Try our new research platform with insights from 80,000+ expert users
Head of Security at Mannai Microsoft Solutions
Real User
Top 20
We can block suspicious URLs, quarantine malicious files, and conduct a forensic investigation
Pros and Cons
  • "We can run the virus scan across our entire environment."
  • "Some of the integrations that Defender should include involve the use of the web app."

What is our primary use case?

We utilize Microsoft Defender for Endpoint as our EDR solution, which stands for endpoint detection and response. Through this solution, devices are integrated. If new vulnerabilities or novel attacks emerge, Defender for Endpoint promptly identifies them. It serves as our primary EDR solution amidst the variety available in the market.

The current surge in Defender for Endpoint's popularity is attributed to its real-time detection capabilities. Additionally, we can execute SOAR actions, namely security orchestration response. For instance, if we need to isolate a device from the network or run an antivirus scan on a machine, Defender for Endpoint facilitates these tasks.

Consider a scenario where one of the devices becomes compromised. During the investigation, if a malicious IP address is identified, it can be blocked using Defender for Endpoint.

How has it helped my organization?

Microsoft Defender for Endpoint offers excellent visibility. We can observe all the details regarding the attack process, such as the type of activity that occurred, including the entire MITRE ATT&CK framework. This enables us to view the initial actions, the device involved, the IP address used, and the extent of the impact on users and devices all through a single interface.

Microsoft Defender for Endpoint definitely assists us in prioritizing threats throughout our enterprise. Based on the signatures, the alert categories are related to high severity, medium severity, and low severity. Therefore, we can determine which alerts require our focus and prioritize them accordingly.

I am currently the Subject Matter Expert for Microsoft within my organization. This encompasses the entire Microsoft security suite. I specialized in working with Microsoft Sentinel. In the past, I was a part of the Microsoft Sentinel team itself, back in 2017 when Sentinel was in its pilot version, known as Azure Security Insights. 

It's very easy to integrate the Microsoft solutions. We have data connectors and APIs readily available. There are no difficulties. If we teach an unfamiliar person for a week how to use Defender for Endpoint and Microsoft Sentinel, they can likely gain insight into the basics of integrating Defender for Endpoint, Microsoft Sentinel, Defender for Identity, or Defender for Cloud Apps.

These solutions work natively together to deliver coordinated detection responses across our environment. When an incident is detected in Microsoft Defender for Endpoint, the same incident will be captured in Microsoft Sentinel within a few minutes. The integration capabilities with both Microsoft and third-party solutions are valuable.

The comprehensiveness of threat protection provided by these Microsoft security solutions is combined into a single interface. We can access all necessary features from one place. The combined solutions offer us User and Entity Behavior Analytics, Endpoint Detection and Response, on-premises, and cloud application security. While no single product can handle everything independently, by implementing basic security practices across all Microsoft products, we achieve a comprehensive threat detection system.

The bi-directional sync capability is a feature that allows us to enable safe devices in both Defender for Cloud and Defender for Endpoint.

Sentinel allows us to ingest data from across our entire ecosystem. If we are utilizing third-party firewalls or other products, we can employ APIs to integrate those solutions with Sentinel.

Sentinel allows us to examine threats and respond comprehensively from a single location. Within this location, we can utilize SOAR playbooks to accomplish different tasks, such as blocking all compromised email sign-in sessions with just one click.

Sentinel is a comprehensive security product, owing to its integrated SOAR, UEBA, and threat intelligence capabilities. UEBA employs built-in machine learning to identify users with high, medium, and low-risk profiles. The user interface also includes a feature that enables us to log out of the user. Threat intelligence has the ability to assimilate all access information from third-party solutions and identify threats originating from the internet. Sentinel consistently operates proactively to prevent compromises. 

I used to utilize Splunk back in 2015, but I have recently transitioned into being a Microsoft security advocate due to the cost optimization benefits. Microsoft Sentinel's pricing is based on the data we ingest. We have the flexibility to choose different models, such as the pay-as-you-go model or the bandwidth model. For instance, if we ingest 500 GB of EPS, we will incur charges for that usage; however, a 20 percent discount is applicable in this scenario. The pricing is directly linked to the amount of data we ingest, which is advantageous. I prefer not to ingest certain security events that are intended for operational purposes. By excluding these events, I can effectively reduce the overall cost of using Microsoft Sentinel. Additionally, being a cloud-native tool eliminates the need for any physical hardware. With just one click, the entire installation process is completed.

There are three ways Microsoft Defender for Endpoint has benefited our organization. The primary advantage is the optimization of our organization's scanning process. We have established a bi-weekly scanning process that runs at midnight, encompassing all machines. This stands as the foremost enhancement. The second advantage revolves around obtaining visibility into vulnerabilities within our environment. Considering our role as an MSSP, responsible for managing over 25 clients, this visibility holds paramount importance. Within Defender, a particularly noteworthy feature is the enabled management. This provides us with the latest information regarding vulnerabilities within Microsoft products as well as third-party software. The third and final advantage pertains to responding to emerging threats. For instance, in the case of a new attack, such as the recent CVE 3688, which targets a Microsoft Office vulnerability, including a zero-day exploit lacking an available solution, our Microsoft-oriented threat intelligence block comes into play. Through custom query languages deployed within Defender, we have the capability to identify anomalous activities. Additionally, this third point ties in with the Application Guard rules. These rules have proven instrumental in proactively preventing ransomware attacks. They operate by automatically obstructing any suspicious processes occurring within the Office environment.

Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We have APIs established, allowing us to develop our own dashboards using the Defender for Endpoint APIs. For instance, we can utilize Power BI to generate a security report, providing a comprehensive overview of the organization's internal activities.

It has eliminated the necessity for multiple dashboards. This pertains to the MXDR dashboard, which stands for Microsoft Extended Detection Dashboard, as well as the Detection Response Dashboard. Essentially, we have consolidated these into a single comprehensive dashboard, developed entirely by Microsoft. This unified dashboard streamlines the process of accessing organizational insights. As a result, there's no longer a need to access different security products to view their respective dashboards. Within Defender for Endpoint itself, we offer an array of security reports, all conveniently accessible with just one click. For those who may not find the reports relevant, we also provide the option to utilize our in-house developers for Power BI integration. This entails having a centralized dashboard where data from all products is collected and displayed in one location, facilitating a holistic view of security reports.

The integration into a single dashboard has simplified our security operations. Previously, our team had to perform numerous manual tasks for all customers. Therefore, with automation, when we present the report to the customers, they are quite impressed with having everything in one place. 

Microsoft Defender for Endpoints' threat intelligence assists us in preparing for potential threats before they materialize, enabling us to take proactive measures. We identify these proactive threats due to the presence of a threat entry system. If any IOCs are obtained, they are undoubtedly identified by Microsoft Sentinel. Moreover, we have set up indicators ingestion for Defender for Endpoint. This process involves creating steps to acquire data from third-party sources and directly inputting it into Defender for Endpoint. Since Defender for Endpoint has a capacity limit of 15,000 indicators of compromise, we can only ingest data up to this extent. Any surplus data will be automatically removed, provided their IOC scores fall below 60 within a month. Consequently, new IOCs will replace the removed ones.

It has saved our organization around 30 percent of our time in terms of not having to worry about malware. When any malware does get in, it is automatically remediated. Now, the main portion of our time is dedicated to conducting in-depth investigations and identifying other occurrences.

We have cut our organization's costs in half compared to our previous solutions. This is mainly due to the automation of most tasks, which means we now only need ten people to manage 20 customers, a significant reduction from the 30 engineers we needed before.

Microsoft Defender for Endpoint has significantly reduced our time for detection and response. Our Service Level Agreement entails detecting issues within 15 minutes and responding within 30 minutes. Defender for Endpoint has greatly contributed to these time savings. The incidents that we used to address using Splunk required extensive coordination within our team and with our customers, leading to substantial time consumption. Previously, resolving a single incident took around 40 minutes. Presently, this process takes approximately 15 minutes.

What is most valuable?

The most valuable feature is the timeline, which allows us to view the details of an event 30 minutes before and after.

Forensic investigation is a valuable feature of Defender for Endpoint.

We can run the virus scan across our entire environment.

We can block suspicious URLs and quarantine malicious files within the Defender for Endpoint portal.

What needs improvement?

Some of the integrations that Defender should include involve the use of the web app. Utilizing the web app implies that the Defender API should be accessible through mobile devices as well. For instance, if there exists a mobile application, it would be beneficial. Let's imagine a scenario where I'm traveling and I receive a new alert. With a Defender mobile application, I could easily isolate the threat, conduct an investigation on my mobile device, or even automatically escalate or assign the alert to my engineers.

There are certain third-party apps that haven't been integrated with Defender. I would be delighted to witness the integration of those apps with Defender for Endpoint. 

The deployment of Defender for Endpoint should be made smoother via Intune.

Buyer's Guide
Microsoft Defender for Endpoint
June 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,687 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for five years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable.

How are customer service and support?

The technical support is fine but it takes time to reach them.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used Splunk but switched to Microsoft Defender for Endpoint because of the cost and smoother operation.

How was the initial setup?

With the proper training, the initial setup is straightforward.

When conducting customer onboarding, the deployment will require a minimum of three days. Therefore, we must ensure everything is executed flawlessly and follow security best practices. Emphasizing precise deployment is crucial. Hence, deploying without careful planning is not an option, aiming to prevent any issues in a larger environment. In contrast, a smaller environment can be deployed within two days.

For a large organization with over 5,000 employees, a team of up to six people is required for the deployment.

What was our ROI?

We are achieving a 15 percent return on investment, which is contributing to the growth and impact of our company.

What's my experience with pricing, setup cost, and licensing?

If we are acquiring everything in a single place, the front end becomes cost-effective. We won't need to purchase five separate products for various tasks. Instead, it's one product designed for five tasks, which is certainly a cost-effective approach.

What other advice do I have?

I rate Microsoft Defender for Endpoint an eight out of ten.

We also utilize Defender for Cloud. Defender for Cloud is employed specifically for the Azure product. If we have servers deployed within Azure, the system handles alerting, traceability, and security. Therefore, we certainly use it.

We have three locations where Microsoft Defender for Endpoint is deployed. One is in Australia, another is in Qatar, and the third is in India. Consequently, we employ approximately two hundred personnel.

No maintenance is required for Defender for Endpoint on the customer's end.

A single-vendor security solution approach is better than a best-of-breed strategy. We all are using Microsoft laptops and OS.

I recommend completing a POC before adapting Microsoft Defender for Endpoint.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Syed Abid  - PeerSpot reviewer
Snr. Infrastructure Architect (Data Centre) at LogicEra
Reseller
Top 5Leaderboard
Advanced threat protection improves security posture and device management
Pros and Cons
  • "Microsoft Defender for Endpoint is a comprehensive and scalable solution for protecting on-premises and hybrid infrastructure."
  • "The initial support process can be lacking as first-line support is sometimes not well-versed technically, resulting in repeated exchanges to finally engage a knowledgeable support person."

What is our primary use case?

Our customers use Microsoft Defender for Endpoint to protect their hybrid environments. We onboard the hybrid environment to the Azure Security posture with proper Intune integration. This setup ensures that devices are protected and secured with anti-malware, antivirus, and other protective measures. We deploy this primarily in hybrid environments.

What is most valuable?

Microsoft Defender for Endpoint provides a unified management interface allowing customers to manage their on-premises and hybrid infrastructures from a single pane. The integration with Intune enables control over devices like laptops, enhancing security. Automated Investigation and Remediation features are vital for advanced threat protection and beneficial for device protection. The ability to manage both devices and users efficiently is advantageous.

What needs improvement?

One area that needs improvement is the integration cost of logs with external solutions like Sentinel, which can be expensive. Additionally, Microsoft could allow storing logs locally within the Defender panel to reduce costs. It would also be beneficial if policies could be configured without relying on Microsoft Entra ID, allowing for better integration with local directories.

For how long have I used the solution?

I have been working with Microsoft Defender for Endpoint for three to four years.

What was my experience with deployment of the solution?

Sometimes devices do not sync properly with the Endpoint. We often need to diagnose whether the issue lies with the Endpoint or the device. This can delay proper deployment.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable with no major issues reported. However, syncing of devices sometimes encounters problems, requiring us to investigate the root causes.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable enough to handle various devices across environments, whether they are laptops, Android devices, or operating in hybrid environments. Customers mostly use it in hybrid setups.

How are customer service and support?

The initial support process can be lacking as first-line support is sometimes not well-versed technically, resulting in repeated exchanges to finally engage a knowledgeable support person. This process is often slow and time-consuming.

How would you rate customer service and support?

Neutral

How was the initial setup?

Setting up Microsoft Defender for Endpoint requires technical knowledge of Microsoft Entra ID and policy configurations. While it is not easy for all customers, skilled technical personnel can handle it without major issues.

What's my experience with pricing, setup cost, and licensing?

The pricing of Microsoft Defender for Endpoint is reasonable. It costs $15 per VM for the P2 plan, which is seen as affordable for customers. Additional add-ons are priced at $5.

What other advice do I have?

Microsoft Defender for Endpoint is a comprehensive and scalable solution for protecting on-premises and hybrid infrastructure. It provides strong protection and management capabilities. Customers are advised to use this solution for its robust features like advanced threat protection and easy integration with other Azure applications. I rate Defender for Endpoint nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Microsoft Defender for Endpoint
June 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,687 professionals have used our research since 2012.
reviewer2700672 - PeerSpot reviewer
Analyst at a financial services firm with 10,001+ employees
Real User
Reduces endpoint infection risk with efficient malware blocking and offers detailed attack surface visibility
Pros and Cons
  • "The feature I find most valuable in Microsoft Defender for Endpoint is that it blocks the process and keeps the endpoint from getting infected with malware."

    What is our primary use case?

    My use cases for Microsoft Defender for Cloud Apps include email security.

    My use cases for Microsoft Defender for Endpoint most likely involve scenarios where the endpoint has malware, as it shows the process of the malware detonation and that it was blocked.

    What is most valuable?

    The feature I find most valuable in Microsoft Defender for Endpoint is that it blocks the process and keeps the endpoint from getting infected with malware.

    These features have benefited my organization as they help reduce the risk of the endpoint and show us what we are getting, so we know what they attempt to do, such as anything that came with official email.

    My experience with the visibility into my organization's attack surface provided by Microsoft Defender for Endpoint is that the user interface gives us a lot of visibility.

    Microsoft Defender for Endpoint helps protect our endpoint and also gives us visibility with the endpoint data.

    For how long have I used the solution?

    I have been using Microsoft Defender for Cloud Apps for a couple of years.

    What do I think about the scalability of the solution?

    Microsoft Defender for Endpoint scales very well with the growing needs of my organization because we have a lot of endpoints.

    Which solution did I use previously and why did I switch?

    Prior to adopting Microsoft Defender for Endpoint, I don't think we had anything in place to address similar needs.

    What about the implementation team?

    I was not part of the implementation process; I am just using it.

    What was our ROI?

    I have seen a return on investment, even though I don't know what the budget for that is.

    I have seen a return on investment because it provides us with protection, which is the best investment we had.

    I have seen a return on investment from that.

    Which other solutions did I evaluate?

    Before choosing Microsoft Defender for Endpoint, they might have considered other options, but I was not involved in that evaluation.

    What other advice do I have?

    My experience with the automatic attack disruption feature is that it is already incorporated into the blocking process of the malware.

    It helped reduce my mean time to remediation from the start to process, from a couple of hours to less than an hour.

    Microsoft Defender for Endpoint does not free up our SOC team's job, but it makes our job easier.

    I don't know about the pricing, setup costs, and licensing because I'm just a user.

    I prefer to remain anonymous when publishing the review.

    I want to remain anonymous in terms of the company name as well.

    On a scale of 1-10, I rate Microsoft Defender for Endpoint an 8.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Flag as inappropriate
    PeerSpot user
    Lead security engineer at a computer software company with 11-50 employees
    MSP
    Top 20
    Real-time protections and automatic attack disruption have saved our time
    Pros and Cons
    • "The features of Microsoft Defender for Endpoint that I prefer most are the detections. It just works."
    • "The automatic attack disruption feature in Microsoft Defender for Endpoint works great."
    • "The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs."
    • "The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs."

    What is our primary use case?

    We are an MSP. We've got a lot of clients that use Microsoft Defender for Endpoint as their EDR system. We support that.

    A lot of the use cases for Microsoft Defender for Endpoint check the boxes for the EDR solution for that client. We use the endpoint portals to work through any alerts. Mostly, we feed all of the Azure Office 365 security logs into our SIEM and then take those alerts if we have to do more work, and see if we can get more details from that.

    How has it helped my organization?

    The automatic attack disruption feature in Microsoft Defender for Endpoint works great. Microsoft Defender for Endpoint's auto-deployed deception techniques also work great. It hasn't bothered me, so it just does its thing, which helps a lot because we have many things to deal with.

    The visibility into the company's attack surface provided by Microsoft Defender for Endpoint is good. It's all in one place, which is great. I can see where things are going and make sure that it's deployed on all the machines that we work on.

    Microsoft Defender for Endpoint has affected the security posture of our clients' organizations. It does its job fine. For some clients, we don't have to worry too much. Even if we're not getting tons of alerts from it, it's at least there, doing its job.

    Microsoft Defender for Endpoint's coverage in client environments is comprehensive. Every device we support is a Microsoft Windows device. It covers pretty much all the endpoints and workstations for those clients.

    Microsoft Defender for Endpoint has helped reduce our mean time to remediation. A lot of the reduction is due to the automatic disruption, so we don't have to sit there. It also gives us another data point to look at where the vulnerability might have been.

    It has helped me free our SOC team to work on other projects or tasks. It has saved 5% to 10% of our time.

    What is most valuable?

    The features of Microsoft Defender for Endpoint that I prefer most are the detections. It just works. Malware getting on a machine and running is a big deal, so we can trust it to sit there and scan and have real-time protections.

    What needs improvement?

    The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs.

    For how long have I used the solution?

    At the company, we've been using it for a long time. I've been here for about three months.

    What do I think about the stability of the solution?

    The stability of Microsoft Defender for Endpoint is good. I've never had it be unavailable. It's always available when I need it to be.

    What do I think about the scalability of the solution?

    It has been able to fulfill our needs. Everyone we work with is pretty small, so it's not usually an issue.

    How are customer service and support?

    I have never interacted with the customer service of Microsoft Defender for Endpoint, as it just does what I need it to. Based on my other experiences with Microsoft technical support, I would rate them an eight out of ten.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We use Microsoft Defender for Endpoint along with some other products. Some of our clients choose to stick with Microsoft. There are other EDR products that we support as well.

    How was the initial setup?

    I've deployed it for a client. It was pretty smooth and simple. They're small shops, so there wasn't a whole lot of craziness to do with it.

    What was our ROI?

    The biggest return on investment for me when using Microsoft Defender for Endpoint is the time saving. It's an easy recommendation. If I have clients wanting to dive into more security products for their environments and are hesitant about going with an endpoint solution or a different software vendor, it's an easy recommendation.

    What's my experience with pricing, setup cost, and licensing?

    It's all pretty easy. For some clients, it's an easier sell because it's just an add-on to their existing Microsoft licensing and Office 365 licensing.

    What other advice do I have?

    I would rate Microsoft Defender for Endpoint a nine out of ten. The log search features are difficult. If I don't have visibility into another product, the log search functions of Microsoft Defender for Endpoint are pretty difficult to navigate.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer. Not sure
    Flag as inappropriate
    PeerSpot user
    IT CONSULTANT at a tech company with 10,001+ employees
    Consultant
    Top 20
    Works reliably behind the scenes and saves labor costs
    Pros and Cons
    • "It's pretty easy to use, works with compliance issues, and is reliable."
    • "Microsoft Defender for Endpoint has helped reduce our mean time to remediation significantly."
    • "Microsoft Defender for Endpoint can have more options and more AI capabilities in the future, because everything keeps changing."

    What is our primary use case?

    Our main use case for Microsoft Defender for Endpoint is as a safety plan because we're in hospitality.

    How has it helped my organization?

    Microsoft Defender for Endpoint benefits my company by saving on labor costs since we don't have to put in extra effort to maintain it. It's self-sufficient.

    Microsoft Defender for Endpoint gives us information about attacks and security, and easy access to data, similar to a spreadsheet. It gives us the information we need. It helps provide quick responses.

    Microsoft Defender for Endpoint seems safe, which is the main thing we were looking for, and it works reliably in catching the things we used to catch. We see many random hacking attempts and fake emails, and it cuts them off before anything happens.

    Microsoft Defender for Endpoint works mainly behind the scenes. We know we are safe and feel we can relay accurate information to customers.

    Microsoft Defender for Endpoint's coverage across different platforms in our environment has no issues. Microsoft seems to have it covered, unlike other software that isn't compatible.

    I have tried integrating Microsoft Defender for Endpoint with other software products, and it seems compatible with all of them.

    Microsoft Defender for Endpoint has helped reduce our mean time to remediation significantly. It is doing all the work for us, so we don't have to spend our own time on it. It has reduced our mean time to remediation by about 75% to 80%.

    Microsoft Defender for Endpoint has helped free our SOC team to work on other projects since we don't have to waste time, as this solution does the work for us. We have saved about 70% to 80% of time because we don't have to focus on certain tasks, allowing Microsoft to handle it for us.

    What is most valuable?

    It's pretty easy to use, works with compliance issues, and is reliable.

    It sends us data, which is clear-cut. We don't have to do anything extra.

    What needs improvement?

    Microsoft Defender for Endpoint can have more options and more AI capabilities in the future, because everything keeps changing.

    For how long have I used the solution?

    I have been using Microsoft Defender for Endpoint for about six to seven years.

    What do I think about the stability of the solution?

    I have no complaints about the stability and reliability of Microsoft Defender for Endpoint; it feels solid.

    What do I think about the scalability of the solution?

    There is plenty of room to expand, which is not a problem since we have been bringing in different brands over the years. Compatibility is its main feature. 

    How are customer service and support?

    The technical support for Microsoft Defender for Endpoint is available around the clock, and that's not an issue at all.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I was using another solution six to seven years ago to address similar needs. It has been a long time, and I'm struggling to remember which one it was.

    What was our ROI?

    We have seen a return on investment when using Microsoft Defender for Endpoint, as it saves labor by reducing the need for staff to focus on it.

    What's my experience with pricing, setup cost, and licensing?

    It isn't cheap, but it's reasonable and fair.

    Which other solutions did I evaluate?

    I considered a few other solutions before choosing Microsoft Defender for Endpoint, but that was quite a while ago, and I don't even know if they exist anymore.

    What other advice do I have?

    I would rate Microsoft Defender for Endpoint a ten out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Flag as inappropriate
    PeerSpot user
    AfsareHassane - PeerSpot reviewer
    Formateur Cybersecurité and SOC Analyst at Beekom
    Real User
    Top 10
    Advanced hunting and alert management made efficient
    Pros and Cons
    • "You can query and access useful information from logs and events, which is powerful and efficient."
    • "Sometimes, there are difficulties in downloading a file considered as malicious."

    What is our primary use case?

    I use Defender for Endpoint every day, for example, when a user downloads an unwanted application, we get an alert. Sometimes we have suspicious processes in an endpoint, and we receive an alert for those activities.

    How has it helped my organization?

    Microsoft Defender for Endpoint helps in detecting different alerts and potential threats by providing alerts and timelines with detailed explanations, which is useful to understand and close or address the issues.

    What is most valuable?

    In Microsoft Defender, there is a security portal that allows advanced hunting. You can query and access useful information from logs and events, which is powerful and efficient. Additionally, the timeline feature helps in understanding which process launched what and identifying errors.

    What needs improvement?

    Sometimes, there are difficulties in downloading a file considered as malicious. We encounter a bug that requires several attempts to download, which is a bit of a challenge.

    For how long have I used the solution?

    I have been working with Microsoft Defender for Endpoint since February, which is approximately eight months.

    What do I think about the stability of the solution?

    The stability of the solution is rated an eight out of ten. It is quite stable.

    What do I think about the scalability of the solution?

    The scalability of the solution is rated as eight, suggesting it is reasonably scalable.

    How are customer service and support?

    I contacted Microsoft support for personal use of Defender, and they were very nice, providing solutions quickly. This was a positive experience.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Before using Defender for Endpoint, I used SentinelOne. Defender is easier to use than SentinelOne.

    How was the initial setup?

    For the initial setup, I’d give it an eight out of ten, suggesting it’s quite straightforward.

    What's my experience with pricing, setup cost, and licensing?

    The price for Microsoft Defender for Endpoint is about three euros, which is considered reasonably priced. I'd rate it seven out of ten for cost.

    Which other solutions did I evaluate?

    I have previously evaluated SentinelOne before using Microsoft Defender for Endpoint.

    What other advice do I have?

    I'd advise others to use Microsoft Defender for Endpoint because it's a good solution with many experts behind it. Additionally, it's compatible and easy to use with Windows environments.

    I'd rate the solution eight out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Flag as inappropriate
    PeerSpot user
    IT Architect at a real estate/law firm with 10,001+ employees
    Real User
    Top 5
    We have seen improvement in all our endpoint vulnerabilities
    Pros and Cons
    • "The detection features are valuable, as is the fact that it is easier to port these logs into Sentinel. That is also useful for us. It is more comprehensive."
    • "If the solution could be integrated more with Defender for Cloud, to be more unified, that would help. It is good now, but even more integration could be done with Defender for Cloud. We see two different portals. If Defender for Endpoint could be ported to the CSPM, Defender for Cloud, that would make things even easier for us."

    What is our primary use case?

    We use it to protect our servers and endpoints, which include our employees' laptops and our own endpoint portal, where we see the single pane of glass reports. It is our first line of defense.

    How has it helped my organization?

    We have seen improvement in all our endpoint vulnerabilities, which is very crucial for us. If this had not been implemented, we would be in trouble because our endpoints would be unprotected. It has definitely improved the security posture of our organization.

    Also, automated investigation, protection, and alerts have affected our security operations in a positive way. We get to see the vulnerabilities quicker, and we get to see the root cause analysis as well.

    Defender for Endpoint has also eliminated having to look at multiple dashboards. The Endpoint portal is sufficient. It is easier for our security operations team to look at the vulnerabilities and reports and plan for remediation actions.

    In addition, the moment the solution's threat intelligence provides a suspicious IP or a suspicious URL, we block it right away. We are more secure. It has helped our security operations detect things in advance and preempt any vulnerabilities.

    We have seen productivity gains in terms of the mean time to resolve issues, on the order of 20 to 30 percent. We have the unified dashboarding and reporting, the investigation, and automated remediation. Saving 20 percent of our time translates to saving money.

    What is most valuable?

    The detection features are valuable, as is the fact that it is easier to port these logs into Sentinel. That is also useful for us. It is more comprehensive.

    The visibility into threats that Defender for Endpoint provides us with is quite deep and mature. The threats that we find help us understand our vulnerabilities and remediate them if required.

    Another very important point is that it prioritizes threats across our enterprise. This is important; the solution is the first line of defense. Defender for Endpoint is very crucial for our defense, considering that we all work remotely.

    We also use Defender for Cloud, Purview, and Microsoft Sentinel; all of these are integrated and go into Sentinel. It was easy to integrate them because we are using Azure Cloud, and all of them are native to Azure Cloud. The connectors also make it easy. The fact that these solutions work natively together, providing coordinated detection and response, is very important to us. That is precisely why we got into Azure. This does provide us with a comprehensive view of the threats, incidents, alerts, investigations, and threat-hunting processes. Overall, it gives us multiple ways of securing things.

    What needs improvement?

    If the solution could be integrated more with Defender for Cloud, to be more unified, that would help. It is good now, but even more integration could be done with Defender for Cloud. We see two different portals. If Defender for Endpoint could be ported to the CSPM, Defender for Cloud, that would make things even easier for us.

    For how long have I used the solution?

    I have been using Microsoft Defender for Endpoint for three years.

    What do I think about the stability of the solution?

    We have never had any downtime or any other issues.

    What do I think about the scalability of the solution?

    We have scaled up to 3,000 endpoints, and there is scope for it to be scaled more. When more employees join or more departments come in, we'll be scaling up.

    How are customer service and support?

    Defender for Endpoint's technical support is fairly good. We haven't encountered many problems with them. We initially had some problems when we integrated Sentinel, but that was resolved internally.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not have another EDR solution. We started with Azure.

    How was the initial setup?

    The deployment was straightforward because it's all native. We are integrating within the Azure environment, so it is easy.

    This solution specifically would have taken a week or so to deploy, but it was part of our overall deployment along with the other Microsoft products. After a week, we started utilizing or pushing the data into our security operations.

    We had multiple servers and laptops that were endpoints to be protected by Defender for Endpoint, almost 3,000 endpoints. We had to go one by one. Initially, we implemented 500, and eventually we built on top of that.

    It doesn't require much maintenance unless we add more endpoints. That's when we need to push it. Otherwise, there is not much activity involved.

    What about the implementation team?

    It was all done in-house and required three full-time resources.

    What was our ROI?

    We have easily seen 20 to 30 percent savings, year on year.

    Which other solutions did I evaluate?

    They would have definitely evaluated other solutions, but the clear preference for a native solution is what made this stand out.

    What other advice do I have?

    A single-vendor security suite has its advantages in terms of ease of porting, ease of connecting to the SOC, and also dashboarding. For ease of use, a single vendor strategy is valuable. But cost-wise, if you go for multiple vendors, you may be able to negotiate the cost, but that approach makes things difficult to integrate.

    It detects suspicious malware and credential access issues, and it even maps to the Mitre ATT&CK framework. It's a pretty good product. Try it out and implement it as soon as possible.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Doug Kinzinger - PeerSpot reviewer
    Director of Technologies Solutions at a retailer with 1-10 employees
    Real User
    Top 20
    Has good reporting and logging features
    Pros and Cons
    • "I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender."
    • "The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor."

    What is our primary use case?

    We want to find a solution that fits businesses of every size and type, but we primarily target small and medium-sized enterprises. 

    How has it helped my organization?

    Defender helps us prioritize threats across the organization. When we needed to update the patches on our endpoints, we could look at all the patches and see what still needed to be fixed. We could decide whether it's necessary to address something urgently or deploy it as part of routine monthly maintenance. It's crucial to have the insights and a report that I can show to an executive to demonstrate that we need to act fast. This is less common because most people accept your hotfixes and patches when they come out, especially monthly security updates. However, some older shops might be like, "I'm running Windows 10. No one's touching this." We still need to service and support those machines, too. 

    The solution helps us automate routine tasks and alerts. There's a dashboard where I can see the statuses of my machines in the environment. It helps us breathe a little bit easier. We're responding to businesses that had shifting needs during COVID. How can we be more proactive and help them to be more proactive? We shifted from traditional PC antivirus software to stuff that's totally different. I can't say it's "set it and forget it" because that implies a lazy mentality. However, I know I have a level of protection that I can have faith in. 

    Defender helps us be more proactive. I find value in the zero-day threats that get fixed from Microsoft bug fixes or security updates. I can read and research about those zero-day threats from Microsoft's public site without digging too deeply into the Defender side of things. 

    We've saved some time with Defender for Endpoint because we were doing a lot of unnecessary remediation with the other products. We had a series of servers that our previous product was installed on. It would blue-screen the server at random, and you can't have that. I'm not worried about Defender impacting my system stability. We put a lot of high-performance systems out there, including PCs and backend compute. I want to ensure we won't be overburdened by unnecessary security software that may not be giving me the protection I want.

    Defender's reporting saves us four hours to eight hours each month. It has many of the standard reports we need built in, so it's effortless to generate and pull from. The time we save in other areas isn't as easy to quantify. I don't have to worry about the stability of a box or a computer cluster. 

    It has decreased my detection time. On Wednesday, I got emails notifying me that new vulnerabilities were detected. They weren't new, but they were newly disclosed because patches came out for them. It has enabled us to react much quicker. 

    What is most valuable?

    I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender.

    Defender ties into the Microsoft 365 portal where many shops spend a lot of their time doing password resets or other tasks. There is much more in the Azure portal too, but the 365 portal has a list of open issues, bugs, and necessary remediation steps. If I'm working on my security score, I have all of those on an active list, which is nice.

    What needs improvement?

    Defender should be more accessible for small and medium-sized businesses. You have some organizations that maybe have a hundred employees, and they're focused on making their widgets. That's their nine-to-five every day. They're not thinking about that security side, but maybe they're already invested in 365 or the Azure ecosystem and having Defender as an add-on makes sense from a price perspective. It's easy to deploy, but it could be easier for some of those smaller businesses to onboard endpoints.

    The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor.

    For how long have I used the solution?

    We have used Defender for Endpoint for the last 18 months or so. 

    What do I think about the stability of the solution?

    Defender's stability is one of the things I love most about the solution. 

    What do I think about the scalability of the solution?

    There are no limitations on Defender's scalability. I get the impression that it's designed to cater to massive enterprises with 20,000 or more endpoints, but I think there's a market for a simpler deployment, like 100 PCs, 10 servers, etc. Give me a deployment option that's simple. 

    How are customer service and support?

    I rate Microsoft support eight out of 10. It's good overall, but it can be hit or miss depending on your issue, and sometimes you don't get the right level or technician. All of my 2023 support experiences have been stellar, but 2022 was a little inconsistent. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    The company evaluated other solutions in parallel and in tandem with it. Our trajectory shifted slightly during COVID-19, so we explored that more. We tried ESET and SentinelOne for a while. But those are apples-to-oranges comparisons. Defender for Endpoint is geared toward common reporting,  notifications, and backend stuff, whereas SentinelOne is designed to lock machines down. It has many more tendrils deep within, so they're not great comparisons. 

    We decided to go with Defender because we're pretty heavily invested in the rest of the Microsoft Stack, so it made sense. However, we wanted to do our due diligence because we're already using other products. We wanted to ensure we were picking the best of breed for our customers fair enough.

    We were having issues with other products like ESET, SentinelOne, and Symantec. SentinelOne is just too deep and heavy. It's like trying to shoot a fence post with a missile. It was too much. We rely on the product and trust it. It takes a little while to get there, but once you trust a product, you can move on to the next thing and know you're protected.

    How was the initial setup?

    The onboarding process could be more straightforward. I wish the onboarding were simpler. It seems a little more ethereal than, "Hey, here's your executable, put this on every machine." That would be easier for a small shop. We're still deploying into a lot of our sites. It didn't take long at all, but it takes a while to get fully ready to deploy, 

    What's my experience with pricing, setup cost, and licensing?

    Defender's pricing is competitive. There are ways to negotiate a better price with Microsoft or your reseller as your business grows. You can say, "Hey, I bought 365 Business, then E3, and E5. Now, I'm buying Defender, so give me bulk pricing."  There are opportunities to save as you grow that wouldn't exist if you picked a different vendor.

    What other advice do I have?

    I rate Microsoft Defender for Endpoint eight out of 10. 

    Disclosure: My company has a business relationship with this vendor other than being a customer. Resellers
    PeerSpot user
    Buyer's Guide
    Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2025
    Buyer's Guide
    Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.