March 25, 2026

Forrester Killed Endpoint Security. What’s Next for the Remediation Gap?

Marina Segal

CEO, Tamnoon

Forrester just killed endpoint security. Not the practice, but the entire category.

After a decade of xWaves, evaluations, and vendor rankings, they retired the whole thing. EPP and EDR don’t exist as separate products anymore, at least not in any way that’s useful to evaluate. XDR absorbed them, and the market moved on.

It’s a bold call, but it’s the right one.

What’s more interesting is what the announcement reveals about the direction the entire industry is heading. Detection is consolidating, SOC tools are pushing into cloud workloads, and CNAPPs are expanding into runtime and CDR.

The walls between endpoint, cloud, and SOC security are coming down fast, and platformization is the natural response. The industry is racing towards one platform and pane of glass where you can see everything that’s broken in one place.

That sounds like progress. And it is.

But there’s a problem nobody is talking about loudly enough: a more unified view of everything that’s broken is only useful if you can actually fix it. And right now, most organizations can’t, not fast enough, not at scale, and not without burning out the people responsible for doing it.

Detection is better than ever, but safe remediation hasn’t kept up.

See what Forrester’s announcement means for the future of cloud security and how closing the remediation loop is reshaping the next wave of platforms.

What Forrester Actually Said

In early February 2026, Forrester retired The Forrester Wave™: Endpoint Security, a category they’d evaluated for over a decade.

The reasoning was straightforward: EPP and EDR are no longer separate products. Vendors merged them years ago, customers stopped buying them separately, and evaluating them side-by-side no longer reflected how the market actually works.

XDR is the result, a broader platform that absorbs endpoint protection, detection, and response under one roof.

As cybersecurity analyst Andrew Green explained in his LinkedIn post on the announcement, the shift goes beyond just relabeling. Runtime security is the more accurate mental model now. Instead of thinking “endpoints,” think in layers:

  • Application logic: Is your code doing what it should?
  • Process execution: Are running processes behaving as expected?
  • Infrastructure and environment: Is the environment hosting your workloads secure?

Different vendors own different layers. The point is that the threat landscape doesn’t respect the old boundaries, and neither should your security stack.

This isn’t a surprise to most practitioners. The category was already dead in practice. Forrester just made it official.

But here’s where it gets interesting. This isn’t just an endpoint story.

The Convergence Trend Is Bigger Than Endpoints

The retirement of endpoint security as a category reflects a broader shift in how security platforms are evolving.

Detection is consolidating across the board:

  • SOC tools are pushing into cloud workloads
  • CNAPPs are expanding into runtime protection and cloud detection and response

The boundaries between endpoint, cloud, and SOC security, boundaries that were always somewhat artificial, are collapsing fast because detection tools are creating more work, not fewer problems.

Platformization is the natural response. Why manage separate toolchains for detection across application logic, process execution, and infrastructure when threats don’t respect those boundaries anyway?

The result is something the industry has been chasing for years:

  • Unified visibility: Across runtime, posture, and identity
  • One platform: Surfacing findings from across your entire environment
  • A single pane of glass: Showing everything that’s broken in one place

For CISOs and security leaders, this is a real step forward. Consolidation reduces tool sprawl, simplifies reporting, and makes it easier to understand your overall risk posture.

But unified detection creates a new problem, one that’s easy to miss when you’re focused on the consolidation story.

More sources feeding into one platform doesn’t mean fewer findings. It means more findings, from more places, landing in one place. And someone still has to act on every single one of them.

That’s where the conversation usually stops, but it shouldn’t.

The Problem Nobody Is Talking About

Here’s the part that gets lost in the platformization conversation. Who’s going to investigate, prioritize, and remediate these unified findings?

A unified view of everything that’s broken is only useful if you can fix it. And right now, most organizations can’t.

The industry made a significant leap. It went from: “Detect and report from multiple places” → “Detect and report from one place.”

But that’s not the same as “Detect and resolve.”

Alert backlogs grew as detection capabilities consolidated. Better visibility into more of your environment means more findings surfaced, more misconfigurations flagged, more vulnerabilities prioritized, and the same understaffed team expected to close the loop on all of it.

This is what we call the remediation gap. Platformization is exposing the gap more clearly across the stack.

Think about what’s actually happening inside most cloud security teams today:

  • Thousands of CNAPP findings, many of which recur after being “fixed”
  • Manual investigation cycles that eat up hours before a single ticket gets written
  • Security escalations thrown over the wall to developers who don’t have the context to act
  • MTTR numbers that never seem to move in the right direction because most teams are still arguing about who owns the fix

More unified detection means all of that gets louder, not quieter.

Forrester was right to retire the old category. The market evolved. But the evolution exposed something the industry still hasn’t solved: knowing what’s broken at scale is fundamentally different from fixing it at scale. The work still has to be completed by someone.

What This Means for Cloud Security Teams

Cloud security teams are already feeling this.

Most were hired to manage a CNAPP implementation and keep cloud risk under control. What they actually spend their days doing looks very different: 

  • Investigation cycles that stretch for days
  • Alert queues that never empty
  • Recurring findings that were supposedly fixed months ago
  • Developer escalations that create friction and damage credibility

And that was before the SOC-cloud convergence accelerated.

As the lines between endpoint, SOC, and cloud security blur, cloud security teams will inherit more findings from more sources, including runtime alerts, identity risks, posture findings, and compliance gaps, all feeding into the same backlog, creating more work for the same people.

The math doesn’t work without a remediation layer.

When detection grows faster than remediation, the distance between known risks and fixed issues increases.

For CISOs, that gap is becoming impossible to hide. Boards want to see: 

  • Risk reduction, not alert volume 
  • MTTR trending down, not flat 
  • Proof that security investments are translating into outcomes, not just better dashboards

For cloud security managers, the pressure is more immediate. They’re measured on remediation, closing the loop, and managing a series of tools that find problems without fixing them.

That’s the real gap Forrester’s announcement points to. Not the death of an endpoint category. The growing distance between detection and resolution, and the teams stuck in the middle.

Close the Remediation Gap Once and For All

Better detection didn’t solve the problem. It only made it more visible.

The industry spent a decade getting better at finding problems. But the gap between finding a problem and fixing it is still wide open. And as detection consolidates, that gap becomes the loudest unsolved problem in cloud security.

Platformization doesn’t close it. Another CNAPP integration doesn’t close it.

What closes it is a purpose-built remediation layer, one that takes every finding your detection tools surface and resolves it at the root cause. Not just silencing the alert, but actually delivering safe remediation so the underlying issue doesn’t come back.

Tamnoon’s agent-led, expert-validated cloud security remediation agent, Tami, helps you close the last mile of cloud security, delivering safe, validated fixes that don’t break production or create more work for your busy teams.

Your CNAPP finds the problems. Tamnoon fixes them. Book a demo today to see what safe remediation looks like at scale.
