Security Researcher/Data Scientist at a tech vendor with 1,001-5,000 employees
Enhanced security through detailed threat investigation and alerting
Pros and Cons
- "Investigators can trace back to find the root cause."
- "It seems there are challenges associated with IP addresses at times."
What is our primary use case?
I have been using Microsoft Defender for EDR (Endpoint Detection and Response). I started working with Microsoft when Defender was an anti-malware product. Over time, it evolved into an EDR solution.
How has it helped my organization?
Microsoft Defender helps investigate and monitor security alerts effectively. The EDR collects all the information from the device and matches it with an attack database. If it finds a match, it alerts, and then an investigator can trace back to find the root cause of what happened. This is very helpful for investigation purposes.
What is most valuable?
The valuable feature of Microsoft Defender is its ability to collect all the information from the device and match it with the attack database to alert if something matches. Investigators can trace back to find the root cause.
What needs improvement?
I have not thought about areas needing improvement; however, it seems there are challenges associated with IP addresses at times.
Buyer's Guide
Microsoft Defender for Endpoint
June 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,687 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft Defender since its beginning as an EDR solution and have worked on it for a long time, even before it was known as Microsoft Defender, when it was just an anti-malware product.
What do I think about the stability of the solution?
There are no stability issues. It is stable.
What do I think about the scalability of the solution?
Scalability is good.
Which solution did I use previously and why did I switch?
Many security products are used, including Trend Micro, Microsoft, Cisco, and Oracle. I worked with Microsoft for around ten years, focusing on Microsoft Windows Defender.
How was the initial setup?
The initial setup is pretty easy to use.
What's my experience with pricing, setup cost, and licensing?
I don't have any information on the pricing, setup cost, or licensing.
What other advice do I have?
Microsoft Defender is integrated into Windows systems and is a pretty good product. It is something I would recommend to others.
I'd rate the solution nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Oct 30, 2024
Cyber Threat Hunter at a tech services company with 51-200 employees
Helps prioritize threats across our enterprise and improves security posture
Pros and Cons
- "Endpoint's most valuable feature is deep analysis."
- "Microsoft Defender for Endpoint does not provide much flexibility in terms of threats."
What is our primary use case?
We use Microsoft Defender for Endpoint for protection, asset onboarding, and service onboarding. We primarily focus on Microsoft-based endpoints. Specifically, we look for processes to determine if malware, viruses, or adware have been installed.
How has it helped my organization?
Microsoft Defender for Endpoint helps prioritize threats across our enterprise. The solution notifies us of new vulnerabilities, including those that have been published, exploited, or are being exploited, and it provides some visibility into these threats.
Microsoft Defender for Endpoint has a significant impact on reducing the number of affected machines. I personally write custom detection rules to analyze the environment and look for specific patterns, such as ransomware. Although some of the pre-built detection rules in Azure on GitHub are useful, they are not as flexible in terms of use cases. Therefore, it makes sense to write custom rules instead of importing the pre-built ones.
Microsoft Defender for Endpoint helps automate routine tasks and helps automate the finding of high-value alerts.
Microsoft Defender for Endpoint improved our security posture and operations by automating some of the mundane tasks, such as analyzing alerts. This allows us to focus on incidents that were created from specific individual alerts.
Microsoft Defender for Endpoint saved us time in terms of operational and C-CERT security. It reduced the amount of time we spend analyzing what happened on a particular endpoint, which processes were started, and which ones were suspicious. For example, it helped us to quickly identify suspicious installation protocols.
Microsoft Defender for Endpoint reduced our time to detect and respond by 25 percent.
What is most valuable?
Endpoint's most valuable feature is deep analysis. It provides a lot more in-depth findings. However, it only analyzes portable files with the .exe and .dll extensions. It does not analyze other file extensions. Additionally, it does not provide all the necessary information about the file's memory usage or size. I have to download the file to my computer to do further analysis. Therefore, the size of the application that the deep analysis analyzes is the only other red flag I can think of.
What needs improvement?
Microsoft Defender for Endpoint does not provide much flexibility in terms of threats. It only looks at what is currently in the environment. It does not provide flexibility like threat modeling, where we can provide our own threat model within the environment. This would allow Defender to provide us with feedback on threat intelligence that is tailored to our organization's needs and threat landscape.
Microsoft Defender for Endpoint's deep analysis shows that it works well with Microsoft's standard applications. However, it does not function as intended when used with Unix or Linux distributions. Therefore, it would be beneficial to improve support for other systems.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for one and a half years.
What do I think about the stability of the solution?
In terms of resources, I believe the solution is more resource-intensive because I can initiate multiple automated investigations, which will likely take a day or two to complete.
What do I think about the scalability of the solution?
Our organization has thousands of people using the solution.
What other advice do I have?
I give Microsoft Defender for Endpoint an eight out of ten.
No maintenance is required from our end.
I believe a best-of-breed solution is better because it eliminates some of the limitations of applications that do not provide solid stability in terms of detection time, response time, and eradication. This is because a best-of-breed solution is designed to be the best in its class at each of these tasks. As a result, it can identify threats more quickly, respond to them more effectively, and eradicate them more completely.
When evaluating the solution, we must understand how our environment is structured. Is it a hybrid environment? Does it have Unix, Linux, or Microsoft distributions? And within those distributions, do we plan to purchase multiple enterprise systems to cater to each individual distribution?
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
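The review above describes writing custom detection rules for patterns such as ransomware rather than importing pre-built ones. The following is an added example and is not the reviewer's rule or any code from the page: a PowerShell script that runs a ransomware-precursor query against the Defender for Endpoint Advanced Hunting API, so the query can be tuned on real data before being saved as a custom detection rule in the portal. The specific precursor patterns (shadow-copy deletion, backup catalog deletion, boot recovery disabled), the app registration with the AdvancedQuery.Read.All permission, and the environment variable names are this example's assumptions.

```powershell
# Added example (not from the review): run a ransomware-precursor hunting query
# against the Microsoft Defender for Endpoint Advanced Hunting API and list hits.
# Assumed (not stated in the review): an Entra ID app registration granted the
# WindowsDefenderATP "AdvancedQuery.Read.All" application permission, with its
# tenant ID, client ID and client secret supplied through environment variables.
param(
    [string]$TenantId     = $env:MDE_TENANT_ID,
    [string]$ClientId     = $env:MDE_CLIENT_ID,
    [string]$ClientSecret = $env:MDE_CLIENT_SECRET,
    [int]$LookbackDays    = 7
)

# The KQL below is what would be saved as a custom detection rule. The patterns are
# illustrative ransomware precursors chosen for this example: shadow-copy deletion,
# backup catalog deletion, and disabling Windows boot recovery. Timestamp, DeviceId
# and ReportId are projected because custom detection rules require them.
$query = @"
DeviceProcessEvents
| where Timestamp > ago(${LookbackDays}d)
| where (FileName =~ "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows"))
     or (FileName =~ "wmic.exe"     and ProcessCommandLine has_all ("shadowcopy", "delete"))
     or (FileName =~ "wbadmin.exe"  and ProcessCommandLine has_all ("delete", "catalog"))
     or (FileName =~ "bcdedit.exe"  and ProcessCommandLine has_all ("recoveryenabled", "no"))
| project Timestamp, DeviceId, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName, ReportId
| order by Timestamp desc
"@

function Get-MdeToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client-credentials flow scoped to the Defender for Endpoint API.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return $resp.access_token
}

function Invoke-MdeHuntingQuery {
    param([string]$Token, [string]$Kql)
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $payload = @{ Query = $Kql } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
        -Headers $headers -Body $payload
    # The API returns a Schema array and a Results array; only the rows are needed here.
    return $resp.Results
}

$token   = Get-MdeToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$results = Invoke-MdeHuntingQuery -Token $token -Kql $query

if (-not $results) {
    Write-Host "No ransomware-precursor commands seen in the last $LookbackDays days."
} else {
    # Group per device so one noisy host does not hide the others.
    $results | Group-Object DeviceName | Sort-Object Count -Descending | ForEach-Object {
        Write-Host ('{0}: {1} event(s)' -f $_.Name, $_.Count)
        $_.Group | Select-Object Timestamp, AccountName, ProcessCommandLine | Format-Table -AutoSize
    }
}
```

Once the query returns only hits you would want an analyst to see, paste the same KQL into Hunting > Advanced hunting in the portal and use Create detection rule; the rule runs on the same table and can be given automated actions (isolate device, collect investigation package) rather than only raising an alert.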
Security Team Lead at Global Brands Group
Real-time detection, easy to deploy, and scalable
Pros and Cons
- "Real-time detection and cloud-based delivery of detections are highly efficient."
- "The application control feature requires improvement."
What is our primary use case?
We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security.
Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.
How has it helped my organization?
The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.
Microsoft Defender for Endpoint helps prioritize the threats across our organization.
The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.
The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.
In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.
The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.
Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.
The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.
Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.
Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.
The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.
The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.
This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.
What is most valuable?
Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed Microsoft Application Control, which I found to be very effective, albeit difficult to deploy. I have implemented Exploit Guard and attack surface reduction rules, which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations.
What needs improvement?
The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.
The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable.
Which solution did I use previously and why did I switch?
I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration, for threat detection capabilities Microsoft Defender for Endpoint is stronger.
How was the initial setup?
The initial setup is straightforward because we just need to onboard devices through a script, an onboarding package, or any other MDM solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.
What about the implementation team?
We implement the solution for our customers.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.
There is an additional cost for Microsoft Premier support.
What other advice do I have?
I give the solution an eight out of ten.
Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.
To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
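The review above describes onboarding devices with a script or onboarding package, and the Modern Workplace review further down describes the same two steps (enable at tenant level, then push the sensor with a policy). What neither spells out is how to confirm on a device that onboarding actually completed. The following is an added example, not code from either review or from Microsoft's onboarding package: it checks the sensor service and the onboarding state written to the registry, then runs Microsoft's documented detection test so the device shows up in the portal with a test alert. It assumes the device was onboarded with the portal's local onboarding script or an Intune/Group Policy onboarding package, and that it runs in an elevated PowerShell on the endpoint.

```powershell
# Added example, not code from the review: check that a Windows device completed
# onboarding after the onboarding script or package ran, then trigger the
# documented detection test so the device and a test alert appear in the portal.
# Run in an elevated PowerShell on the endpoint. Assumed (not stated in the
# review): onboarding used the portal's local onboarding script or an
# Intune/Group Policy onboarding package.

function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        SenseServiceRunning = $false
        OnboardingState     = $null
        OrgId               = $null
    }
    # The EDR sensor runs as the Sense service; onboarding is incomplete if it is not running.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # OnboardingState is 1 once the device has accepted the onboarding blob;
    # OrgId identifies the tenant the sensor reports to.
    if (Test-Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
    }
    return [pscustomobject]$result
}

function Invoke-MdeDetectionTest {
    # Microsoft's documented test: a hidden PowerShell tries to download a file from a
    # loopback URL and run it. The download fails, but the behaviour is what the sensor
    # reports, and the portal raises a test alert for the device.
    $dir = 'C:\test-WDATP-test'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $cmd = "`$ErrorActionPreference='silentlycontinue';" +
           "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe','$dir\invoice.exe');" +
           "Start-Process '$dir\invoice.exe'"
    Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoExit', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', $cmd)
}

$state = Test-MdeOnboarding
$state | Format-List

if ($state.SenseServiceRunning -and $state.OnboardingState -eq 1) {
    Write-Host 'Device is onboarded. Running the detection test; expect a test alert in the portal within minutes.'
    Invoke-MdeDetectionTest
} else {
    Write-Warning 'Onboarding is incomplete. Re-run the onboarding package, then review the sensor log:'
    # The sensor writes connectivity and onboarding errors to its own operational log.
    Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}
```

This is a per-device check for the pilot phase; once the fleet is onboarded, the Device inventory in the portal and its sensor health state column show the same information for every device without touching the endpoints.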
Senior Technology Consultant at SoftwareONE
Provides complete and secure integration that gives us a full picture of the status of the entire organization
Pros and Cons
- "The solution provides protections and reports about strange behavior and automatically blocks some of it. I love the way that statuses are represented."
- "The dashboard customization could be improved."
What is our primary use case?
I'm a consultant. When we do a project with a client, they want us to make an assessment of their environment so they know how to improve their security through Endpoint. I give advice on how to manage the daily case reports that Microsoft automatically sends.
The solution is mainly deployed on the cloud. Most of our clients are on-premises, but they are transitioning and moving most of their administrative tasks to the cloud.
We deploy this solution for multi-national companies. For example, the last customer I worked with has several departments and locations in several countries. It's a mixture of everything. It's a multi-national company nowadays.
We use all of the M365 security products. I'm also looking into Sentinel. For on-premise security, we're using Windows Defender managed by Security Center or Intune.
We have integrated the solution with other Microsoft products. For example, integrating Azure Active Directory and on-premises computers with Intune is really easy to accomplish. The security console gives us visibility over all the products that are managed by different Microsoft tools. The integration is amazing.
The solutions work natively together to deliver coordinated detection and response across our environment.
Using ORCA PowerShell provides us with an extensive report and assessment of the platform. It's officially recommended by Microsoft to get an assessment of their environment. It's easier to get the big picture from this tool than from the Microsoft console.
How has it helped my organization?
The main improvement is that we have complete integration. For example, there were a couple of projects where I integrated the already managed platform from on-premises using Endpoint Configuration Manager with Defender. The integration between the on-premises Microsoft hybrid environment, Intune, and Defender for Endpoint is secure. It gives me a full picture of the status of the entire organization. That was unimaginable a couple of years ago, but now it's real.
This solution helps us train a lot of customers and their employees to be aware of what they shouldn't do with certain behaviors, mail, and files on their corporate computers. It helps customers to be more aware of behaviors that put the entire company at risk.
We realized these benefits from the beginning of using this solution. It gives us information from different points of view and consoles in a convenient way.
It helps prioritize threats across an enterprise. The reporting shows companies what they need to do to resolve abnormalities and prioritize what needs to be solved in order to improve the security level of the company.
Prioritization is important because it's absolutely necessary to know what has been upgraded and what hasn't. Hackers take advantage of that.
Defender gives us the ability to look at all the dashboards from a single screen. The solution's threat intelligence helps us prepare for potential threats before they hit and take proactive steps by configuring some behaviors.
Microsoft Endpoint saved us from a lot of potential problems. It has absolutely saved us time. From the point of view of our clients, the solution saves money because the main tools that are used by the platform are already integrated into their contracts with Microsoft.
What is most valuable?
The solution provides protection and reports strange behavior and automatically blocks some of it. I love the way that statuses are represented.
It provides visibility into threats and gives daily reports about new threats and how to deal with them. We can change configurations so customers are continuously aware of new threats.
What needs improvement?
The dashboard customization could be improved. It's not as good as Azure. The center console isn't very flexible.
The automated remediation could be improved too. If there's a problem, most of the time they open a ticket for another help desk team. They don't remediate these vulnerabilities themselves 90% of the time.
For how long have I used the solution?
I have been using this solution for about five years.
What do I think about the stability of the solution?
It's stable. From time to time, there's a blackout on the web pages.
How are customer service and support?
The quality of technical support depends on the technicians who are assigned to your case, but the solutions they provided us with have worked every time. The reply time can be fast, but it depends on if you're lucky or not. You can be waiting for a week or two days.
I would rate technical support an eight out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The setup is very quick. The amount of time it takes depends on the infrastructure that someone wants to maintain or update.
Only a couple of people were involved in the deployment. From my point of view, I leave the customer's teams in charge of the maintenance of the tools. I recommend taking a look at the weekly reports that Microsoft sends in order to know what changed, what's new, and what has been upgraded.
What other advice do I have?
I would rate this solution an eight out of ten.
There are several free platforms to test all the functionalities and evaluate the solution. If you see that they cover all of your needs, my advice is to buy the product.
I prefer a single vendor's security suite because integration is easier.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Modern Workplace Technical Team Manager at a tech services company with 11-50 employees
Helps us prioritize threats across our enterprise and gives us better perception of incoming and active threats
Pros and Cons
- "The attack surface reduction rules are the most valuable. We're able to have unattended remediation actions when the solution works side by side with a local antivirus like Microsoft Defender or Kaspersky. The attack surface reduction rules help us to proactively block and stop threats."
- "Reporting could be improved. I would like to see how many security incidents occurred in the last six months, how many devices were highly exposed to security risks, and how many devices were actually compromised."
What is our primary use case?
Our target is to have control over protected endpoints. As a centralized console dashboard, we want to see the exposure level and security weaknesses associated with those protected endpoints.
We are a consultancy company and a Microsoft Gold partner, so we are strictly attached to the Microsoft stack. We have used Microsoft Defender for Cloud for some of our customers on a few occasions.
The solution is deployed on the cloud. From an infrastructure point of view, it's on Microsoft and likely would be geo-distributed. The solution is typically deployed for all endpoints that require cloud protection in an organization. If a company has 300 devices, typically all 300 devices are connected. It doesn't make sense to divide profiles for different departments.
On average, we have 300 to 600 devices and a similar amount of users. In a few cases, we have Defender for Endpoint protecting shared workstations.
How has it helped my organization?
The solution helps us prioritize threats across our enterprise. If we're talking about projected vulnerabilities, like an outdated web browser, then there's a different priority associated with that. Conversely, if we have an endpoint out of date, like outdated Windows security patches, it will be registered with a different, higher priority. It helps a lot.
Sentinel enables us to natively ingest data from our entire ecosystem. By design, Microsoft ingests data from Office 365 to Sentinel.
This ingestion of data is critical to our security operations. Without data ingestion, nothing is shown in the dashboard or in the security and compliance portal. If it stops, we don't have data to analyze.
Sentinel enables us to investigate threats and respond holistically from one place. There are threat investigations directly in the portal, which depends on the license. This feature is really important for enterprise-class companies that have a huge emphasis on security.
Since using this solution, we have seen a better perception of incoming and active threats. We're able to see weaknesses or misconfigurations in applications and operating systems for devices.
It definitely takes time to realize benefits from the time of deployment. After we deployed the agent for Microsoft Defender for Endpoint, it took about a week to collect data.
Defender for Endpoint doesn't help us automate routine tasks or automate finding high-value alerts. The most valuable feature is attack surface reduction rules, and in this case, we have an automated response. It's a lot like SOAR, which helps to contain security risks in an unmanned way, but it's limited to just that feature.
This solution absolutely eliminated the need to look at multiple dashboards because we have one XDR. It's a worthy capability that helps a lot. Having one dashboard makes our security operations more seamless. To retrieve data, we consult different places within the portal.
The solution's threat intelligence helps us prepare for potential threats before they hit and take proactive steps.
The solution saves us time, but it depends on the point of view. It helps to have a better understanding and outlook on our current situation within our organization and plan proactively for tasks in order to improve our security score.
We saved money by not needing to buy additional pieces of software or deploying additional infrastructure for an on-premises security product.
It also depends on the competitor and the infrastructure required.
Detection and response take minutes because as soon as something is compromised or something happens within our organization, an alert will be triggered within minutes. After we receive an email with an alert, we are likely to start the analysis and remediation if it exceeds or doesn't fall within the scope of the attack surface reduction rules.
What is most valuable?
The attack surface reduction rules are the most valuable. We're able to have unattended remediation actions when the solution works side by side with a local antivirus like Microsoft Defender or Kaspersky. The attack surface reduction rules help us to proactively block and stop threats.
The visibility into threats is fair. It's accurate and gives us control over threats.
Prioritization is pretty important to us because we need to concentrate on new threats with higher risks associated with them.
Generally speaking, Microsoft Defender for Endpoint, along with Sentinel, provides fair, decent capabilities but it depends on the situation.
What needs improvement?
Reporting could be improved. I would like to see how many security incidents occurred in the last six months, how many devices were highly exposed to security risks, and how many devices were actually compromised.
For how long have I used the solution?
I have worked with this solution for more than a year.
What do I think about the stability of the solution?
It's very stable.
Generally speaking, there are no bugs or glitches. We have had issues twice in the past two months, but nothing too critical. Before those two occasions, it hadn't happened in a year or more.
What do I think about the scalability of the solution?
It's highly scalable considering it's a SaaS solution.
How are customer service and support?
I would rate technical support an eight out of ten. It depends on the support engineer who is working on the problem.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used Kaspersky, but the version is exactly comparable to Microsoft Defender for Endpoint.
We switched to Microsoft for better integration. It integrates very well with the Microsoft antivirus, so we don't have to deploy additional infrastructure or an additional piece of software. We have extended security controls over Windows devices especially and a single dashboard.
There is also integration with Intune, which is the MDM from Microsoft.
How was the initial setup?
The initial setup was absolutely straightforward. We spent some time reading the documentation in order to understand how the setup and agent deployment worked, but then it was pretty straightforward.
It took a couple of hours to deploy the solution. Assuming you have the current licenses, you need to enable the features at the tenant level, and then you have to create a policy to distribute the Defender for Endpoint sensor.
One person is sufficient to set up and onboard devices. The solution doesn't require any maintenance because the solution is upgraded from the cloud. Maintenance is very limited.
What was our ROI?
We have absolutely received ROI. Initially, it's time-consuming to understand how to onboard devices and start protecting them, but it's pretty easy to replicate the configuration across different customers.
What's my experience with pricing, setup cost, and licensing?
The price is fair for the features Microsoft delivers. If you want tailor-made features, you have to mix different licenses. It isn't straightforward.
Intune is an additional cost. Microsoft Defender for Endpoint works really well with Intune, but you may decide to go for a license that encompasses Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Intune, which is typically a Microsoft E5 license.
Which other solutions did I evaluate?
I evaluated other solutions, but the decision diverted to Microsoft products because we have a Microsoft partnership. I requested more information from PeerSpot about the differences between Microsoft Defender for Endpoint and Sophos Intercept X because I had to provide a business justification to a customer in order to go for Microsoft Defender for Endpoint.
What other advice do I have?
I would rate this solution an eight out of ten.
There are pros and cons to having a best-of-breed strategy versus a single vendor security suite. I would go for a single vendor security solution just to have convergence but it depends. Considering the fact that I'm working for a Microsoft Gold partner, I haven't had the occasion to make a comparison.
I would recommend implementing Microsoft Defender for Endpoint. My advice is to use Intune to have better control, especially for Microsoft devices. I would also advise using third-party local antivirus solutions rather than relying on Microsoft Defender Antivirus, which is a lock-in to a single vendor.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Manager at a recruiting/HR firm with 51-200 employees
Supports centralized management, provides complete visibility, and reduces management costs
Pros and Cons
- "We had Norton Antivirus before, and with Norton, we didn't have a way to centrally manage a lot of features. Defender allowed us to deploy it from our Office 365 admin console. That is probably the biggest thing that made us go with Defender."
- "One thing that was lacking in Defender was web filtering. Its web filtering wasn't as comprehensive. Sophos was a little bit better than Defender for blocking URLs or installing programs."
What is our primary use case?
We're using it for endpoint security.
How has it helped my organization?
We are able to get quite a lot of details about the laptops that we have across the organization. I would rate it pretty high in terms of visibility into our environment.
We are better able to see or get alerts on things that we might not have been able to see before. With Norton, for example, we didn't have a centrally managed system. All we could see was that a node had some threat on it, and we had to manually log into that node and work with the user to figure out what that threat was. With Defender, we are able to see all of that through the console instead of having to reach out to the user, which speeds up the process of figuring out what type of vulnerability we're looking at, and we are able to run scans and do other things remotely without having to interact with the user at all. It speeds up our process of detecting vulnerabilities and threats.
It has significantly reduced the amount of time to respond to threats and manage threats.
It has definitely improved our security, and it also helped us in reducing management costs.
What is most valuable?
We had Norton Antivirus before, and with Norton, we didn't have a way to centrally manage a lot of features. Defender allowed us to deploy it from our Office 365 admin console. That is probably the biggest thing that made us go with Defender.
Since we moved to Defender, we have more visibility into our security posture for our devices across the organization. We can not only see how the devices are doing as far as AV is concerned; we can also see any threats that might come up. We get alerts on those as well, which is very useful for us.
What needs improvement?
One thing that was lacking in Defender was web filtering. Its web filtering wasn't as comprehensive. Sophos was a little bit better than Defender for blocking URLs or installing programs.
In terms of additional features, we have more features than we use. We haven't really had a chance to dig too deep into it.
For how long have I used the solution?
We've been using this solution for about a year.
What do I think about the stability of the solution?
So far, so good. We haven't had any issues related to the service not being available or anything like that.
What do I think about the scalability of the solution?
It is highly scalable. We were able to deploy it across the organization fairly quickly. It is also pretty straightforward to add users or remove users.
We use Office 365 and Azure AD. We have somewhere around 400 users dispersed across the USA.
How are customer service and support?
When we reached out for support, there were times when it took a little bit longer than we liked, but once we were able to engage with their support, we were able to get the resolution fairly quickly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using Norton as our endpoint antivirus solution. We switched so that we are able to centrally manage endpoint security.
How was the initial setup?
My team implemented it, and I was in charge of overseeing the deployment.
We're a small team managing about 400 users across the organization. A lot of them are remote, especially since the pandemic. We have a couple of administrators who are responsible for checking Defender and just keeping on top of our security.
What was our ROI?
We have definitely seen improvements in terms of quickly being able to manage threats and being able to centrally manage everything.
What's my experience with pricing, setup cost, and licensing?
We mostly use Microsoft products. We use Office 365, and we use Azure. We're also a Microsoft partner. So, the licensing was much cheaper for us, and at the same time, a lot of the features that we were looking for were included in Defender.
We were trying to get our firm the security certification for government contracting. One of the requirements was to upgrade our Microsoft licensing to a level to be able to use the government cloud. We found out that the required licensing already included Defender. So, it helped us kill two birds with one stone. It was much easier for us to convince the executives to go with it.
Which other solutions did I evaluate?
We did evaluate other options. CrowdStrike was one of the solutions we looked at. It was a pretty good option, and then there was Trend Micro. Symantec was another one, and then there was also Sophos. Those were the options that we were looking at.
Some of them were prohibitively priced for us. Sophos was a pretty good solution, but it was pretty expensive as compared to some of the other options. Trend Micro was good, but the management interface was lacking for us. It didn't have some of the features that we were looking for. Symantec was just expensive, and their centralized management was also not that great. So, both Trend Micro and Symantec didn't have good management interfaces. Sophos had probably the best one, but it was very expensive. Sophos was also better than Microsoft Defender in terms of web filtering. Web filtering was something for which Microsoft Defender didn't have as good features.
What other advice do I have?
I would advise comparing it with others. If your environment is mostly Microsoft, it makes sense to use Microsoft Defender as part of your deployment.
I would rate it a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Security Analyst at SecureOps
Threat intelligence helps against potential threats before they hit, and Sentinel is powerful for searching
Pros and Cons
- "The visibility into threats that the solution provides is pretty awesome... This is something that makes me think, "Wow, okay. If I had my own organization, I would probably get this too." It stops the threat before an employee gets phished or something gets downloaded to their computer."
- "If there were more template queries in the library, that would make it much easier. They could have basic things, like, "Where's the IP for this user?" or, "What file was downloaded from this user?" If there were more of those basic queries that would help."
What is our primary use case?
Our server is on Azure, so we get alerts on Microsoft Defender. If it's an endpoint alert, we investigate the endpoint based on the type of endpoint it is, whether it's a computer or a phone, et cetera. We then figure out what kind of file was downloaded, if it was bad or good, based on the hash file.
We also use Microsoft Defender for Office 365 for email, where we get alerts based on phishing emails, spam, and we investigate them. We also do Sentinel queries, with KQL (Kusto Query Language).
How has it helped my organization?
Automation has had a positive impact. When we have a lot of false-positive alerts, we are able to set up a condition in Microsoft Defender where it will automatically close that as false. I don't create those conditions, that's something our security engineer does, but it makes my job easier.
Also, threat intelligence helps against potential threats before they hit. You can actually block and delete the emails from MDE whenever you detect them, or when they report, "Hey, this is a phishing email or spam email." It's also able to block and detect a bad or phishing URL. It has decreased our time to respond because if it detects a URL, we're able to automatically block and delete it before a user even sees their mailbox the next morning. It's very fast in detecting and we like that.
As a SOC, it has saved us time, on the order of 60 percent of our time.
What is most valuable?
The Microsoft Sentinel part is the most valuable when you have to search for the malicious folder or file the user downloaded. We use it to ingest data from our entire ecosystem and that is very important if we have to go back 30 days and investigate cases, and we need more details. It's able to ingest that much data. That's pretty important.
Sentinel also enables us to respond holistically from one place and that's good for my job. It makes it easy.
Also, the visibility into threats that the solution provides is pretty awesome. I had never actually seen this type of technology before. It was the first time I had exposure to the cloud. This is something that makes me think, "Wow, okay. If I had my own organization, I would probably get this too." It stops the threat before an employee gets phished or something gets downloaded to their computer. Even if it gets downloaded to the computer, it doesn't spread to the other networks, because Defender will automatically block it.
Another thing that is pretty awesome is that our Microsoft security products work natively together and deliver coordinated detection and response throughout our environment. As a SOC person, it makes my job very easy.
When it comes to the comprehensiveness of the threat protection from these products, so far I have seen how it's able to pick up the smallest script that is hidden in any type of malicious file. It's so good. And it gives you all the details: what kind of script was run, what kind of hash file, and what type of command was run. I'm pretty happy with it.
What needs improvement?
If there were more template queries in the library, that would make it much easier. They could have basic things, like, "Where's the IP for this user?" or, "What file was downloaded from this user?" If there were more of those basic queries that would help. I haven't seen basic ones, but there are a lot of advanced queries, where people need to know the KQL language to understand them. I'm still learning so that's why I'm providing that feedback.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for almost a year.
What do I think about the stability of the solution?
The stability has been really good so far. I haven't seen it go down or have an issue where it didn't work.
We have had some integration issues when something breaks, but that's just occasional. So far, it's good.
What do I think about the scalability of the solution?
We have it deployed across various departments. The IT users have more privileged settings.
Which solution did I use previously and why did I switch?
When I started with this company we used Splunk before we switched to Sentinel. We switched because Sentinel seems way faster.
How was the initial setup?
I wasn't involved in the setup of the solution, but when it comes to maintenance, we have security engineers who maintain our alerts, in case there are false positive alerts coming in.
What other advice do I have?
Work on Sentinel. It has a lot of power versus the Microsoft Defender solution.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
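As an added example that is not part of the review above, here is one Advanced Hunting (KQL) query of the "template" kind the reviewer asks for: it answers "what did this user download, from where, and is the file known-bad?" and joins in the device's last public IP. It assumes the documented Defender for Endpoint schema (DeviceFileEvents, DeviceInfo, the FileProfile() enrichment function), a 30-day lookback, and "jdoe" as a constructed placeholder account name.

```kql
// Added example, not from the reviewer or from Microsoft's query library.
// Run in the Microsoft Defender portal (Advanced Hunting); FileProfile() is
// a Defender-portal enrichment and is not available from Sentinel's workspace.
let user = "jdoe";                 // placeholder account under investigation
let lookback = 30d;                // matches the reviewer's 30-day investigation window
// Last known public IP per device, taken from the DeviceInfo heartbeat table
// ("Where's the IP for this user?").
let device_ip = DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, PublicIP) by DeviceId
    | project DeviceId, PublicIP;
// Files this account created whose origin URL was recorded (browser and
// mail downloads carry a Mark-of-the-Web that populates FileOriginUrl)
// ("What file was downloaded from this user?").
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where InitiatingProcessAccountName =~ user
| where isnotempty(FileOriginUrl)
| join kind=leftouter device_ip on DeviceId
// Enrich each hash with Microsoft's global prevalence and known threat name
// so "bad or good, based on the hash" is answered in the same result set.
| invoke FileProfile(SHA256, 1000)
| project Timestamp, DeviceName, PublicIP, FileName, FolderPath, SHA256,
          FileOriginUrl, FileOriginIP, InitiatingProcessFileName,
          GlobalPrevalence, GlobalFirstSeen, ThreatName, Signer
| order by Timestamp desc
| take 100
```

A low GlobalPrevalence combined with a non-empty ThreatName or an unsigned file is the row to pivot on first; the SHA256 column feeds directly into a file-page lookup or a custom detection rule.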
Network Engineer at a real estate/law firm with 51-200 employees
Covers everything that we want from our security platform, integrates with all enterprise services, and is infinitely scalable
Pros and Cons
- "It is a very advanced system based on AI. It has a very large database of places or sites on the internet where you should not go. It is continuously online."
- "It makes your Surface devices hot. It is resource-intensive. It strains your CPU, not more than other file scanners around, but it also does a lot more. When you are transmitting files or data, it is continuously scanning the traffic and analyzing it bit by bit to see what's going on, and that, of course, is costly in terms of CPU. It is CPU intensive, and if you are on battery, it drains your battery fast. That's the only drawback that it has."
What is our primary use case?
We are a property investment company, and people here use Microsoft Surface devices for their daily job. We are a Microsoft-oriented company, and we use it for our basic endpoint security implementation.
Our entire security is based on this endpoint solution. Sometimes you have centralized security where you scan all traffic going through a central firewall and you also check through several types of solutions. You also check HTTPS connections. Basically, for all the traffic going inside and outside the company, you use a security firewall, and this endpoint solution is actually a firewall solution or security solution that is distributed. So, all the traffic coming from and going into the end-user device is basically submitted for scanning. If you download an ISO on a website or an email, everything is scanned for security to check whether it contains any malicious data.
We are using Microsoft Defender for Endpoint Plan 2, which is the enterprise version of Microsoft Defender for Endpoint. We are using the most recent version of it.
We deploy it via Intune. The feature is called Microsoft Intune Autopilot. We have a hardware hash. A colleague of mine prepares the configuration and then based on the hardware hash and Autopilot, the devices are completely installed and joined to Azure AD and then to our enterprise. Intune is a Microsoft device management platform that comes with Microsoft solutions. When you buy a new device, based on the hardware hash, it can automatically find that device through Autopilot and do the specific deployment for your company. So, the users can use any type of device, start it, and then it will automatically be joined to our environment.
How has it helped my organization?
It is a completely integrated platform with advanced threat analysis, SIEM features, updated inventory, and so on. It is an all-in-one solution. Microsoft is taking over lots of companies to provide more and better services to its clients. This is one of the best solutions around at the moment.
It protects our organization from all kinds of attacks, such as ransomware attacks and any malware downloads. It is like an oracle who knows everything about:
- What is around at the moment?
- From where the attacks are coming?
- What is currently going on security-wise?
It knows about all the software that you have installed on the laptop, and whether they are not patched or have security issues. It covers everything you want from your security platform.
What is most valuable?
It is a very advanced system based on AI. It has a very large database of places or sites on the internet where you should not go. It is continuously online.
It is completely self-sufficient. You don't have to install anything. It is completely integrated into the operating system, and it also has a centralized information dashboard where you can immediately see:
- Are all your devices up to date?
- Are there any threats?
- Are the devices having problems with updates?
- Are they infected with anything?
- Was something blocked?
You can immediately see what is going on in your enterprise, in different networks, and also in people's homes in terms of endpoint security.
It is a zero-trust platform, and it integrates with all types of enterprise services that we run. It also integrates with the Office 365 environment where you can securely connect from anywhere.
What needs improvement?
It makes your Surface devices hot. It is resource-intensive. It strains your CPU, not more than other file scanners around, but it also does a lot more. When you are transmitting files or data, it is continuously scanning the traffic and analyzing it bit by bit to see what's going on, and that, of course, is costly in terms of CPU. It is CPU intensive, and if you are on battery, it drains your battery fast. That's the only drawback that it has.
They're continuously improving it. You can compare it with Teams. About a year ago, the codec and the presentation of the Teams application were not very well optimized, and if you were using the Teams application, it used to drain your battery. It still drains your battery, but they have improved it a lot, and it is a lot less CPU intensive after one year. They're working on Defender for Endpoint to make it less CPU intensive.
For how long have I used the solution?
We have been using Microsoft Defender for Endpoint for more than six months.
What do I think about the stability of the solution?
Its stability is quite good, especially with Windows 11, which is a very stable operating system. Of course, you can run into some issues. We have some issues with docking stations for Surface and screens, but generally, the operating system together with the endpoint security solution is very stable.
What do I think about the scalability of the solution?
It is the most scalable solution around. You can create an Azure tenant, and with a script, you can deploy 1,000 user accounts. There is no actual limit to it, so the scalability is infinite.
How are customer service and support?
Their support has improved. They're quite good. I would rate them an eight out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
It has the easiest setup that I've ever seen. It's completely integrated with Microsoft. When you deploy your machine through Autopilot and Intune and assign the license, everything is done automatically. Of course, you have a lot of possibilities and a lot of freedom for detailed configuration, but out of the box, it comes completely self-sustained. You don't have to do anything. This is one of the easiest solutions that I've seen.
You just apply for the plan in Office 365, and you set up your very basic Autopilot template where you would specify the types of software that have to be installed. For instance, you want Office or other types of software. The very basic template is enough to roll it out fully automatically.
It takes a couple of hours. If you apply for a tenant on Azure, you pay for the licenses, and you can roll out with a click on 200 to 1,000 endpoint devices within the hour. This cloud is really amazing.
What about the implementation team?
We are a small company with a few technical engineers, and we provide services for our clients. We provide all kinds of services such as maintaining endpoints and Azure cloud solutions with virtualized services and SaaS services.
Its implementation is more or less handled by my colleague. I do a little bit of configuration but not so much. My colleague knows about all the technical details. He does the complete installation and the complete central management of policies and templates. However, a basic part with basic software is very quickly implemented. You just create a tenant on microsoft.com, and then you can very easily roll out the necessary configuration for Defender for Endpoint to as many workstations as you would like.
What's my experience with pricing, setup cost, and licensing?
Its price at the moment is very good because you get a lot of value for your money, especially with the subscriptions. If you have the E1, E3, or E5 enterprise subscription, you pay per month per user, and you get almost an infinite number of solutions. If you compare the price to the number of solutions that you get, it is a very good deal.
I'm only concerned about the future because Microsoft is taking over one company after another. In the end, there will be no alternative and then they can do whatever they like, but for now, in terms of price, Microsoft is one of the best performers.
What other advice do I have?
At the moment, it is one of the best security platforms for endpoint security in the market. It is comparable to SentinelOne in terms of features and functions.
It is part of Microsoft's ecosystem. If you need a reliable and secure work environment, and you are bound by GDPR and other standards where you have to take care of your data and prevent breaches and unauthorized access, it is a great solution.
The E1, E3, or E5 license contains Defender for Endpoint along with many other solutions. Having just the scanner is not enough these days. You need an overview of your whole environment. You need to make sure that your endpoints are encrypted, they are up to date, and they are correctly using zero-trust relationships for your central services. All these things that you need these days are perfectly implemented in the solutions that Microsoft provides. This is the only way for a company that takes data seriously and has to give a guarantee to customers that data is protected.
It is resource-intensive, but you have to take into account that it is not only a file scanner. It is continuously scanning every connection you make on the internet. It is deeply investigating the data that you transport and the connections that you make. It is scanning your files, and it is scanning your software against all kinds of knowledge bases to identify whether there are vulnerabilities in the software that you use. It is a solution that integrates almost everything. It is doing what a central firewall did before, but it is doing that in a distributed way on your device. So, it does so much more than you expect. If you are providing it to your users, you have to take its CPU consumption into account, and you need to provide sufficient CPU power for this.
I would rate it an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner