What is AD&R?

AD&R is a rapid evolution of traditional detection and response measures, which are heavily challenged by quickly changing attacker techniques and by the growing threat from APTs to the public and private sectors alike.

Modern AD&R has elements in all five NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover), while classic AD&R has elements only in the last three: Detect, Respond and Recover.

Why it matters

The proliferation of the digital enterprise has opened up many attack vectors for cybercriminals, including networks, endpoints, cloud, OT and IoT.

The fast growth of e-crime and the advancement of attacker tooling have made it easy to launch advanced attacks. Successful evasion of preventive controls is a matter of when, not if.

[Figure: AD&R technology radar. X-axis: adoption horizon (0-2 years, 2-5 years, 5+ years); Y-axis: areas]

The landscape

ChatGPT has shown us all that AI works.

There is a positive impact across all industries, and MDR is no exception. One use case that is strongly aligned with the use of Generative AI is the automation of response and threat hunting.

Generative AI bots assist security analysts in hunting through large datasets, investigating incidents and automating rapid responses.

It’s a strong use case that is now receiving significant R&D investment. This will address the widespread shortage of security staff and reduce the burden on overworked security professionals in the security operations center.

Cybersecurity remains fragmented in terms of best-of-breed, niche technologies that address specific aspects of the threat landscape.

Security information and event management (SIEM), MDR, and extended detection and response (XDR) platforms have attempted to solve the problem of leveraging an organization’s various security technologies to achieve security outcomes.

There is still much that can be done to achieve deep integration. But it has been difficult due to the lack of a standard but dynamic architecture in the industry. The emergence of cybersecurity mesh architecture (CSMA) [1] will lead the way to an industry framework for integrating the mess of disparate security products into a mesh of security outcomes.

The AWS Open Cybersecurity Schema Framework (OCSF) initiative is an industry accelerator toward mesh.

[1] Hevesi, P. and Ruddy, M. (2022). Gartner Research: The Future of Security Architecture: Cybersecurity Mesh Architecture (CSMA).

Security has gained traction at boardroom level.

However, there is still a communication gap between how the board consumes security information and how it is reported by security teams. The need to report security metrics in the context of the business is gaining traction in the industry.

The industry is moving toward a unified real-time business risk visualization approach. For example, if operational technology (OT) or Industrial Internet of Things (IIoT) devices in factories have been affected by a cyber breach, the board would like to visualize the business impact of production delays and the associated financial impact.

This is a major shift from security dashboards to unified real-time business risk visualization.

Key figures


of those technologies are either already adopted by most organizations or will be in the next two years.


of those technologies are expected to be adopted in the next 2-to-5-year cycle.


of those technologies are transformational, and widespread adoption will take over 5 years.