Forrester Just Retired Endpoint Security. Here’s What That Means for BYOD
In February 2026, Forrester announced it was retiring The Forrester Wave™: Endpoint Security – a market evaluation it had published under various names for over a decade. The reason: EPP (endpoint protection platform) and EDR (endpoint detection and response) have converged to the point where evaluating them separately no longer serves enterprise buyers. Vendors that once competed across two product categories now deliver both functions in a single offering, and the differences at the core are, in Forrester’s own assessment, negligible.
That’s a meaningful market signal. But the bigger story isn’t the convergence of EPP and EDR. The bigger story is what traditional endpoint security tools for remote work have never covered in the first place: personal laptops, third-party devices, and unmanaged BYOD endpoints that IT doesn’t own or manage.
For security leaders responsible for remote workforces, extended contractor teams, or any organization running a BYOD model, this is the moment to ask a harder question. If the market is consolidating around managed device protection, what exactly is protecting work on the devices you don’t manage?
What Forrester Actually Said – and What It Means
EPP + EDR Have Converged. That’s the Good News.
Forrester’s retirement of the Endpoint Security Wave isn’t a warning sign for enterprise security — it’s a sign of maturity. EPP and EDR used to be separate tools, often from different vendors, covering different problems. EPP focused on prevention; EDR focused on detection and response after a threat bypassed prevention. As vendors acquired capabilities and consolidated product lines, those distinctions blurred. Now, evaluating them separately creates more confusion than clarity.
Forrester will continue covering the endpoint market through its XDR Wave, mobile threat defense, and OT security evaluations. The managed endpoint, for organizations that have invested in it, is as well-covered as it’s ever been. The research, the tooling, and the vendor ecosystem have all matured around a well-understood problem. You can read more about how EDR and XDR differ in practice and what that means for your security architecture.
The Real Endpoint Security Problem Has Always Been Coverage
Here’s the issue: EPP, EDR, and their XDR successors all share a foundational requirement. They require IT to install and manage an agent on the endpoint. That means they work on corporate-issued devices that IT controls. They don’t work on personal laptops, contractor devices, or any other endpoint that an employee or third party brought in from outside the organization’s management boundary.
The Forrester story is about the maturation of managed endpoint security. The BYOD story is about the large and growing population of devices that managed endpoint security was never designed to cover — and what happens when those devices are the ones your workforce uses every day.
Why Traditional Endpoint Security Was Never Built for Unmanaged (BYOD) Devices
Invasive Endpoint Agents Require Managed Devices
Traditional endpoint security tools operate on a simple assumption: IT owns the entire device. That assumption holds when you’re managing a fleet of company-issued laptops with standardized images, centralized patch management, and full administrative rights. Agents get installed, policies get enforced, and alerts flow back to the security team.
On a personal laptop, none of that infrastructure exists. IT can’t push an invasive EPP agent onto a device it doesn’t own. Even if a contractor agrees to install something, the organization has no authority over that device, no ability to enforce configuration standards, and no reliable way to know what else is running on it. The device is outside the management boundary by definition.
This isn’t a gap that better endpoint tooling solves. It’s a structural gap that exists because the category was built around a different operating model — one where IT controlled every device that touched company data.
The Contractor and BYOD Blind Spot
Modern organizations don’t work that way. Remote employees work from personal computers. Contractors are onboarded in weeks or days, often working from whatever device they already own. Offshore teams and third-party vendors connect to internal systems from endpoints that IT has never seen, let alone managed.
The scale of this problem is significant. Research consistently shows that:
- Microsoft research found that 80–90% of successful ransomware attacks originate from unmanaged devices.
- 47% of companies allow access to corporate resources on unmanaged devices authenticated by credentials alone, according to industry research on endpoint security gaps.
- Approximately 48% of organizations have suffered data breaches linked to unsecured or unmanaged personal devices in the past year, according to BYOD security data from Venn’s research hub.
These aren’t theoretical risks. They’re the operational reality of running a distributed workforce on devices IT doesn’t control.
The Security Gap on Personal Laptops Is Getting Harder to Ignore
Unmanaged Devices Are the Attack Surface That’s Growing
As remote and hybrid work became permanent operating models, the number of unmanaged endpoints connecting to corporate systems expanded significantly. Contractors and third-party vendors are a growing share of modern workforces. BYOD programs that started as exceptions have become standard practice in many organizations. The devices IT tracks and secures represent a shrinking fraction of the endpoints that actually touch company data.
The threat landscape has adapted accordingly. Attackers have learned that unmanaged devices are frequently the softest path into an environment. A contractor’s personal laptop with no endpoint agent, no configuration enforcement, and a mix of personal and professional activity running side by side is an appealing target. Getting malware or credential-stealing software onto that device doesn’t require defeating enterprise-grade endpoint security — because enterprise-grade endpoint security isn’t there.
Understanding the full scope of endpoint protection strategies for BYOD environments requires thinking beyond the managed device estate and addressing the structural gap that exists wherever personal devices touch business data.
What Microsoft Research Found About Ransomware and Unmanaged Endpoints
The ransomware data point deserves more attention. When Microsoft analyzed successful ransomware intrusions and found that the vast majority originated from unmanaged devices, it wasn’t describing an edge case. It was describing the dominant attack pattern in modern enterprise environments.
The reason is straightforward. Endpoint security on managed devices has gotten good. EDR catches behavioral anomalies. EPP prevents known threats. The gap that attackers exploit isn’t in the managed device estate — it’s in the unmanaged endpoints sitting outside it, often with direct access to the same internal systems.
What Does “Endpoint Security” Even Mean for a Device You Don’t Own?
This is the question most endpoint security conversations avoid. The category has been defined around managed devices for so long that the language, the tools, and the evaluation criteria all assume IT control. But for organizations running BYOD programs or relying on contractors and third-party workforces, that assumption doesn’t hold.
You Can’t Install a Traditional Endpoint Security Agent on a Device You Don’t Manage
Traditional endpoint security requires administrative access to the device. You can’t deploy an EPP agent without it. You can’t enforce policies without it. You can’t get meaningful telemetry without it. On a contractor’s personal laptop, that access doesn’t exist and, in many cases, shouldn’t exist.
Some organizations try to address this through conditional access policies: require a device health check before granting access, and hope that’s enough. But conditional access is a gate, not a control. It checks whether a device meets a minimum standard at the moment of login — it doesn’t govern what happens to company data once access is granted. Files can still be downloaded, shared, or exfiltrated through the personal side of the device after access is approved.
The question of how to apply endpoint DLP on unmanaged devices requires a different approach altogether — one that doesn’t depend on IT owning the device.
VDI Was the Legacy Answer – and It Has Its Own Costs
For years, the standard answer to the unmanaged device problem was virtual desktop infrastructure. Send contractors a VDI link instead of a company laptop, run everything in a hosted environment, and keep company data off their devices entirely.
VDI works in theory. In practice, it creates a different set of tradeoffs. Work runs in a virtualized environment, which means latency, limited application compatibility, and a user experience that professionals consistently describe as frustrating compared to running software locally. Provisioning VDI environments takes time. Scaling them is expensive. And the complexity of maintaining VDI infrastructure falls on IT teams that are already stretched.
A global investment firm managing nearly $300 billion in assets ran into exactly this problem. Shipping laptops to international contractors had become operationally untenable — customs delays, hardware costs, and setup time were adding up. But moving to VDI introduced performance and compatibility problems that disrupted the work itself. What they needed was a model that protected company data on contractor-owned devices without forcing contractors into a hosted environment. They found it with Blue Border™, which enabled same-day onboarding with full data protection and clear separation between work and personal activity — at a fraction of the cost of their previous model.
How Blue Border™ Closes the Endpoint Gap on Unmanaged Devices
A Secure Enclave Doesn’t Require Managing the Whole Device
Blue Border™ takes a fundamentally different approach. Instead of trying to manage the personal device — which IT can’t do and employees don’t want — Blue Border creates a company-controlled work environment directly on that device. Work lives inside the enclave. Business applications run locally with native performance. Company data stays protected and isolated from the personal side of the laptop.
IT controls what happens inside the enclave: application access, DLP policies, data encryption, network controls, and session governance. Everything outside the enclave — the employee’s personal applications, personal files, personal browsing — remains private and outside IT’s visibility. The boundary is clear, enforced, and visible. Work gets the governance it requires. The device owner keeps their privacy.
This model doesn’t require IT to own or manage the endpoint. It doesn’t require shipping hardware. It doesn’t require VDI infrastructure. It requires installing the Venn agent — a process that contractors can complete on their own devices in minutes.
Work Gets Protected. The Rest of the Device Stays Private.
The result is a security model that’s more aligned with how distributed workforces actually operate. Contractors and remote employees work on their own hardware, with the same performance they’d get from any locally installed application. IT teams get consistent data protection and policy enforcement across every device that touches company data, regardless of whether IT issued that device.
One aviation manufacturer deployed this model to secure more than 7,000 remote employees, contractors, and suppliers across multiple geographies. The organization had evaluated VDI and found the performance and compatibility issues unworkable. With Blue Border, contractors were onboarded same-day, work activity was fully isolated inside the enclave, and the organization eliminated the overhead of both device shipping and virtual desktop infrastructure.
The security gap that Forrester’s announcement implicitly highlights — the one that traditional endpoint tools were never built to close — is exactly the gap Blue Border was designed for.
The Real Takeaway From the Forrester Announcement
Forrester retiring the Endpoint Security Wave isn’t a crisis — it’s a market growing up. EPP and EDR have converged. Managed endpoint security is mature. The vendors and tools that protect company-issued laptops are well-established, well-evaluated, and well-understood.
The unmanaged device problem is different. It’s growing faster than the managed estate. It’s the attack surface that ransomware actors actively target. And it’s the one that traditional endpoint security tools, however mature, were never designed to address.
If your workforce includes remote employees, contractors, or third-party vendors working from personal devices, the question isn’t whether your EPP and EDR tools are good. It’s whether those tools cover the devices where work actually happens.
Blue Border™ was built to answer that question. See how it works — request a demo. We’d love to hear what you think in the comments below.
Scott Lavery
SVP Marketing