LevelBlue was recognized as a Major Player in the IDC MarketScape: Worldwide Extended Detection and Response Software 2025 Vendor Assessment (September 2025, IDC #US52997325e).
This recognition follows the analyst firm's naming of Trustwave, earlier this month, as a Leader in the IDC MarketScape: APEJ Managed Detection and Response Services 2025 Vendor Assessment (doc #AP52998725, September 2025). LevelBlue acquired Trustwave in August 2025.
The IDC MarketScape noted, “LevelBlue is an evolution of both AT&T Cybersecurity approaches and a neat legacy company in AlienVault. AT&T (and now LevelBlue) historically competed as an MSSP against standalone cybersecurity providers and AlienVault targeted midsize businesses.”
According to the report, “The LevelBlue USM Anywhere Platform is both highly customizable and easily personalized as well. The tiered pricing makes sense as midsize businesses vary from auto painting shops to online retailers that require a varying degree of digital presence. In addition, the attention that LevelBlue pays to FIPS 140-2 helps its partners offer products to the U.S. federal government. Midsize businesses, managed SPs, and MDRs are the sweet spot for LevelBlue.”
IDC MarketScape Highlights LevelBlue’s USM Anywhere Strengths
- The LevelBlue USM Anywhere is multifaceted. Owing to its AlienVault legacy, the platform includes an asset scanner, a device vulnerability scanner, a user scanner, network and host (Windows/Linux/Mac) intrusion detection and response (NIDS/HIDS), global compliance reporting, a rules correlation engine, a centralized investigations panel, and visibility into on-premises and multicloud environments. All of these capabilities are included in the XDR solution and do not require additional modules.
- LevelBlue has strong integration partnerships. LevelBlue has 895 integrations and includes free builds — 60 of these integrations are bidirectional. Perhaps the most important of these integrations is with SentinelOne for endpoint EPP/EDR. This integration not only provides LevelBlue with identity protection and one-click device rollback capability but also adds LevelBlue detection rules and NIDS/HIDS detection for better alert granularity.
- To support integrations, LevelBlue offers webhooks and several other data collection methods, both for integration into LevelBlue USM Anywhere and for the creation of BlueApps. The platform offers different methods of integration, including APIs, syslog-esque forwarded data, webhooks, and cloud connectors. Supported API authentication schemes include Basic Auth, OAuth, HMAC, and API keys, and return formats include JSON, XML, and CSV. Taken as a whole, these forms of interconnectedness allow LevelBlue USM Anywhere to cover use cases such as network monitoring and risk assessment, and to feed additional telemetry, such as firewall, application, and identity and access management logs, into detection and response rules. BlueApps are pre-built integrations, such as those with Qualys and Tenable for vulnerability management and with Akamai and Cloudflare for aspects of network security.
- The LevelBlue USM Anywhere offers over 2,500 detection and response rules. An advantage of being an MDR is that it has developed extensive in-the-field detection and response capabilities. User behavioral analytics may also find anomalies even before a threat is formally defined. The LevelBlue USM Anywhere platform tracks “alarms by intent.” The alarm types are classified by system compromise, exploitation and installation, delivery and attack, reconnaissance and phishing, and environmental awareness.
- The end user receives high-fidelity alerts. LevelBlue maps to the MITRE ATT&CK framework encompassing 14 tactics and 135 subtechniques. The LevelBlue USM Anywhere platform includes the ability to customize detection and response rules. Drop-down menu options for rule creation include fields such as source name, destination name, and event activity. The rules can be implemented discretely or chained together. In addition, the end user can add suppression rules to reduce noise.
- Threat intelligence is an important component of the LevelBlue USM Anywhere. LevelBlue maintains the 15-year legacy of both LevelBlue Labs (formerly Alien Labs) and the OTX threat exchange. The open source OTX has 450,000 subscribers, and roughly one-third of those are from cybersecurity vendors. Roughly 20 million threat indicators, 400,000 threat artifacts, and 250,000 suspicious files are contributed or investigated daily. Threat intelligence libraries include charting industry-specific threats and mapping threats to malicious actors.
- USM Anywhere detection and response capabilities cover on-premises, AWS, Azure, and GCP environments. The same dashboard/platform provides visibility and actions across on-premises infrastructure and the major cloud environments.
- AI and security automation turn insights into actions. The AI engine includes behavioral analytics that make detections such as lateral movement and impossible travel possible. Response actions, such as creating an action, initiating a scan from an event, adding a blocklist entry from an alarm, and disconnecting an asset from the network, are automation ready.
- A tiered pricing model provides value for end users. There are four pricing tiers: Essentials, Standard, Premium, and Threat Detection and Response for Gov. The important differentiators between the tiers include the number of days that hot storage is available, storage capacity from gigabytes to terabytes, and access to BlueApps. The Threat Detection and Response for Gov tier includes FIPS 140-2–encrypted sensors, is U.S. FedRAMP authorized, and stores data in the AWS GovCloud (U.S.-West region) to address specific regulatory requirements.
The content provided herein is for general informational purposes only and should not be construed as legal, regulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or cybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s Managed Threat Detection and Response solutions are designed to support threat detection and response at the endpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a full cybersecurity program.