We use Microsoft Defender for Endpoint to protect our devices from virus and malware attacks.
Conseiller Expert en Architecture de sécurité at a tech services company with 1,001-5,000 employees
An easily integrated solution and enables us to investigate threats and respond holistically from one place
Pros and Cons
- "Microsoft Defender for Endpoint is different from other security tools because we can configure it to use multiple types of scanning or archiving."
- "Sometimes the software doesn't work the way we expect it to, and in those cases, we can't communicate with a device because it may be infected."
What is our primary use case?
How has it helped my organization?
Microsoft Defender for Endpoint provides visibility into threats. Using the solution we can see threats easily and address them in order to protect our devices.
The solution provides an overview and we can configure it to have a higher queue, to take action against any risks.
The prioritization of threats is very important to us. With Defender, we can prevent attacks in a number of ways. When we are alerted about a potential threat, it is important to prioritize and take action quickly. We can check the type of incident and confirm the threat level.
We also use Microsoft Sentinel. The solution enables us to investigate threats and respond holistically from one place. Our success is also a result of our four-year investment. I have invested a lot of time in studying Microsoft products and technical subjects such as firewalls.
Microsoft Defender is a good tool. As an anti-virus solution, it helps monitor for any attacks. The solution works similarly to an alarm and is very important. Microsoft Defender is the best protection solution for me, it's safe to use, and I can see the alerts in real-time.
The benefits of Microsoft Defender for Endpoint are immediately clear when implementing it across the enterprise. Within a week the entire enterprise noticed the benefits. The solution communicates with all employees through all devices across the organization. For me, Microsoft Defender for Endpoint is the best.
Microsoft Defender for Endpoint has saved us around two months a year of time.
The solution significantly reduced our detection and response time because it is integrated with all the devices across the enterprise. All the devices are constantly being analyzed and monitored so in the instance there is an anomaly detected we are notified and able to respond quickly.
What is most valuable?
Microsoft Defender for Endpoint is different from other security tools because we can configure it to use multiple types of scanning or archiving. Microsoft Defender is an important tool for our security arsenal. We can also use the solution to perform many tasks.
Integrating Microsoft Defender for Endpoint with other Microsoft solutions is easy as long as the organization has a proper implementation process. The devices and materials need to be organized and connected in a way that is efficient for the organization, and the implementation process must be considered.
Our integrated solutions work natively together with Microsoft Defender for Endpoint to deliver coordinated detection and response across our environment which is very important.
What needs improvement?
Sometimes the software doesn't work the way we expect it to, and in those cases, we can't communicate with a device because it may be infected. When this happens we can't access the device directly or implement the interface.
Buyer's Guide
Microsoft Defender for Endpoint
June 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,687 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is very scalable.
What other advice do I have?
I give the solution a nine out of ten.
The comprehensiveness of Sentinel's security protection is linked to identity management and is very easy.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Infrastructure Engineer at SBITSC
Provides excellent virus scanning and web activity tracking in an integrated security suite
Pros and Cons
- "The virus scanning capability is excellent, and it feeds all the logs into the Microsoft 365 Defender portal, making them easy to search for."
- "The integration and effectiveness of email security could be better. It's already built-in to the solution and checks emails, scans the links they contain etc."
What is our primary use case?
Our primary use case is for protecting Windows 10 endpoints. We use it for email scanning and application control, we can run analytics through it, and the product enables web content filtering. The Defender 365 package is all-encompassing now; it's a good product.
The solution is deployed across our whole business with 3,000 endpoints, including phones, laptops, tablets, and desktops, with 1,700 end users.
We use multiple Microsoft security products, including Defender, Defender for Cloud Apps, Identity Manager, and Intune. We have the whole security package.
I was the infrastructure engineer who integrated the products, which was elementary; we rolled out via Intune and used SCCM to build the endpoints.
The solutions work natively together to deliver coordinated detection and response across our environment, and it's better than using Symantec, for example. Defender is the best product out there; it's built into Windows, and it makes sense to use built-in products. This coordination is strategically important to us, as it makes passing knowledge on to the team easier because it's all in one place.
How has it helped my organization?
The solution offers better management of endpoints when it comes to antivirus and malware. It allows us to separate the functionality of managing that security area rather than putting it with the infrastructure team. The infrastructure team handles the monitoring services. At the same time, virus and threat detection can go to the core security team, which takes a load off the infrastructure team and allows the security team to concentrate fully on security.
Defender for Endpoint helps automate routine tasks and the finding of high-value alerts. Once we set our rules, including attack surface reduction (ASR) rules, there's a lot of automation capability. We can apply definitions for all endpoints across our organization.
The solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard, which positively affected our security operations. There are four staff in the department, so they appreciate this kind of management. They can see everything from one place, and our security picture is more integrated. They can even carry out basic auditing from the dashboard.
Defender for Endpoint saves us time because we can quickly go in and search for issues raised by the security department and eliminate the threat. We have 3,000 assets, so it saves the network around half an hour and the infrastructure staff a couple of hours.
What is most valuable?
The virus scanning capability is excellent, and it feeds all the logs into the Microsoft 365 Defender portal, making them easy to search for.
We can track web activity and see what users are logged into. The solution picks up a lot of information from machines and pushes it into the Defender 365 portal and Cloud App Security portal.
The product provides good visibility into threats. We can also log in anywhere, which is handy for the security teams.
Defender for Endpoint helps us prioritize threats across our enterprise; we can configure specific rules concerning viruses, malware, and threat detection.
In terms of the comprehensiveness of the threat protection provided by Microsoft security products, it's the best in the marketplace. The top three are Defender, Sophos, and Symantec; the others don't come close to these.
The solution's threat intelligence helps us take proactive steps to prepare for potential threats before they hit because it tracks definitions and threat footprints from the cloud. These can then be identified and stopped at the front door, which is the whole idea of antivirus products these days.
What needs improvement?
The integration and effectiveness of email security could be better. It's already built-in to the solution and checks emails, scans the links they contain etc.
For how long have I used the solution?
I've been using the solution since its first iteration came out in 2005, so about 17 years.
What do I think about the scalability of the solution?
The solution is scalable; we have it deployed across our entire organization to 3,000 endpoints, and 1,700 end users.
How are customer service and support?
The support is good; I don't have an issue with them. It's straightforward to go into Azure and raise a ticket, although you must know how to ask the right question.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
As far as I know, my organization used Defender for Cloud Apps for a long time and Symantec for service. Symantec is configurable, but it isn't always quick enough to deal with threats, as it has different quarantining methods.
I installed Darktrace for a data center and prefer to work with MS security products.
How was the initial setup?
I wasn't involved in the initial setup; I was a global admin.
In terms of maintenance, the product is lightweight; any patches are downloaded automatically, and we can configure when they're installed in our patch definitions.
What's my experience with pricing, setup cost, and licensing?
We have the E5 security license, and the solution comes with that.
What other advice do I have?
I rate the solution ten out of ten.
We use Defender for Cloud and make use of its bi-directional sync capabilities, or use Intune, so all our computer objects are synced via Azure ID and pushed into Intune. This capability is there, and it functions, though there are more important features.
It isn't easy to say if the product saves us money and the business is not overly concerned about the cost of Endpoint. You get what you pay for, it's an integrated solution, and there isn't a better one on the market. It does the job, is configurable, and has limitations like all products.
Once Defender for Endpoint becomes more mature in a couple of years, it'll be the Holy Grail like Windows 7 was.
To a security collogue who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say Microsoft is the best of breed for those who want a unified approach or integrated solution. I wouldn't use other security products because it's not necessary. I'd integrate the Microsoft security suite anywhere I go.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Microsoft Defender for Endpoint
June 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,687 professionals have used our research since 2012.
Director of Security at Overseas Adventure Travel Partners, Inc.
Takes automated actions, integrates well, and helps us to improve our security posture with a small team
Pros and Cons
- "The best thing I like about it is its interaction with the other Defender products. It provides the ability to push telemetry up. It gives me endpoint visibility and allows me to take automated actions."
- "They're in the process of pulling more things together. They can continue with the integrations and provide a better way of seeing the impact of security changes, especially on the endpoint side. Before we actually flip the switch, we should be able to see the impact of security changes on the business or business applications. It would prevent breaking any business applications."
What is our primary use case?
It is our endpoint protection solution as a part of the full Defender Suite that we use. We use it for every one of our devices, including Macs and Windows.
Each endpoint is with Intune, and then the management is done out of Azure.
How has it helped my organization?
It takes automated actions. If a device is found to have a virus, it will automatically remove it, isolate the device, and then notify us to follow up. That way, things are less critical when we get to them. It will stop the spread. We're a worldwide company with very few people on the security staff. It allows us to remove the risk in an immediate fashion without the staff having to jump on it, which just takes time.
It helps us prioritize threats across our enterprise. We have limited resources to deal with the threats. So, this prioritization is critical to us.
We use more than just Defender for Endpoint. We use Defender for Identity, Defender for Office 365, and Cloud App security. We use the whole 365 Defender suite. It is easy to integrate these products. The challenge is having all the features in your environment and obviously making it work within your environment because of your different applications and business processes, but all these solutions work natively together to deliver coordinated detection and response across our environment. This is critical for us because we have limited resources. So, allowing the machines to talk to each other and not having to jump from place to place just makes life a lot easier.
We use Microsoft Defender for Cloud for the hybrid cloud environment. We are not multi-cloud at this point. We use it to identify weaknesses within our environment, both prem and off-prem so that we can prioritize. We do not use Sentinel at this time.
For the most part, it gives me what I need in one spot. I do have to drill down into other dashboards for more defined reports. We go into the Intune dashboard for compliance and things like that.
Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. We use the secure score to help identify what we need to do to protect against things as they come up. It lets us know about any ransomware out there so we can jump right on those and do protections. We also use it for the compliance piece against NIST, PCI, and things of that nature.
It saves time. If I didn't have the integrated pieces of Microsoft Defender, to do the same amount and be on top of things, I would probably need two FTEs.
It has absolutely decreased our time to detect and time to respond.
What is most valuable?
The best thing I like about it is its interaction with the other Defender products. It provides the ability to push telemetry up. It gives me endpoint visibility and allows me to take automated actions.
It is excellent in terms of visibility into threats. It is very comprehensive in terms of threat detection, and it keeps on getting better. They are consistently adding new features.
What needs improvement?
They're in the process of pulling more things together. They can continue with the integrations and provide a better way of seeing the impact of security changes, especially on the endpoint side. Before we actually flip the switch, we should be able to see the impact of security changes on the business or business applications. It would prevent breaking any business applications.
For how long have I used the solution?
In its current rendition, I have been using it for two years.
What do I think about the stability of the solution?
Its stability is very good.
What do I think about the scalability of the solution?
Its scalability is very good. It definitely scales easily.
How are customer service and support?
Their support is okay. We get support through Insight, which is also our CSP. They're better. I would rate them a five out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
On the endpoint side, I've used Sophos and Symantec. We switched because of the integration between all different securities.
How was the initial setup?
The deployment was relatively easy, but when you get into turning on the switches, things can get complicated because it has a lot of different features. Overall, it was easy.
What about the implementation team?
We did it in-house. We had two security systems engineers doing it.
What was our ROI?
We have seen a return on investment, but it is hard to give metrics. It has definitely allowed us to maintain a small team and increase our security posture.
What's my experience with pricing, setup cost, and licensing?
If you're on Microsoft products, and you've bought into what they're doing with Teams Voice and Office, then adding in the security piece is just a slight bump. You go with the E5 licensing, which saves you a lot of money.
With the bundling that Microsoft does, we have saved money. Buying individual point products would've cost us a lot more money than one integrated solution that also capitalizes on Teams Voice and things of that nature. Given our size, buying individual products would have easily cost us a million dollars.
Which other solutions did I evaluate?
We've looked at other solutions. We've looked at CrowdStrike. We've looked at Symantec. We went for Microsoft because of the full integration. The breadth of the products and the pricing were the main reasons.
What other advice do I have?
I would advise following those secure scores and watching out as you start to communicate with your user base because you're going to impact applications.
To a security colleague who says that it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, my response would be that you got to measure trying to do the integration because with security, to me, bringing that integration together is the key thing. You need to know how quickly you are going to be able to move from your detection to your mitigation. Are you going to turn on things on the firewalls or can you go right to the devices and isolation? The best of the breed is great, but trying to get them all to work together becomes very complex.
I would rate it an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
Provides good visibility and is fairly easy to set up within one tenant, but doesn't support multitenancy and is not as capable as other solutions
Pros and Cons
- "I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible."
- "A challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy."
What is our primary use case?
Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case.
When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.
It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.
Its version is usually up to date. It is a cloud solution.
How has it helped my organization?
Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.
You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.
What is most valuable?
I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.
The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.
What needs improvement?
The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.
Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.
It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.
It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.
For how long have I used the solution?
I have been using it for about two years. I've got a couple of customers today with it.
What do I think about the stability of the solution?
Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.
What do I think about the scalability of the solution?
It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.
How are customer service and support?
It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.
How would you rate customer service and support?
Neutral
How was the initial setup?
It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant.
We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.
In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.
It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.
What's my experience with pricing, setup cost, and licensing?
The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.
You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.
The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.
What other advice do I have?
A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.
Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.
Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.
I would advise asking yourself:
- What do your endpoints consist of?
- Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
- What is it that you're trying to achieve by taking Defender?
- Are there more capable XDR-type solutions out there?
If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.
If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.
I'd give it a cautious six out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSSP
SOC Analyst with 1-10 employees
Provides comprehensive logs and the live response feature allows me to remotely access different endpoints and investigate malicious files
Pros and Cons
- "I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues."
- "Threat intelligence has the potential for improvement, particularly by integrating more sources."
What is our primary use case?
I am a SOC analyst and I use Microsoft Defender for Endpoint to investigate endpoints in our environment and malicious activity.
How has it helped my organization?
The visibility into threats that Defender provides is excellent. The logs I receive are quite comprehensive, allowing me to see what is happening on each endpoint, including the running processes and generated alerts. It does a pretty good job of detecting when certain events occur, which helps me stay attentive to potential issues. Overall, it offers significant visibility.
Defender does a good job in helping to prioritize threats across our entire enterprise because it provides me with context by distinguishing between high and medium threats.
We also utilize Azure Sentinel, Defender for Cloud Apps, Defender for Identity, and Office 365. These solutions are integrated together, and whenever one of them receives an alert, it is sent to the main alert queue. I would give the integration an eight out of ten.
Sentinel allows us to collect data from our entire ecosystem. We primarily use it for the network firewall logs, but it can also handle other types of logs.
Sentinel does an excellent job of providing us with comprehensive security protection and visibility into security alerts and incidents. It informs us about policy violations, such as foreign user sign-ins and sign-ins from multiple or different devices, among other things. Therefore, it offers greater visibility beyond just phishing alerts.
Microsoft Defender for Endpoint has significantly improved our organization by identifying the activities of individual users and effectively hunting for any threatening activities they might engage in. For instance, if a user downloads a malicious file or clicks on a malware-infected link, the software can promptly detect and mitigate the issue on the server.
Defender helps to automate routine tasks and the identification of high-value alerts. Sentinel aids in the automation process by allowing me to address the issue of numerous false positives. Specifically, I automated the handling of certain false positives that originated from a particular IP range. This IP range was generating false positives due to a flagged server, even though the server itself was not actually malicious. In such cases, Sentinel proved to be beneficial as it facilitated the automation and removal of unnecessary noise.
Microsoft Defender for Endpoint has helped save us the trouble of looking at multiple dashboards by providing a single XDR dashboard.
Microsoft Defender for Endpoint has been instrumental in saving us time, especially by identifying true positives instead of wasting time on false positives.
What is most valuable?
I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues.
What needs improvement?
Threat intelligence has the potential for improvement, particularly by integrating more sources. This will enable us to accurately identify when a domain or an IP is malicious. If we could obtain information from external sources, it would reduce the need to use different open source tools to verify whether a domain or IP is malicious or not.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for a year and a half.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable. I have only experienced one crash.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint proved to be scalable in our environment, supporting over 500 endpoints.
Which solution did I use previously and why did I switch?
I have also used Splunk. Splunk is more modular and portable, allowing us to integrate it with a wide range of different tools. In contrast, features of Defender and Sentinel, such as those provided by Microsoft, do not integrate well with as many other options.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a nine out of ten. It provides me with greater certainty regarding malicious activity compared to Splunk, which demands much more analysis. Defender for Endpoint performs a significant amount of work in terms of identifying and validating malicious elements. This saves us from having to read and interpret a large number of logs. It takes care of the interpretation and conducts about half of the log analysis on our behalf.
I still have to conduct threat intelligence on my own, such as open-source intelligence. I don't automatically search VirusTotal for things, but I still end up doing my own source searching.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Project Manager at LTIMINDTREE
Provides good visibility into threats, integration with other Microsoft products, and effective threat intelligence
Pros and Cons
- "Defender for Endpoint provides good visibility into threats and has favorable threat intelligence."
- "The solution has minimal customization options, especially compared to Mandiant, so we want to see more scope for customization. A single portal for customization would also be a welcome addition."
What is our primary use case?
We deploy the solution for our customers, typically with Plan 1, as they generally have E3 licenses. We also use Microsoft Purview, the compliance system consolidating every security aspect into its portal. This offers centralized management and tight integration with Azure and Intune, which are identity and device management tools, respectively.
Our customers have a variety of cloud providers; Azure and GCP are the most popular, but we have some AWS users too.
We use multiple Microsoft security products, including Azure Information Protection and DLP, in addition to the other flavors of Defender, such as Defender for Cloud and Defender for Identity.
We integrated all of these products and the integration was easy.
These solutions work natively together to deliver coordinated detection and response across our environment, which is essential. The beauty of Microsoft is the tight integration of their various products.
How has it helped my organization?
The solution helps us prioritize threats across the enterprise, which is essential for every organization. If a malicious actor or another type of threat gets into the network, we need to know exactly what's happening, how it happened, who triggered it, lateral movement, etc.
Defender for Endpoint is a 360° solution that sees and covers all areas. Microsoft also has a zero-day protection framework, so they are thinking ahead.
The product decreased our time to detect and respond to threats.
What is most valuable?
Defender for Endpoint provides good visibility into threats and has favorable threat intelligence.
The product helps us automate routine tasks and the finding of high-value alerts; it discovers all threats and categorizes them as low, medium, or high priority, then begins remediation automatically based on the threat severity. It's also possible to automate the isolation from the production network of a device infected with ransomware. As always, the workflows and configurations should be optimized based on the environment.
The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Some bots take care of remediation and an automatic ticketing system whereby open items trigger tickets sent to the team concerned.
What needs improvement?
The solution has minimal customization options, especially compared to Mandiant, so we want to see more scope for customization. A single portal for customization would also be a welcome addition.
A high level of expertise is required to maximize visibility into threats as the tool provides the data, but it isn't crystal clear. Other products are more straightforward and user-friendly, so admin and management-level staff can easily understand the root cause of a threat, which isn't the case with Microsoft. The threat detection and response are there, but significant expertise is required if we want the same level of visibility provided by third-party tools.
There are some issues around ingesting data from MS Sentinel. If we configure Purview, then our compliance is configured for our entire Microsoft tenant, but the integration isn't easy, and there are some known challenges.
We can't see all the data in one place, so we have to log into different portals to access various data, and this needs to be more straightforward. We want to see a single portal with one URL, so those with the appropriate credentials can gain access and see the big picture regarding the threat landscape.
For how long have I used the solution?
We've been using the solution for over five years.
What do I think about the stability of the solution?
The product is stable.
What do I think about the scalability of the solution?
Defender for Endpoint is scalable.
How was the initial setup?
The deployment was relatively straightforward, but one issue is the knowledge base articles are not particularly accessible.
Regarding implementation strategy, we do discovery, make an assessment, and match with business needs; then, we know precisely what we have to do and which license is required. We can then start the implementation and deployment.
For maintenance, two team members are sufficient to manage 5,000 users or devices.
What about the implementation team?
We're a service provider, so we carry out the deployments ourselves.
What was our ROI?
We have seen an ROI.
What's my experience with pricing, setup cost, and licensing?
I'm not too familiar with costs as I'm an architect, though I know about online pricing, as I help two teams with online purchasing and procurement. Nowadays, everyone has an enterprise agreement, such as an E3 license, which we provide to our customers.
The solution saved us money.
Which other solutions did I evaluate?
We evaluated many solutions, including Mandiant, Cortex XDR, McAfee MVISION, and Fortinet FortiClient.
What other advice do I have?
I rate the solution nine out of ten, and I recommend it.
We use Microsoft Sentinel, and it allows us to ingest data from our entire ecosystem.
Sentinel enables us to investigate threats and respond holistically from one place, which is important to us.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
Provides a detailed level of visibility and helps to proactively prevent attacks before they happen
Pros and Cons
- "It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune."
- "With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in the multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation."
How has it helped my organization?
It provides good visibility in terms of the number of devices covered, users covered, and so on. With most people working from home for the past two years as a result of the pandemic, Microsoft has helped us improve our security. Because it's a cloud component, we have been able to have improved coverage for our remote users, which was a challenge when we were using traditional endpoint protection solutions. Microsoft Defender for Endpoint has enabled us to secure devices even when they are off of the organization's premises. It has added value to our organization and has helped improve and mitigate security risks across the organization.
What is most valuable?
I like the fact that it's prebuilt onto Windows and that it integrates with various solutions.
The Microsoft Defender for Endpoint dashboard gives you a very wide view. If, for example, a device is having some malicious activity, it will tell you who has logged into that device and the history of the activity such as whether the activity began because that particular user clicked a malicious link in an email. It is able to do this because Microsoft Defender can connect to the whole Microsoft 365 ecosystem. Thus, it can provide more visibility as compared to a standalone endpoint solution, which will only give you visibility with regard to the information collected on the client in which it is installed.
It provides a detailed level of visibility considering that it's prebuilt onto Windows. It's able to drill down into the processes, such as the DLL files that are running and the installation files from where the threat is emanating. It gives you a deeper threat analysis in comparison to that of other solutions I've worked with. Microsoft Defender is able to provide details such as whether it is a malicious file, the process that is executing a particular file, how it is initiated, the process number, the particular execution file that is running, and so on.
When it discovers a threat, it has its own inbuilt capabilities to prioritize the severity as low, medium, high, and critical. You can also intervene and assign a particular priority to an incident if the priority was not what you expected. Microsoft Defender gives you visibility not just from a threat perspective but also from a user perspective, for example, to identify the most high-risk users in an organization. It gives you the ability to prioritize the riskiest users and devices.
We use Azure AD Identity Protection, Windows Defender for Cloud, and Microsoft Defender for Office 365.
It is easy to integrate these solutions because Microsoft Defender for Endpoint gives you a central view of all of the security components in the organization. We have integrated these solutions to have one central dashboard.
Having one XDR dashboard has eliminated the need to look at multiple dashboards.
In terms of these solutions working natively together to deliver coordinated detection and response across our environment, Defender for Endpoint works natively well on its own Defender for Office 365. The full integrated visibility doesn't come natively enabled by default. As an administrator, you have to figure out where the configuration is and enable that configuration so that the events are captured by one solution and pushed to the central dashboard for security.
Microsoft has come a long way in terms of security and comprehensive threat protection. They've done quite a lot to mature their solutions. It's hard to find one vendor who covers your email security, cloud security, and endpoint security, giving you central visibility into all of it, and Microsoft is one of the major players at the moment.
Threat intelligence helps us proactively prevent attacks before they happen. Defender can pick up an activity that is happening across other tenants in the organization. You can then look at what controls you can put in place to prevent it from happening in your own organization. It's better to prevent an attack rather than to stop one that is already happening. This approach allows us to proactively put measures in place and be ready to respond in case an attack does occur. It keeps us more alert and prepared.
With Microsoft Defender for Endpoint, you can automate some of the incident response actions. However, we do have false positives that are picked up, and automation needs to be done sparingly. Automation of routine tasks does free up our admins, and they can focus on more strategic initiatives and improvements, and leave the day-to-day administrative duties to the system.
This solution has saved us time in terms of providing centralized visibility and not having to onboard agents when deploying. It has made management a bit easier because it can be accessed from anywhere and has made it a bit more convenient to manage the whole Endpoint protection activities. Our team is still quite lean, and the time spent on EDR activities has probably reduced by about 50%, freeing us up to catch up on other activities that we're following up on in the entire information security program.
Microsoft Defender for Endpoint has decreased our time to detect and our time to respond. Proactive alerts help you send notifications before something actually happens. That means you have more time at hand to quickly detect threats before they happen. If they do happen, it gives you all of the information you need to be able to quickly respond compared to traditional EDR solutions for which you may need to look for VPN production to access your tenant. The ability to automate the responses has also decreased the time it takes to respond to an incident by about 50% because even before the notification is received, the system would have begun to take the action that you had configured for the automation. That is, the response will begin without your intervention.
What needs improvement?
Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives.
With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation.
Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.
For how long have I used the solution?
I've been using it for three years.
What do I think about the stability of the solution?
It's quite stable.
What do I think about the scalability of the solution?
It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune.
We have about 5,000 users.
How are customer service and support?
The technical support is okay, and I would rate them at seven out of ten. It depends on the level of support that you have with Microsoft. If you have enterprise support, you'll get dedicated support, and your issues will be resolved much faster. That is, if you're able to pay for premium support, you'll get good, faster responses. If you have normal support, however, it may take a bit longer to get someone to look at an issue.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We previously used Kaspersky Endpoint Protection. One of the reasons why we switched is the fact that traditional endpoint solutions tend to be monolithic. They usually run on an on-premises infrastructure. As a result, you have to deploy agents to all of the machines and to manage them, you have to be on the company's network or be able to access it through VPN. Also, those who work remotely will need to log into the VPN to receive updates. Often, those who don't need access to internal systems will go for months without logging into the VPN, which means that they will not pick up the updates.
We were also looking for a solution that was more cloud-friendly because the organization was moving towards the cloud with the emergence of remote work.
How was the initial setup?
The initial deployment can be straightforward if you have Windows 10 Enterprise Professional because it will come preinstalled. All you will have to do then is to enable it. In our case, we wanted to enable a particular GP and encountered some complexities in terms of connectivity. It took us about six months to deploy it.
It's a SaaS solution, so you don't require much effort in terms of deployment. Once installed, there's very little maintenance required. We don't have to upgrade any agents; it's straightforward. It mainly requires administrative work from the console.
Our environment is across multiple branches in the organization with branches in different locations and countries.
What about the implementation team?
We had a team of three with someone to configure the group policies, someone to look at the admin center on Microsoft, and someone to ensure that the traffic is allowed.
What's my experience with pricing, setup cost, and licensing?
Because Microsoft Defender comes as an add-on, it can be a bit expensive if you're trying to buy it separately. Another option is to upgrade, but the enterprise licenses for Microsoft can also be quite a bit pricey. Overall, the cost of Microsoft Defender compared to that of other endpoint detection solutions is slightly higher.
What other advice do I have?
If you have a big team, then you can go with a best-of-breed strategy where you have dedicated teams that are looking at your endpoint protection, email protection, network protection, and so on. You may have a SOC team as well that gets the events and incidents from all of the different teams, analyzes centrally and provides a general view from a security operations perspective. In summary, if you have a well-resourced, mature organization, then it may make sense to go for the best-of-breed strategy.
However, if you have an organization without a big security team, it makes sense to have a single vendor's suite. At times, it may appear to be a single point of failure, but in terms of management and usability, it's a bit easier to work with and deploy. It will give you some level of visibility that will cut across the different domains.
Overall, Microsoft Defender for Endpoint is a good solution, and it'll give you good visibility and protection. It's worth considering, and I will rate it at eight on a scale from one to ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Lead Consultant at catapult
The single pane of glass is vital to us as security consultants and to our clients, who need a high level of visibility
Pros and Cons
- "In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components."
- "Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition."
What is our primary use case?
I'm a security coach with multiple clients. I provide security implementation, planning, and maintenance through Microsoft Defender. I use all the Defender products, including Defender for Identity, Defender for Office 365, and Defender for Cloud.
It's easy to integrate the solutions. You only need to go into the settings and switch on the connectivity to all the Defender for Endpoint connectivity telemetry. Microsoft documentation is thorough, and it walks you through all the necessary steps.
We're multi-client and multi-cloud. We're working with multiple organizations and departments, so it's complex. We have domains and sub-domains that we must account for on the deployment side. We also use Defender for ATP, which is the Defender for domain controllers.
How has it helped my organization?
Defender for Endpoint helped to bridge the gap with remote workforce solutions because it protects managed and unmanaged devices. It's also easier to use because Defender for Endpoint is cloud-managed, so it stays maintained and updated. It has a leg up on competing solutions that require more system resources and maintenance.
The tight integration with Microsoft operating systems is another advantage because it's easier to manage. It also goes beyond Windows OS. Defender for Endpoint supports other platforms and operating systems, such as Linux, iOS, and Android. I like that Microsoft is expanding the product's scope beyond Microsoft operating systems. Microsoft is developing a holistic approach, so you don't need a third-party product to protect these other non-Microsoft platforms.
Defender helps us to prioritize threats across the enterprise. The weighted priorities are based on all the MITRE security standards. Defender products work together to provide comprehensive protection. I agree with the placement of Defender Products on Gartner's Magic Quadrant. Defender is a leader in that area of threat protection. I'm pleased with the outcome of a lot of the investigations. I can protect and harden areas that didn't usually didn't have that level of visibility and granularity.
Defender integrates with Sentinel, enabling me to ingest data from my entire ecosystem. Sentinel also covers non-Microsoft products with the third-party connectors that are provided. I enjoy that part of the Sentinel functionality and feature set. It has several features for aggregating the log data and analytics for the on-premises environment. Having that visibility is crucial.
Sentinel provides the SIEM and the SOAR capabilities, offering a single pane of glass for all of the security operations centers and providing on-site reliability for many of my clients. Sentinel is Microsoft's answer to competing tools such as Splunk and other log application tools. Sentinel seems to provide more added value from the ease of use and visibility. The licensing is also competitive.
You can set up Sentinel to forward alerts if you want to create a managed Cloud environment solution for Sentinel for a client. There's a way to set that up through Azure Front Door. You're seeing the data reporting and single pane of glass for other tenants and customers. It enables you to offer security as a service to maintain visibility for clients.
I like that it considers the status of a device (whether the device is online or offline, VPN or not, etc.) and provides several options for telemetry, depending on where and how the device is being used. It gives a lot of flexibility with the installations, maintenance, and management of the Endpoint solution. In addition to Defender for Endpoint's feature set, other parts of device management reduce the attack surface and protect those devices.
Defender's automation features have been a significant advantage with many of my clients because the remediation has been automated. Most of the time, it doesn't require any human intervention unless there's something that hasn't been set up. I must demonstrate the automated investigation and remediation to my clients to ensure their environment is automatically protected on weekends and after business hours.
The single pane of glass is vital to us as security consultants and our clients, who need a high level of visibility. You can go into the high-level executive dashboard view and drill into each telemetry graphic to provide you with more granular data. I see how easy it is to see the big picture and effortlessly drill into the details using the side navigation menus and more.
Consolidating things into one dashboard streamlined them significantly. When working with multiple tools and vendors, you typically have to stitch the reporting together to get an overarching view of everything. It's time-consuming. By the time some of these tasks are accomplished, the data starts to get stale, so you need to refresh and create an all-new view again. Having real-time capability in a single pane of glass is essential.
Defender Threat Intelligence helps us develop a forward-looking approach to threats and plans. That's one aspect of the product I find incredibly helpful. It will highlight things that may require intervention, such as turning on conditional access rules or setting up some geofencing for anything that looks like it could be a password spray attack from a known location that we can block.
There are opportunities to turn off any legacy protocols that may be in use. That's been a common thread with some of my clients who still use legacy protocols for sign-in and authorizations. The ability to do that has been a considerable help proactively.
You don't know what you don't know until you know. The continual flow of real-time data and analytics from Defender products helps create a security roadmap and harden many areas. With improved visibility, we can build a better roadmap to harden those areas by prioritizing and doing things methodically. Previously, we were guessing what to do next or what would be most important based on an educated guess. Now, we have data to guide our security decisions.
Microsoft Defender has saved us hours and hours. It has probably paid for itself many times over. I would agree that it has saved a lot of time and money. I estimate it probably saved us the equivalent of two people working full-time. You typically have at least one person overseeing on-premise resources and another dedicated to cloud resources.
What is most valuable?
In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components.
The bidirectional sync capabilities and off-app sanctioning of the SaaS applications are helpful. The identity security posture feature set provides investigation recommendations for risky users. The heat map for locations is also handy. Defender integrates with the AIP DLP for data governance and protection. I use all of that.
There's a need to have augmented workforce capability. You need to see the data streams for client work augmentation for the security operation center and act on the information. Having data in near real-time is essential to my organization and the work we do for our clients. The built-in SOAR, UEBA, and threat detection features are comprehensive.
What needs improvement?
It always helps to have onboarding wizards. Microsoft has done a lot of work in that area. I would like to see some more refinement in the wizards to allow more diverse use cases and scenarios that help us deploy Defender globally. In particular, I would like to see more deployments considering localization barriers and networks or devices common in various regions.
Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition.
For how long have I used the solution?
I have been using Microsoft Defender for about two and a half years.
What do I think about the stability of the solution?
It's pretty stable. I haven't had any reliability concerns with Defender, and there have not been too many complaints from users that have to have extensive reboots or any kind of performance impact. So I would say it's pretty stable.
What do I think about the scalability of the solution?
Scalability is built into the product. It's a cloud-managed solution, so it's capable of scaling pretty quickly as needed. You don't have to unlock another key or do something else to scale the product. It's scalable by design.
How are customer service and support?
I rate Microsoft support a seven out of ten. We've opened a few Microsoft tickets. For example, we've seen some discrepancies between Defender for Exchange Online and the reporting from Sentinel. We raised tickets to determine why Sentinel's logging data doesn't match what we see in Exchange Online.
It can be slow and tedious sometimes. Microsoft has different support level agreements. If you want prompter and higher-quality support, you typically need to pay for an Ultimate Support contract. If we compare that with other companies or organizations, Microsoft is probably on par with everyone else. You don't get a higher level of support unless you pay for it.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I've worked with all the major antivirus and endpoint protection vendors, including Splunk, CrowdStrike, Sophos, Norton, and McAfee. Microsoft's advantage is its integration with the operating system, ease of deployment, and support for the 365 Cloud experience. It makes everything easier to deploy, maintain and manage. It comes down to cost and integration. We realize cost savings because it's integrated into the E5 licensing product.
How was the initial setup?
The setup is straightforward and mostly automated. You only have to intervene when you experience errors. Those typically happen on non-US systems or in other countries. For the most part, it's effortless to deploy.
We try to use the auto-onboarding capabilities that come with Autopilot. If you have new systems deployed with Windows Autopilot onboarding capability, that's going to turn Defender on with the proper policies and security parameters.
One person is enough to deploy Defender if you have a plan and proper communication. You notify everyone that the deployment is happening and push the button. You need to let everyone know if reboots are required and the like. Other than that, it's pretty much a one-person deployment job.
In terms of maintenance, Defender is probably somewhere in the middle. Microsoft maintains a lot of automated updates. There are feature sets that come into play with things that are put in preview and you may want to see if it's something you want to turn on and try out while it's in preview. Those are the only areas that require some discussion and intervention. Most of the maintenance is automated. At the same time, you also need to be trained and aware of the updates and feature sets as they mature. You must stay on top of changes to the UI, reporting, etc.
What was our ROI?
If you look at what we pay on average and all the potential ransomware and malware threats we've averted, we've definitely saved tens of thousands of dollars, depending on the client. Some of the bigger clients have saved millions of dollars of potential ransomware payouts because Defender products helped protect those areas of attack.
What's my experience with pricing, setup cost, and licensing?
The cost is competitive and reasonable because most of the expense is log analytics, storage, and data consumption and ingestion. They can be throttled and controlled, so they are highly flexible. Defender has a lot of advantages over competing products.
From a licensing aspect, you're not just getting a security product. You're getting a lot of other capabilities that go beyond the Defender products. You get an E5 or E3 license and some form of Defender for Endpoint included with all the other security features of the other Defender products.
Which other solutions did I evaluate?
It didn't take too long to decide on Microsoft because of the integration and simplicity. CrowdStrike is probably the closest competitor.
What other advice do I have?
I rate Microsoft Defender for Endpoint a nine out of ten. Defender is one of the best I've seen, and I'm not saying that as a Microsoft reseller. We use Defender and have gotten our Microsoft certifications to provide a high level of service for our clients. It's crucial to have a product we stand behind and believe in wholeheartedly. We're not getting kickbacks from Microsoft for saying or doing any of that. We use it because it works.
I would say there's a trade-off. Once you start adding complexity to security, you're going against best practices that say simpler is better. Adding another vendor or a level of complexity is usually unnecessary. Unless there's something Microsoft completely missed, I would question the value of going to another vendor.
Communication and planning are most important. Any time you change products or deploy something for the first time, you should test it first in a smaller use-case scenario. That will help you identify any issues with your network, firewall, or legacy applications that may be falsely identified as a threat. It's always best to test your use case scenarios in a proof of concept before you deploy it.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner

Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2025
Product Categories
Endpoint Protection Platform (EPP) Advanced Threat Protection (ATP) Anti-Malware Tools Endpoint Detection and Response (EDR) Microsoft Security SuitePopular Comparisons
CrowdStrike Falcon
Microsoft Intune
Fortinet FortiEDR
Microsoft Defender for Office 365
Microsoft Sentinel
Microsoft Entra ID
Microsoft Defender for Cloud
SentinelOne Singularity Complete
Microsoft Defender XDR
Microsoft Purview Data Governance
Cortex XDR by Palo Alto Networks
Fortinet FortiClient
HP Wolf Security
Elastic Security
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Compare Microsoft Windows Defender and Symantec Endpoint Protection. How Do I Choose?
- Which product would you choose: Microsoft Defender for Endpoint vs Cortex XDR by Palo Alto Networks?
- What do you think of the integration of Azure AD Services, Defender for Endpoint, and Intune as comprehensive security solutions?
- CrowdStrike Falcon vs Microsoft Defender ATP: Comparison of features and performance
- How does Microsoft Defender for Endpoint compare with Crowdstrike Falcon?
- Running Carbon Black Defense Along with Windows Defender
- How is Cortex XDR compared with Microsoft Defender?
- Which offers better endpoint security - Symantec or Microsoft Defender?
- How does Microsoft Defender for Endpoint compare with Carbon Black CB Defense?
- How would you compare between Microsoft Defender for Endpoint and Tanium EDR?