Microsoft Defender is a Windows platform that can be integrated with various solutions. It has a complete dashboard that gives us clear visibility into the total security of things, the endpoint devices connected, and their status. It also gives us information about who has been logged in and at what time. Compared to other solutions, Microsoft Defender for Endpoint gives us more visibility and threat analysis reports.
Senior Manager ICT & Innovations at Bangalore International Airport Limited
A highly stable solution that gives more visibility and better threat analysis reports
Pros and Cons
- "The solution's latest features for threat analysis are updated to provide us with future protection against the latest threats worldwide."
- "Microsoft Defender for Endpoint should include better automation that will make it faster to detect the latest threats happening across the world."
What is our primary use case?
How has it helped my organization?
Microsoft Defender for Endpoint has improved my security score very well. Since it is a fully automated solution, all false positives have been ruled out for me. The investigations provided by the dashboard have compliance functionality and are useful for auditing purposes.
What is most valuable?
The solution's latest features for threat analysis are updated to provide us with future protection against the latest threats worldwide. It allows us to prepare from our side for the worst scenarios so that the business operations would not be affected.
What needs improvement?
Microsoft Defender for Endpoint should include better automation that will make it faster to detect the latest threats happening across the world. The solution should also generate an automatic report for any investigation before I generate a report. The solution's cost could be improved as it is an expensive tool.
Buyer's Guide
Microsoft Defender for Endpoint
July 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
862,514 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for four years.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is a highly stable solution.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is a scalable solution. We have around 3,000 total endpoint devices with two administrators, and we have plans to increase the usage.
How are customer service and support?
The solution's technical support is good. We were able to get proper support from the technical support team.
How would you rate customer service and support?
Positive
How was the initial setup?
The solution’s initial setup is easy.
What about the implementation team?
The solution’s deployment took almost three weeks. Two network engineers and I ensured the configuration of the group policies. We ensured that all the inbound and outbound traffic was properly configured and implemented.
What was our ROI?
We have seen a return on investment with Microsoft Defender for Endpoint.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender for Endpoint is an expensive solution.
Which other solutions did I evaluate?
Before choosing Microsoft Defender for Endpoint, we evaluated other solutions by Azure. We chose Microsoft Defender for Endpoint because of its better functionalities and capabilities.
What other advice do I have?
The solution provides us with clear visibility. We have a clear dashboard analysis, and we don't need to worry about the changes we need to make as it gives a clear solution for us. Threat hunting is the best feature that gives the response to any event happening.
The solution helps me prioritize threats across our enterprise because I'm able to map all the devices across my enterprise. It is improving my security score compared to the earlier one. Compared to our earlier endpoint protection solutions, we have a good edge over the mapping we have with Microsoft Defender for Endpoint. Any new devices getting added to our ecosystem are getting secured in a better way.
We use more than one Microsoft security product. We have integrated all of these products, and it was easy to integrate them.
The integrated Microsoft security solutions work natively together to deliver coordinated detection and response across our environment. This is very important for us because we follow a framework where protection, detection, response, and recovery have to happen in a seamless manner.
Microsoft security products give visibility into the information about the latest threats happening across the globe. This gives us awareness and helps us to be well-prepared before the attacks.
We use Microsoft Defender for Cloud, and we make use of its bi-directional sync capabilities. Microsoft Defender for Endpoint has both on-premises and cloud capabilities.
We use Microsoft Sentinel, which enables us to ingest data from our entire ecosystem. We have different types of endpoints. The ingestion of data gives more data and more credibility to the logs, which makes my environment more secure.
MS Sentinel enables us to investigate threats and respond holistically from one place. It provides vulnerability management and threat detection so that we'll be able to see different logs and parameters. Normally, the threat collection, detection, and response are very much important for an organization.
MS Sentinel’s built-in SOAR and UEBA are different higher-end functionalities with artificial intelligence that provide a secure environment for any platform. It can analyze more volumes of data.
Compared to MS Sentinel, SOAR solutions are more costly.
Our Microsoft security solution helps automate routine tasks and helps automate the finding of high-value alerts. It gives us a clear investigation report to find the RCA appropriately, thereby speeding up our response time.
Our Microsoft security solution has helped eliminate having to look at multiple dashboards and given us one XDR dashboard. I can integrate all my security parameters into one dashboard, and looking for the management review is easy for me.
The solution’s threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. It alerts me immediately from which IP the threat is coming so that I can block that respective port immediately and prevent it from entering my network.
Our Microsoft security solution has saved us time by making the operations faster and reducing the response time. The solution has saved me almost 15 days in a month.
Our Microsoft security solution has saved us money by providing a single integrated solution and eliminating the need for different security solutions.
The solution has decreased our time to detect and respond. The solution has enabled me to act quickly on any issue before it hits me.
Microsoft Defender for Endpoint is a one-stop solution for your protection, and it gives overall visibility of your endpoint devices. You can easily add on the devices whenever the enterprise is growing.
With Microsoft Defender for Endpoint, you can club your endpoint protection, email protection, network protection, and application protection and ensure they are in good hands. We can handle anything regarding security operations, investigations, or complaints from a single point.
Overall, I rate Microsoft Defender for Endpoint a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner

Expert Security Architecture Advisor at a tech services company with 1,001-5,000 employees
An easily integrated solution and enables us to investigate threats and respond holistically from one place
Pros and Cons
- "Microsoft Defender for Endpoint is different from other security tools because we can configure it to use multiple types of scanning or archiving."
- "Sometimes the software doesn't work the way we expect it to, and in those cases, we can't communicate with a device because it may be infected."
What is our primary use case?
We use Microsoft Defender for Endpoint to protect our devices from virus and malware attacks.
How has it helped my organization?
Microsoft Defender for Endpoint provides visibility into threats. Using the solution, we can see threats easily and address them in order to protect our devices.
The solution provides an overview and we can configure it to have a higher queue, to take action against any risks.
The prioritization of threats is very important to us. With Defender, we can prevent attacks in a number of ways. When we are alerted about a potential threat, it is important to prioritize and take action quickly. We can check the type of incident and confirm the threat level.
We also use Microsoft Sentinel. The solution enables us to investigate threats and respond holistically from one place. Our success is also a result of our four-year investment. I have invested a lot of time in studying Microsoft products and technical subjects such as firewalls.
Microsoft Defender is a good tool. As an anti-virus solution, it helps monitor for any attacks. The solution works similarly to an alarm and is very important. Microsoft Defender is the best protection solution for me, it's safe to use, and I can see the alerts in real-time.
The benefits of Microsoft Defender for Endpoint are immediately clear when implementing it across the enterprise. Within a week the entire enterprise noticed the benefits. The solution communicates with all employees through all devices across the organization. For me, Microsoft Defender for Endpoint is the best.
Microsoft Defender for Endpoint has saved us around two months a year of time.
The solution significantly reduced our detection and response time because it is integrated with all the devices across the enterprise. All the devices are constantly being analyzed and monitored, so if an anomaly is detected, we are notified and able to respond quickly.
What is most valuable?
Microsoft Defender for Endpoint is different from other security tools because we can configure it to use multiple types of scanning or archiving. Microsoft Defender is an important tool for our security arsenal. We can also use the solution to perform many tasks.
Integrating Microsoft Defender for Endpoint with other Microsoft solutions is easy as long as the organization has a proper implementation process. The devices and materials need to be organized and connected in a way that is efficient for the organization, and the implementation process must be considered.
Our integrated solutions work natively together with Microsoft Defender for Endpoint to deliver coordinated detection and response across our environment, which is very important.
What needs improvement?
Sometimes the software doesn't work the way we expect it to, and in those cases, we can't communicate with a device because it may be infected. When this happens, we can't access the device directly or implement the interface.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is very scalable.
What other advice do I have?
I give the solution a nine out of ten.
The comprehensiveness of Sentinel's security protection is linked to identity management and is very easy.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director of Security at Overseas Adventure Travel Partners, Inc.
Takes automated actions, integrates well, and helps us to improve our security posture with a small team
Pros and Cons
- "The best thing I like about it is its interaction with the other Defender products. It provides the ability to push telemetry up. It gives me endpoint visibility and allows me to take automated actions."
- "They're in the process of pulling more things together. They can continue with the integrations and provide a better way of seeing the impact of security changes, especially on the endpoint side. Before we actually flip the switch, we should be able to see the impact of security changes on the business or business applications. It would prevent breaking any business applications."
What is our primary use case?
It is our endpoint protection solution as a part of the full Defender Suite that we use. We use it for every one of our devices, including Macs and Windows.
Each endpoint is with Intune, and then the management is done out of Azure.
How has it helped my organization?
It takes automated actions. If a device is found to have a virus, it will automatically remove it, isolate the device, and then notify us to follow up. That way, things are less critical when we get to them. It will stop the spread. We're a worldwide company with very few people on the security staff. It allows us to remove the risk in an immediate fashion without the staff having to jump on it, which just takes time.
It helps us prioritize threats across our enterprise. We have limited resources to deal with the threats. So, this prioritization is critical to us.
We use more than just Defender for Endpoint. We use Defender for Identity, Defender for Office 365, and Cloud App security. We use the whole 365 Defender suite. It is easy to integrate these products. The challenge is having all the features in your environment and obviously making it work within your environment because of your different applications and business processes, but all these solutions work natively together to deliver coordinated detection and response across our environment. This is critical for us because we have limited resources. So, allowing the machines to talk to each other and not having to jump from place to place just makes life a lot easier.
We use Microsoft Defender for Cloud for the hybrid cloud environment. We are not multi-cloud at this point. We use it to identify weaknesses within our environment, both prem and off-prem so that we can prioritize. We do not use Sentinel at this time.
For the most part, it gives me what I need in one spot. I do have to drill down into other dashboards for more defined reports. We go into the Intune dashboard for compliance and things like that.
Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. We use the secure score to help identify what we need to do to protect against things as they come up. It lets us know about any ransomware out there so we can jump right on those and do protections. We also use it for the compliance piece against NIST, PCI, and things of that nature.
It saves time. If I didn't have the integrated pieces of Microsoft Defender, to do the same amount and be on top of things, I would probably need two FTEs.
It has absolutely decreased our time to detect and time to respond.
What is most valuable?
The best thing I like about it is its interaction with the other Defender products. It provides the ability to push telemetry up. It gives me endpoint visibility and allows me to take automated actions.
It is excellent in terms of visibility into threats. It is very comprehensive in terms of threat detection, and it keeps on getting better. They are consistently adding new features.
What needs improvement?
They're in the process of pulling more things together. They can continue with the integrations and provide a better way of seeing the impact of security changes, especially on the endpoint side. Before we actually flip the switch, we should be able to see the impact of security changes on the business or business applications. It would prevent breaking any business applications.
For how long have I used the solution?
In its current rendition, I have been using it for two years.
What do I think about the stability of the solution?
Its stability is very good.
What do I think about the scalability of the solution?
Its scalability is very good. It definitely scales easily.
How are customer service and support?
Their support is okay. We get support through Insight, which is also our CSP. They're better. I would rate them a five out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
On the endpoint side, I've used Sophos and Symantec. We switched because of the integration between all different securities.
How was the initial setup?
The deployment was relatively easy, but when you get into turning on the switches, things can get complicated because it has a lot of different features. Overall, it was easy.
What about the implementation team?
We did it in-house. We had two security systems engineers doing it.
What was our ROI?
We have seen a return on investment, but it is hard to give metrics. It has definitely allowed us to maintain a small team and increase our security posture.
What's my experience with pricing, setup cost, and licensing?
If you're on Microsoft products, and you've bought into what they're doing with Teams Voice and Office, then adding in the security piece is just a slight bump. You go with the E5 licensing, which saves you a lot of money.
With the bundling that Microsoft does, we have saved money. Buying individual point products would've cost us a lot more money than one integrated solution that also capitalizes on Teams Voice and things of that nature. Given our size, buying individual products would have easily cost us a million dollars.
Which other solutions did I evaluate?
We've looked at other solutions. We've looked at CrowdStrike. We've looked at Symantec. We went for Microsoft because of the full integration. The breadth of the products and the pricing were the main reasons.
What other advice do I have?
I would advise following those secure scores and watching out as you start to communicate with your user base because you're going to impact applications.
To a security colleague who says that it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, my response would be that you got to measure trying to do the integration because with security, to me, bringing that integration together is the key thing. You need to know how quickly you are going to be able to move from your detection to your mitigation. Are you going to turn on things on the firewalls or can you go right to the devices and isolation? The best of the breed is great, but trying to get them all to work together becomes very complex.
I would rate it an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Services Operations Manager at an aerospace/defense firm with 201-500 employees
Provides good visibility and is fairly easy to set up within one tenant, but doesn't support multitenancy and is not as capable as other solutions
Pros and Cons
- "I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible."
- "A challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy."
What is our primary use case?
Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case.
When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.
It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in Exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.
Its version is usually up to date. It is a cloud solution.
How has it helped my organization?
Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.
You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.
What is most valuable?
I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.
The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.
What needs improvement?
The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.
Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.
It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.
It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.
For how long have I used the solution?
I have been using it for about two years. I've got a couple of customers today with it.
What do I think about the stability of the solution?
Its stability is less than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.
What do I think about the scalability of the solution?
It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.
How are customer service and support?
It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.
How would you rate customer service and support?
Neutral
How was the initial setup?
It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant.
We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.
In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.
It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.
What's my experience with pricing, setup cost, and licensing?
The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.
You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.
The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.
What other advice do I have?
A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.
Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.
Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.
I would advise asking yourself:
- What do your endpoints consist of?
- Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
- What is it that you're trying to achieve by taking Defender?
- Are there more capable XDR-type solutions out there?
If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.
If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc., but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.
I'd give it a cautious six out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSSP
SOC Analyst with 1-10 employees
Provides comprehensive logs and the live response feature allows me to remotely access different endpoints and investigate malicious files
Pros and Cons
- "I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues."
- "Threat intelligence has the potential for improvement, particularly by integrating more sources."
What is our primary use case?
I am a SOC analyst and I use Microsoft Defender for Endpoint to investigate endpoints in our environment and malicious activity.
How has it helped my organization?
The visibility into threats that Defender provides is excellent. The logs I receive are quite comprehensive, allowing me to see what is happening on each endpoint, including the running processes and generated alerts. It does a pretty good job of detecting when certain events occur, which helps me stay attentive to potential issues. Overall, it offers significant visibility.
Defender does a good job in helping to prioritize threats across our entire enterprise because it provides me with context by distinguishing between high and medium threats.
We also utilize Azure Sentinel, Defender for Cloud Apps, Defender for Identity, and Office 365. These solutions are integrated together, and whenever one of them receives an alert, it is sent to the main alert queue. I would give the integration an eight out of ten.
Sentinel allows us to collect data from our entire ecosystem. We primarily use it for the network firewall logs, but it can also handle other types of logs.
Sentinel does an excellent job of providing us with comprehensive security protection and visibility into security alerts and incidents. It informs us about policy violations, such as foreign user sign-ins and sign-ins from multiple or different devices, among other things. Therefore, it offers greater visibility beyond just phishing alerts.
Microsoft Defender for Endpoint has significantly improved our organization by identifying the activities of individual users and effectively hunting for any threatening activities they might engage in. For instance, if a user downloads a malicious file or clicks on a malware-infected link, the software can promptly detect and mitigate the issue on the server.
Defender helps to automate routine tasks and the identification of high-value alerts. Sentinel aids in the automation process by allowing me to address the issue of numerous false positives. Specifically, I automated the handling of certain false positives that originated from a particular IP range. This IP range was generating false positives due to a flagged server, even though the server itself was not actually malicious. In such cases, Sentinel proved to be beneficial as it facilitated the automation and removal of unnecessary noise.
Microsoft Defender for Endpoint has helped save us the trouble of looking at multiple dashboards by providing a single XDR dashboard.
Microsoft Defender for Endpoint has been instrumental in saving us time, especially by identifying true positives instead of wasting time on false positives.
What is most valuable?
I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues.
What needs improvement?
Threat intelligence has the potential for improvement, particularly by integrating more sources. This will enable us to accurately identify when a domain or an IP is malicious. If we could obtain information from external sources, it would reduce the need to use different open source tools to verify whether a domain or IP is malicious or not.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for a year and a half.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable. I have only experienced one crash.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint proved to be scalable in our environment, supporting over 500 endpoints.
Which solution did I use previously and why did I switch?
I have also used Splunk. Splunk is more modular and portable, allowing us to integrate it with a wide range of different tools. In contrast, features of Defender and Sentinel, such as those provided by Microsoft, do not integrate well with as many other options.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a nine out of ten. It provides me with greater certainty regarding malicious activity compared to Splunk, which demands much more analysis. Defender for Endpoint performs a significant amount of work in terms of identifying and validating malicious elements. This saves us from having to read and interpret a large number of logs. It takes care of the interpretation and conducts about half of the log analysis on our behalf.
I still have to conduct threat intelligence on my own, such as open-source intelligence. I don't automatically search VirusTotal for things, but I still end up doing my own source searching.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
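The false-positive tuning this reviewer describes (alerts raised by a legitimate server in one IP range) can be expressed as a Sentinel query rather than handled alert by alert. The following is an added example, not the reviewer's or Microsoft's own code: it reads the `SecurityAlert` table, extracts the IP entities of each alert, and keeps only alerts that touched at least one address outside a known-benign range. The CIDR range, the alert name, and the look-back period are constructed placeholders; the entity fields `Type` and `Address` are the shape of Sentinel IP entities as this example assumes them.

```kql
// Added example, not from the review or from Microsoft: drop alerts whose IP
// entities all fall inside a known-benign range (a flagged-but-legitimate server),
// keeping every alert that also involved an address outside that range.
// Placeholders: the CIDR range, alert name and look-back below are constructed values.
let BenignRange = "10.20.30.0/24";                         // assumed range of the legitimate server
let NoisyAlert  = "Communication with suspicious domain";  // placeholder alert name to tune
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName == NoisyAlert
// Entities is a JSON array of entity objects; expand it and keep the IP entities only
| extend Ents = parse_json(Entities)
| mv-expand Ent = Ents
| where tostring(Ent.Type) == "ip"
| extend Ip = tostring(Ent.Address)
| extend InBenignRange = ipv4_is_in_range(Ip, BenignRange)
// collapse back to one row per alert and count the IPs that were NOT in the benign range
| summarize OutsideCount = countif(InBenignRange == false), Ips = make_set(Ip)
    by SystemAlertId, TimeGenerated, AlertName, AlertSeverity
// an alert whose only IPs were the benign server is noise; everything else survives
| where OutsideCount > 0
| project TimeGenerated, AlertName, AlertSeverity, Ips
```

Used as the query of a scheduled analytics rule, this keeps the suppression auditable (the range is a named constant at the top) and, because it requires every IP of an alert to be benign before discarding it, an alert that mixes the benign server with an unknown address still reaches the queue.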
Project Manager at LTIMINDTREE
Provides good visibility into threats, integration with other Microsoft products, and effective threat intelligence
Pros and Cons
- "Defender for Endpoint provides good visibility into threats and has favorable threat intelligence."
- "The solution has minimal customization options, especially compared to Mandiant, so we want to see more scope for customization. A single portal for customization would also be a welcome addition."
What is our primary use case?
We deploy the solution for our customers, typically with Plan 1, as they generally have E3 licenses. We also use Microsoft Purview, the compliance system consolidating every security aspect into its portal. This offers centralized management and tight integration with Azure and Intune, which are identity and device management tools, respectively.
Our customers have a variety of cloud providers; Azure and GCP are the most popular, but we have some AWS users too.
We use multiple Microsoft security products, including Azure Information Protection and DLP, in addition to the other flavors of Defender, such as Defender for Cloud and Defender for Identity.
We integrated all of these products and the integration was easy.
These solutions work natively together to deliver coordinated detection and response across our environment, which is essential. The beauty of Microsoft is the tight integration of their various products.
How has it helped my organization?
The solution helps us prioritize threats across the enterprise, which is essential for every organization. If a malicious actor or another type of threat gets into the network, we need to know exactly what's happening, how it happened, who triggered it, lateral movement, etc.
Defender for Endpoint is a 360° solution that sees and covers all areas. Microsoft also has a zero-day protection framework, so they are thinking ahead.
The product decreased our time to detect and respond to threats.
What is most valuable?
Defender for Endpoint provides good visibility into threats and has favorable threat intelligence.
The product helps us automate routine tasks and the finding of high-value alerts; it discovers all threats and categorizes them as low, medium, or high priority, then begins remediation automatically based on the threat severity. It's also possible to automate the isolation from the production network of a device infected with ransomware. As always, the workflows and configurations should be optimized based on the environment.
The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Some bots take care of remediation and an automatic ticketing system whereby open items trigger tickets sent to the team concerned.
What needs improvement?
The solution has minimal customization options, especially compared to Mandiant, so we want to see more scope for customization. A single portal for customization would also be a welcome addition.
A high level of expertise is required to maximize visibility into threats as the tool provides the data, but it isn't crystal clear. Other products are more straightforward and user-friendly, so admin and management-level staff can easily understand the root cause of a threat, which isn't the case with Microsoft. The threat detection and response are there, but significant expertise is required if we want the same level of visibility provided by third-party tools.
There are some issues around ingesting data from MS Sentinel. If we configure Purview, then our compliance is configured for our entire Microsoft tenant, but the integration isn't easy, and there are some known challenges.
We can't see all the data in one place, so we have to log into different portals to access various data, and this needs to be more straightforward. We want to see a single portal with one URL, so those with the appropriate credentials can gain access and see the big picture regarding the threat landscape.
For how long have I used the solution?
We've been using the solution for over five years.
What do I think about the stability of the solution?
The product is stable.
What do I think about the scalability of the solution?
Defender for Endpoint is scalable.
How was the initial setup?
The deployment was relatively straightforward, but one issue is the knowledge base articles are not particularly accessible.
Regarding implementation strategy, we do discovery, make an assessment, and match with business needs; then, we know precisely what we have to do and which license is required. We can then start the implementation and deployment.
For maintenance, two team members are sufficient to manage 5,000 users or devices.
What about the implementation team?
We're a service provider, so we carry out the deployments ourselves.
What was our ROI?
We have seen an ROI.
What's my experience with pricing, setup cost, and licensing?
I'm not too familiar with costs as I'm an architect, though I know about online pricing, as I help two teams with online purchasing and procurement. Nowadays, everyone has an enterprise agreement, such as an E3 license, which we provide to our customers.
The solution saved us money.
Which other solutions did I evaluate?
We evaluated many solutions, including Mandiant, Cortex XDR, McAfee MVISION, and Fortinet FortiClient.
What other advice do I have?
I rate the solution nine out of ten, and I recommend it.
We use Microsoft Sentinel, and it allows us to ingest data from our entire ecosystem.
Sentinel enables us to investigate threats and respond holistically from one place, which is important to us.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Cybersecurity Analyst at a university with 5,001-10,000 employees
Provides great investigative capabilities, and the timeline function allows us to quickly see what caused an alert
Pros and Cons
- "The investigation aspect is the most useful. It's user friendly and has a good user interface."
- "I would like MDE to have the ability to isolate a certain amount of time on the timeline."
What is our primary use case?
I used MDE to investigate individual alerts. We were able to initiate AV scans on devices from MDE. That was our normal practice as soon as we pulled up an alert. My understanding was that it wouldn't slow down the throughput or the productivity of the endpoint device. We could theoretically isolate the device via MDE.
We also used Cloud App Security, Microsoft Defender for Cloud, and Azure Sentinel. At my last two organizations, they were in the process of moving from Splunk to the Microsoft security suite. It was standard procedure for us to install MDE on Microsoft Defender as the endpoint solution for every device. We didn't have anything on-premises.
I have experience with Microsoft Sentinel. We were transitioning toward using that as our SIEM. They encouraged us to learn the Kusto Query Language, which is extremely useful.
My organization was in the process of using Sentinel to ingest data from their entire ecosystem.
The solution was deployed across multiple departments and multiple locations in North America. It was deployed on a private cloud.
How has it helped my organization?
MDE eliminates the need to look at multiple dashboards, given it has only one XDR dashboard. It has a good user interface for looking at campaigns and the big picture as opposed to just one incident. They also have good graphics.
MDE decreased the time it takes to do detection and response. It allows us to quickly look at the timeline and see what caused the alert. In my organization, they wanted to know what caused the alert, not just whether or not it was a false positive.
If there is malware on a device, they wanted to know how it got there. If there is malware on the device from another device in our environment, that is a huge deal. If someone clicked on something in an email or went to a suspicious website on their own, that is extremely important to determine quickly in our environment. It's very helpful to determine the level of the threat.
What is most valuable?
The investigation aspect is the most useful. It's user-friendly and has a good user interface. There's a universal search bar at the top of MDE. Plugging in the hostname brings up the page for the host. From there, we can see any alerts and an overview of the host, who it's assigned to, and who is logged into it.
I usually quickly go straight to the alerts tab and start investigating the alerts. It has a really great timeline function on it. It shows everything that occurred on the device and any connections it made on the internet or with other devices on the network. It shows activities like who logged in and who logged off. I could pull all of that through the timeline and figure out what happened and why it happened. The investigative capabilities are really good.
MDE provides pretty good visibility into threats. I would give it an A-. Overall, I was pretty impressed by it.
Sentinel enables us to investigate threats and respond holistically from just one place. Sentinel's security protection is pretty good. We had some alerts that we considered for a potential campaign. There were some instances when we had the AI perform an investigation for us, and it was pretty comprehensive.
MDE helps automate routine tasks. This was at a level higher than mine, but the automation seemed to work well for them. They had some queries and other tasks that they would schedule and set up alerts for.
MDE has also saved us time.
One of our main problems in cybersecurity is dealing with noise. If you look at the logs for any device over a 10-minute period, it's just too much information. The timeline on MDE is very good at whittling down the noise to find the answers to our questions.
What needs improvement?
I would like MDE to have the ability to isolate a certain amount of time on the timeline. Splunk has a better UI when it comes to isolating a certain amount of time. I need to know exactly what happened two minutes prior to and two minutes after an incident. I don't need to see half an hour's worth of information.
With Splunk, the UI is perfect. With just a couple of clicks of a button, it'll show us 30 seconds prior to and 30 seconds after an incident. The timeline for MDE is more difficult to understand.
After a failed log-in, Splunk shows when the event happened on the timeline down to a thousandth of a second. Theoretically, we could do that with the Kusto language, but that would mean changing the query every time. It's just not as user-friendly as it could be.
For how long have I used the solution?
I used MDE for two years.
What do I think about the stability of the solution?
The stability is great.
Which solution did I use previously and why did I switch?
I used Carbon Black and McAfee ePO in my previous organization, but they were in the process of moving everything to the Microsoft security solution.
Splunk was our main SIEM and alert system. It pulled alerts from different sources. When we received an alert, Splunk would quickly give us basic information, and then we would go straight to MDE. We received a lot more information from MDE's alerts than we did from Splunk.
I didn't spend a lot of time with Splunk. I normally input the hostname of the affected device that triggered the alert. I pulled all of the information from there, like the timeline of the event, the IOCs it had spotted, the name of the alert, and all of the other details. From there, I did a full investigation of the alert through MDE. I was very impressed with MDE. It gives great details, and it's very easy to use.
How was the initial setup?
We didn't have dedicated personnel for any problems. We purchased full support with the license. Setup wasn't flawless, but there weren't any major issues.
What other advice do I have?
I would rate this solution as eight out of ten.
If you have the money for it, I would recommend the Microsoft security solution.
I would recommend a single-vendor strategy if you have the money for it. I believe in defense in depth. Regarding endpoint protection, I think it's better to stick with one vendor. In my previous organization, they had conflicts between MDE and McAfee. McAfee would read MDE as a virus, and MDE would read McAfee as a virus.
The problem with endpoints is that if you have more than one solution, each of those solutions will see the other guy as a virus or potential virus. When it comes to endpoint protection, I would go with a single vendor.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
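The reviewer notes that a tight window around an incident is possible in Kusto but means editing the query each time. The following is an added example, not the reviewer's or Microsoft's own code: a parameterised advanced hunting query that merges logon, process and network events for one device into a single timeline limited to two minutes either side of the alert, so only the three values at the top change between investigations. The hostname and alert timestamp are constructed placeholders; the tables and columns are the standard `DeviceLogonEvents`, `DeviceProcessEvents` and `DeviceNetworkEvents` schema.

```kql
// Added example, not from the review or from Microsoft: a +/- window around an
// alert on one device, built from the standard advanced hunting tables.
// Placeholders: TargetDevice and AlertTime are constructed values.
let TargetDevice = "ws-finance-017.corp.example";   // placeholder hostname
let AlertTime    = datetime(2025-07-01 10:15:00);   // placeholder alert timestamp
let Window       = 2m;                              // width on each side of the alert
let WinStart = AlertTime - Window;
let WinEnd   = AlertTime + Window;
union isfuzzy=true
  (DeviceLogonEvents
   | where Timestamp between (WinStart .. WinEnd) and DeviceName == TargetDevice
   | project Timestamp, Source = "Logon",
             Detail = strcat(ActionType, " ", AccountDomain, "\\", AccountName,
                             " from ", RemoteIP)),
  (DeviceProcessEvents
   | where Timestamp between (WinStart .. WinEnd) and DeviceName == TargetDevice
   | project Timestamp, Source = "Process",
             Detail = strcat(InitiatingProcessFileName, " -> ", FileName, " ",
                             ProcessCommandLine)),
  (DeviceNetworkEvents
   | where Timestamp between (WinStart .. WinEnd) and DeviceName == TargetDevice
   | project Timestamp, Source = "Network",
             Detail = strcat(InitiatingProcessFileName, " ", ActionType, " ",
                             RemoteIP, ":", tostring(RemotePort), " ", RemoteUrl))
// show each event relative to the alert so the order of cause and effect is obvious
| extend OffsetFromAlert = Timestamp - AlertTime
| order by Timestamp asc
```

Changing `Window` to `30s` gives the 30-second view the reviewer praises in Splunk; saving the query in the portal and editing only the two placeholders avoids rewriting the filters for every incident.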
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
Provides a detailed level of visibility and helps to proactively prevent attacks before they happen
Pros and Cons
- "It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune."
- "With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details, it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in the multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation."
How has it helped my organization?
It provides good visibility in terms of the number of devices covered, users covered, and so on. With most people working from home for the past two years as a result of the pandemic, Microsoft has helped us improve our security. Because it's a cloud component, we have been able to have improved coverage for our remote users, which was a challenge when we were using traditional endpoint protection solutions. Microsoft Defender for Endpoint has enabled us to secure devices even when they are off of the organization's premises. It has added value to our organization and has helped improve and mitigate security risks across the organization.
What is most valuable?
I like the fact that it's prebuilt onto Windows and that it integrates with various solutions.
The Microsoft Defender for Endpoint dashboard gives you a very wide view. If, for example, a device is having some malicious activity, it will tell you who has logged into that device and the history of the activity such as whether the activity began because that particular user clicked a malicious link in an email. It is able to do this because Microsoft Defender can connect to the whole Microsoft 365 ecosystem. Thus, it can provide more visibility as compared to a standalone endpoint solution, which will only give you visibility with regard to the information collected on the client in which it is installed.
It provides a detailed level of visibility considering that it's prebuilt onto Windows. It's able to drill down into the processes, such as the DLL files that are running and the installation files from where the threat is emanating. It gives you a deeper threat analysis in comparison to that of other solutions I've worked with. Microsoft Defender is able to provide details such as whether it is a malicious file, the process that is executing a particular file, how it is initiated, the process number, the particular execution file that is running, and so on.
When it discovers a threat, it has its own inbuilt capabilities to prioritize the severity as low, medium, high, and critical. You can also intervene and assign a particular priority to an incident if the priority was not what you expected. Microsoft Defender gives you visibility not just from a threat perspective but also from a user perspective, for example, to identify the most high-risk users in an organization. It gives you the ability to prioritize the riskiest users and devices.
We use Azure AD Identity Protection, Windows Defender for Cloud, and Microsoft Defender for Office 365.
It is easy to integrate these solutions because Microsoft Defender for Endpoint gives you a central view of all of the security components in the organization. We have integrated these solutions to have one central dashboard.
Having one XDR dashboard has eliminated the need to look at multiple dashboards.
In terms of these solutions working natively together to deliver coordinated detection and response across our environment, Defender for Endpoint works natively well on its own Defender for Office 365. The full integrated visibility doesn't come natively enabled by default. As an administrator, you have to figure out where the configuration is and enable that configuration so that the events are captured by one solution and pushed to the central dashboard for security.
Microsoft has come a long way in terms of security and comprehensive threat protection. They've done quite a lot to mature their solutions. It's hard to find one vendor who covers your email security, cloud security, and endpoint security, giving you central visibility into all of it, and Microsoft is one of the major players at the moment.
Threat intelligence helps us proactively prevent attacks before they happen. Defender can pick up an activity that is happening across other tenants in the organization. You can then look at what controls you can put in place to prevent it from happening in your own organization. It's better to prevent an attack rather than to stop one that is already happening. This approach allows us to proactively put measures in place and be ready to respond in case an attack does occur. It keeps us more alert and prepared.
With Microsoft Defender for Endpoint, you can automate some of the incident response actions. However, we do have false positives that are picked up, and automation needs to be done sparingly. Automation of routine tasks does free up our admins, and they can focus on more strategic initiatives and improvements, and leave the day-to-day administrative duties to the system.
This solution has saved us time in terms of providing centralized visibility and not having to onboard agents when deploying. It has made management a bit easier because it can be accessed from anywhere and has made it a bit more convenient to manage the whole Endpoint protection activities. Our team is still quite lean, and the time spent on EDR activities has probably reduced by about 50%, freeing us up to catch up on other activities that we're following up on in the entire information security program.
Microsoft Defender for Endpoint has decreased our time to detect and our time to respond. Proactive alerts help you send notifications before something actually happens. That means you have more time at hand to quickly detect threats before they happen. If they do happen, it gives you all of the information you need to be able to quickly respond compared to traditional EDR solutions for which you may need to look for VPN production to access your tenant. The ability to automate the responses has also decreased the time it takes to respond to an incident by about 50% because even before the notification is received, the system would have begun to take the action that you had configured for the automation. That is, the response will begin without your intervention.
What needs improvement?
Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives.
With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details, it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation.
Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.
For how long have I used the solution?
I've been using it for three years.
What do I think about the stability of the solution?
It's quite stable.
What do I think about the scalability of the solution?
It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune.
We have about 5,000 users.
How are customer service and support?
The technical support is okay, and I would rate them at seven out of ten. It depends on the level of support that you have with Microsoft. If you have enterprise support, you'll get dedicated support, and your issues will be resolved much faster. That is, if you're able to pay for premium support, you'll get good, faster responses. If you have normal support, however, it may take a bit longer to get someone to look at an issue.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We previously used Kaspersky Endpoint Protection. One of the reasons why we switched is the fact that traditional endpoint solutions tend to be monolithic. They usually run on an on-premises infrastructure. As a result, you have to deploy agents to all of the machines and to manage them, you have to be on the company's network or be able to access it through VPN. Also, those who work remotely will need to log into the VPN to receive updates. Often, those who don't need access to internal systems will go for months without logging into the VPN, which means that they will not pick up the updates.
We were also looking for a solution that was more cloud-friendly because the organization was moving towards the cloud with the emergence of remote work.
How was the initial setup?
The initial deployment can be straightforward if you have Windows 10 Enterprise Professional because it will come preinstalled. All you will have to do then is to enable it. In our case, we wanted to enable a particular GP and encountered some complexities in terms of connectivity. It took us about six months to deploy it.
It's a SaaS solution, so you don't require much effort in terms of deployment. Once installed, there's very little maintenance required. We don't have to upgrade any agents; it's straightforward. It mainly requires administrative work from the console.
Our environment is across multiple branches in the organization with branches in different locations and countries.
What about the implementation team?
We had a team of three with someone to configure the group policies, someone to look at the admin center on Microsoft, and someone to ensure that the traffic is allowed.
What's my experience with pricing, setup cost, and licensing?
Because Microsoft Defender comes as an add-on, it can be a bit expensive if you're trying to buy it separately. Another option is to upgrade, but the enterprise licenses for Microsoft can also be quite a bit pricey. Overall, the cost of Microsoft Defender compared to that of other endpoint detection solutions is slightly higher.
What other advice do I have?
If you have a big team, then you can go with a best-of-breed strategy where you have dedicated teams that are looking at your endpoint protection, email protection, network protection, and so on. You may have a SOC team as well that gets the events and incidents from all of the different teams, analyzes centrally and provides a general view from a security operations perspective. In summary, if you have a well-resourced, mature organization, then it may make sense to go for the best-of-breed strategy.
However, if you have an organization without a big security team, it makes sense to have a single vendor's suite. At times, it may appear to be a single point of failure, but in terms of management and usability, it's a bit easier to work with and deploy. It will give you some level of visibility that will cut across the different domains.
Overall, Microsoft Defender for Endpoint is a good solution, and it'll give you good visibility and protection. It's worth considering, and I will rate it at eight on a scale from one to ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.