Endpoint Security, Open XDR, Security Operations
Can endpoint security keep up with the AI era?
Jamie Heans, Product Director, Elastic Security
June 30, 2025
Security vendors and threat actors alike are embracing new artificial intelligence capabilities. As AI becomes increasingly integrated into adversary toolkits, it fundamentally changes the strength and sophistication of attacks. For cybersecurity leaders, this raises a pressing question: Can endpoint security keep up with the AI era? And is security focused on the endpoint still the strongest defense?
As AI-driven attacks reshape the threat landscape, security leaders need to look beyond assumptions, and vendors must be pressed to prove the effectiveness of their endpoint solutions. Without independent, scenario-based testing, there is no way to assess whether a defense is ready or already outmatched.
AI in cybersecurity: amplified threats
AI didn't just accelerate and multiply threats, it changed them. AI-powered phishing and social engineering make endpoint protection far harder to get right.
Traditional endpoint solutions have long focused on blocking known malware and suspicious executables. But today's phishing attacks are no longer yesterday's clumsy, typo-ridden emails. Generative AI tools such as ChatGPT and WormGPT let cybercriminals produce near-perfect, personalized, well-written lures, automated across thousands of targets.
These lures often circumvent traditional security filters and target human defense layers. When a user clicks on a persuasive, malicious link, the endpoint solution must detect and block the resulting payload or behavior, not just the file hash. This requires a level of contextual analysis and behavioral insight that many legacy endpoint solutions do not offer.
Evasive and polymorphic malware tactics
AI is used to write malicious code that changes its appearance and behavior at runtime. This malware is specifically designed to defeat signature-based detection engines.
Fileless attacks, living-off-the-land binaries, and dynamic code injection are becoming standard fare. AI accelerates the development and deployment of these evasive tactics and demands endpoint solutions that rely on heuristics and behavioral detection rather than static analysis alone.
Automated multi-stage attacks
Modern attacks rarely consist of a single file or action. AI allows attackers to coordinate multi-stage, multi-vector campaigns with remarkable efficiency, from initial access through privilege escalation to data exfiltration.
Endpoint protection must therefore provide not only real-time detection and automated response, but also the ability to detect and disrupt complex kill chains by correlating low-level signals across processes, memory and network traffic.
Why XDR is important for AI-driven attacks
Modern endpoint protection plays a key role in frontline defense, but AI-driven attacks increasingly exploit the gaps between siloed security tools. Multi-stage, multi-vector threats often move quickly across endpoints, networks, cloud services and identities, and no single control point can catch everything.
Enter XDR: extended detection and response. XDR integrates visibility and detection across endpoints, networks, cloud workloads and other telemetry sources. By correlating signals from multiple domains, XDR helps security teams identify complex attack chains that evade isolated defenses.
For example, a malicious email link triggers an endpoint event; the compromised endpoint then opens a suspicious network connection, which is followed by abnormal authentication attempts against a cloud service.
Individually, each of these may appear benign. Together, they form a kill chain. XDR's ability to correlate disparate signals and automate response actions allows security teams to disrupt AI-driven multi-stage attacks before damage occurs.
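The correlation described above can be made concrete with a small, self-contained example. This is added illustration, not Elastic's code or any real XDR schema: the log format, the event-kind names, the three-stage chain and the 30-minute window are all constructed for this demonstration. It shows the two things the text asserts: that each signal alone does not fire, and that identity telemetry, which usually carries no hostname, has to be joined to the endpoint through the user.

```python
"""Correlate endpoint, network and identity telemetry into a kill chain.

Added example. The pipe-delimited log format, the event kinds and the
chain definition are constructed for illustration, not a real product schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str  # telemetry domain: "endpoint", "network" or "identity"
    host: str    # "-" when the domain does not know the host (identity logs)
    user: str
    kind: str    # normalized detection name produced upstream (assumed)


# Ordered stages of the chain we want to see: the domain that reports the
# stage and the normalized event kind. Constructed names.
CHAIN = [
    ("endpoint", "mail_client_spawned_script"),
    ("network", "outbound_to_uncategorized_domain"),
    ("identity", "cloud_auth_from_new_location"),
]

# Constructed sample telemetry (timestamp|source|host|user|kind):
#   ws-42 / alice : full chain inside the window
#   ws-07 / bob   : a single odd connection, nothing before or after it
#   ws-19 / carol : endpoint plus identity event but no network stage
#   ws-88 / dave  : all three stages, but the cloud auth is outside the window
SAMPLE_LOGS = [
    "2025-06-30T09:00:05|endpoint|ws-42|alice|mail_client_spawned_script",
    "2025-06-30T09:00:09|network|ws-42|alice|outbound_to_uncategorized_domain",
    "2025-06-30T09:03:40|identity|-|alice|cloud_auth_from_new_location",
    "2025-06-30T09:10:00|network|ws-07|bob|outbound_to_uncategorized_domain",
    "2025-06-30T11:30:00|identity|-|carol|cloud_auth_from_new_location",
    "2025-06-30T11:00:00|endpoint|ws-19|carol|mail_client_spawned_script",
    "2025-06-30T08:00:00|endpoint|ws-88|dave|mail_client_spawned_script",
    "2025-06-30T08:01:00|network|ws-88|dave|outbound_to_uncategorized_domain",
    "2025-06-30T09:15:00|identity|-|dave|cloud_auth_from_new_location",
]


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, source, host, user, kind = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), source, host, user, kind)


def correlate(events: List[Event], window: timedelta) -> Dict[str, List[Event]]:
    """Return {host: [stage events]} for each host where every CHAIN stage
    occurs in order within `window` of the first stage. Identity events have
    no host, so they are joined through the user seen on the endpoint event."""
    by_host: Dict[str, List[Event]] = {}
    identity: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source == "identity":
            identity.append(ev)
        else:
            by_host.setdefault(ev.host, []).append(ev)

    chains: Dict[str, List[Event]] = {}
    for host, host_events in by_host.items():
        for start in host_events:
            if (start.source, start.kind) != CHAIN[0]:
                continue  # the chain must begin with the endpoint stage
            deadline = start.ts + window
            # Candidate pool: later events on this host, plus identity events
            # for the same user (the cross-domain join the text describes).
            pool = [e for e in host_events if e.ts > start.ts]
            pool += [e for e in identity if e.user == start.user and e.ts > start.ts]
            pool.sort(key=lambda e: e.ts)
            matched = [start]
            for source, kind in CHAIN[1:]:
                nxt = next((e for e in pool
                            if e.source == source and e.kind == kind
                            and matched[-1].ts <= e.ts <= deadline), None)
                if nxt is None:
                    break  # stage missing or outside the window: no chain
                matched.append(nxt)
            if len(matched) == len(CHAIN):
                chains[host] = matched
                break
    return chains


def detect(lines: List[str], window_minutes: int = 30) -> Dict[str, List[Event]]:
    """Parse raw lines and return the complete kill chains found."""
    return correlate([parse_line(l) for l in lines], timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_LOGS).items():
        print(f"kill chain on {host} (user {stages[0].user}):")
        for ev in stages:
            print(f"  {ev.ts.isoformat()}  {ev.source:9}  {ev.kind}")
```

Run stand-alone, the script reports exactly one chain, on ws-42; bob's lone connection, carol's travel-style login and dave's slow, out-of-window sequence all stay silent, which is the point: none of the individual signals is an alert by itself.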
As adversaries employ AI to increase speed and sophistication, defenders need to match that pace with integrated, AI-assisted detection and response capabilities that extend beyond the endpoint.
Third-party testing is more important than ever
In the face of these evolving threats, third-party testing can be invaluable for security leaders who are trying to decide which endpoint security provider to trust.
Going beyond consumer antivirus testing, which focuses narrowly on basic malware detection, organizations such as AV-Comparatives offer independent, enterprise-grade evaluations that replicate real attack scenarios against today's leading business endpoint security solutions.
This rigorous, multi-faceted testing approach gives a more accurate picture of how a given product performs in a business environment. The tests are designed to push endpoint products to their limits, assessing each one's ability to identify and neutralize the latest malicious software.
In its latest Business Security Test, AV-Comparatives simulated 220 distinct and complex attack scenarios that replicate the tactics and techniques of modern threat actors. Of the 17 major security vendors that participated in AV-Comparatives' Real-World Protection Test and Malware Protection Test, only one achieved a full 100% score on both.
Real-World Protection Test (220 test cases)

Vendor               Blocked  User dependent  Compromised  Protection rate  False alarms
Elastic              220      –               –            100%             10
Trellix              220      –               –            100%             11
Bitdefender, VIPRE   219      –               1            99.5%            1
Microsoft            219      –               1            99.5%            2
Avast                219      –               1            99.5%            10
G Data, Kaspersky    218      –               2            99.1%            1
ESET                 218      –               2            99.1%            2
Sophos               218      –               2            99.1%            6
CrowdStrike          215      –               5            98.2%            10
NetSecurity          214      –               6            97.3%            6
K7                   214      –               6            97.3%            9
ManageEngine         213      –               7            96.8%            6
Cisco                212      –               8            96.4%            0
Rapid7               210      –               10           95.5%            0
Senseon              209      –               11           95.0%            0

Malware Protection Test

Business software      Malware protection rate  False alarms
Elastic, Kaspersky     100%
Avast                  99.7%                    0
Bitdefender, Cisco     99.6%                    0
ESET, G Data           99.5%                    0
VIPRE                  99.4%
CrowdStrike, Microsoft 99.3%                    0
Rapid7                 99.1%                    0
Senseon                99.0%                    0
NetSecurity            98.9%                    0
Trellix                98.4%                    0
Sophos                 98.0%                    0
K7                     96.1%                    0
ManageEngine           91.5%                    0
Security leaders: from buyers to verifiers
Security leaders must adopt a more stringent stance toward endpoint protection in the age of AI. That means understanding not only what your tools are supposed to do, but what they actually do under pressure.
The adversary only needs to be right once; an endpoint security solution must be right every time. In this asymmetric game, strong technology partnerships are what level the playing field. Finding the right partner means asking hard questions, demanding evidence, and verifying claims against objective third-party data.
So, can endpoint security keep up with the AI era? Yes, but only if it evolves in parallel with adversarial technology and is measurably effective against modern, real-world threats. Anything less is a dangerous assumption.
Are you ready to step up your defense against AI-powered threats?
Elastic offers real-time visibility and automated response across your environment, from endpoints to the cloud.
Explore Elastic's XDR features. Learn how Elastic protects your endpoints. Discover AI-powered threat detection.
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.
This blog post may have mentioned third-party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third-party tools and is not responsible or liable for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tool prior to use.
Elastic, Elasticsearch, ESRE, Elasticsearch Relevance Engine and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.