IT Central Station is now PeerSpot: Here's why
Buyer's Guide
EPP (Endpoint Protection for Business)
July 2022
Get our free report covering CrowdStrike, Microsoft, SentinelOne, and other competitors of Cortex XDR by Palo Alto Networks. Updated: July 2022.
622,949 professionals have used our research since 2012.

Read reviews of Cortex XDR by Palo Alto Networks alternatives and competitors

SimonThornton - PeerSpot reviewer
Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
Real User
Top 10
Provides good visibility and is fairly easy to set up within one tenant, but doesn't support multitenancy and is not as capable as other solutions
Pros and Cons
  • "I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible."
  • "A challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy."

What is our primary use case?

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

How has it helped my organization?

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

What is most valuable?

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

What needs improvement?

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

For how long have I used the solution?

I have been using it for about two years. I've got a couple of customers today with it.

What do I think about the stability of the solution?

Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

What do I think about the scalability of the solution?

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

How are customer service and support?

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

What's my experience with pricing, setup cost, and licensing?

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

What other advice do I have?

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

  • What do your endpoints consist of?
  • Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
  • What is it that you're trying to achieve by taking Defender? 
  • Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSSP
Flag as inappropriate
SagarShah - PeerSpot reviewer
Cyber Security Manager at a tech services company with 10,001+ employees
Reseller
Top 10
Provides good control over external devices, and has good reliability, dashboard view, and reporting
Pros and Cons
  • "The dashboard view and reporting are valuable. It is stable and easy to integrate, and it provides custom options."
  • "Nowadays, threats are changing, and they are moving more towards script control and zero-day attacks. So, we would like to have more control similar to an EDR solution. Symantec Endpoint Protection has certainly come a long way as a traditional antivirus, but because the threats are changing, we would like to have more EDR features so that we have a detailed view of the source from where the infection entered the environment and whether it has tried to connect any other endpoint. It should provide such a detailed view for investigation. It should protect against zero-day threats, etc. These are the key enhancements that can make it a complete solution for any enterprise. Currently, we have seen organizations going for two solutions: antivirus and EDR. With both these capabilities, it would be a complete package."

What is our primary use case?

We have used Symantec for several scenarios depending on a client's requirements. We have used the Symantec solution for host integrity, device control, and communication policies. It has the host integration part where we get the custom option to add certain scripts.

Most of the clients have been using it on-prem, but we are now looking into the cloud or SaaS environment because it would be much easier to manage the infrastructure. Our clients have Amazon AWS and Microsoft Azure.

How has it helped my organization?

Policies are very important and valuable for us. We have to ensure the security of the client environment. We have to ensure that there is no tampering, and restrictions are applied to the devices when one uses third-party devices such as storage and pen drives. It has the flexibility to integrate with other devices.

It is helpful in identifying the rogue devices in the environment where we don't have any agents deployed. We can identify them through Symantec. We have also heard that with cloud Symantec, we can do remote deployment through the console itself.

What is most valuable?

The dashboard view and reporting are valuable. It is stable and easy to integrate, and it provides custom options.

The agent is lightweight, and the response to the known infections with regular updates from Symantec is also valuable.

What needs improvement?

Nowadays, threats are changing, and they are moving more towards script control and zero-day attacks. So, we would like to have more control similar to an EDR solution. Symantec Endpoint Protection has certainly come a long way as a traditional antivirus, but because the threats are changing, we would like to have more EDR features so that we have a detailed view of the source from where the infection entered the environment and whether it has tried to connect any other endpoint. It should provide such a detailed view for investigation. It should protect against zero-day threats, etc. These are the key enhancements that can make it a complete solution for any enterprise. Currently, we have seen organizations going for two solutions: antivirus and EDR. With both these capabilities, it would be a complete package.

For how long have I used the solution?

I have been supporting various clients for six to seven years.

What do I think about the stability of the solution?

It is stable, and that's why I recommend Symantec, especially when it comes to the server environment.

We follow the N-1 process. Whenever there is a new version, we don't upgrade immediately because there can be potential risks. We upgrade to a new version immediately only if we get the recommendation from the vendor or they have fixed any vulnerability or issue that was reported. Otherwise, we follow the N-1 version approach for upgrades.

What do I think about the scalability of the solution?

I have not seen any challenges with the scalability of the solution. I have worked with multiple clients. One of our clients has about 30,000 end users. They are located in eight to nine countries and have about 15 different remote locations.

We have plans to increase the usage of the product, but it all comes down to client requirements. It depends on their environment, its size, and how we want to further enhance that.

How are customer service and support?

Generally, we get a response, and it works, but we have seen some delays or very generic responses. If there is a quarantined file and we need information about what kind of data is there in that file, it takes a lot of time. We sometimes have to escalate to the next level for getting a proper and timely response because it's our client's data that is in quarantine. I would rate them an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with multiple solutions, such as McAfee, Cortex, and CrowdStrike. McAfee has several components, and if any component stops, it impacts the compliance status and puts everything at risk because the definition will not be distributed. Symantec has an edge there because it does not have too many components. Only with the GUP server, we can distribute the definition in remote locations, which makes it easier. It also provides a view of all the GUP servers in the console.

EDR is a different solution. It provides complete visibility and footprint of zero-day and other threats based on the behavior. Symantec also provides that, but it needs more enhancement on the investigation part.

How was the initial setup?

Based on what I have seen and the feedback I have received, its deployment is straightforward. It takes almost a week because it goes through various stages, such as planning, designing, and deployment. It also depends on a client's environment.

The implementation strategy varies, and it depends on a client's environment, such as whether they are a huge organization or whether they have multiple remote locations.

After the deployment, the next stage is doing the configuration, which takes a little while because it involves engaging different departments of a client and doing segregation and restructuring.

It doesn't take more than four to six months for the technology to mature in the client environment. Immediately after deployment, we start making changes to tune the policies based on a client's requirements and define the exceptions. It takes four to six months to have a stable environment.

What about the implementation team?

We have a separate team that does the deployment, but I do share some recommendations depending upon the client environment. After the deployment, that team hands it over to my team for operations, and then we make the changes. So, they do the basic deployment, and we then take over and make the solution mature.

Generally, its deployment does not require more than two people. At the initial stage, they collect and gather information from various sources and proceed with the deployment, and then it takes some time to do the configuration. So, two people are good enough for initial deployment, but when it comes to rolling out the agent to the entire landscape, it takes time. You have to engage various people from different departments. The people involved in its deployment and configuration are administrators and engineers.

It usually doesn’t require much maintenance. We do our regular health checks to see whether the definitions are getting updated or not and whether their replications are working or not. Its maintenance is a one-man job, but the operational activities of the organization generally require two to three people, but the number can vary based on the size of the environment.

What was our ROI?

Our clients have certainly seen an ROI. They have been using the solution for a long time. They don't want to switch from one solution to another, and that's why we recommend the most stable ones to them.

What's my experience with pricing, setup cost, and licensing?

Pricing is handled by a separate team. Whenever a new client asks for a recommendation, we provide it, but they deal directly with Symantec or other vendors for the pricing.

What other advice do I have?

You should first understand a client's environment in terms of:

  • What does the client environment look like?
  • What is the size of the environment?
  • What are the features they are looking for?
  • What is the criticality of their environment?

All these aspects are important. At times, we have seen that clients just ask for the best solution, but they don't have a vision of what would make a solution best for them and what are they expecting from it. They should summarize their requirements, and accordingly, you can propose how Symantec can meet their requirements.

Overall, I would rate it a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
SimonThornton - PeerSpot reviewer
Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
Real User
Top 10
Has good process visualization and automated response capabilities, and comes with excellent support and flexible licensing
Pros and Cons
  • "The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable."
  • "The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work."

What is our primary use case?

We're a partner of SentinelOne, but we're also a partner of many other companies. We're not a vendor per se. We sell SOC as a service, and as a part of that service, we provide protection solutions. My area is around antivirus. So, we are not a reseller in that sense.

I am using its latest version. It can be deployed on-prem as well as on the cloud. I have customers with a requirement for both. SentinelOne provides their own cloud because that's where they do their artificial intelligence (AI).

How has it helped my organization?

SentinelOne is what they call extended detection and response (XDR). So, it is the next generation of endpoint detection. The main difference between Endpoint Detection and Response (EDR) and XDR is that in XDR you have visibility on how something is executing. An EDR solution detects a suspicious or malicious package based on its signature or its behavior and sends an alert, but the problem is that you only see the file that it alerts on. For example, if it is an attachment to an email, you'll see the trigger on the attachment when you try to open it, but what you don't always know is from where that came. With an XDR solution like SentinelOne, you can see the whole process execution. You can say that it was executed from inside Word, Outlook, or something else. For example, when you opened an attachment in Outlook, it triggered Word and got opened in Word. This whole process execution is visible with XDR. It also offers the possibility to suspend or respond intelligently. So, you can use it not only to detect that the package is suspicious, but you could also suspend it so that when the person comes to investigate, the suspended process is still there.

What is most valuable?

The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable.

What needs improvement?

The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work.

For how long have I used the solution?

I have been using it for about a year and a half.

What do I think about the stability of the solution?

It gives good stability. It can have an impact on the performance of the workstation, but that is usually a question of tuning. From a stability point of view, I've never had a machine with a blue screen.

What do I think about the scalability of the solution?

It scales very well.

How are customer service and support?

They're excellent. I would rate them a five out of five.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are technology agnostic in the sense that if a customer doesn't have a solution, we'll make a recommendation. If they don't have a solution, then our recommendation goes along the lines of SentinelOne, Palo Alto Cortex, Microsoft Defender ATP, or ESET. These are the ones that I typically would recommend, but Microsoft Defender ATP is problematic because you have to have the Azure and Office licenses to get it. For the other ones, you can buy the licenses separately. We also take over other solutions. I have some customers on Kaspersky and other solutions.

How was the initial setup?

It is straightforward. If we deploy it from a URL where it downloads, it can be done in 10 minutes. If it is coming from an internal deployment server, it can be a few minutes. It is essentially headless. There are no prompts.

What about the implementation team?

I have six people, but they normally work with the customers. As an MSSP, we normally work with the customer IT teams to deploy the agents in large companies. In small companies, it could be our people who do it. 

The number of people required depends on the number of endpoints, but generally, the number is low because it is a very simple installation. In fact, we even have end users running this.

What was our ROI?

It has the best ROI that I've seen. If I compare it to Microsoft Defender ATP or Defender for Endpoint, which a lot of people compare it against because it's included with the E3 or E5 Office licenses, Defender is three to five years behind SentinelOne. You're also tied to Microsoft's licensing scheme, whereas SentinelOne is independent of all of them. The ROI is very good. For me, its closest direct competitor is either Cybereason or Palo Alto's Cortex.

What's my experience with pricing, setup cost, and licensing?

Its price is per endpoint per year. One of the features of its licensing is that it is a multi-tenanted solution. From an MSSP point of view, if I want to have several different virtual clouds of customers, it is supported natively, which is not the case with, for example, Microsoft Defender.

Another nice thing about it is that you can buy one license if you want to. Some vendors insist that you buy 50 or 100, whereas here, you can just buy one.

The Singularity product has three versions: Singularity Core, Singularity Control, and Singularity Complete. The Singularity Complete one is really what I consider an enterprise rate solution. The middle one, Control, is more than adequate. In terms of price, it works out very similar to what you would pay for Kaspersky or for any other solution. The licensing per endpoint, per year, and per version is progressively more expensive for the Core, Control, and Complete versions. 

The interesting thing is that it is possible to upgrade across the versions without a major change. If a customer buys the most basic installation and would like some of the features out of the middle, it is possible.

What other advice do I have?

You have a choice between an on-premise console and the cloud. My advice would be to use the cloud, but it is a consideration of whether your endpoints can connect to the cloud or not. One of my customers is in the military defense area, and they have no connection to the internet. So, we had to deploy on-prem. What you don't get with the on-prem is all the AI. So, if you're deploying on-prem, you get the core features of SentinelOne, but you don't get all of the bells and whistles that you get from the cloud environment. The same is true for Cisco AMP and other solutions that are deployed on-prem. So, you need to consider how you're going to consume it if you have a disconnected network. If you're in the financial world, a lot of the production networks are not connected to the internet. So, solutions like Microsoft Defender are not an option because they're cloud-based, whereas SentinelOne is an option in those environments.

I would rate it an eight out of ten. It is a very good solution, but you have to compare it to understand it better.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Hari Prasad M - PeerSpot reviewer
Senior Security Engineer at a tech company with 1,001-5,000 employees
Real User
Top 20
Doesn't need to constantly run a security scan for images because the scorecards are updated periodically
Pros and Cons
  • "Everything is built into Azure, and if we go for cross-cloud development with Azure Arc, we can use most of the features. While it's possible to deploy and convert third-party applications, it is difficult to maintain, whereas Azure deployments to the cloud are always easier. Also, Microsoft is a big company, so they always provide enough support, and we trust the Microsoft brand."
  • "Azure's system could be more on point like AWS support. For example, if I have an issue with AWS, I create a support ticket, then I get a call or a message. With Azure support, you raise a ticket, and somebody calls back depending on their availability and the priority, which might not align with your business priority."

What is our primary use case?

I have a highly specific use case for Azure Defender, so I don't think I've used most of its features. We primarily use it to secure Kubernetes clusters in other cloud environments. For example, I have Kubernetes in Amazon AWS, and we're trying out Azure Defender to protect those Kubernetes clusters.

We also use Defender to scan the image repositories held in Azure Container Repository or ACR. We use Defender plus Azure ARC and Windows Defender. All three products work in conjunction to give us some security insights into our cluster.

How has it helped my organization?

We haven't fully implemented Azure Defender yet. Right now, we're at the POC stage. However, if people have a genuine use case, they should see its value, especially because of its cross-cloud compatibility. I don't think any other tool provides the same cross-cloud compatibility as Azure Defender combined with Arc, so that's a significant selling point for this product.

What is most valuable?

The security scorecard is something I find helpful. It tells me what's missing and identifies new vulnerabilities inside my registries. Once I publish the image, the scorecards automatically update. I don't need to constantly run a security scan for my images because the scorecards are updated by Azure periodically. That makes my job easier.

For how long have I used the solution?

I haven't been using Azure Defender for long. It's been around three months. 

What do I think about the stability of the solution?

Overall, Azure Defender's availability is excellent. However, the Kubernetes security is a new offering that is still under development, so the service's availability and support are not mature at this point and definitely need improvement.

What do I think about the scalability of the solution?

I rate Defender's scalability about eight out of 10. If you compare Azure Defender to a similar product AWS offers, there isn't much difference in scalability. The solution is able to accommodate all your requirements. I don't think I have ever reached a point where the solution couldn't scale to meet my needs. 

I deduct two points because you incur more costs as you increase usage, so it's more expensive when you have lots of logs flowing into the system. That is why I rate it eight. Otherwise, I don't see any technical issues there.

How are customer service and support?

Azure's system could be more on point like AWS support. For example, if I have an issue with AWS, I create a support ticket, then I get a call or a message. With Azure support, you raise a ticket, and somebody calls back depending on their availability and the priority, which might not align with your business priority. 

I can't talk about Microsoft support generally, but I can speak to my experience specifically with Azure Defender support. I would rate it five out of 10. Maybe it's because this is a product that Azure is still developing on the side. I don't think they have made Azure Defender for Kubernetes available to the general public yet, so that could be why their support is not up to par. I don't know the reason, but I haven't had a good experience with the support.

How was the initial setup?

It is just a POC, so I don't have many endpoints. The whole setup took three days for around 10 endpoints. They have an agent-based security system. It's always complex because you need to deploy the agent to all endpoints which is a lot of work to get it set up. 

We have still have not decided to implement Azure Defender because we are also trying out other products in the same line. Once the RFP process is finished, we will know which one we'll implement.

What's my experience with pricing, setup cost, and licensing?

Azure Defender is definitely pricey, but their competitors cost about the same. For example, a Palo Alto solution is the same price per endpoint, but the ground strikes cost a bit more than Azure Defender. Still, it's pricey for a company like ours. Maybe well-established organizations can afford it, but it might be too costly for a startup. They should try some open-source tools. That's how it is today.

Which other solutions did I evaluate?

Compared to other products, Azure Defender's main advantage is native integration with all Azure services. If your company uses Active Directory and builds everything on Azure, you get it as a complete package. There's no need to buy another tool and set it up in your cloud environment. 

Everything is built into Azure, and if we go for cross-cloud development with Azure Arc, we can use most of the features. While it's possible to deploy and convert third-party applications, it is difficult to maintain, whereas Azure deployments to the cloud are always easier. Also, Microsoft is a big company, so they always provide enough support, and we trust the Microsoft brand. 

What other advice do I have?

I rate Azure Defender eight out of 10. If you're looking for standard Azure Defender services like cloud posture management or application security, these features are all highly mature. Defender also has newer capabilities that they recently introduced, such as endpoint security, cross-cloud integration with Azure Arc, and Kubernetes runtime security. 

These are all new services, so potential users need to think twice before buying into it solely for these features because I don't think the support is there to encourage customers to buy the product. I don't feel confident about Microsoft's support in these particular areas. I would exercise caution before buying Defender for these particular use cases. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Senior Director, Platform Development at a tech services company with 51-200 employees
Real User
Top 10
Self-monitoring, easy to deploy, and stable
Pros and Cons
  • "The ease of deployment and the command center that they have are the most valuable. It is basically self-monitoring. It doesn't require that much tinkering after you deploy or install."
  • "It could have a 10,000-feet overview of the whole infrastructure because the software is easily installable on the whole infrastructure and not just the infrastructure, but also the workstation themselves. I would love to have a 360 view of the whole network and basically see from where a test is coming, and if there is an instance in the cloud that is actually misbehaving or if there is a workstation that is infected and stuff like that. It can also have some kind of AI to detect all those things and then cut off the connection from that machine. In Cortex, you can link the logs, reports, and all that stuff. You can also see the full picture of when it happened, and you can trace it back all the way to a file or something else. I would like to see similar functionality in Avast Business Endpoint Protection."

What is our primary use case?

We have a bunch of instances in production and Dev infrastructure. We use it to protect Linux boxes, PCs, and Macs. We are using the latest version.

How has it helped my organization?

We didn't use any similar solution before, and we did not suffer from any attacks previously. We were lucky that we did not have any attacks, and we didn't suffer from anything.

We got it more for compliance. To be compliant, you have to have endpoint protection. Now that we have this solution, we still haven't detected anything. Overall, the employee workforce is kind of at top of their game regarding phishing attacks, but again, you cannot always be a hundred percent on it. So far, we didn't have anything that Avast Business Endpoint Protection would actually catch.

What is most valuable?

The ease of deployment and the command center that they have are the most valuable. It is basically self-monitoring. It doesn't require that much tinkering after you deploy or install.

What needs improvement?

It could have a 10,000-feet overview of the whole infrastructure because the software is easily installable on the whole infrastructure and not just the infrastructure, but also the workstation themselves. I would love to have a 360 view of the whole network and basically see from where a test is coming, and if there is an instance in the cloud that is actually misbehaving or if there is a workstation that is infected and stuff like that. It can also have some kind of AI to detect all those things and then cut off the connection from that machine.

In Cortex, you can link the logs, reports, and all that stuff. You can also see the full picture of when it happened, and you can trace it back all the way to a file or something else. I would like to see similar functionality in Avast Business Endpoint Protection.

For how long have I used the solution?

I have been using it since August, that is, for about four months.

What do I think about the stability of the solution?

It is stable. There are no bugs or glitches.

What do I think about the scalability of the solution?

It is scalable. You have to purchase licenses. One thing that we have is that the instances are mostly kind of static. Once they go up, they remain for at least a year or something like that. Therefore, we didn't have a case where you have a license just hanging there. I don't know if they offer any kind of flexible amount, pool, or something like that.

It is being used throughout the company. We have 40 people. It is used to protect every personal computer and the whole production and developer infrastructure.

How are customer service and technical support?

I haven't used their technical support so far.

Which solution did I use previously and why did I switch?

I used Norton 360 previously in a different company. From a resource standpoint, it is not resource-intensive like Norton.

We actually wanted to go with Norton 360 in my current company, but we could not get hold of them, and we could not purchase. That's the worst experience that we had. We wanted to give them money, but they couldn't be reached to actually schedule.

How was the initial setup?

It was straightforward.

What's my experience with pricing, setup cost, and licensing?

It is $75 per license for a year. There are no additional costs.

What other advice do I have?

It is pretty much straightforward to set up. Installation and updates are the only two steps. If you're setting up your company from scratch in the beginning, then I would suggest to buy it and then basically get it installed on every image. For a bigger company or for each personal computer or workstation, you can install it as an image. It will then already be there, and you don't have to bother with installing it later. For your cloud infrastructure, if you have an AMI, AWS, or any kind of image, that image should be updated with that software. The only thing that you need to change is the license.

I would rate Avast Business Endpoint Protection a nine out of ten. For a ten, it should have a 360 kind of view of the whole organization or the whole infrastructure.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
EPP (Endpoint Protection for Business)
July 2022
Get our free report covering CrowdStrike, Microsoft, SentinelOne, and other competitors of Cortex XDR by Palo Alto Networks. Updated: July 2022.
622,949 professionals have used our research since 2012.