Try our new research platform with insights from 80,000+ expert users
Siddip Neduri - PeerSpot reviewer
Specialist - Collaboration Platform Engineer at a tech vendor with 1,001-5,000 employees
Real User
Helps us find a lot of vulnerabilities and fix a lot of security-related issues
Pros and Cons
  • "Defender for Endpoint has one dashboard with security-related information, vulnerability-related information, and basic recommendations from Microsoft, all in different tabs. That's helpful because if we want to fix only the recommended ones, we can go fix all of them..."
  • "Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first."

What is our primary use case?

Once we enroll devices, the Microsoft scanners scan them in the backend and find vulnerabilities for the devices. For example, if our Office version is outdated, or Chrome is an outdated version, or there are any vulnerabilities or security loopholes, they will be displayed in Defender for Endpoint. We go through those vulnerabilities and we try to fix them by creating group policies or by using Intune. If there are any security recommendations in Defender for Endpoint, we fix those assets.

How has it helped my organization?

It's the best solution for vulnerabilities. Most updates will be done by group policies in a big organization and everything will be maintained in that way. But with non-group policies, if it's not a hybrid environment, or they are only using cloud, or they're connected to Azure already, or they don't have AD, a lot of updates will be missed. That is a very difficult situation for handling vulnerabilities. In that situation, once we enroll the devices to Defender for Endpoint, all the vulnerabilities will be displayed on the dashboard and we can review them and fix them. In that way, we can stop most cyberattacks and close all the vulnerabilities and loopholes.

Before enrolling devices to Defender for Endpoint, we don't know what vulnerabilities or security loopholes are on those devices. Once we enroll devices we find a lot of vulnerabilities and we have been able to fix a lot of security-related issues. It has helped us a lot.

It is impacting our security score. Before we enrolled our devices to Defender for Endpoint, our security score was 58. When we enrolled 500-plus devices to Defender for Endpoint, our security score went down to about 42 percent. We then understood we need to maintain it above 50 percent, as recommended by Microsoft. We are trying to increase our security score by fixing those issues.

It shows how to fix a given vulnerability or security issue, providing step-by-step guidance. That saves a lot of time because if we didn't know how to fix a vulnerability, we would need to do some research and find the right document. That would take time. It is saving us 10 to 15 hours per month.

What is most valuable?

It finds the loopholes and vulnerabilities and shows you some security recommendations as well. Based on the requirements, we fix them. We don't necessarily need to fix all the vulnerabilities. For example, if an organization is using Office 365 and the accounts team wants Excel to be updated to version 16.2.0, some applications or some data will work only with that particular version, but some data will not be supported. In that situation, we don't want to upgrade MS Excel.

Integrating Microsoft solutions with other solutions is not that difficult. Microsoft provides documentation on how to integrate things, which is good. We get a lot of information from the Microsoft pages. Integration is very helpful for finding all the security-related stuff.

Defender for Endpoint has one dashboard with security-related information, vulnerability-related information, and basic recommendations from Microsoft, all in different tabs. That's helpful because if we want to fix only the recommended ones, we can go fix all of them, or if we want to work on the security-related ones, we can go to the security tab and work on all of them.

The solution's threat analytics is another tab and it is helpful for finding vulnerabilities, phishing emails, and spam emails. If we want to release them, we can release them. We will check IP abuse and whether the IP is related to brute force attacks. If we want to improve on something, we will send it to Microsoft to analyze it. Being proactive is important. As specialists, we need to review the recommendations from Microsoft on a day-to-day basis and fix them as much as we can. Day-to-day, we need to upgrade and make sure all the devices are up to date. That should not be done on a weekly or monthly basis.

What needs improvement?

Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first.

Buyer's Guide
Microsoft Defender for Endpoint
August 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,445 professionals have used our research since 2012.

For how long have I used the solution?

We have been using Microsoft Defender for Endpoint for one and a half years. 

What do I think about the stability of the solution?

I haven't seen any downtime. I don't see any issues with the stability. If there is any downtime, Microsoft will send a message on the dashboard and we can see any service issues.

How are customer service and support?

Their tech support is very good. If we raise a ticket, they will respond within 15 to 20 minutes. If they don't know, they will do some research and come back to us. I love working with Microsoft

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used GFI Vipre. We switched because Vipre was not a Microsoft product, and we trust Microsoft. Between a third party and Microsoft, most people will choose Microsoft because the solution and the support are very good. We also have a client portfolio and we get a discount on the license.

How was the initial setup?

The initial setup is simple. We run a script on the local machine and the device will be enrolled to Defender.

I completely configured Defender for Endpoint to be used in an automated way. We enrolled our devices to Intune and we configured Defender for Endpoint in Intune. Once we add our devices to Intune and to a group, those devices will be enrolled to Defender for Endpoint also. Enrolling takes around 24 to 48 hours.

Maintenance is pretty easy. Once we run that script, there are no complications while enrolling the devices.

What's my experience with pricing, setup cost, and licensing?

The comprehensiveness of the threat-protection that Microsoft security products provide depends upon the license. Right now, we are using E5 licenses which cover every security feature. But if a small or mid-level organization uses an E3 license or Business Basic plan, not all the features are provided. The cost is high for E5 licenses, but if we go with the E3 license, most of the features are not covered.

Which other solutions did I evaluate?

We did some research and found other solutions. The support is very good for Microsoft. If we raise a ticket, within 15 to 20 minutes, we will get a response from the Microsoft support team regarding the issue. They keep an eye on it; every ticket is tracked. If we want, we can also escalate. With a third-party solution, we cannot get as much support as we can with Microsoft.

There are a lot of cyber security tools, so it depends upon the requirements. I'm not saying that we need to use only Microsoft. But when it comes to support, I don't know how the others do. Using a suite of solutions from Microsoft has benefits. Support is a very good one. The recommendations are also provided in the dashboard, and the SLA is 99.9 percent; we don't expect downtime with Microsoft.

What other advice do I have?

We are not using Microsoft Sentinel. It will create alerts regarding VMs or storage but the cost is very high. Sentinel is not going to help much more when compared with Defender for Endpoint. Sentinel isn't preferable. It only creates alerts. There is not that much impact on the organization if it uses Sentinel also.

Microsoft Defender for Endpoint is a very good solution. I recommend using it.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Matthew Weisler - PeerSpot reviewer
Sole Proprietor at Core-Infosec
Real User
Top 10
Works natively with detection and response across the whole environment but not the strongest solution on the market
Pros and Cons
  • "Integration between Microsoft products is very easy."
  • "If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket."

What is our primary use case?

We primarily use the solution for security. For most clients, we deploy the solution for security purposes. Some clients just deploy it as part of Microsoft. Some haven't fully set it up even though they've paid for it. Some may be deployed and set it up and then have it disabled. 

What is most valuable?

They've grown the solution into an XDR EDR type of solution. It's nice. Everyone is going in the same direction. There are good process flows and features that make permissions and setup easier if clients are all under Microsoft.

If you get it set up correctly, it just works. 

It does help us prioritize issues. It depends on how the user has it set up, however. You can make a very nice pane of glass. It depends on who it's set up for and what they are doing with it. Some people throw the Windows Defender EDR solution out there and walk away. It does you no good if you're not sitting there watching it, monitoring and setting it up to get the feeds and the alerts and everything else.

It integrates really well with other security tools. That's something they've done very well. Integration between Microsoft products is very easy. It also works well with API plugins, etc. It works natively with detection and response across the whole environment. There may be pieces that may be tuned or integrated correctly. However, it's all pretty seamless.

The threat protection is pretty comprehensive.  

Defender helps automate routine tasks and find high-value alerts. It's a one-stop shop. You can do integration, for example, with Microsoft Teams. It depends on the business you want to run. A mom-and-pop shop may not need so many tasks sent to very specific people. For larger enterprises, having the same tool across the board makes it very easy.

Defender Endpoint does help prepare for potential threats before they hit. When you're looking at signature-based AV, Defender, just like everyone else, will pick up something known. However, when it comes to user behavior analysis, that's a bit more complicated. 

We've saved five hours or less per month in terms of saving time.

I might help clients save money, depending on the size of the organization. With Defender, you are just paying for licensing. It's all moved to the cloud. 

What needs improvement?

If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket.

Since they are linked to the operating system, they should have good visibility on what is malicious and what is not. They should be at the forefront in that area. However, they are doing what everyone is doing - especially in threat sharing. Pretty much any EDR solution has the same intelligence. Microsoft should go further since they do develop so much underlying infrastructure since they've "built the house" they should know everything about it. They should be more intuitive.

For how long have I used the solution?

I haven't been using the solution for too long. I've started using it recently. However, Defender has been around for years.

How are customer service and support?

Technical support is always good. There are different levels you can pay for. I personally have never had to use support for the Defender product. Getting really good technical support depends on what partner level you are. 

Which solution did I use previously and why did I switch?

I'm also familiar with Sentinel and CrowdStrike. I do move my clients towards third parties and don't necessarily try to set them up under just Microsoft.

Inherently, everyone is using the trend intel. They share and ingest threat information. The intel is there. Some organizations may do it a bit better if you were ranking them. However, Microsoft's job isn't necessarily security. They have cloud infrastructure, et cetera. Unlike CrowdStrike, where security is their bread and butter. For Microsoft, Defender has always been the last on their list in terms of priorities.

What was our ROI?

Calculating ROI would depend on what your overall security posture is for your entire organization. If you are just trying to do PCI compliance, you may be opening yourself up to threats down the line. Also, if you are never updating, et cetera, you might be a target for ransomware. However, if you take the time to diversify and watch your systems regularly, you will see more ROI.

What's my experience with pricing, setup cost, and licensing?

The solution is cost-effective as it is on-cloud. You don't need to accrue costs related to hosting. 

The pricing is fair. However, it depends on what you are trying to buy and what size your organization is. 

What other advice do I have?

I'm a Microsoft partner. 

This solution does not make my top five.

As far as relatively decent, I'd say they are okay. I'd rate it seven out of ten. However, it's always the number one thing threat actors are targeting. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Buyer's Guide
Microsoft Defender for Endpoint
August 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,445 professionals have used our research since 2012.
reviewer1812804 - PeerSpot reviewer
Associate Director-Technology Consultancy at a consultancy with 1,001-5,000 employees
MSP
Proactive, doesn't slow down the systems, and integrates well with Microsoft products
Pros and Cons
  • "The most important feature is the way it monitors the threats and blocks them. About 10 days ago, we were implementing SOC for a particular client. The SOC was not yet implemented, but they had Microsoft Defender. That organization was hit by some ransomware, but the hacker could not succeed. Because of the EDR, the hacker could not install the hacking tools. They were trying to do that, but Microsoft Defender completely blocked that. The hacker could log into the system, but they could not install anything."
  • "It should support non-Windows products better. Microsoft is now one of the leading vendors in the security area. So, they should be product-independent."

What is our primary use case?

We provide solutions to our customers based on their requirements. We started working with Microsoft products because we saw people getting more inclined toward Microsoft security products. For example, previously, for SOC, we saw more organizations working with Splunk or QRadar. However, over the last six months, we have seen a lot of customers migrating to Microsoft Sentinel because they already have Microsoft products in their environment, and it works better with other Microsoft products.

How has it helped my organization?

The main purpose of EDR is threat protection, and Microsoft Defender is most impressive when you are factoring in the E3 and E5 security enhancements. It gives all monitoring alerts on a proactive basis. It generates an alert if it finds suspicious traffic, and it also helps to understand where the risks are.

It helps us to prioritize threats across our enterprise. That's one of the key features.

It helps automate routine tasks and the finding of high-value alerts. Because of the automation, you don't need to do anything. You are not required to do anything manually. It automatically detects threats and blocks them. It reduces a lot of manual effort.

It makes the organization much more secure. Microsoft Defender is one of the leading products. It works perfectly. When you are monitoring daily alerts, you can understand what kind of threats your organization is facing or how it is blocking. Based on this analysis, you can secure your organization more. Based on their automation, they are protecting you, and from that analysis, you can understand what threats your organization is facing. So, you can focus more on that area. It helps you to identify and secure those areas so that the same threats don't come in the future.

It has saved us about 20% of the time from an endpoint perspective. It has reduced our time to detect and respond by 50%.

Our customers also use M365 and Microsoft Sentinel. We have integrated all of these products. The base product is Microsoft Sentinel because that is the SIEM. All M365 logs get ingested for the phishing attack checks, and Microsoft Defender logs get integrated with Microsoft Sentinel to check all the endpoint-related activities. These endpoints include Windows servers, laptops, and desktops. On Windows Server also, we have installed Microsoft Defender EDR. From there, the logs go to Microsoft Sentinel, and from there, a centralized monitoring console works. These solutions work natively together to deliver coordinated detection and response across an environment.

What is most valuable?

The most important feature is the way it monitors the threats and blocks them. About 10 days ago, we were implementing SOC for a particular client. The SOC was not yet implemented, but they had Microsoft Defender. That organization was hit by some ransomware, but the hacker could not succeed. Because of the EDR, the hacker could not install the hacking tools. They were trying to do that, but Microsoft Defender completely blocked that. The hacker could log into the system, but they could not install anything. 

Microsoft Defender is a lot proactive, and it can also analyze the threats on the latest technologies. In the case of the attack that happened just 10 days ago, we immediately logged in and saw various challenges because we didn't have any other logs. SOC was not ready, and we only had EDR logs. From there, we could identify that the hacker couldn't succeed because Microsoft Defender was proactively working. It prevented the complete attack.

It is proficient and proactive in monitoring threats. It can seamlessly monitor all the individual assets in real time. Another thing is that after installing the Microsoft Defender agent, your computer doesn't slow down even though real-time scanning is going on in the background.

What needs improvement?

It should support non-Windows products better. Microsoft is now one of the leading vendors in the security area. So, they should be product-independent.

For how long have I used the solution?

I have been using it for the last year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable.

How are customer service and support?

I have not faced any issues with their technical support. Our client has a tie-up with Microsoft, and the Microsoft team has provided them with good support, but I'm not sure how they will be in the case of small customers. 

Which solution did I use previously and why did I switch?

We are working with multiple vendors for our clients. We are using CrowdStrike for some of the other organizations. Microsoft Defender has grown in a very big way in a very short period, but CrowdStrike Falcon is ahead of it in terms of protection.

Microsoft doesn't give everything in a single dashboard, whereas with Mandiant or Secureworks, from a single dashboard, you can manage everything, such as your EDR threats, vulnerability detection and response, and network detection and response. Microsoft has not grown up in that way.

How was the initial setup?

It is much easier to deploy for the Windows platform. One of the customers had 3,000 or 4,000 endpoints, and we could do the deployment in two months.

There was a team of 10 members. They were working on multiple things. They were not fully dedicated to it. We had SCCM, and we had to push everything through SCCM. That helped a lot to automatically push to multiple endpoints at the same time.

If it is on the cloud, you don't require any separate maintenance, but when their patch is coming, you have to do the patch upgrade. You can make that automated. It is easy.

What was our ROI?

It is hard to measure the amount of money saved from using this solution because it depends on if you had any attack, and if an attack happens, how much your organization would lose based on the threat. It was published that in the last year, companies have lost millions of dollars because of ransomware and multiple attacks.

What's my experience with pricing, setup cost, and licensing?

They are now doing it on an endpoint basis. It is based on the number of endpoints, which is good.

Which other solutions did I evaluate?

We made multiple comparisons between tools. We had not only Microsoft Defender but also CrowdStrike and Tanium. I was working on some of the requirements for one of our clients, and based on that, we started evaluating these three products. We started working with Microsoft Defender based on the endpoints or hosts available on the Windows platform. We saw that most of the organizations are still on the Windows platform. They have Windows laptops as well as Windows servers. 

One of the reasons why the client agreed to go with Microsoft Defender was that it was easy to deploy. We didn't need to spend a lot of time implementing it. It is much simpler compared to other competitive products.

During the PoC, we found Microsoft Defender to be easy to implement. It was able to detect a lot of things, but in a few areas, we found CrowdStrike much ahead of Microsoft Defender. Another difference is that CrowdStrike is product-independent, whereas Microsoft Defender is limited to Microsoft products. Also, if you have any other EDR running on your system and if you implement Microsoft Defender, it'll immediately disable others. In this tenure, if something happens, there is always a risk.

What other advice do I have?

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would agree. I prefer multiple vendors. I am not in favor of implementing Microsoft products in all areas because, in every domain, there are some specialty products. You should focus on that and see how to make your organization much safer. Every organization claims that it has all the products, but all the products are not good. That's why you have to find out the best one and put it there.

I would recommend comparing it with other products and defining what are the most important needs for your organization. You may not require all the features. Microsoft Defender includes a lot of things. Microsoft Defender has its own MCAS solution. It also supports DLP, which is not yet mature. You should see what is required for your organization and then do a testing or PoC on that.

Microsoft Defender works well with Microsoft products. You can implement or install it on the Windows platform, but you will have to find another way to track non-Windows platforms, such as Linux platforms or Unix platforms.

Similarly, Microsoft Sentinel does the analysis for Microsoft products in a better way, but they are yet to catch up when it comes to non-Windows products. It lacks when it comes to analyzing non-Windows products. It isn't able to identify all the threats properly. The number of false positives is much more compared to other products, but still, Microsoft Sentinel is one of the leading products in the market. It has developed a lot as compared to what we saw one year ago. It enables you to ingest data from your Microsoft environment, but I am not sure about the non-Microsoft environment. This data ingestion is very important. Without ingesting all the logs to your SIEM, you can't monitor the threats. When it comes to security products, they need to be product-independent. In terms of cost, it is almost similar to other products, but it is a little bit cheaper than Splunk. In terms of ease of use, on the Windows platform, it is very easy to use, but it is not so easy for non-Windows platforms.

Overall, I would rate Microsoft Defender an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
PeerSpot user
Jim Wang - PeerSpot reviewer
Security Researcher/Data Scientist at a tech vendor with 1,001-5,000 employees
Real User
Top 10
Enhanced security through detailed threat investigation and alerting
Pros and Cons
  • "Investigators can trace back to find the root cause."
  • "It seems there are challenges associated with IP addresses at times."

What is our primary use case?

I have been using Microsoft Defender for EDR (Endpoint Detection and Response). I started working with Microsoft when Defender was an anti-malware product. Over time, it evolved into an EDR solution.

How has it helped my organization?

Microsoft Defender helps investigate and monitor security alerts effectively. The EDR collects all the information from the device and matches it with an attack database. If it finds a match, it alerts, and then an investigator can trace back to find the root cause of what happened. This is very helpful for investigation purposes.

What is most valuable?

The valuable feature of Microsoft Defender is its ability to collect all the information from the device and match it with the attack database to alert if something matches. Investigators can trace back to find the root cause.

What needs improvement?

I have not thought about areas needing improvement, however, it seems there are challenges associated with IP addresses at times.

For how long have I used the solution?

I began using Microsoft Defender since its beginning as an EDR solution and worked on it for a long time, even before it was known as Microsoft Defender when it was just an anti-malware product.

What do I think about the stability of the solution?

There are no stability issues. It is stable.

What do I think about the scalability of the solution?

Scalability is good.

Which solution did I use previously and why did I switch?

Many security products are used, including Trend Micro, Microsoft, Cisco, and Oracle. I worked with Microsoft for around ten years, focusing on Microsoft Windows Defender.

How was the initial setup?

The initial setup is pretty easy to use.

What's my experience with pricing, setup cost, and licensing?

I don't have any information on the pricing, setup cost, or licensing.

What other advice do I have?

Microsoft Defender is integrated into Windows systems and is a pretty good product. It is something I would recommend to others.

I'd rate the solution nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Cyber Threat Hunter at a tech services company with 51-200 employees
Real User
Helps prioritize threats across our enterprise and improves security posture
Pros and Cons
  • "Endpoint's most valuable feature is deep analysis."
  • "Microsoft Defender for Endpoint does not provide much flexibility in terms of threats."

What is our primary use case?

We use Microsoft Defender for Endpoint for protection, asset onboarding, and service onboarding. We primarily focus on Microsoft-based endpoints. Specifically, we look for processes to determine if malware, viruses, or adware have been installed.

How has it helped my organization?

Microsoft Defender for Endpoint helps prioritize threats across our enterprise. The solution notifies us of new vulnerabilities, including those that have been published, exploited, or are being exploited, and it provides some visibility into these threats.

Microsoft Defender for Endpoint has a significant impact on reducing the number of affected machines. I personally write custom detection rules to analyze the environment and look for specific patterns, such as ransomware. Although some of the pre-built detection rules in Azure on GitHub are useful, they are not as flexible in terms of use cases. Therefore, it makes sense to write custom rules instead of importing the pre-built ones.

Microsoft Defender for Endpoint helps automate routine tasks and helps automate the finding of high-value alerts.

Microsoft Defender for Endpoint improved our security posture and operations by automating some of the mundane tasks, such as analyzing alerts. This allows us to focus on incidents that were created from specific individual alerts.

Microsoft Defender for Endpoint saved us time in terms of operational and C- CERT security. It reduced the amount of time we spend analyzing what happened on a particular endpoint, which processes were started, and which ones were suspicious. For example, it helped us to quickly identify suspicious installation protocols.

Microsoft Defender for Endpoint reduced our time to detect and respond by 25 percent.

What is most valuable?

Endpoint's most valuable feature is deep analysis. It provides a lot more in-depth findings. However, it only analyzes portable files with the .exe and .drl extensions. It does not analyze other file extensions. Additionally, it does not provide all the necessary information about the file's memory usage or size. I have to download the file to my computer to do further analysis. Therefore, the size of the application that the deep analysis analyzes is the only other red flag I can think of.

What needs improvement?

Microsoft Defender for Endpoint does not provide much flexibility in terms of threats. It only looks at what is currently in the environment. It does not provide flexibility like threat modeling, where we can provide our own threat model within the environment. This would allow Defender to provide us with feedback on threat intelligence that is tailored to our organization's needs and threat landscape.

Microsoft Defender for Endpoint's deep analysis shows that it works well with Microsoft's standard applications. However, it does not function as intended when used with Unix or Linux distributions. Therefore, it would be beneficial to improve support for other systems.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for one and a half years.

What do I think about the stability of the solution?

In terms of resources, I believe the solution is more resource-intensive because I can initiate multiple automated investigations, which will likely take a day or two to complete.

What do I think about the scalability of the solution?

Our organization has thousands of people using the solution.

What other advice do I have?

I give Microsoft Defender for Endpoint an eight out of ten.

No maintenance is required from our end.

I believe a best-of-breed solution is better because it eliminates some of the limitations of applications that do not provide solid stability in terms of detection time, response time, and eradication. This is because a best-of-breed solution is designed to be the best in its class at each of these tasks. As a result, it can identify threats more quickly, respond to them more effectively, and eradicate them more completely.

When evaluating the solution, we must understand how our environment is structured. Is it a hybrid environment? Does it have Unix, Linux, or Microsoft distributions? And within those distributions, do we plan to purchase multiple enterprise systems to cater to each individual distribution?

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Cyber Security Analyst with 1-10 employees
Real User
Enables us to see details on vulnerabilities and connections and it identifies any unauthenticated extensions
Pros and Cons
  • "I find the vulnerability management section of Microsoft Defender for Endpoint to be very useful for organizations."
  • "The time to generate certain alerts on our dashboard can take between 45 minutes to an hour, and I am unsure of the factors that influence this duration."

What is our primary use case?

We use Microsoft Defender for Endpoint to prevent traffic attacks. The solution displays each attack through Symantec. Therefore, we do not need to develop any use cases. It will detect anomalies using machine learning in Defender for Endpoint. It collects logs from the sensor, which include all mission data from the Windows sensor. The machine logs will then be sent to the cloud for analysis, and for every anomaly found, an alert is generated in our console.

How has it helped my organization?

Microsoft Defender for Endpoint provides comprehensive threat visibility. It allows for file analysis, checking unsupported files in the system, and accessing the Mission Live console. Unused files can be deleted, and suspicious files are analyzed and checked for viruses on the platform. In cases where a file has numerous detections from different security vendors, it is quarantined, blocking it in the organization. Care is taken to avoid quarantining legitimate files to prevent disruption. Additionally, there are numerous advanced configuration options available.

It helps us prioritize threats across our entire enterprise. We receive notifications for any advanced threats and can also identify if there is an advanced threat within our organization. Additionally, we can view the different priorities, such as high, medium, or low, and understand the severity of the alerts. For high and medium alerts, we can take immediate action, such as isolating the machines from the network.

We also utilize Microsoft Elastic Cloud and EnCase. I believe the integration is straightforward, but I was only responsible for monitoring after the integration had been completed.

Microsoft offers four products that can seamlessly work together and be accessed through one console. These products are Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft CloudApp Security. With the appropriate license, we can subscribe to all four solutions from the Microsoft security website.

Sentinel allows us to collect data from our entire ecosystem and seamlessly integrate the log files with an API.

Microsoft Sentinel allows us to investigate threats and respond swiftly from a centralized platform. We possess the capability to generate customized queries and delve deep into the logs.

Microsoft Sentinel also has built-in SOAR, UEBA, and threat intelligence capabilities. The playbooks make the security analyst's job much easier. If there is unwanted software, we can configure a notification from the playbook to send the user a message or block the IOCs.

Defender for Endpoint aids our organization by enabling us to monitor the antivirus status on devices to ensure they are up-to-date. We can also access vulnerability details that we can share with the vulnerability team to promptly apply necessary patches. Additionally, it allows us to identify any pending configurations, streamlining our security analysis process.

It helped eliminate having to look at multiple dashboards and gave us one XDR dashboard for everything.

Microsoft Defender for Endpoint's threat intelligence assists us in proactively preparing for potential threats before they strike. Any threats detected by Microsoft Defender for Endpoint are automatically blocked, while for those that are not, we have the option to block them manually.

What is most valuable?

I find the vulnerability management section of Microsoft Defender for Endpoint to be very useful for organizations. It provides details on vulnerabilities, connection, and software vulnerabilities, and identifies any unauthenticated extensions. The Secure Score option is also helpful for reviewing configurations. In a project to improve Secure Score, we reviewed configurations on a weekly basis and implemented changes gradually. Each section (Identity, Endpoint, Encryption) can be configured phase by phase, and the changes are tracked through a graph. Comparing our Secure Score with other organizations is also possible. From a security perspective, Microsoft Defender for Endpoint is easy to understand and facilitates advanced investigations.

What needs improvement?

The time to generate certain alerts on our dashboard can take between 45 minutes to an hour, and I am unsure of the factors that influence this duration. When I analyze the logs, I notice that some incidents occurred an hour before the alert was generated and sent to the console. This suggests that we are not detecting threats in real-time. Additionally, we encountered another issue with the dashboard while monitoring multiple organizations. One organization received a notification that 70 of their machines were at risk, while the other organizations only had five or ten machines at risk. Upon checking all 70 machines, we found no alerts or vulnerabilities in the logs. We submitted a ticket and provided the logs to Microsoft, but they were unable to offer a proper explanation for the triggered alert on those machines being at risk.

We were experiencing high CPU usage issues on the servers and found that Microsoft Defender for Endpoint was the root cause. We reached out to Microsoft and, after two weeks, they provided us with a solution to edit the registry keys and update the software.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for two years.

What do I think about the stability of the solution?

The stability is good.

How are customer service and support?

The technical support team is good.

How was the initial setup?

The initial setup is simple. We can deploy using Microsoft SCCM and provide the onboarding package to SCCM. 

What's my experience with pricing, setup cost, and licensing?

There are different licenses, such as E3 and E5. With an E5 license, we can access all the solutions, which is better, but the cost is high. However, it is still valuable from a security perspective.

What other advice do I have?

I give Microsoft Defender for Endpoint an eight out of ten.

We deployed Microsoft Defender for Endpoint and CrowdStrike together in one organization. While Microsoft Defender for Endpoint displayed valid alerts, there were no alerts in CrowdStrike.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Danny Nagdev - PeerSpot reviewer
Founder at LetsReflect
Real User
Top 20
Single console gives me a one-shot view of our whole infrastructure
Pros and Cons
  • "The solution's threat protection is mostly AI and machine-learning based. That is the most important feature of the product. It also offers centralized management so I can remotely manage devices."
  • "The automation could be simpler on the mitigation side. It has a learning curve. Otherwise, it's pretty easy."

What is our primary use case?

We use it for threat protection.

How has it helped my organization?

It protects my endpoints from malware and viruses. Those benefits were immediate.

And the automation of routine tasks, such as finding high-value alerts, had an immediate impact because I can see all the threats in a single console, and how they are mitigated.

It has also definitely eliminated having to look at multiple dashboards, giving me one XDR dashboard. It's really effective because it is very tough to handle two different dashboards or environment consoles. The single console gives me a one-shot view of the whole infrastructure, security-wise.

The solution also saves me time because there is no need to install it on all the machines. That is automated. Even the mitigation is sometimes automated, which definitely saves time. It saves me about 90 percent of the time I would otherwise spend on these things.

I have also seen a clear improvement in time to detect and respond. It is instant.

What is most valuable?

The solution's threat protection is mostly AI and machine-learning based. That is the most important feature of the product. It also offers centralized management so I can remotely manage devices.

In terms of visibility, it gives me all the threats. They are showcased in the management portal. I check there and it's nice.

We also use Microsoft Intune and Azure Information Protection and have them integrated with Defender For Endpoint. The integration was moderately difficult, slightly confusing, but it can be done. But the solutions work natively together to deliver coordinated detection and response. That is very important. Integration is one of the main things I look at. The fact that they work together is the best thing. The threat protection these solutions provide is very comprehensive and very detailed. They cover different aspects and layers of security and that's why it's very important to have them integrated.

What needs improvement?

The automation could be simpler on the mitigation side. It has a learning curve. Otherwise, it's pretty easy.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for one and a half years.

What do I think about the stability of the solution?

It is a stable solution.

What do I think about the scalability of the solution?

It's also scalable.

How are customer service and support?

If I have any issues I can relate them to support. But they are quite slow in responding.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used Sophos and we switched because of integration. 

How was the initial setup?

It's deployed on the cloud and the setup is quite fast. I just needed to add the machines and the deployment happened quickly. Within a day, we were up and running. It was straightforward and involved two people.

There is not much maintenance required.

What was our ROI?

We have definitely seen ROI, due to the fact that I only have one dashboard and one solution. Our ROI is around 20 percent.

What's my experience with pricing, setup cost, and licensing?

The cost is high, compared to other products in the market, if you look at it as a separate product. If you look at the cost where it is part of a bundle, the cost is okay.

What other advice do I have?

Defender for Endpoint doesn't really help to prioritize threats across the enterprise. It's more of a basic threat protection solution. It's more of a reactive approach, once something hits.

With a single vendor, it's much easier to detect alerts and threats beforehand. Having a single vendor helps.

I would recommend Defender For Endpoint. If you are using other Microsoft products, together, this is a better security solution.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Mahmoud Eldeep - PeerSpot reviewer
Security Team Lead at Global Brands Group
Real User
Real-time detection, easy to deploy, and scalable
Pros and Cons
  • "Real-time detection and cloud-based delivery of detections are highly efficient."
  • "The application control feature requires improvement."

What is our primary use case?

We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security. 

Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.

How has it helped my organization?

The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.

Microsoft Defender for Endpoint helps prioritize the threats across our organization.

The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.

The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.

In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.

The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.

Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.

The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.

Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.

Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.

The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.

The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.

This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.

What is most valuable?

Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations

What needs improvement?

The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.

The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable.

Which solution did I use previously and why did I switch?

I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their Suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration; For threat detection capabilities, Microsoft Defender for Endpoint is stronger.

How was the initial setup?

The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM Solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.

What about the implementation team?

We implement the solution for our customers.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.

There is an additional cost for Microsoft Premier support.

What other advice do I have?

I give the solution an eight out of ten.

Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.

To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.