Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms Wave™ report

Cloud Reporter
4 min read

Microsoft ranked highest in Strategy and received the top score in Vision, earning the designation across seven current offering criteria including identity detection, cloud detection, SIEM replacement, and threat intelligence.

Forrester named Microsoft a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026. Microsoft ranked highest of any vendor in the Strategy category and earned the highest score in Vision — the only vendor to do so.

The report evaluated XDR platforms across current offering and strategy criteria. Microsoft received the highest possible scores in seven current offering categories: identity detection, cloud detection, SIEM replacement, threat intelligence, threat hunting, administrative controls, and training.

Microsoft's position as a Leader in the Forrester Wave

"Microsoft articulates a compelling vision to build a Frontier approach to security, bringing people and AI together while the platform continuously shields against and disrupts attacks," Forrester wrote in the report.

A new frontier for XDR

The XDR market is shifting. Attackers use AI to scale and accelerate campaigns. Defenders need more than correlated signals. They need a system that connects data, people, and workflows so security operates at the same speed and coordination as adversaries.

Microsoft's XDR foundation links signals across identities, endpoints, email, SaaS apps, and cloud workloads into a shared context layer. Protection and operations run on that same foundation. Microsoft Defender's native capabilities continuously shield against attacks with built-in, system-level defenses. Embedded agents triage alerts, hunt for threats, and deliver intelligence in the analyst workflow.

The result moves security from fragmented response to coordinated, system-level defense. Decisions, actions, and protection move together by default.

Attack disruption

Attack disruption is one of the clearest expressions of that vision. It uses cross-domain signals and AI to stop multi-stage cyberattacks — like ransomware and adversary-in-the-middle campaigns — while they are active and unfolding.

Forrester noted attack disruption in the report: "As well as its roadmap, it (Microsoft) has built unique features, like automatic attack disruption, to help deliver on its vision."

Adaptive defense now expands autonomous protection to predict and shield against a threat actor's next move during active attacks. It acts just in time to defend against common attacker tactics — group policy objects, Safeboot, identity compromise — with new controls that include device isolation.

Threat intelligence at the core

Threat intelligence is a new evaluation criterion in this Wave. Microsoft earned the highest possible score.

Microsoft Threat Intelligence analyzes 100 trillion signals each day. That intelligence feeds directly into the analyst experience: threat actor motivations and tactics appear inside incidents, alongside affected assets, and tied to response actions. The intelligence is built into detections, attack disruption, hunting, and AI that helps analysts interpret what they see.

Microsoft's global security research teams track nation-state actors, ransomware groups, and emerging threats. Frontline insight reaches defenders through the platform.

Native protection across cloud, identity, and SIEM

Microsoft delivers differentiated protection across cloud and identity by natively harnessing signals from Azure and Microsoft 365 coverage. Combined with Microsoft Sentinel's SIEM and threat hunting capabilities, the foundation enables disruption of attacks directly within the SOC for critical data sources including Amazon Web Services, Okta, and Proofpoint. The SIEM becomes a threat protection solution.

Microsoft received the highest possible scores in both identity detection and cloud detection.

Security Copilot agents in Defender

Security Copilot agents in Defender help SOC teams investigate faster, automate response, and prioritize high-risk threats. Microsoft recently extended the Security Copilot alert triage agent to cloud and identity, bringing assistive and autonomous AI to two of the most critical attack surfaces security teams defend.

The agent helps analysts triage alerts faster, surface high-value context, and move more quickly from signal to action.

Securing local AI agents

At Microsoft Build 2026, Microsoft announced endpoint security for local AI agents. Defender helps security teams gain visibility into AI agents running on devices, assess exposure across identities and resources, block malicious activity in real time, and investigate agent activity through Advanced Hunting.

What this means for customers

The Forrester recognition reinforces Microsoft's commitment to helping defenders stay ahead of modern cyberattacks. The strength of the vision, breadth of protection across identities, endpoints, email, cloud, and applications, and continued investment in bringing people and AI together in the SOC drove the ranking.

As the threat landscape evolves, Microsoft remains focused on helping customers investigate faster, respond more effectively, and strengthen their security operations with an integrated platform built for today's attacks.

Access the full Forrester Wave™ report to read the full analysis behind Microsoft's positioning as a Leader.

Learn more about Microsoft Defender.

Try Microsoft Defender today with a free trial.
