Endpoint security has regenerated roughly once a decade — and the firm that owned the last generation has never been the firm that owned the next one.
Why the AV-to-EDR Moment Matters Now
Every decade or so, the endpoint security category does not improve — it regenerates. A new product appears with its own SKU, its own budget line, its own buyer conversation, and its own category winner. Signature antivirus was the first. Endpoint detection and response — the term Gartner coined in 2013 — was the second. Extended detection and response, which took shape around 2018, was the third. The agent firewall is the fourth, and it is forming on the same clock.
This matters now not because category history is interesting, but because each regeneration was a repricing event. The firm holding the incumbent position got marked down hard while a challenger compounded from zero. Symantec and McAfee owned signature AV; neither owned EDR. CrowdStrike, founded in 2011 by a McAfee alumnus, went from nothing to a multi-billion-dollar ARR position while the AV incumbents’ enterprise security revenue moved sideways for a decade — Symantec eventually sold its enterprise security business to Broadcom in 2019. The control surface moved; the incumbent’s product did not; the market repriced.
Agentic AI is the move in the underlying that triggers the next repricing. Autonomous agents act directly on the endpoint: file I/O, process spawns, network connections, kernel syscalls. Current endpoint tooling sees those events as process telemetry after they land; none of it attributes them to an individual agent action or mediates the action before it reaches the OS. The exposure is already on the tape.
| Metric | Figure | Source |
|---|---|---|
| Enterprises with at least one AI agent security incident in the past year | 88% | Ospiri research |
| Average shadow-AI premium per incident above the cyber baseline | +$670K | Ospiri research |
| Window before agent governance consolidates as a category | 12–18 months | Ospiri research |
| Global average cost of a data breach (2024) | ~$4.9M | IBM Cost of a Data Breach Report 2024 |
Three Generations of Endpoint Security, One Repeating Outcome
Treat the endpoint security category as a position that gets marked to market. Three times the position has been repriced, and three times the same thing happened: the generation-N winner did not become the generation N+1 winner.
| Generation | Category named | Control surface | New winner | What the prior incumbent did |
|---|---|---|---|---|
| Signature AV | 1990s | Known file hashes | Symantec, McAfee | Defined the category, then stalled |
| EDR | 2013 (Gartner) | Endpoint process behavior | CrowdStrike, SentinelOne | Shipped “EDR modules” that trailed the pure-plays |
| XDR | ~2018 | Cross-telemetry correlation | Palo Alto, EDR-era platforms | AV-era names largely absent from the conversation |
| Agent firewall | 2025– | Per-action kernel scope | Open | EDR incumbents will ship an “AI agent module” |
The pattern is not that incumbents lack engineering talent. It is that each new generation has a different control surface, and the incumbent’s architecture is wired to the old one. The instrumentation that is a moat in generation N becomes an anchor in generation N+1.
The Incumbent’s Dilemma: Why Generation-N Winners Miss Generation N+1
The repeating outcome has a repeating cause. It is structural, not a failure of will — which is precisely why it will happen again.
- The architecture is wired to the old control surface. Signature AV was built to evaluate file hashes and could not reprice itself around runtime behavior. EDR instruments the process layer and cannot reprice itself around per-action kernel scopes. The control point is fixed at founding.
- The revenue base punishes cannibalization. A public security incumbent with a large installed base optimizes to defend renewal revenue, not to build the product that demotes its current SKU to a feature of the next one. The challenger has no installed base to protect.
- The buyer conversation moves. EDR was sold to a SOC team. The agent firewall is sold to whoever owns agent governance — frequently not the same buyer. Incumbents route the new product through the old sales motion and miss the budget.
- The category gets named before the incumbent ships. Gartner named EDR in 2013; credible pure-play products were already in market. By the time the incumbent’s module ships, the integration patterns — policy schema, audit format, telemetry API — are set by someone else.
- A “module” is not a generation. An AI agent module bolted onto an EDR agent inherits the EDR control point. The control point is the product. A wrong control point cannot be corrected with a feature flag.
A Way to Price Whether a Category Is Regenerating
Category regeneration is not a vibe. It is observable, and it can be scored. The question a CISO and a board should both be asking: is this an incremental feature, or a generational repricing?
Regeneration Pressure = (Control-Surface Gap × Incident Frequency) + (Architectural Distance × Incumbent Inertia)
| Factor | What it measures | Reading for agent risk |
|---|---|---|
| Control-Surface Gap | Share of the new surface no current tool observes | High — no current tool mediates agent actions on the local endpoint before they land |
| Incident Frequency | Rate of incidents the current stack cannot pattern-match | High — 88% of enterprises already report an agent incident |
| Architectural Distance | How far the new control point sits from the incumbent’s | High — kernel scope vs. process-layer instrumentation |
| Incumbent Inertia | Revenue and roadmap cost of moving the control point | High — EDR pure-plays defend a large installed base |
When all four factors read high at once, the category is not getting a feature. It is regenerating — and the incumbent’s module will price the last generation.
What the Fourth Generation Actually Requires
The agent firewall is generation four because it moves the control point, not because it adds a dashboard. The difference between a module and a generation is specific.
| A generation-N module does | The fourth generation requires |
|---|---|
| Watches agent processes from the EDR process layer | Enforces at the kernel, per action — file, process, socket, syscall |
| Denies on policy violation, triggering engineering revolt | Copy-on-write mediation — the agent proceeds on a shadow copy, commits only on a pass |
| Applies per-tenant SaaS config, vendor by vendor | One fleet-wide policy across sanctioned and shadow agents alike |
| Logs the action after it lands, for the SIEM | Intercepts the action before it reaches the OS |
The copy-on-write distinction is the one that survives political review. Block-on-deny enforcement halts the agent mid-task and leaves whatever it had already written in place, so engineering teams revolt and the control tends to be ripped out within a couple of quarters. Copy-on-write lets the agent finish its task on a shadow copy; the policy decision is made on the resulting change set, and a deny costs a discarded commit rather than a stalled workflow. This is the architecture an agent firewall is built on, and the reason agent governance at this layer is a control rather than a report.
What CISOs Should Do This Quarter
| Step | Action | Output | Effort |
|---|---|---|---|
| 1 | Score the agent surface on the four regeneration factors | A one-page read: feature or generation | Low — 1 day |
| 2 | Inventory agents on the endpoint fleet, sanctioned and shadow | A count, typically 8–15 per 1,000 dev endpoints | Low — 1 week |
| 3 | Pilot kernel-scope enforcement on the highest-exposure team | Mark-to-market on one quartile of the fleet | Medium — 1 quarter |
| 4 | Take the category to the board as its own budget line | An FY27 line item owned by agent governance, not an EDR sub-item | Low — one session |
The sequencing is deliberate. Step 1 settles the framing argument before it reaches the board. Steps 2 and 3 produce numbers — a count and a marked quartile — and numbers reframe a budget conversation faster than any narrative.
The Bottom Line
Endpoint security regenerates once a decade, and the firm that owns the current generation has never been the firm that owns the next one. AV gave way to EDR; EDR extended into XDR; each handoff minted a challenger and stranded an incumbent. The agent firewall is generation four, its control surface is the per-action kernel scope, and the window before agent governance consolidates as a category is 12 to 18 months, far shorter than the decade over which the AV incumbents’ revenue went flat while CrowdStrike compounded. An EDR vendor’s “AI agent module” is the incumbent’s dilemma in product form: the right brand on the wrong control point. The firms that treat agent security as a generation rather than a feature will be the ones holding the right position when the category reprices.
If your team is sizing the fourth generation for the FY27 budget cycle, request a working session. We will walk through your environment, score your agent surface on the four regeneration factors, and scope a deployment. Ninety minutes.