Try our new research platform with insights from 80,000+ expert users
Senior Data Hosting and Security Special at Two aquate
Real User
Top 5
Helps to prioritize threats, provides good visibility, and saves us time
Pros and Cons
  • "Microsoft Defender for Endpoint is extremely stable."
  • "A single dashboard would be a significant improvement."

What is our primary use case?

We are a Microsoft-heavy organization, so we use Microsoft Defender for Endpoint because of its compatibility with our environment and its reports, which provide good visibility into our environment and send telemetry logs to the server.

How has it helped my organization?

Microsoft Defender for Endpoint collects all system logs, activity logs, and threats. It then sends this data to the Office 365 security portal, where we can view all logs and use various analytics tools to forecast average bandwidth usage, identify programs used by users, and view which apps are running in our environment, including unauthorized apps. All of these insights are easily accessible if we have a complete Microsoft solution.

Microsoft Defender for Endpoint helps us prioritize threats across our enterprise. We have configured the standard settings and are using many Microsoft solutions, so we receive direct support from Microsoft. We have created many policies, including a standard policy for all apps and programs used in our organization. We have a list of these programs, and any that are in the Defender for Endpoint exclusion list, such as DLP software or trusted software, are excluded so that they do not slow down the process. We then prioritize the apps according to standard cybersecurity priorities. For example, if an application is vulnerable and not from a renowned vendor, it should be blocked.

We have integrated Sentinel with Defender for Endpoint. The integration was a few simple clicks.

Our integrated solutions work together seamlessly to provide coordinated detection and response across our environment. We like Microsoft's Advanced Threat Protection solution, which uses EDR and AI to protect endpoints. Recently, a user downloaded an unknown file, and ATP immediately flagged it. ATP then ran an automatic investigation and provided us with the results in the portal. We can then decide whether to quarantine, delete, or report the file to Microsoft Defender for Endpoint.

Microsoft provides comprehensive security products that have fulfilled all of our security needs and assured us that we have enterprise-grade security and do not need any other solutions. We have received positive results.

We use the cloud's bidirectional synchronization capabilities to synchronize our on-premises Sentinel agents with the Azure Monitor agents.

It is our requirement to have bi-directional synchronization between the cloud and on-premises environments because we now have users in both locations. This means that if a user changes their password in the cloud, it will also be updated in the local Active Directory. Additionally, we have some on-premises servers that require our SQL databases in Azure, so they communicate with the cloud bi-directionally.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. The whole point of Sentinel is to collect logs and notify us, showing us our cybersecurity posture and where we stand. It also advises us on the policies we define for our system and whether the system in our environment matches those policies, identifying any applications that are not fulfilling those policies.

Sentinel provides visibility into our environment and we can investigate and respond to threats through Defender.

In the context of user and entity behavior analytics, Sentinel is very effective. It can identify high- and low-risk users by analyzing their daily usage activities, such as the applications they access, the websites they visit, and how they handle data. Sentinel then segregates users into high-risk and low-risk groups based on this analysis. This gives us good visibility into user behavior, which is essential for protecting our organization. While Sentinel has other capabilities, we are currently using it for UEBA.

Microsoft security has helped us save about 30 hours per month, reducing our workload.

Microsoft security has helped us save costs. In our company, we have different Office 365 licenses, including E5, E3, and F5. Some of the security add-ins are free with these subscriptions. For example, the E5 license includes SIEM, Office 365, Defender for Endpoint, and an Active Directory P1 subscription. This means that we do not have to purchase these add-ins separately, as they are included in our licensing.

Defender for Endpoint has reduced our time to detect and respond. Once an incident has occurred the AI automatically takes action and provides us with a detailed report of the investigation. It takes five to ten minutes to resolve an incident.

What needs improvement?

To have full visibility, we must access multiple dashboards, which is a problem because they change frequently, with daily updates to naming conventions. A single dashboard would be a significant improvement.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for seven months.

Buyer's Guide
Microsoft Defender for Endpoint
August 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
866,561 professionals have used our research since 2012.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is extremely stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is easily scalable because it is compatible with a variety of Windows and Linux machines.

How are customer service and support?

Technical support is good. We usually receive a response with a solution within 24 hours.

How would you rate customer service and support?

Neutral

Which other solutions did I evaluate?

We are currently evaluating CrowdStrike and a few other solutions.

What other advice do I have?

I would rate Microsoft Defender for Endpoint eight out of ten.

Microsoft-heavy organizations should avoid using third-party SIEM solutions, as the compatibility issues would require significant effort from the IT department to configure them with Microsoft applications.

Microsoft Defender for Endpoint is a detection system, not a prevention system. We receive alerts after a threat has occurred.

It is better to choose a single company security solution because it will free up time to focus on the environment and identify loopholes. Rather than using three or four third-party software programs, which would require us to spend more time learning about them and resolving compatibility issues, a single solution would provide a better view of the environment.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Head of Security at Mannai Microsoft Solutions
Real User
We can block suspicious URLs, quarantine malicious files, and conduct a forensic investigation
Pros and Cons
  • "We can run the virus scan across our entire environment."
  • "Some of the integrations that Defender should include involve the use of the web app."

What is our primary use case?

We utilize Microsoft Defender for Endpoint as our EDR solution, which stands for endpoint detection and response. Through this solution, devices are integrated. If new vulnerabilities or novel attacks emerge, Defender for Endpoint promptly identifies them. It serves as our primary EDR solution amidst the variety available in the market.

The current surge in Defender for Endpoint's popularity is attributed to its real-time detection capabilities. Additionally, we can execute SOAR actions, namely security orchestration response. For instance, if we need to isolate a device from the network or run an antivirus scan on a machine, Defender for Endpoint facilitates these tasks.

Consider a scenario where one of the devices becomes compromised. During the investigation, if a malicious IP address is identified, it can be blocked using Defender for Endpoint.

How has it helped my organization?

Microsoft Defender for Endpoint offers excellent visibility. We can observe all the details regarding the attack process, such as the type of activity that occurred, including the entire MITRE ATT&CK framework. This enables us to view the initial actions, the device involved, the IP address used, and the extent of the impact on users and devices all through a single interface.

Microsoft Defender for Endpoint definitely assists us in prioritizing threats throughout our enterprise. Based on the signatures, the alert categories are related to high severity, medium severity, and low severity. Therefore, we can determine which alerts require our focus and prioritize them accordingly.

I am currently the Subject Matter Expert for Microsoft within my organization. This encompasses the entire Microsoft security suite. I specialized in working with Microsoft Sentinel. In the past, I was a part of the Microsoft Sentinel team itself, back in 2017 when Sentinel was in its pilot version, known as Azure Security Insights. 

It's very easy to integrate the Microsoft solutions. We have data connectors and APIs readily available. There are no difficulties. If we teach an unfamiliar person for a week how to use Defender for Endpoint and Microsoft Sentinel, they can likely gain insight into the basics of integrating Defender for Endpoint, Microsoft Sentinel, Defender for Identity, or Defender for Cloud Apps.

These solutions work natively together to deliver coordinated detection responses across our environment. When an incident is detected in Microsoft Defender for Endpoint, the same incident will be captured in Microsoft Sentinel within a few minutes. The integration capabilities with both Microsoft and third-party solutions are valuable.

The comprehensiveness of threat protection provided by these Microsoft security solutions is combined into a single interface. We can access all necessary features from one place. The combined solutions offer us User and Entity Behavior Analytics, Endpoint Detection and Response, on-premises, and cloud application security. While no single product can handle everything independently, by implementing basic security practices across all Microsoft products, we achieve a comprehensive threat detection system.

The bi-directional sync capability is a feature that allows us to enable safe devices in both Defender for Cloud and Defender for Endpoint.

Sentinel allows us to ingest data from across our entire ecosystem. If we are utilizing third-party firewalls or other products, we can employ APIs to integrate those solutions with Sentinel.

Sentinel allows us to examine threats and respond comprehensively from a single location. Within this location, we can utilize SOAR playbooks to accomplish different tasks, such as blocking all compromised email sign-in sessions with just one click.

Sentinel is a comprehensive security product, owing to its integrated SOAR, UEBA, and threat intelligence capabilities. UEBA employs built-in machine learning to identify users with high, medium, and low-risk profiles. The user interface also includes a feature that enables us to log out of the user. Threat intelligence has the ability to assimilate all access information from third-party solutions and identify threats originating from the internet. Sentinel consistently operates proactively to prevent compromises. 

I used to utilize Splunk back in 2015, but I have recently transitioned into being a Microsoft security advocate due to the cost optimization benefits. Microsoft Sentinel's pricing is based on the data we ingest. We have the flexibility to choose different models, such as the pay-as-you-go model or the bandwidth model. For instance, if we ingest 500 GB of EPS, we will incur charges for that usage; however, a 20 percent discount is applicable in this scenario. The pricing is directly linked to the amount of data we ingest, which is advantageous. I prefer not to ingest certain security events that are intended for operational purposes. By excluding these events, I can effectively reduce the overall cost of using Microsoft Sentinel. Additionally, being a cloud-native tool eliminates the need for any physical hardware. With just one click, the entire installation process is completed.

There are three ways Microsoft Defender for Endpoint has benefited our organization. The primary advantage is the optimization of our organization's scanning process. We have established a bi-weekly scanning process that runs at midnight, encompassing all machines. This stands as the foremost enhancement. The second advantage revolves around obtaining visibility into vulnerabilities within our environment. Considering our role as an MSSP, responsible for managing over 25 clients, this visibility holds paramount importance. Within Defender, a particularly noteworthy feature is the enabled management. This provides us with the latest information regarding vulnerabilities within Microsoft products as well as third-party software. The third and final advantage pertains to responding to emerging threats. For instance, in the case of a new attack, such as the recent CVE 3688, which targets a Microsoft Office vulnerability, including a zero-day exploit lacking an available solution, our Microsoft-oriented threat intelligence block comes into play. Through custom query languages deployed within Defender, we have the capability to identify anomalous activities. Additionally, this third point ties in with the Application Guard rules. These rules have proven instrumental in proactively preventing ransomware attacks. They operate by automatically obstructing any suspicious processes occurring within the Office environment.

Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We have APIs established, allowing us to develop our own dashboards using the Defender for Endpoint APIs. For instance, we can utilize Power BI to generate a security report, providing a comprehensive overview of the organization's internal activities.

It has eliminated the necessity for multiple dashboards. This pertains to the MXDR dashboard, which stands for Microsoft Extended Detection Dashboard, as well as the Detection Response Dashboard. Essentially, we have consolidated these into a single comprehensive dashboard, developed entirely by Microsoft. This unified dashboard streamlines the process of accessing organizational insights. As a result, there's no longer a need to access different security products to view their respective dashboards. Within Defender for Endpoint itself, we offer an array of security reports, all conveniently accessible with just one click. For those who may not find the reports relevant, we also provide the option to utilize our in-house developers for Power BI integration. This entails having a centralized dashboard where data from all products is collected and displayed in one location, facilitating a holistic view of security reports.

The integration into a single dashboard has simplified our security operations. Previously, our team had to perform numerous manual tasks for all customers. Therefore, with automation, when we present the report to the customers, they are quite impressed with having everything in one place. 

Microsoft Defender for Endpoints' threat intelligence assists us in preparing for potential threats before they materialize, enabling us to take proactive measures. We identify these proactive threats due to the presence of a threat entry system. If any IOCs are obtained, they are undoubtedly identified by Microsoft Sentinel. Moreover, we have set up indicators ingestion for Defender for Endpoint. This process involves creating steps to acquire data from third-party sources and directly inputting it into Defender for Endpoint. Since Defender for Endpoint has a capacity limit of 15,000 indicators of compromise, we can only ingest data up to this extent. Any surplus data will be automatically removed, provided their IOC scores fall below 60 within a month. Consequently, new IOCs will replace the removed ones.

It has saved our organization around 30 percent of our time in terms of not having to worry about malware. When any malware does get in, it is automatically remediated. Now, the main portion of our time is dedicated to conducting in-depth investigations and identifying other occurrences.

We have cut our organization's costs in half compared to our previous solutions. This is mainly due to the automation of most tasks, which means we now only need ten people to manage 20 customers, a significant reduction from the 30 engineers we needed before.

Microsoft Defender for Endpoint has significantly reduced our time for detection and response. Our Service Level Agreement entails detecting issues within 15 minutes and responding within 30 minutes. Defender for Endpoint has greatly contributed to these time savings. The incidents that we used to address using Splunk required extensive coordination within our team and with our customers, leading to substantial time consumption. Previously, resolving a single incident took around 40 minutes. Presently, this process takes approximately 15 minutes.

What is most valuable?

The most valuable feature is the timeline, which allows us to view the details of an event 30 minutes before and after.

Forensic investigation is a valuable feature of Defender for Endpoint.

We can run the virus scan across our entire environment.

We can block suspicious URLs and quarantine malicious files within the Defender for Endpoint portal.

What needs improvement?

Some of the integrations that Defender should include involve the use of the web app. Utilizing the web app implies that the Defender API should be accessible through mobile devices as well. For instance, if there exists a mobile application, it would be beneficial. Let's imagine a scenario where I'm traveling and I receive a new alert. With a Defender mobile application, I could easily isolate the threat, conduct an investigation on my mobile device, or even automatically escalate or assign the alert to my engineers.

There are certain third-party apps that haven't been integrated with Defender. I would be delighted to witness the integration of those apps with Defender for Endpoint. 

The deployment of Defender for Endpoint should be made smoother via Intune.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for five years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable.

How are customer service and support?

The technical support is fine but it takes time to reach them.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used Splunk but switched to Microsoft Defender for Endpoint because of the cost and smoother operation.

How was the initial setup?

With the proper training, the initial setup is straightforward.

When conducting customer onboarding, the deployment will require a minimum of three days. Therefore, we must ensure everything is executed flawlessly and follow security best practices. Emphasizing precise deployment is crucial. Hence, deploying without careful planning is not an option, aiming to prevent any issues in a larger environment. In contrast, a smaller environment can be deployed within two days.

For a large organization with over 5,000 employees, a team of up to six people is required for the deployment.

What was our ROI?

We are achieving a 15 percent return on investment, which is contributing to the growth and impact of our company.

What's my experience with pricing, setup cost, and licensing?

If we are acquiring everything in a single place, the front end becomes cost-effective. We won't need to purchase five separate products for various tasks. Instead, it's one product designed for five tasks, which is certainly a cost-effective approach.

What other advice do I have?

I rate Microsoft Defender for Endpoint an eight out of ten.

We also utilize Defender for Cloud. Defender for Cloud is employed specifically for the Azure product. If we have servers deployed within Azure, the system handles alerting, traceability, and security. Therefore, we certainly use it.

We have three locations where Microsoft Defender for Endpoint is deployed. One is in Australia, another is in Qatar, and the third is in India. Consequently, we employ approximately two hundred personnel.

No maintenance is required for Defender for Endpoint on the customer's end.

A single-vendor security solution approach is better than a best-of-breed strategy. We all are using Microsoft laptops and OS.

I recommend completing a POC before adapting Microsoft Defender for Endpoint.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Buyer's Guide
Microsoft Defender for Endpoint
August 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
866,561 professionals have used our research since 2012.
Naman Verma. - PeerSpot reviewer
Security Delivery Specialist at a consultancy with 10,001+ employees
Real User
Top 5
Reasonably priced with good support but still needs to improve its threat intelligence
Pros and Cons
  • "We have very good visibility on our endpoints. The level of information it throws back is helpful."
  • "Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware."

What is our primary use case?

The solution is used as an endpoint solution to provide a 360-degree portfolio around an endpoint. It acts as a next-gen antivirus. 

What is most valuable?

It’s included with the Microsoft licensing, so we don't need multiple licenses.

Microsoft is very effective in device control. If there is malware that is coming in, It is very quick to remove it. It doesn't let it gain a footprint on your drive, so that prevents further damage from happening to the endpoint.

This solution helps us prioritize threats across our enterprise. When we are looking at our current scenario, post-COVID, most of the employees of the clients that we are dealing with are remote. When it comes to remote, you can make sure that they're logging in to VPN, however, most of their time is online and we need a product that is actively protecting them even if a user is not on a VPN or a company network. This product integrates very well with Windows due to the fact that it's a Microsoft product. It's giving users the protection that they need while ensuring businesses don’t have to spend extra on licenses.

We are using other Microsoft products. Including CASB integrated with our endpoint. We’re also using Azure, for example, and Microsoft Defender for Cloud as well as Sentinel (although a different team manages it). We have seen a very hybrid kind of environment with one of our clients where they were using an on-prem solution throughout, and they were aiming to move to the cloud. It becomes very easy to integrate everything and move most of their infrastructure to the cloud. It does take time and effort, however, with everything integrated, you can get it done. Microsoft solutions also work natively together. That’s a big strength. Everything communicates seamlessly.

We have very good visibility on our endpoints. The level of information it throws back is helpful.

How long it takes to see the level of benefits will depend on the deployment. Our deployment took two months for one client. Within a month’s time, they started seeing the benefits. We had a substantial number of endpoints to roll out, however, we began to note benefits pretty fast.

Microsoft Defender for Endpoint helps automate the finding of high-value alerts. It still needs to mature a little bit. Overall, we are seeing very security-intensive products and Microsoft still has a lot to learn.

It helped eliminate having to worry about multiple dashboards. Now, we have one single dashboard where our team takes care of everything. That has been very helpful. It makes the team focus on one single product. That helps prepare us for potential threats before they hit. We get fairly decent visibility into what's happening. Since we have one single dashboard that is giving us all the information, it becomes very easy for the team to react to incidents as well.

Overall, the solution has saved time. Previously, while we were doing deployment, most of our time was spent figuring out how to handle the products that are not natively from Microsoft. We had to figure out how we could integrate to get the most out of our products. Now, with Microsoft, we have all the integrations present in one place.

On average, we’ve likely saved nine to 12 hours weekly just by having one single Microsoft dashboard.

We’ve saved money, too. Considering it comes under one existing license, we don’t have to spend money separately or buy another license to get all the features we need.

The solution decreased our time to detection and time to respond. Our turnaround is better. From the moment we receive an alert to the moment we close the case, we’ve seen a reduction of 18% to 20% overall.

What needs improvement?

The visibility of threats needs to improve a bit. It still has to learn a lot. Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware. Sometimes we have seen instances where they have wrongly identified the malware. That is something that we would really hope that Microsoft works on.

Microsoft has to improve the efficacy of the product further. When we are talking about a security product, there are minor frameworks and there are close to 145 different techniques that we are talking about. It broadly categorizes into types yet it doesn't drill it down to techniques, which gives us a very specific idea of what they are aiming for. 

For how long have I used the solution?

I've been using the solution for the past one and a half years as a solution architect to design and deliver EDR solutions. 

What do I think about the stability of the solution?

The product is fairly stable. 

What do I think about the scalability of the solution?

The solution can scale. We scaled up initially from 500 to 32,00 endpoints and it was fine. 

How are customer service and support?

We've had to contact support in the past and found them to be very effective. They are knowledgeable in their approach. However, the tasks can be a bit time-consuming.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are using CrowdStrike, Palo Alto XDR, and a lot of different products. The client using CrowdStrike may have moved to Defender based on the cost.

How was the initial setup?

The initial setup was simple. 

There is a bit of maintenance required around data retention. It has a data retention period of 80 or 90 days depending on the configuration. We make it a habit of filing data for compliance purposes. Two to three people are normally involved with the maintenance aspect. It's not resource-intensive. 

What about the implementation team?

We are the third party. We help clients implement the solution. 

What was our ROI?

We have witnessed an ROI. 

What's my experience with pricing, setup cost, and licensing?

The product is very cheap compared to other options. It's very affordable, which is why Microsoft is gaining a foothold in terms of client acquisition.

What other advice do I have?

We're a Microsoft partner. 

I'd rate the product seven out of ten. 

You can spend a lot of money to get a very specific security tool, however, if you don't have the money, Defender does a pretty good job for you.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
Mark Foust - PeerSpot reviewer
Director strategic alliances at a computer software company with 11-50 employees
Real User
Top 10
I like that the solution is integrated and doesn't have a third-party payload trying to advertise subscription renewal
Pros and Cons
  • "I like that Defender is integrated and doesn't have a third-party payload trying to advertise subscription renewal."
  • "The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support."

What is our primary use case?

We use Defender for endpoint security, firewall administration, and antivirus. 

How has it helped my organization?

From an administrative perspective, Defender provides a single pane of glass for us to look at compliance throughout the company and for the customers we recommended it to. That's probably the most significant piece. The governance and policy features work together for us because we can easily provide the self-attestation that we need for the federal government.

Automation at this point, as I understand, is a lot of one-offs. It depends on the particular console that you're looking at. I'd love to have them integrated. I understand that there's a larger solution for that, but it's challenging to figure out a cost estimate of what it would take to get it up and running. The automations are often tied to the separate Defender products and not always integrated, but we're still shy about buying the larger product and integrating all the logs. 

Defender for Endpoint saves time by making administration more manageable. It's at least four hours per month per administrator. We save money with Defender because it's packaged with other Microsoft solutions. It's $20 to $60 per user annually, depending on the suite you're getting. 

What is most valuable?

I like that Defender is integrated and doesn't have a third-party payload trying to advertise subscription renewal. I don't get spam because of it. Regarding visibility, no one has their finger in as many operating systems as Microsoft. No one has the platform or deployment profile that Microsoft has. Microsoft can outshine any third-party vendor when it comes to visibility.

What needs improvement?

The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support.

I'd like them to improve visualizations for people higher up the reporting chain, such as potential purchasers, directors, VPs, and CEOs. They have little time. They want to see red, green, and yellow lights or some other type of visualization. It would be great to have this functionality out of the box without a lot of custom development.

We're learning about the AI Security Co-pilot. I'm unsure how it integrates, but I'd like to see it integrated. I'm an administrator, so I don't look at the logs constantly, but patching is critical. I would love to see the percentage of PCs patched in a given period. Reporting and alerts are crucial issues. When an alert needs to be triggered, we'd love to see some events flush up.

We often have to wait for and do a report until we find what we're looking for. It would be nice to sort of set it and forget it or have a community board of plugins that we could download and say, "Here's the meantime to resolution for x, y, or z policy or some policies that we could potentially integrate.

For how long have I used the solution?

I have used Defender for Endpoint for seven years. 

What do I think about the stability of the solution?

I can't think of any ongoing issues that we have other than our own internal minor configuration. I don't know if this is in there, but I would love the ability to see how we're deployed and get recommendations.

What do I think about the scalability of the solution?

Defender is scalable. The solution covers multiple locations and departments. We have about 100,000 end users. The departments vary in size. 

How are customer service and support?

I rate Microsoft support six out of 10. They're responsive and willing to help. I have no problems with their customer service. However, it's sometimes difficult to find a technician that understands your issue. Sometimes, when you try to do self-service with Microsoft, it refers you to a third-party website for support ideas and stuff. That's absolutely bizarre. Why would I trust a third party linked from the Microsoft community forums and things?

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We were using Norton Antivirus, but we switched because we were familiar with Defender. We had Defender running on our home machines, and we had positive experiences because it didn't noticeably slow our machines. It was fairly intelligent at what it did. Sometimes, you feel a little restricted by a few of the things that it may not have. But in the end, I don't think that we're missing anything that we didn't already have in the product.

What's my experience with pricing, setup cost, and licensing?

Defender is typically bundled with 365 packages that the customers are already buying. We haven't done an in-depth ROI for right. Often, we leave the customer to make those decisions even though we can point to tools like that on the web or allow an analyst tool to do that type of work. 

Which other solutions did I evaluate?

We looked at Norton, McAfee, and another one that I can't recall. Ultimately, our decision primarily came down to integration into the system. If it's integrated, it isn't overwritten by the security patch, and it doesn't add to the payload we're already sending down to manage the PC. We wouldn't use it if the quality wasn't there, but all else being equal, it's always easier to use an integrated solution from a single vendor.

What other advice do I have?

I rate Microsoft Defender for Endpoint nine out of 10. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner and reseller
PeerSpot user
reviewer2315553 - PeerSpot reviewer
Senior program lead at a manufacturing company with 10,001+ employees
Real User
Top 10
Works very well with the Microsoft ecosystem and helps to stop threats at the source
Pros and Cons
  • "The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allow it to propagate it across the network."
  • "The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases."

What is our primary use case?

We use it as an Enterprise Detection and Response (EDR) solution. We use it for compliance purposes, and we are starting to use it for DLP purposes.

How has it helped my organization?

Microsoft Defender for Endpoint allows our threat hunting and threat remediation teams to reduce the footprint of viruses when they come on the network.

We have immediate visibility on all endpoints. It is very good at visibility.

For prioritizing threats across our enterprise, the threat-hunting system in Microsoft Defender for Endpoint is not top-notch. We usually integrate it into things like our SIEM or Sentinel or other things to prioritize or our SOAR system to automate.

We can feed the alerts coming out of it into our XSOAR system to immediately act on events versus waiting until people see them and use the ticketing system.

Microsoft Defender for Endpoint has saved us time. It has saved us at least 40 hours a week. We are able to automate and have the ability to handle threats on an enterprise with 50,000 devices.

Microsoft Defender for Endpoint has not saved us costs. It is a Microsoft product.

Microsoft Defender for Endpoint has reduced our time to detect and respond. By going from a manual process to an automated process, depending on the severity, the time reduced has gone from minutes and days to seconds.

What is most valuable?

The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allow it to propagate it across the network.

What needs improvement?

The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases. Instead of being able to go back to Microsoft and ask how to do something, we have to work with a vendor who does not exactly know how to do that and has to go to Microsoft to say, "How do we do this?" so that they can answer our questions. There are a lot of things in relation to various compliance standards such as CIS. The primary levels of support of Microsoft do not know or cannot implement that. Working through vendors is time-consuming. It is a painful process to get back to them to get the answers.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for three years.

What do I think about the stability of the solution?

We have never seen any downtime in it, so it is incredibly stable.

What do I think about the scalability of the solution?

It is incredibly scalable. However, its ability to bind things into the groups on its dashboard is limited. You can see your 50,000 machines empire, but dividing it into regions, and dividing it into subgroups and management areas is very limited.

It is deployed across the world. There are 250 sites worldwide with 50,000 devices.

How are customer service and support?

I would rate their support poorly. I would rate them a two out of ten.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

The history would be a Symantec product, but I do not remember what it was. Then we went up through Azure ATP to Microsoft EDR. 

How was the initial setup?

I was involved in its deployment and initial setup, but I was not a part of PoC at the time. The deployment was very easy. We pushed it out with SCCM.

Our implementation strategy was PoC, small user groups, and then wide or regional deployments.

We have on-premises and cloud deployments. It is an endpoint protection platform. It goes on any endpoint that we have or that we have running. It could be an endpoint that is sitting in the cloud. It could be an endpoint that is sitting on-prem. We use Azure, GCP, and AWS. There is also some limited rack space from IBM.

What about the implementation team?

We used CDW.

What was our ROI?

We have reduced man hours using the product. We have definitely been able to leverage automation with it more than other products that we have used previously and other products that we are using.

What's my experience with pricing, setup cost, and licensing?

I recently switched from education to private business, and all I can say is that private business licensing from Microsoft is not cheap until you hit certain quantities or scale. That does not mean that it is not comparable to other industries. It is similar pricing, but it is still crazy to me how much you pay for a client. I feel it is high, but it is in line with other vendors.

Which other solutions did I evaluate?

We evaluated Cortex XDR, Carbon Black, and QRadar or whatever that solution was from IBM.

The Microsoft ecosystem is the main difference. Everything under the umbrella of the Microsoft security toolkit makes life easier when all the systems talk together nicely.

What other advice do I have?

To those evaluating this solution, I would advise first figuring out what your needs are. Figure out what levels of granularity you need in the system to see if it will support your needs. For example, if you have something like department-level control over devices, you might want to look at another system versus a central security solution that controls all devices. Beyond that, make sure your machines have the resources necessary to support the features you turn on in the environment. A lot of the resources in Microsoft Defender for Endpoint can be shut down for slower machines and older machines.

I would rate Microsoft Defender for Endpoint a solid nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Shashank Gahoi. - PeerSpot reviewer
Security Architect at a tech vendor with 10,001+ employees
MSP
Top 20
We can directly connect to a machine, access the system, and check if any malicious files are present
Pros and Cons
  • "There are a couple of features, such as isolating the devices or connecting the device and connecting live response."
  • "Microsoft Defender for Endpoint does not offer default templates for alerts, requiring us to configure everything ourselves to avoid numerous false positives."

What is our primary use case?

We use Microsoft Defender for Endpoint for anti-malware purposes.

How has it helped my organization?

Microsoft Defender for Endpoint has good visibility into threats, capturing 95 percent of them.

Microsoft Defender for Endpoint helps us prioritize threats across our organization, which is important.

We have integrated Microsoft Defender and Sentinel. The process of integrating Microsoft Defender for Endpoint and Sentinel was easy.

They work natively together to deliver coordinated detection and response across our environment which is important. Microsoft Defender for Endpoint and Sentinel work together comprehensively to detect and protect against threats. If one solution misses a threat, the other one will pick it up.

Sentinel allows us to gather data from our entire ecosystem, which is crucial for us.

It enables us to investigate threats and respond holistically from one place.

Microsoft Defender for Endpoint is an effective anti-malware solution. Additionally, it offers the capability to isolate a device in case of more significant issues with a workstation or server. Moreover, we can directly connect with the machine through Microsoft Defender itself to access and check files using live response, allowing us to assess the situation accurately.

Microsoft Defender for Endpoint offers a unified XDR dashboard that eliminates the need to view multiple dashboards. However, we are only focusing on incidents and log queries.

The threat intelligence helps us prepare for potential threats before they occur, allowing us to take proactive steps, as long as there are alerts and we have properly configured them.

We were previously using IBM QRadar, but it was not quite effective for generating alerts or for data analytics. Additionally, it created numerous alerts, which only sent us notifications for issues like behavioral concerns. This had a significant impact on the workload for InfoSec Operations. Microsoft Defender for Endpoint has helped to reduce our SecOps team's investigation time.

Once we invest the initial time to create alerts and queries, Microsoft Defender for Endpoint saves us time by sending alerts and logs directly. This eliminates the need to repeatedly create queries to search for specific alerts, incidents, or events.

Microsoft Defender for Endpoint has decreased our time to detection and time to respond.

What is most valuable?

There are a couple of features, such as isolating the devices or connecting the device and connecting live response. These are very good features of Microsoft Defender for Endpoint because we can directly connect to the machine, access the system, and check if any malicious files that our Defender or Sentinel is detecting are present or not. This allows us to investigate those files further.

What needs improvement?

Microsoft Defender for Endpoint sometimes fails to detect malware incidents, and when it does manage to stop them, we only receive a notification stating that the issue has been resolved. Unfortunately, we are not provided with any information on how the solution resolved the incident.

Microsoft Defender for Endpoint does not offer default templates for alerts, requiring us to configure everything ourselves to avoid numerous false positives.

The pricing needs to be improved.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for a little over one year.

What do I think about the stability of the solution?

I give the stability a nine out of ten.

What do I think about the scalability of the solution?

I give the scalability an eight out of ten.

How are customer service and support?

We rarely need technical support, but when we encounter issues with log ingestion, we contact them. Unfortunately, the support isn't very helpful as they suggest trying things we've already attempted, which haven't worked. Consequently, we often find ourselves searching online to resolve the problem on our own.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I also use FireEye, which is now called Trellix, along with McAfee. Each tool has its own advantages and disadvantages. FireEye was solely an EDR solution. Microsoft Defender for Endpoint is superior to McAfee due to the higher number of alerts and the ability to isolate and connect to the machine in real-time.

Microsoft Defender for Endpoint is the default solution for Microsoft, but it can be challenging to integrate with Linux environments. Additionally, if we are using any other EDR or anti-malware solutions, Microsoft Defender for Endpoint will only work passively, not actively, and we cannot convert it to function as an active anti-malware solution.

How was the initial setup?

The initial setup of Microsoft Defender for Endpoint may be more complex compared to other solutions that only require pushing agents to workstations or servers. Each device must be compliant and onboarded to Azure in order to be active, and any non-compliant workstations cannot be uploaded to Azure. On the other hand, with McAfee and similar solutions, we only need to push the agent and it starts reporting to the console. Our deployment process lasted six months and involved a group of three to four people and their respective teams. We had one team for field agents, another for SCCM purposes, and an Operations team as well.

What about the implementation team?

Microsoft assisted with the implementation, and they were efficient.

What's my experience with pricing, setup cost, and licensing?

We are required to pay for the data we ingest, and increasing the data amount incurs additional expenses.

What other advice do I have?

I give Microsoft Defender for Endpoint an eight out of ten.

We currently have around 6,000 Microsoft Defender for Endpoint users in our organization.

We have a team called InfoSec Operations that handles maintenance and consists of approximately five people.

I recommend Microsoft Defender for Endpoint for larger organizations, and they should undergo training if they intend to use it in conjunction with Microsoft Sentinel, as it is a complex tool compared to others like QRadar. For smaller organizations, I suggest using Splunk, which is a reliable solution.

Microsoft Defender for Endpoint is a viable solution, but it does have limitations when it comes to other operating systems. I would not recommend this solution for an organization that operates in a Linux-based environment.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Azure Consultant at a tech services company with 11-50 employees
Real User
Eliminates the need to look at multiple dashboards by automatically providing one XDR dashboard to show the security score of each subscription
Pros and Cons
  • "File protection is the most valuable feature. Antivirus security on the Level OS, Microsoft Defender, and Microsoft Guard for 2019."
  • "The solution should be updated by Microsoft with new features from time to time."

What is our primary use case?

Microsoft Defender for Endpoints supports any changes to file permissions, file access, and modifications to file delivery, as well as anti-virus and anti-malware protection. We enable Microsoft Defender on subscription. We depend on the solution for anti-malware, antivirus, and threat protection.

How has it helped my organization?

Regarding visibility into threats, Automatic integration enables Microsoft Defender on the level of subscription on the virtual machine. On the level of resources, and OS services, the direct integration between Azure Resources and Microsoft Defender is very smooth. The solution is perfect compared to using third-party software such as antivirus, Symantec, or any other option. We may face some issues in some integrations, but Microsoft Defender for Endpoint integration with Azure Resources is much better than trying to integrate with other solutions.

We use additional Microsoft solutions such as Gateway which is automatically integrated with Microsoft Defender by enabling it from the portal.

The integrated Microsoft products we are using work together to provide a coordinated detection response. The logs are all integrated and sent to a Log at network spaces. Level network spaces and Azure Monitor are already integrated with Microsoft Defender, and if an alert appears in the environment from a firewall, the web, or any other security component, it will automatically generate a security alert on Microsoft Defender. Microsoft Defender becomes the interface or supporter that manages all the security alerts in the environment.

All of our subscriptions are on the Cloud. We don't use anything on-prem. Microsoft Defender is a portal that manages all Endpoint Defender resources in an environment. This includes Defender for Endpoint on virtual machines, Defender for Cloud, Defender for App Service, and any other Defender resource.

We integrated Microsoft Sentinel with Defender Endpoint enabling us to ingest data from our entire ecosystem.

We utilize the interface for our Security Environment. We don't install any other third-party products such as Microscan at the outset, but we are a partner of Microsoft, and we only use Microsoft products.

We act according to the automatic alerts triggered by the Microsoft Center.

Microsoft Defender for Endpoint helps us eliminate the need to look at multiple dashboards by automatically providing one XDR dashboard to show the security score of each subscription and the vulnerability that needs to be remediated for each resource.

Having a consolidated dashboard allows us to address the vulnerabilities that automatically appear on the portal sooner using the recommendations provided by the solution.

Microsoft Defender for Endpoint automatically protects our environment once a virus or malware is detected without any action from our end.

Microsoft Defender for Endpoint has saved us time detecting viruses, but we still have to manually manage any viruses related to the Windows updates batching in order to fix vulnerabilities on a monthly basis.

The solution has decreased our time to detect and respond to threats. Microsoft Defender for Endpoint should secure the environment automatically. We just act when any threat is detected on the back end by the SOC team.

What is most valuable?

File protection is the most valuable feature. Antivirus security on the Level OS, Microsoft Defender, and Microsoft Guard for 2019. 

Threat protection is a critical part of Azure security and is managed under the umbrella of Microsoft Defender. All threat protection services work directly with the Microsoft Defender agent or the Qualys vulnerability scanner.

Microsoft Defender for Endpoint is enabled on the machines to automatically route tasks and help us automate the findings of high-value alerts. The alerts appear on the security alert under the Microsoft Defender for Cloud.

What needs improvement?

The solution should be updated by Microsoft with new features from time to time. The backend may have been changed to be more stable and secure, but there have been no major changes to the portal itself.

For the next update, I would like a link that connects directly to the resource, instead of having to connect manually. This will make it easier to identify any issues related to App Service.

For how long have I used the solution?

I have been using the solution for four years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution automatically scales to our requirements and we currently have plans to scale up.

How are customer service and support?

The quality of Microsoft's technical support depends on the service type. Some services are okay, and some are not. Sometimes we open a case and get the result the first time, and sometimes it takes more than one session.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup is straightforward and takes about an hour.

We enable all subscriptions, which come with free basic services, and we can upgrade to premium services by selecting the required resources. If we have Azure Sequel, or infrastructure, such as virtual machines, we enable it at the virtual machine level. We enable services according to the current resource.

What about the implementation team?

The implementation was completed in-house by a team of two people.

What's my experience with pricing, setup cost, and licensing?

Bundling our Microsoft products is more effective and cost-efficient.

The license cost is around $35 per machine, which is not expensive compared to other products. In addition to the solution's license fee, Azure DevOps Standard costs around $30,000. I believe this is too expensive and hope that the cost can be lowered in the future.

What other advice do I have?

I give the solution a nine out of ten.

The solution is used for a website and is deployed in one location. We have 1,000 users.

Maintenance is completed once a month for batching the products in the environment for Sequel, SharePoint, and Microsoft products. Two people are required for the maintenance.

Microsoft Defender for Endpoint is a very good solution. I recommend the solution to others and suggest using only Microsoft products in order to receive all the support from one place.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
PeerSpot user
Head of Security at a tech vendor with 10,001+ employees
Real User
Helps prioritize threats, offers good visibility, and saves us time
Pros and Cons
  • "The antivirus is the most valuable feature."
  • "There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint."

What is our primary use case?

We use Microsoft Defender for Endpoint for our antivirus protection.

How has it helped my organization?

The visibility into threats that Defender for Endpoint provides is good because we are using all Microsoft products. 

Microsoft Defender for Endpoint assists us in prioritizing threats throughout our enterprise. This prioritization of threats is crucial for safeguarding end-user devices.

Sentinel allows us to gather data from our entire ecosystem, and the interface is highly impressive. Data ingestion is of utmost importance for our organization, especially concerning the security of our environment.

It allows us to comprehensively investigate threats and respond from a unified platform. This is of great significance to us, as Sentinel plays a pivotal role in our Security Operations Center.

Microsoft Defender for Endpoint assists us in automating the prioritization of critical alerts. I am certified in cybersecurity. Recently, I have begun the process of renewing my certification as it is set to expire next year. I have been reading numerous articles regarding Sentinel, Defender for Cloud, Identity, and Endpoint applications, and there is a multitude of information available. Automation is now fully integrated, which holds significant importance for enterprise-level customers.

The solution assists in eliminating the necessity of using multiple dashboards, providing us with a single XDR dashboard integrated across various Microsoft products.

The threat intelligence assists us in preparing for potential threats before they occur, allowing us to take proactive measures to prevent them. The assessment mechanism analyzes and identifies threats, providing clear instructions before we proceed to the security parameters.

It has saved our clients time, mainly with their SOC operations. 

What is most valuable?

The antivirus is the most valuable feature.

What needs improvement?

There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint. The solution needs better integration with third-party vendors.

The analysis that identifies the threats and remedies them can be enhanced in a future release.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for almost four years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable.

How are customer service and support?

The quality of technical support is determined by the customer's priority levels: P1, P2, and P3. Overall, they are known to provide good support.

Sometimes, the support takes a while to respond, and their shifts change, so we have to begin again with the new person on the shift.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward for me. All Microsoft products are easy to configure and integrate data also. To properly utilize all the features the person integrating must understand the architecture code concept as well.

Before deployment, I consistently conduct a rapid assessment to comprehend the customer's infrastructure. Subsequently, I formulate a plan grounded in this information. Typically, we aim for minimal personnel involvement due to the centralized nature of cloud operations. Additionally, we can advocate for either GPO or CCM deployment software. Our approach entails utilizing a singular architect, one resource, and one SME for implementing and overseeing the infrastructure, aligning with the security prerequisites of the customer's locale. Continuous monitoring of the infrastructure is imperative, maintaining a 24/7 vigilance.

The implementation takes around three months to install and configure.

What's my experience with pricing, setup cost, and licensing?

The pricing is competitive. The pay model is pay as we use.

For organizations that make use of all Microsoft solutions, the cost is lower, and the visibility is increased.

What other advice do I have?

I rate Microsoft Defender for Endpoint nine out of ten.

Microsoft Defender for Endpoint is indeed a commendable product. However, despite its implementation, we should consider the integration of other security products. This is due to the escalating variety of cyberattacks prevalent today. While Windows consistently issues patches to update its existing products, I propose the adoption of a dual-product approach within our infrastructure. This approach aims to preempt eleventh-hour security breaches. By juxtaposing and scrutinizing the attributes of different solutions, we can better comprehend their nuances, specifically at the feature level. The pivotal factor lies in how adeptly a solution identifies and mitigates potential threats. Therefore, I advocate for the incorporation of two distinct solutions within our infrastructure. This strategy is poised to yield heightened efficiency, effectively mitigating the risks of both security breaches and data breaches.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.