A few years ago, XDR was everywhere.

At RSAC, it was one of the dominant narratives. Vendors were building around it, analysts were debating it, and companies were raising large rounds on the back of the idea. The promise made sense on the surface. If you could pull together data from across the environment, not just the endpoint, you should be able to detect and respond to threats faster and more effectively.

It was a logical evolution.

But the market never fully settled on what XDR actually was.

Different vendors meant different things. For some, it was an extension of EDR. For others, it was closer to a lightweight SIEM. Some positioned it as a platform that could replace existing tools, while others framed it as something that sat alongside what customers already had.

The analysts did not help resolve the ambiguity. Gartner never introduced a dedicated Magic Quadrant for XDR, and their coverage often overlapped with EPP and EDR. Forrester had a different take, which added to the confusion rather than clarifying it.

So buyers were left asking basic questions.

Does this replace my SIEM? If not, what does it actually do differently? Does it replace EDR? If not, why do I need it?

Those questions did not always have clear answers.

For a period of time, that did not seem to matter. The category had momentum. There was enough interest, enough capital, and enough belief that something important was happening.

But over time, the lack of clarity caught up with the market.

Some companies were able to carve out specific use cases and build around them. They got more precise about what they did and where they fit, and they are still growing.

Most did not.

They stayed broad. They tried to cover too much ground. They positioned themselves as part replacement, part addition, and part platform. And as a result, they ended up in a kind of no man's land. Not clearly replacing anything, and not clearly essential on their own.

That is where XDR largely sits today.

Which makes it worth asking what the next wave of security companies should take from it, especially as "AI security" starts to follow a similar path.

There are a few lessons that stand out.

1. Be clear about what you actually do

Clarity sounds simple, but it is where most categories start to break down.

If buyers cannot quickly understand what your product does, where it fits, and why it matters, everything else becomes harder. Sales cycles slow down, comparisons become messy, and your story starts to drift depending on who is telling it.

XDR struggled here because it tried to mean too many things at once. The companies that have done better are the ones that narrowed their focus and made their role in the stack explicit.

The same will be true for AI security.

2. Make the value critical, not optional

A lot of XDR positioning lived in the space of "better visibility" or "more efficient operations." Those are valuable, but they are often not urgent enough to force a decision.

If your product does not tie directly to something the buyer has to solve, it becomes a nice-to-have. And nice-to-haves are easy to push out or deprioritize.

The companies that broke through made their value more concrete. They tied their work to specific problems that security teams were already trying to solve.

AI security companies will need to do the same. The value has to connect to something that is already on the roadmap, not something buyers might get to later.

3. Be willing to take a position

One of the more subtle issues with XDR was how often companies tried to straddle the fence.

They would suggest they could replace parts of the stack, but stop short of saying it directly. Or they would position themselves as complementary, even when they were clearly overlapping with existing tools.

That kind of ambiguity makes it harder for buyers to decide. If you are not clear about what you are replacing or how you are changing the environment, the burden shifts to the customer to figure it out.

At some point, you have to be willing to take a position and stand behind it.

If you believe you can replace something, say it clearly. If you do not, be equally clear about where you fit and why that matters.

4. Build for how the market actually buys

A lot of XDR innovation was driven by what vendors believed would be valuable, not always by how buyers were actually evaluating and purchasing tools.

That gap shows up in subtle ways. Features that sound compelling but do not map cleanly to real workflows. Capabilities that require changes in process that customers are not ready to make. Positioning that assumes a level of maturity that is not there yet.

The companies that have sustained growth are the ones that stayed close to how customers actually operate. They built around real use cases, real constraints, and real buying motions.

That is not a product problem. It is a positioning and product marketing problem.

XDR did not fail because the idea was wrong.

The idea made sense. In many ways, it still does.

What broke down was how the category was defined, communicated, and brought to market.

As AI security continues to evolve, it is worth paying attention to this history. The same patterns are already starting to show up.

Categories do not just succeed or fail based on technology.

They succeed or fail based on whether the market can understand, evaluate, and adopt them.

That part does not happen on its own.

Originally published on LinkedIn.