John Mc Loughlin, CEO of J2 Software.
If your cyber security strategy is built around buying managed detection and response (MDR), deploying an endpoint detection and response (EDR) agent, and calling it “done”, then someone has sold you a story, not a strategy.
There is a growing trend in the industry that is becoming difficult to ignore: organisations believe that once the tools are in place, the job is complete. Buy MDR, deploy EDR, tick the cyber security box and move on. Job done. Except it isn’t.
The uncomfortable truth is that cyber criminals are not measuring your security posture by the number of tools you’ve purchased. They are measuring how easily they can move through your business once they get in. And that movement rarely starts where most organisations are looking.
MDR is not the problem, it’s a valuable capability and, when implemented properly, it improves visibility and response. J2 Software recommends it, but it is not a cyber security strategy. It is one layer in a much larger attack surface that many organisations still do not fully grasp.
Attackers do not care whether you have an MDR platform watching your endpoints. They care about finding the weakest entry point into your environment. That could be a compromised Microsoft 365 account, a re-used password from a breach years ago, a phishing e-mail that looks convincing enough to trust or a misconfigured cloud application.
It could also be a privileged account that was never reviewed or a supplier connection that has been quietly forgotten. None of these are endpoint problems, which means none of them are solved by endpoint monitoring alone.
Cyber security as an industry has become very good at selling products. EDR, MDR, XDR, NDR, SIEM, SOAR – every year a new acronym arrives with the promise of better detection, better visibility, better response. But businesses do not buy acronyms, they buy confidence.
Confidence that attacks will be detected early, confidence that suspicious activity will not go unnoticed, confidence that identity compromise will be picked up before damage is done and confidence that someone is watching when no one else is. That confidence does not come from another tool, it comes from integration.
According to Gartner’s 2026 cyber security research, the industry is shifting away from fragmented toolsets towards resilience-led security models driven by identity, AI governance and operational integration.
Gartner highlights that AI is expanding the attack surface through agentic systems and automation, that identity has effectively become the new perimeter and that organisations must move from tool-centric security to resilience-centric operating models. The message is clear: security is no longer about stacking products, it is about managing systemic risk across the entire digital environment.
The reality is that most organisations still think in terms of tools, while attackers think in terms of access. Every modern attack moves across five interconnected domains: users, e-mail, data, machines and internet. These are not theoretical categories or product silos. They are live attack paths and a weakness in one quickly becomes an entry point into the others.
AI has only accelerated this problem. Attackers are now using AI to automate reconnaissance, create highly convincing phishing campaigns and scale identity-based attacks at speed. At the same time, defenders are also using AI for detection and response. But speed without context creates noise, and noise without integration creates blind spots. That is exactly where modern breaches thrive.
The real issue is that many organisations believe they are protected because they have coverage. MDR gives a sense of coverage. EDR gives a sense of coverage. But coverage is not the same as resilience. Coverage is fragmented visibility. Resilience is connected visibility and the difference between the two is often measured in how quickly a breach is detected and contained.
Cyber resilience is not another product you can buy, it’s a design principle. It is the ability to see across all attack surfaces, correlate behaviour across systems, detect identity-based anomalies early and respond before business impact escalates. MDR can and should be part of that model, but it cannot be the model itself.
If your strategy still begins and ends with “we have MDR in place”, then the real question is simple: what parts of your business are still invisible? Because attackers already know. And they are not starting where you are looking. They are starting everywhere else.