Full Report
LevelBlue was recognized as a Major Player in the IDC MarketScape: Worldwide Extended Detection and Response Software 2025 Vendor Assessment (September 2025, IDC #US52997325e). This recognition follows the analyst firm earlier this month naming Trustwave a Leader in the IDC MarketScape: APEJ Managed Detection and Response Services 2025 Vendor Assessment (doc #AP52998725, September 2025). LevelBlue acquired Trustwave in August 2025.

The IDC MarketScape noted, “LevelBlue is an evolution of both AT&T Cybersecurity approaches and a neat legacy company in AlienVault. AT&T (and now LevelBlue) historically competed as an MSSP against standalone cybersecurity providers and AlienVault targeted midsize businesses.”

According to the report, “The LevelBlue USM Anywhere Platform is both highly customizable and easily personalized as well. The tiered pricing makes sense as midsize businesses vary from auto painting shops to online retailers that require a varying degree of digital presence. In addition, the attention that LevelBlue pays to FIPS 140-2 helps its partners offer products to the U.S. federal government. Midsize businesses, managed SPs, and MDRs are the sweet spot for LevelBlue.”

IDC MarketScape Highlights LevelBlue’s USM Anywhere Strengths

The LevelBlue USM Anywhere is multifaceted. Owing to its AlienVault legacy, the platform includes an asset scanner, a device vulnerability scanner, a user scanner, network and host (Windows/Linux/Mac) intrusion detection and response (NIDS/HIDS), global compliance reporting, a rules correlation engine, a centralized investigations panel, and visibility into on-premises and multicloud environments. All of these capabilities are included in the XDR solution and do not require additional modules.

LevelBlue has strong integration partnerships. LevelBlue has 895 integrations and includes free builds; 60 of these integrations are bidirectional. Perhaps the most important of these integrations is with SentinelOne for endpoint EPP/EDR. This integration with LevelBlue provides identity protection with one-click device rollback capability and also adds LevelBlue detection rules and NIDS/HIDS detection for better alert granularity. To support integrations, LevelBlue offers webhooks and multiple other data collection methods, both for integration into LevelBlue USM Anywhere and for the creation of BlueApps. The platform offers different methods of integration, including APIs, syslog-style forwarded data, webhooks, and cloud connectors. API authentication schemes supported include Basic Auth, OAuth, HMAC, and API keys, and return formats include JSON, XML, and CSV. Taken as a whole, the various forms of interconnectedness allow LevelBlue USM Anywhere to cover use cases for network monitoring and risk assessment, and to include additional telemetry such as firewall, application, and identity and access management logs in detection and response rules. BlueApps are pre-built integrations, such as the BlueApps with Qualys and Tenable for vulnerability management and with Akamai and Cloudflare for aspects of network security.

The LevelBlue USM Anywhere offers over 2,500 detection and response rules. An advantage of being an MDR is that it has developed extensive in-the-field detection and response capabilities. User behavioral analytics may also find anomalies even before a threat is formally defined. The LevelBlue USM Anywhere platform tracks "alarms by intent." The alarm types are classified by system compromise, exploitation and installation, delivery and attack, reconnaissance and phishing, and environmental awareness. The end user receives high-fidelity alerts. LevelBlue maps to the MITRE ATT&CK framework encompassing 14 tactics and 135 subtechniques. The LevelBlue USM Anywhere platform includes the ability to customize detection and response rules. Drop-down menu options for rule creation include fields such as source name, destination name, and event activity. The rules can be implemented discretely or chained together. In addition, the end user can add suppression rules to reduce noise.

Threat intelligence is an important component of the LevelBlue USM Anywhere. LevelBlue maintains the 15-year legacy of both LevelBlue Labs (formerly Alien Labs) and the OTX threat exchange. The open source OTX has 450,000 subscribers, and roughly one-third of those are from cybersecurity vendors. Roughly 20 million threat indicators, 400,000 threat artifacts, and 250,000 suspicious files are contributed or investigated daily. Threat intelligence libraries include charting industry-specific threats and mapping threats to malicious actors.

USM Anywhere detection and response capabilities cover on-premises, AWS, Azure, and GCP environments. The same dashboard/platform provides visibility and actions in on-premises and the major cloud environments.

AI and security automation turn insights into actions. The AI engine includes behavioral analytics that makes detections such as lateral movement and impossible travel possible. Response actions are automation ready: an agent can create an action, initiate a scan from an event, add a blocklist entry from an alarm, or disconnect an asset from the network.

A tiered pricing model provides value for end users. There are four different types of pricing: Essentials, Standard, Premium, and Threat Detection and Response for Gov. The important differentiators between services include the number of days that hot storage is available, physical storage itself from gigabyte to terabyte, and access to BlueApps. For the Response for Gov service, FIPS 140-2–encrypted sensors are included, and it is U.S. FedRAMP authorized, with data storage in the AWS GovCloud (U.S.-West region) to address specific regulatory requirements.
Analysis Summary
# Industry News: LevelBlue Solidifies XDR Position Following Trustwave Integration and Major Analyst Recognition
## Summary
LevelBlue has been positioned as a Major Player in the IDC MarketScape for Worldwide Extended Detection and Response (XDR) Software 2025. This recognition, closely following the designation of Trustwave (recently acquired by LevelBlue) as a Leader in APEJ MDR Services, validates the strategic integration of both entities under the LevelBlue umbrella. The company's USM Anywhere platform is highlighted for its comprehensive feature set, strong integration ecosystem, and tailored value proposition for the midsize business and Managed Security Service Provider (MSSP)/MDR sectors.
## Key Details
- Date: September 2025 (Reports issued) / August 2025 (Trustwave Acquisition finalized)
- Companies Involved: LevelBlue, Trustwave, IDC
- Category: Market Analysis / Corporate Momentum Consolidation
## The Story
IDC has recognized LevelBlue as a Major Player in its Worldwide XDR Software 2025 Vendor Assessment. This comes shortly after IDC named Trustwave, which LevelBlue acquired in August 2025, a Leader in the APEJ Managed Detection and Response (MDR) Services assessment. The analyst narrative frames LevelBlue as an evolution combining AT&T Cybersecurity's strong heritage with AlienVault's established technology, specifically targeting midsize businesses, managed service providers (SPs), and MDRs as its "sweet spot." The core product, USM Anywhere, is lauded for its built-in suite of capabilities that requires no add-on modules (including scanning, NIDS/HIDS, compliance, and correlation) and its massive integration library (895 integrations, including critical ones like SentinelOne). Key differentiators include strong FIPS 140-2 compliance for government accessibility, tiered pricing suitable for varied midsize needs, and advanced capabilities like "alarms by intent" tracking and behavioral AI analytics, all supporting on-premises and major cloud visibility.
## Business Impact
### For the Companies Involved
- **LevelBlue:** The dual analyst recognition provides powerful third-party validation for the post-acquisition strategy, positioning the combined entity as a serious contender in the XDR market, especially for the midmarket, shifting perception away from its MSSP roots.
- **Trustwave:** Integration validates the strategic value of the acquisition, accelerating Trustwave's MDR capabilities into LevelBlue’s global XDR platform.
### For Competitors
- Competitors in the XDR space, particularly those focused solely on enterprise or those with less integrated service delivery models, face increased pressure from a vendor that combines extensive legacy detection capabilities (AlienVault) with strong service expertise (Trustwave) and a unified platform.
- The specific focus on midsize businesses with flexible, tiered pricing creates a highly competitive barrier against platforms that rely on complex module stacking.
### For Customers
- **Existing Clients:** Customers benefit from the consolidation of threat intelligence (LevelBlue Labs/OTX) and expanded detection capabilities, particularly the deepened EDR integration with SentinelOne.
- **Prospective Clients (Focus Segment):** Midsize organizations gain access to a highly bundled, customizable XDR solution that incorporates necessary components (vulnerability scanning, compliance) natively, potentially lowering total cost of ownership (TCO) and complexity compared to purchasing disparate tools. Specific attention to FedRAMP/FIPS 140-2 compliance opens doors for government contracting.
### For the Market
- This validates the ongoing industry trend towards convergence: MDR providers are becoming XDR platform vendors, and XDR platforms must incorporate service wrap capabilities to achieve full market penetration, especially outside large enterprises.
- The market continues to reward vendors that offer comprehensive, easily integrated solutions rather than tool sprawl.
## Technical Implications
The USM Anywhere platform’s strength lies in its all-inclusive nature within the core offering, eliminating the common XDR friction point of requiring add-on modules for basic functions like asset or vulnerability scanning. The depth of integration via BlueApps (like those with Qualys/Tenable) and its 895 existing connectors demonstrate robust API utilization and data harmonization, crucial for delivering effective cross-environment detection across on-prem and cloud (AWS, Azure, GCP). The behavioral AI engine handling advanced detection scenarios (lateral movement) signals a mature application of machine learning in their detection methodologies.
## Strategic Analysis
- **Market Positioning:** LevelBlue is strategically positioned as a vendor bridging the gap between large-scale enterprise XDR solutions and solutions built solely for the midmarket, leveraging its history in both MSSP competition and accessible technology (AlienVault).
- **Competitive Advantage:** The combination of AlienVault’s asset/vulnerability scanning legacy, MDR-honed detection rules (2,500+), and the integration depth with top EDR/Vulnerability vendors gives them a significant "out-of-the-box" value proposition. The commitment to FIPS 140-2 immediately unlocks significant access to the highly regulated government sector.
- **Challenges:** Successfully integrating and marketing the "new" LevelBlue branding across disparate legacies (AT&T Cybersecurity, AlienVault, Trustwave) requires consistent messaging. Ensuring the scalability of the midmarket-focused pricing structure meets the needs of larger enterprises leveraging expanded MDR capabilities will be key to broadening market share.
## Industry Reactions
- **Analyst Opinions:** IDC’s placement suggests that LevelBlue has successfully leveraged the Trustwave acquisition to enhance its service delivery perception while securing its product's technical standing in the competitive XDR software space.
- **Expert Commentary:** Industry focus will be on their ability to operationalize the Trustwave MSSP expertise through the integrated XDR platform.
## Future Outlook
- Look for LevelBlue to heavily market its integrated MDR offerings alongside its XDR software, emphasizing the blend of robust platform technology and real-world threat hunting expertise.
- Further expansions or specialization of the "BlueApps" ecosystem, particularly in niche compliance or industry-specific threat intelligence (given their Labs legacy), will be an area to watch.
## For Security Professionals
Practitioners benefit from a platform that minimizes security tool fatigue by bundling key capabilities. The high fidelity of alerts, driven by behavioral analytics and comprehensive telemetry ingestion (including identity logs), should translate directly to lower mean time to detection (MTTD) and mean time to response (MTTR). The custom rule creation and suppression options provide necessary flexibility for tuning the system within complex operational environments.