Published in Anton on Security

Does the World Need Cloud Detection and Response (CDR)?

Let’s play a game and define a hypothetical market called Cloud Detection and Response (CDR). Note that it is no longer my job to define markets, so I am doing it for fun here (yes, people find the weirdest things to be fun!)

So, let’s define CDR as a type of security tool primarily focused on detecting, confirming and investigating suspicious activities and other security problems in various public cloud environments, including, but not limited to, IaaS, PaaS and SaaS. As you can see, I stole some ideas from my original EDR definition so that some useful similarities come out. But, no, the cloud is not just somebody else’s computer :-)

Now, the questions:

  • Does it exist?

Naturally, all hard problems in life are solved with a Twitter poll… so here is the relevant one:

CDR poll by Anton

Among all the responses, one stood out to me: “public cloud has enough special deployment and collection differences from on-prem that there has to be a CDR function.” This to me represents the strongest logic in favor of CDR existence, whether as a market or a technical capability. Now let’s think about it a bit more, especially using my RSA 2022 experiences.

First, I bet nobody would contest that we need to detect threats in public cloud environments and we need to investigate incidents there. So the problems are real, hence there is a need.

Second, a hypothetical CDR tool will need to do its own threat detection, enable the analysts to triage alerts, support incident investigative workflows and probably do some response automation too. However, there are already tools that do all these things, but perhaps not all at once and not focused on the cloud. Naturally, a SIEM (cloud-native or otherwise) can do cloud threat detection off cloud provider logs, support alert triage and investigations. A SOAR may automate responses. Similarly, broad cloud security vendors (all those CWPPs and CNAPPs) promise to “secure your cloud” and that often includes detecting threats.
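To make the “detection off cloud provider logs” point concrete, here is an added example (not from the original post, and not any vendor’s code) of the kind of pass a SIEM or a would-be CDR tool runs over a provider’s audit trail: there is no host agent, everything comes from the control-plane log. The events are constructed for this illustration, their field names are modeled on AWS CloudTrail records, and the three rule names and their severities are my own assumptions.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed CloudTrail-style events in JSON Lines form. These are NOT real
# logs: field names follow the CloudTrail record format, values are made up.
SAMPLE_LOG = """\
{"eventTime":"2022-06-10T12:00:01Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2022-06-10T12:05:44Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.20","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2022-06-10T12:17:09Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"ci-deployer"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}}
{"eventTime":"2022-06-10T12:18:30Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ReadOnly/session"},"sourceIPAddress":"203.0.113.20"}
{"eventTime":"2022-06-10T12:25:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"backup-admin"}}
"""

# API calls that weaken or disable the audit trail itself (assumed list).
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event_name: str
    principal: str
    source_ip: str
    event_time: str


def parse_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited CloudTrail-style records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def principal(ev: dict) -> str:
    """Best available identity string: user name, then ARN, then identity type."""
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _finding(ev: dict, rule: str, severity: str) -> Finding:
    return Finding(rule, severity, ev.get("eventName", ""), principal(ev),
                   ev.get("sourceIPAddress", ""), ev.get("eventTime", ""))


def rule_console_login_without_mfa(ev: dict):
    """Successful console sign-in where the record does not say MFA was used."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if ev.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return _finding(ev, "console_login_without_mfa", "medium")


def rule_logging_tampering(ev: dict):
    """Any call that stops, deletes or reconfigures the audit trail."""
    if ev.get("eventName") in LOGGING_TAMPER_EVENTS:
        return _finding(ev, "cloudtrail_logging_tampering", "high")
    return None


def rule_root_account_activity(ev: dict):
    """Any action taken by the account root identity rather than an IAM principal."""
    if ev.get("userIdentity", {}).get("type") == "Root":
        return _finding(ev, "root_account_activity", "high")
    return None


RULES = [rule_console_login_without_mfa, rule_logging_tampering, rule_root_account_activity]


def detect(events: list[dict]) -> list[Finding]:
    """Run every rule over every event; one Finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def group_by_source_ip(findings: list[Finding]) -> dict[str, list[str]]:
    """Triage aid: which source IPs tripped which rules (the analyst's pivot)."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        grouped[f.source_ip].append(f.rule)
    return dict(grouped)


def main() -> None:
    findings = detect(parse_events(SAMPLE_LOG))
    for f in findings:
        print(f"{f.event_time} {f.severity:6} {f.rule:30} {f.event_name:14} {f.principal} from {f.source_ip}")
    for ip, rules in group_by_source_ip(findings).items():
        print(f"{ip}: {len(rules)} finding(s) -> {', '.join(rules)}")


if __name__ == "__main__":
    main()
```

Note what the example does not need: no agent on any VM, no packet capture, no file system. Every signal, including the attempt to switch logging off, arrives as a JSON record from the provider, and the useful pivot for triage (here, grouping by source IP) is a field of that record. That is the “special deployment and collection” difference the poll respondent was pointing at.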

So, do we need a CDR or not?! Three roads I see:

  1. CDR should exist as a technology and/or market: Cloud is a new realm for threat detection, so old tools/approaches are not ideal and we need new tools that work well in this new realm.

Furthermore, at RSA 2022, I looked at vendors like Cado and Mitiga (among others) and noticed that a focus on incident response in the cloud does call for tools that are different enough (BTW, a podcast on how we do it here is coming soon). The “R” of CDR is perhaps the harder nut to crack, as SIEM and SOAR are of limited value here, and traditional forensics tools and EDRs only work on virtual machines (to the extent they do). To me, this provides additional motivation for CDR.

Finally, my prediction: I am voting Choice 2: we will probably have “CDR technology,” a tool set optimized for D&R in public cloud (built by both cloud providers and standalone vendors), but perhaps won’t have a separate market (we have enough long acronyms starting with “C” already...). Why do I think so? I think doing cloud D&R with a) pre-cloud tools and/or b) cloud tools not focused on D&R would be irritating enough for enough people to necessitate a new category creation, if not a whole new market.

Agree/disagree?

P.S. I first saw the term CDR in Sift Security messaging around 2017. I did NOT invent the term. And here is a quick review of who uses the term now (example, example for SaaS, example via NDR, example via MDR, example via a broad cloud security stack, etc.)
