
EDR beyond Windows: protecting Linux, AIX and IBM i.

We map how far today's leading EDR solutions actually reach across your estate — including the servers CrowdStrike and SentinelOne have no agent for. Where the radar reaches, where the blind spots are, and how to close them with open source.


There's a conversation that comes up every time we review a client's detection strategy. They walk us through their coverage: Windows protected, Linux mostly there, macOS depending on the case. All reasonable. Then we ask: "What about the AIX servers? And the IBM i?" What usually follows is a brief silence.

It isn't an oversight. It's that most EDR solutions on the market — CrowdStrike, SentinelOne, Microsoft Defender — have no agent for AIX or IBM i. And in banking, insurance or logistics, those are precisely the systems running the organisation's most critical transactions.

  • 44% of breaches involve ransomware
  • 0 leading commercial EDR agents for AIX
  • 10M+ annual Wazuh downloads
  • 24h early-warning deadline for significant incidents under NIS2 (Article 23)

01 · Clearing up the acronyms

EDR, XDR, MDR: three letters that aren't the same thing

The industry stacks up acronyms fast, and the lines between products aren't always clear. Before we go further, it's worth pinning down what each one means — because the difference matters when it's time to protect a server that isn't Windows.

EDR (Endpoint Detection & Response): detects threats on endpoints primarily by analysing behaviour (process trees, command lines, network connections, persistence changes) rather than relying on file signatures alone. That is how it catches attacks that leave no file behind, which traditional antivirus never sees.
XDR (Extended Detection & Response): correlates telemetry from endpoints, network, identity, email and cloud to detect threats from a single platform. It extends visibility beyond the individual endpoint.
MDR (Managed Detection & Response): not a technology but a service. Someone runs your EDR/XDR 24/7. It makes sense if you have no in-house SOC; less so if you already have a team and only lack the tooling.
The distinction most people miss

Antivirus matches files against a database of known malware signatures (modern products add heuristics, but the model is still file-centric). A new sample, or an attack that never writes a file to disk (fileless, living-off-the-land), slips past it. EDR catches it because it watches behaviour: process trees, command lines, network connections and configuration changes, not just file contents.

02 · The coverage map

How far does your EDR's radar actually reach?

Here's the exercise that rarely happens in a security review: mapping the real EDR coverage of the leading commercial solutions across every kind of system you run in production. Not the datasheet version — the real one.

System            Platform                       Leading commercial EDR
Windows           x86_64                         Full coverage
Linux x86         RHEL · Ubuntu · Debian         Full coverage
macOS             Apple Silicon · Intel          Partial coverage
Linux on Power    ppc64le                        Partial coverage
AIX               IBM Power · Unix               Blind spot
IBM i             IBM Power · AS/400             Blind spot

Full coverage: leading commercial EDR covers it · Partial coverage: limited or vendor-dependent · Blind spot: no agent available

The last two rows of the map are the problem. CrowdStrike has no agent for AIX or IBM i. Neither does SentinelOne. Neither does Microsoft Defender. It's a blind spot in the commercial EDR market that hits the sectors with the largest regulated attack surface (banking, insurance, healthcare, logistics), which happen to be the ones with the heaviest IBM Power footprint.

The angle few people look at

You're already paying for CrowdStrike, SentinelOne or Microsoft Defender. The problem isn't only a security one — it's that part of your most critical infrastructure sits outside that investment. You're paying for coverage that, by design, never reaches the systems running your transactions.

03 · The market

Consolidation, concentration and a quiet alternative

The EDR landscape has been reshaping itself for a couple of years now. And the most significant move didn't come from the products — it came from the mergers.

The enterprise leader: CrowdStrike remains the reference at the high end. The faulty Falcon sensor content update of July 2024, which crashed millions of Windows hosts worldwide, brought a level of scrutiny that wasn't there before, but technically it's still among the best.
The native integration: Microsoft Defender for Endpoint is gaining share on the back of its Microsoft 365 integration. For anyone already in that stack, the marginal cost is hard to beat.
The acquisitions: Cisco bought Splunk for roughly USD 28 billion. Palo Alto Networks took over the SaaS side of IBM's QRadar. The message: detection and response are merging with the SIEM. They're no longer separate products but layers of the same platform.
The open-source alternative: meanwhile, Wazuh has passed 10 million annual downloads and added local-LLM threat hunting, with no licensing cost.
04 · Wazuh as EDR/XDR

What works and what doesn't

Let's be specific, because this is a product we work with daily and we know both its strengths and its limits well. Wazuh is open source, lightweight and cross-platform — and, most relevant for this article, its agent runs in IBM i PASE environments and on AIX.

What it does well
  • File integrity monitoring (FIM) and rootkit detection
  • System log analysis and software/hardware inventory
  • CVE-based vulnerability detection and automated active response
  • Agents for Linux, Windows and macOS; deployable on PASE (IBM i) and with an agent for AIX
  • Local-LLM threat hunting since 2025, with no licensing cost
Where its limits are
  • No kernel-level sensor or in-line blocking like CrowdStrike or SentinelOne: the agent runs in user space and draws its process telemetry from logs and integrations such as auditd on Linux or Sysmon on Windows
  • No built-in detonation sandbox
  • Functional console, with room to improve on usability
  • The 3,000+ default rules are a starting point, not a turnkey solution
  • Needs a team that knows how to configure and tune it

That last line is the important one. The difference between a Wazuh that generates noise and one that generates actionable intelligence lies in configuration, tuning and knowledge of the environment. For the full comparison with commercial alternatives, it's on our Wazuh page.

05 · Reducing the blind spot

Is there an EDR for IBM i and AIX?

It's the direct question, and the honest answer is: not in the catalogue of the big vendors, but yes, through open source. Back to the two blind spots on the map. If the commercial solutions don't reach AIX and IBM i, three pieces that complement each other remain.

Wazuh on PASE (IBM i) and AIX

Wazuh can be deployed in PASE (Portable Application Solutions Environment, the AIX-compatible runtime on IBM i), letting you collect system telemetry and events that are then correlated in the central platform. For AIX there's a native agent. Neither matches the coverage Wazuh offers on Windows, but both collect system logs, monitor file integrity and detect configuration changes. On IBM i there's a caveat worth knowing: an agent running in PASE sees the IFS and PASE processes, while native security events (invalid sign-ons, authority failures, system value and user profile changes) are recorded only in QAUDJRN, the system audit journal. Pairing Wazuh with QAUDJRN collection (exported with DSPJRN, or read through the QSYS2.DISPLAY_JOURNAL SQL service, and shipped as log lines) adds a layer of visibility most of these systems don't have today. Check first that the relevant audit levels are switched on in QAUDLVL; an empty journal produces no alerts.
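
The following is an added example, not code from the page or from the Wazuh project, showing what the QAUDJRN pairing looks like once the journal has been exported: it parses a constructed CSV export of audit-journal rows, converts them to JSON lines that a Wazuh localfile in json format can ingest, and runs three detections a practitioner would want on day one (a burst of PW invalid-password entries, an SV change to an auditing or security-level system value, and a CP profile change that hands out *ALLOBJ or *SECADM). The column names follow the audit-journal outfile layout, but the rows, the date layout and the first-token reading of JOESD are assumptions for this example; the rule names are hypothetical. It also serves the FAQ on NIS2 evidence further down, which relies on the same QAUDJRN collection.

```python
import csv
import io
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real journal data: the shape of a QAUDJRN export made with
# DSPJRN JRN(QSYS/QAUDJRN) OUTPUT(*OUTFILE) and copied to CSV. Column names follow the
# audit-journal outfile layout (JOENTT entry type, JOUSPF user profile, JOESD entry-
# specific data). JODATE/JOTIME are assumed to be YYMMDD/HHMMSS; on a real system the
# date layout follows the job's QDATFMT, so adjust the strptime format accordingly.
SAMPLE_CSV = """JODATE,JOTIME,JOENTT,JOJOB,JOUSER,JONBR,JOUSPF,JOPGM,JOESD
250301,081502,PW,QPADEV0001,QUSER,123456,JSMITH,QSYSLOGIN,P
250301,081509,PW,QPADEV0001,QUSER,123457,JSMITH,QSYSLOGIN,P
250301,081514,PW,QPADEV0001,QUSER,123458,JSMITH,QSYSLOGIN,P
250301,081520,PW,QPADEV0001,QUSER,123459,JSMITH,QSYSLOGIN,P
250301,081527,PW,QPADEV0001,QUSER,123460,JSMITH,QSYSLOGIN,P
250301,093000,AF,NIGHTBATCH,OPS01,200001,OPS01,QCMD,A PAYLIB/PAYROLL *FILE
250301,094512,SV,QPADEV0002,QSECOFR,300001,QSECOFR,QCMD,QAUDLVL
250301,101000,CP,QPADEV0002,QSECOFR,300002,QSECOFR,QCMD,A NEWUSER *ALLOBJ *SECADM
250302,081500,PW,QPADEV0003,QUSER,400001,JSMITH,QSYSLOGIN,P
"""

# System values that switch auditing off or lower the security level. A change here is
# worth an alert regardless of who made it.
SENSITIVE_SYSVALS = {"QAUDCTL", "QAUDLVL", "QAUDENDACN", "QSECURITY", "QPWDLVL"}
PRIVILEGED_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE"}


def parse_qaudjrn(csv_text):
    """Turn exported journal rows into plain dicts with a real timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "timestamp": datetime.strptime(row["JODATE"] + row["JOTIME"], "%y%m%d%H%M%S"),
            "entry_type": row["JOENTT"],
            "job": f'{row["JONBR"]}/{row["JOUSER"]}/{row["JOJOB"]}',  # IBM i qualified job name
            "user": row["JOUSPF"],
            "program": row["JOPGM"],
            "detail": row["JOESD"].strip(),
        })
    return events


def to_wazuh_json_lines(events):
    """One JSON object per line, which a Wazuh <localfile> with log_format json can read.
    The fields end up under data.qaudjrn.* in the resulting Wazuh alert."""
    lines = []
    for e in events:
        rec = dict(e, timestamp=e["timestamp"].isoformat())
        lines.append(json.dumps({"qaudjrn": rec}, sort_keys=True))
    return lines


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """PW entries (invalid password or user name) per profile inside a sliding window.
    Fires once per burst and resets, so one sustained attack gives one alert, not fifty."""
    alerts, recent = [], defaultdict(deque)
    for e in sorted(events, key=lambda x: x["timestamp"]):
        if e["entry_type"] != "PW":
            continue
        q = recent[e["user"]]
        q.append(e["timestamp"])
        while e["timestamp"] - q[0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "qaudjrn_pw_burst", "user": e["user"], "count": len(q),
                           "first": q[0].isoformat(), "last": e["timestamp"].isoformat()})
            q.clear()
    return alerts


def audit_tampering(events):
    """SV entries whose entry-specific data names a sensitive system value
    (assumption for this example: the system value name is the first token of JOESD)."""
    alerts = []
    for e in events:
        sysval = (e["detail"].split() or [""])[0].upper()
        if e["entry_type"] == "SV" and sysval in SENSITIVE_SYSVALS:
            alerts.append({"rule": "qaudjrn_sysval_change", "user": e["user"],
                           "sysval": sysval, "job": e["job"]})
    return alerts


def privileged_profile_changes(events):
    """CP entries (user profile created or changed) that mention a privileged special authority."""
    return [{"rule": "qaudjrn_priv_profile", "user": e["user"], "detail": e["detail"]}
            for e in events
            if e["entry_type"] == "CP" and PRIVILEGED_AUTHORITIES & set(e["detail"].split())]


def run(csv_text):
    """Parse, convert and run all three detections; returns the JSON lines plus the alerts."""
    events = parse_qaudjrn(csv_text)
    return {
        "json_lines": to_wazuh_json_lines(events),
        "alerts": failed_logon_bursts(events) + audit_tampering(events)
                  + privileged_profile_changes(events),
    }


if __name__ == "__main__":
    for alert in run(SAMPLE_CSV)["alerts"]:
        print(json.dumps(alert))
```

In production the JSON lines are what you write to a file the agent tails; the three detections are the kind of logic you would then express as Wazuh rules on the data.qaudjrn.* fields rather than keep in a script, but running them offline against an export is the quickest way to confirm that the audit levels you expect are actually producing entries.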

PowerSC for hardening and compliance

PowerSC is IBM's native security and compliance tool for AIX and IBM i. It monitors file changes, checks configurations against CIS/STIG profiles and generates compliance reports. It isn't an EDR in the strict sense, but it covers the change detection and configuration management that complement Wazuh, and IBM itself markets recent PowerSC releases as EDR for Power environments.

Open source for IBM Power

Beyond IBM's own tooling, there are open-source repositories maintained specifically for IBM Power that make it easier to deploy monitoring agents and automation tools on AIX and IBM i.

LibrePower: the open-source catalogue for IBM Power. It maintains package repositories for AIX and IBM i with the dependencies needed to deploy monitoring agents, audit scripts and automation tools. With AWX and Ansible, you deploy and configure those agents across fleets of Power servers just as you would on Linux.
The piece the auditor wants to see

Wazuh + PowerSC + Ansible across IBM Power isn't an off-the-shelf EDR. But it provides visibility over systems the commercial EDR platforms don't cover, and it produces evidence aligned with the monitoring, traceability and detection requirements set out in NIS2.

06 · Where to start

Three steps if you only protect Windows

Audit your real coverage

Inventory every endpoint — not just the ones IT actively manages, but the ones that have been running "on their own" for years. Every AIX server, every IBM i, every production LPAR that sends no telemetry to a central system is a blind spot. If you don't know how many unprotected systems you have, you can't size the solution.

Deploy Wazuh as a baseline

A Wazuh server with agents on everything — Windows, Linux, AIX, IBM i — gives you centralised visibility. It isn't the final step, but it's the one that generates the most insight per euro spent. Our guide to Wazuh and NIS2 walks through the process for environments under regulatory pressure.

Define your response strategy

Detection without the ability to respond is an alarm nobody turns off. Wazuh's active responses (endpoint isolation, IP blocking, process kill) need careful configuration to avoid false positives that hit production: scope each response to specific rule IDs and levels, set a timeout so blocks expire on their own, and keep an allowlist of addresses and hosts (management networks, the HMC, the collectors themselves) that must never be blocked. This is where experience matters more than technology.
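
The following is an added example, not code from the page or from the Wazuh project, covering the three steps above end to end on the response side: a custom active-response script that reads the JSON message wazuh-execd passes on stdin (the Wazuh 4.x format; verify against the release you run), applies the guardrails just described before doing anything, performs the check_keys handshake so it doesn't double-block an address, and only then enforces. The protected networks, agent names, rule ID 100200 and the iptables enforcement are assumptions for this example; the enforcement command applies to Linux agents, while AIX has no iptables and its IP Security filters are not covered here.

```python
import ipaddress
import json
import subprocess
import sys

# Guardrails. These values are assumptions for the example; size them to your estate.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.10.0.0/24",      # HMC / VIOS management network (hypothetical)
    "192.168.200.0/24",  # Wazuh manager and SIEM collectors (hypothetical)
)]
PROTECTED_AGENTS = {"hmc01", "vios01"}   # never act on these agents (hypothetical names)
MIN_RULE_LEVEL = 10                       # ignore low-level rules even if someone wires them up
AR_LOG = "/var/ossec/logs/active-responses.log"   # Wazuh's active-response log


def parse_ar_message(raw):
    """Read the JSON that wazuh-execd passes on stdin (Wazuh 4.x active-response format)."""
    msg = json.loads(raw)
    alert = msg["parameters"]["alert"]
    return {
        "command": msg["command"],                         # "add" on alert, "delete" on timeout
        "srcip": alert.get("data", {}).get("srcip"),
        "rule_id": str(alert["rule"]["id"]),
        "level": int(alert["rule"]["level"]),
        "agent": alert.get("agent", {}).get("name", ""),
    }


def decide(req):
    """Return (action, reason) with action in {"block", "unblock", "skip"}."""
    if not req["srcip"]:
        return "skip", "no srcip in alert"
    try:
        ip = ipaddress.ip_address(req["srcip"])
    except ValueError:
        return "skip", "srcip is not an IP address"
    if req["command"] == "delete":
        return "unblock", "timeout reached, removing block"
    if req["level"] < MIN_RULE_LEVEL:
        return "skip", "rule level below threshold"
    if req["agent"] in PROTECTED_AGENTS:
        return "skip", "agent is on the protected list"
    if ip.is_loopback or any(ip in net for net in PROTECTED_NETWORKS):
        return "skip", "srcip is in a protected range"
    return "block", "ok"


def check_keys_message(srcip):
    """Stateful handshake: ask execd whether this key already has an active block."""
    return json.dumps({"version": 1,
                       "origin": {"name": "guarded-block", "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": [srcip]}})


def enforcement_command(action, srcip):
    """Linux enforcement via iptables (returned, not run, so the logic is testable offline)."""
    flag = "-I" if action == "block" else "-D"
    return ["iptables", flag, "INPUT", "-s", srcip, "-j", "DROP"]


def sample_message(command="add", srcip="203.0.113.7", level=10, agent="aix-prod-01"):
    """Constructed execd message for offline testing; rule 100200 is a hypothetical custom rule."""
    data = {} if srcip is None else {"srcip": srcip}
    return json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-analysisd"},
                       "command": command,
                       "parameters": {"extra_args": [],
                                      "alert": {"rule": {"id": "100200", "level": level},
                                                "agent": {"name": agent}, "data": data},
                                      "program": "/var/ossec/active-response/bin/guarded-block.py"}})


def log(line):
    with open(AR_LOG, "a") as fh:
        fh.write(line + "\n")


def main():
    req = parse_ar_message(sys.stdin.readline())
    action, reason = decide(req)
    if action == "skip":
        log(f"skip rule {req['rule_id']} srcip {req['srcip']!r}: {reason}")
        return 0
    if action == "block":
        # Handshake: execd answers "continue" if the key is new, "abort" if already blocked.
        sys.stdout.write(check_keys_message(req["srcip"]) + "\n")
        sys.stdout.flush()
        if json.loads(sys.stdin.readline()).get("command") != "continue":
            log(f"abort: execd reports {req['srcip']} is already blocked")
            return 0
    subprocess.run(enforcement_command(action, req["srcip"]), check=False)
    log(f"{action} {req['srcip']} for rule {req['rule_id']} ({reason})")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The point of splitting decide() from main() is that every skip reason lands in the active-response log, so when a block does not happen you can see which guardrail stopped it instead of guessing; the same split lets you feed sample_message() through the decision logic on a workstation before the script ever touches a production LPAR.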

Where SIXE comes in

Sizing a Wazuh deployment, bringing your Power systems into the EDR strategy, or preparing detection for a NIS2 audit — at SIXE we've spent more than 15 years at that intersection of IBM Power infrastructure and security.

In short

The essentials in five points

What to take away

→ Traditional antivirus isn't enough: it matches signatures, not behaviour. EDR can see fileless malware.

→ The leading EDR solutions have no agent for AIX or IBM i — a blind spot in banking, insurance and logistics.

→ Wazuh is a genuine open-source alternative, with an agent for PASE (IBM i) and AIX, and over 10M annual downloads.

→ Wazuh + PowerSC + Ansible significantly reduces that blind spot and produces evidence aligned with NIS2.

→ The LibrePower open-source ecosystem makes deploying agents and automation on IBM Power simpler.

FAQ

Frequently asked questions

What's the difference between EDR, XDR and antivirus?

Antivirus looks for known malware signatures in files. EDR analyses system behaviour (processes, connections, changes) to detect threats that leave no file behind, such as fileless malware. XDR extends that visibility beyond the endpoint, correlating data from network, email, cloud and identity into a single platform.

Do CrowdStrike or SentinelOne have an agent for AIX or IBM i?

No. The leading commercial EDR solutions have no agent for AIX or IBM i. It's a blind spot that affects sectors with heavy IBM Power footprints: banking, insurance, healthcare and logistics.

Is there an EDR alternative to CrowdStrike or SentinelOne on AIX?

Since CrowdStrike and SentinelOne offer no agent for AIX, the practical alternative combines Wazuh (detection and event collection), PowerSC (IBM's native hardening and compliance) and Ansible for automated deployment. It's not a one-to-one replacement, but it provides the detection layer those platforms don't offer on AIX.

Does this help with NIS2 compliance?

Combining Wazuh, PowerSC and Ansible automation across IBM Power provides a detection and traceability layer over systems that commercial EDR platforms don't cover. Collecting IBM i's QAUDJRN and AIX syslog into a central SIEM produces evidence aligned with the monitoring, traceability and detection requirements set out in NIS2.


Got blind spots in your EDR coverage?

Tell us which systems are unprotected, how many endpoints you run and which regulations apply to you. We'll get back to you within 24 hours with an outline architecture and a realistic sense of effort. If Wazuh fits, we'll say so. If it doesn't, we'll say that too.