endpoint, and network being the core data sources. Since then, other firms have embraced the term “X,” meaning eXtended from the endpoint.

When one looks at the Wave, many endpoint vendors, including Microsoft, CrowdStrike, and Trend Micro, are near the top right. Vendors I consider to be more network-centric, such as Cisco and Fortinet, scored lower. I also think Fortinet should be higher in the Wave, but I'll leave that for another post.

Of all the XDR vendors, Cisco has one of the richest data sets from products such as Cisco NVM, ISE, Umbrella, Talos, and its firewall and network devices. Additionally, it gathers data natively from Secure Endpoint, as well as from several third parties such as AWS, Azure, and GCP.

Giving Cisco a “1” in this category defies the simple eyeball test of where the company has products feeding telemetry to XDR.

Innovation – Cisco Score: 1

This score is calculated based on the company's investment in R&D at a company level. Cisco is a massive company with R&D spend across its portfolio, including networking, security, collaboration, and other areas. Forrester likes to see an R&D spend of 20% of company revenue to award a 5, and Cisco spends about 13%. However, this number is misleading. For a company of Cisco’s size, 13% of its revenue is more than most of its competitors combined.

Also, in my discussion with Cisco leadership, they indicated that the level of R&D across Cisco is not uniform. More mature areas require less spending, while emerging technologies, such as security, are well above the 20% threshold. Scoring a broad, diverse company like Cisco on the same scale as a small startup is misleading and frankly irresponsible.

Community – Cisco Score: 1

The scoring criterion for “community” is holding a security-specific conference. This is another case where the diversity of Cisco’s portfolio is not considered. The company’s user event, Cisco Live, is one of the largest technology shows held in many regions. As long as I have been attending Cisco Live, which has been going on for over two decades, security has been a significant part of the event.

Specifically, regarding XDR, I looked back at the agenda for Cisco Live 2024 EMEA, and there were dozens of security sessions, many of which were dedicated to XDR. The company also holds threat-hunting workshops for its customers, as do many of its global partners.

Cisco was also a key sponsor at the RSA Conference, held a keynote and many educational sessions, and had a massive overall presence. When one looks at the size of Cisco’s customer base, partner community, certified engineers, sponsorships, and other related factors, it’s quantifiably one of the largest security communities.

Product Security – Cisco Score: 3

I found the quantification of this a bit confusing. Forrester states, “5 = The vendor provides transparency on how it secures its offering.” From my experience, which dates to being a Cisco Security customer, the company has a well-established process around security trust and policies. I've talked with Cisco leadership, and the company as a whole takes vulnerability scanning, pen-testing, and red-teaming very seriously while pushing this mentality down to its channel partners to ensure its entire ecosystem is transparent.

Forrester may not find what Cisco does enough, and that’s its opinion, but Cisco Security scored a 5 in the network analysis and visibility (NAV) wave. The process and criteria are the same for both, as should be the score.

Training – Cisco Score: 1

From the Wave's scoring criteria, a score of 5 is achieved when "the vendor offers free, comprehensive online training on the product and offers live online training for a fee. In-person training is available for a fee in multiple languages." As one of the more active Cisco industry watchers, I’m updated on their training activity from customers, partners, and the company. I know Cisco has a wealth of free information in the area of XDR.

For example, Cisco XDR customers receive proactive onboarding and configuration guidance from a Customer Success representative. The company also offers in-product help and product documentation to help users understand the tool, as well as in-product video training and step-by-step instructions.

Cisco also holds a wide range of expert and educational webinars, during which customers can interact with Cisco to resolve issues, understand best practices, and develop strategies for threat detection and response. The company also has its Learning Center, which contains walkthroughs, demos, on-demand labs, and threat-hunting workshops.

One of Cisco’s historical differentiators, for the past 30 years, has been the amount of free training it offers across its product line. A score of 1 here indicates Forrester isn’t aware of Cisco's range of training offerings.

Summary

Generally, I’m not one to criticize another analyst firm's analysis as much of it is opinion. However, tools like Waves and Magic Quadrants are valuable as they are formulaic and provide a quantifiable “score.” In this case, Forrester’s placement of Cisco seems way off base from my knowledge. As I mentioned, Forrester’s definition may differ from mine, where they view XDR as the evolution of EDR. I look at it more holistically, but that doesn’t explain some of the other inconsistencies.

My advice to customers is always to use these as a guide, but it’s always wise to do your own proofs of concept, as every environment is different.

Zeus Kerravala is the founder and principal analyst with ZK Research.


About the Author

Zeus Kerravala, Founder and Principal Analyst with ZK Research

Zeus Kerravala is the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions. Kerravala is considered one of the top 10 IT analysts in the world by Apollo Research, which evaluated 3,960 technology analysts and their individual press coverage metrics.
