
Introducing Datatrek Managed XEDR

by Nikos Fronimakis, 2-minute read

For the past two years we've watched a specific shape of breach repeat itself across SMEs. It usually starts the same way: a finance user opens a macro-laden invoice, the EDR flags it, and the user is able to click "allow" because the one overworked IT person has not had time to lock that prompt down. By the time anyone notices, the attacker has run a credential-dump tool that the primary EDR happens not to flag.

In our experience the recovery bill runs to roughly ten times what prevention would have cost. So we built Managed XEDR, and shipped it as our flagship endpoint product this month.

The premise

Single-vendor EDR is a single point of failure. Every product has known bypass techniques, and any engineer who has worked in offensive security can name the ones for the major vendors off the top of their head. The fix isn't a better EDR: it's two EDRs from two different vendors, watched by two independent teams, on the high-value endpoints where a breach actually hurts.

We deploy:

  • One commercial-grade EDR from a tier-1 vendor — same one most enterprises run
  • One independently-operated EDR from a separate tier-1 vendor — different detection model, different heuristics
  • A managed AV layer (Windows Defender on Windows), kept hot and kept tuned. Note that Defender AV switches itself into passive mode as soon as another antivirus registers with Windows Security Center, so "hot" is something that has to be verified on each host rather than assumed.

If the attacker disables the first stack, the second one isolates the host. If the attacker is good enough to defeat both, the SIEM still sees the deviation (two independent agents going quiet on the same host at the same time is itself a high-confidence signal) and an engineer picks up the phone. Running two kernel-level agents side by side also means tuning exclusions in both directions, so that neither one quarantines the other's binaries or hooks.
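The third layer above, the SIEM noticing that a host has gone quiet, is the part that is easiest to hand-wave. The following is an added example (ours, not part of the original post and not Datatrek's production rule set) of that correlation logic in Python over a constructed heartbeat feed from two agents. The agent names edr_a and edr_b, the JSON field layout, the ten-minute tolerance and the sample events are all assumptions.

```python
# Added example: SIEM-side correlation of heartbeats from two independent EDR agents.
# Everything here is constructed for illustration: the agent names (edr_a, edr_b),
# the JSON field layout and the timing thresholds are assumptions, not any vendor's
# real telemetry format and not Datatrek's production rules.
import json
from datetime import datetime, timedelta, timezone

EXPECTED_AGENTS = ("edr_a", "edr_b")   # assumed names for the two vendor agents
MAX_SILENCE = timedelta(minutes=10)    # assumed heartbeat tolerance before a gap counts
NOW = datetime(2024, 5, 1, 10, 20, tzinfo=timezone.utc)  # evaluation time for the sample

# Constructed sample feed, one JSON object per line, as a SIEM would ingest it.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T10:00:00Z", "host": "DC01",  "agent": "edr_a", "event": "heartbeat"}
{"ts": "2024-05-01T10:00:00Z", "host": "DC01",  "agent": "edr_b", "event": "heartbeat"}
{"ts": "2024-05-01T10:05:00Z", "host": "DC01",  "agent": "edr_a", "event": "heartbeat"}
{"ts": "2024-05-01T10:05:00Z", "host": "DC01",  "agent": "edr_b", "event": "heartbeat"}
{"ts": "2024-05-01T10:00:00Z", "host": "DB01",  "agent": "edr_a", "event": "heartbeat"}
{"ts": "2024-05-01T10:00:00Z", "host": "DB01",  "agent": "edr_b", "event": "heartbeat"}
{"ts": "2024-05-01T10:03:00Z", "host": "DB01",  "agent": "edr_b", "event": "tamper", "detail": "service edr_a stopped by non-installer process"}
{"ts": "2024-05-01T10:18:00Z", "host": "DB01",  "agent": "edr_b", "event": "heartbeat"}
{"ts": "2024-05-01T10:18:00Z", "host": "APP01", "agent": "edr_a", "event": "heartbeat"}
{"ts": "2024-05-01T10:18:00Z", "host": "APP01", "agent": "edr_b", "event": "heartbeat"}
{"ts": "2024-05-01T10:18:00Z", "host": "BKP01", "agent": "edr_a", "event": "heartbeat"}
{"ts": "2024-05-01T10:02:00Z", "host": "BKP01", "agent": "edr_b", "event": "heartbeat"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def last_heartbeats(events):
    """Most recent heartbeat timestamp per (host, agent)."""
    seen = {}
    for ev in events:
        if ev["event"] != "heartbeat":
            continue
        key = (ev["host"], ev["agent"])
        if key not in seen or ev["ts"] > seen[key]:
            seen[key] = ev["ts"]
    return seen


def tamper_reports(events):
    """Tamper events per host: which agent reported and what it said."""
    reports = {}
    for ev in events:
        if ev["event"] == "tamper":
            reports.setdefault(ev["host"], []).append((ev["agent"], ev.get("detail", "")))
    return reports


def assess(events, now=NOW, agents=EXPECTED_AGENTS, max_silence=MAX_SILENCE):
    """Return {host: (severity, reason)} for hosts whose agent coverage has degraded.

    Both agents silent is the 'defeated both stacks' case and is critical regardless
    of anything else seen. One agent silent while the other reported tampering is
    high. One agent silent with no tamper report is low: usually an upgrade or a
    reboot, but a human still confirms that rather than the rule assuming it.
    """
    hb = last_heartbeats(events)
    tampers = tamper_reports(events)
    findings = {}
    for host in sorted({ev["host"] for ev in events}):
        silent = [a for a in agents
                  if (host, a) not in hb or now - hb[(host, a)] > max_silence]
        if not silent:
            continue
        if len(silent) == len(agents):
            findings[host] = ("critical", "all agents silent: " + ", ".join(silent))
        elif host in tampers:
            who, detail = tampers[host][-1]
            findings[host] = ("high",
                              f"{', '.join(silent)} silent after {who} reported tamper: {detail}")
        else:
            findings[host] = ("low", f"{', '.join(silent)} silent, no tamper report")
    return findings


if __name__ == "__main__":
    for host, (sev, reason) in assess(parse_events(SAMPLE_EVENTS)).items():
        print(f"{sev:8} {host:6} {reason}")
```

On the sample feed DC01 comes out critical (both agents stopped reporting fifteen minutes ago), DB01 high (edr_b saw the edr_a service being stopped and edr_a has been quiet since), BKP01 low (one agent late, nothing else) and APP01 is not reported at all. The point of the severity split is that the second agent's tamper report turns an ambiguous "one agent late" into a clear signal, which is exactly what the second stack is there to provide.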

What "managed" actually means

Security Engineering is Software Engineering. The engineers who write detections and the analysts who triage alerts are the same team.

This is the rule we hire on. There is no offshore tier-1 in the Datatrek SOC. Every alert is reviewed by someone who could have written the detection that produced it. That sounds expensive — it is — but it's the only way to keep false-positive rates under 1% on serious alert volumes.

Where it fits

XEDR is strategic. The right fit is:

  • Domain controllers
  • Database servers (especially the ones running ERP)
  • Production application hosts
  • Backup servers (not the data — the orchestration host)
  • Hypervisors (the management plane, not every guest)

For workstations, a single well-tuned EDR is fine. For the systems that turn a breach into a crisis, dual-EDR is now table stakes.

Pricing

Per-agent, monthly, no minimum. We'd rather earn the renewal than win a procurement battle.

Request a demo of Datatrek XEDR