Try our new research platform with insights from 80,000+ expert users
it_user1583334 - PeerSpot reviewer
Network & Security Manager at SNP Technologies, Inc.
Real User
Combined with Sentinel, we get a wholesale view over entire infrastructure
Pros and Cons
  • "The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it."
  • "There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff.... There is no direct way to go ahead because it's a SaaS platform."

What is our primary use case?

We use 365 Defender with Outlook, Teams, and SharePoint. Our organization extensively uses these products as do the clients we serve. Our goal is to secure those email, SharePoint, and Teams environments.

How has it helped my organization?

Our Microsoft security solution has helped eliminate having to look at multiple dashboards. For a wholesale view over the entire infrastructure, Sentinel is the place to go. But M365 Defender alone only covers 30 to 40 percent of the infrastructure.

We have saved a lot of time compared to having to do tasks with other tools. With Microsoft, it's easier for us to manage and handle them. It saves us about 40 percent of the time it would have taken us. That includes the automating of detection and response.

What is most valuable?

The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it.

The information that the solution provides is pretty clear because I have an overall picture from the compliance dashboard, which is now called the Azure Purview Compliance dashboard or manager. It has all the information, including the DLP information, sensitive data being shared, threat protection, and attacks. All of that is on a single dashboard where I see what the state of security is.

We use the entire suite of Purview features, including Sentinel, Defender for Cloud Apps, Defender for Endpoint, and even new features like Microsoft Defender for DevOps. Sentinel is the out-of-the-box SIEM tool that should definitely be used for more visibility on the M365 side. Of course, we have the compliance dashboard, but Sentinel acts as the single point of contact for visibility into all devices. That way we can see, if there are any threats or vulnerabilities, what the dependent resources are. Sentinel helps give us that bigger picture. We also use Defender for Identity and Defender for Cloud, with different features for the different aspects within the cloud, such as various servers and DNS, et cetera.

With its different connectors, Sentinel enables us to collect data from our entire ecosystem. All the logs are injected into a workspace in Sentinel where Sentinel can analyze them. If we unlock the Microsoft threat intelligence program, which is part of Sentinel, we can investigate threats and respond holistically from one.

Integrating these products is pretty simple. Microsoft Sentinel integrates really fast. Obviously, it's from the same stack so it's easy for us to integrate with just the click of a button. The connectors then help us integrate these services.

If we have all these products in use, we can achieve a 90 to 95 percent security maturity model, without requiring any other vendors' solutions to protect resources.

What needs improvement?

There are two areas where I feel there is no Microsoft solution. One is vulnerability management, where Microsoft is partnered with Qualys. The other is a penetration testing tool on the preventive side. That would be more for an ad hoc request and not for everyday functions. Apart from these, all the other areas can be covered with Microsoft solutions.

There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff. By integrating Microsoft 365 Defender with Sentinel, we can definitely automate things. We can leverage playbooks, and execute Terraform scripts. But directly automating tasks in the 365 Defender is something we have to do with PowerShell, which is then connected to Exchange Online. There is no direct way to go ahead because it's a SaaS platform. But if you integrate it with Sentinel, where all the alerts are created and action needs to be taken, it is pretty comfortable for automation.

Also, I would like to see it be a lot less policy driven. On the M365 side, there are a lot of policies that we need to enable to achieve a certain task. There is no direct solution; rather, there are a lot of workarounds.

I understand that Microsoft is dealing with a lot of tools at once and having a direct solution is not viable. But I would hope that Microsoft can improve that side of it.

Buyer's Guide
Microsoft Defender XDR
August 2025
Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,370 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Microsoft 365 Defender for more than five years.

What do I think about the stability of the solution?

It's a pretty stable solution and in terms of the SLAs it is pretty good. When it comes to applying policies and the standard documentation that Microsoft provides, everything works according to that. I would rate the stability a nine out of 10.

What do I think about the scalability of the solution?

It surely is a scalable solution, being a service that Microsoft offers.

How are customer service and support?

The technical support is not great. I have been working with these Microsoft products for quite some time, and I have raised issues and contacted them. Every support case I have raised has needed escalation. From my experience, the first-line support team doesn't have anything other than out-of-the-box solutions. Everything with that level of support is pretty standard, SOP-driven, and documentation driven. That is nice, but only to a certain point. When we are talking about the SOP that a level-one engineer does, that's when the support is very poor.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

We previously had on-prem solutions. For Exchange and for endpoints, we used to have McAfee, but that was more than five years ago. Previously, Defender for M365 used to be ATP, Advanced Threat Protection, and that's when we started using it.

Previously, we had many things on-prem, such as Exchange Servers, SharePoint, and database servers. But as Microsoft drove toward cloud-native solutions and moved Exchange, SharePoint, and Dynamics 365 online, moving to M365 was a part of the move.

How was the initial setup?

There is no straightforward solution with Microsoft. There are definitely a few restrictions and limitations. We should go ahead and call that out and there were definitely challenges.

The major challenge was moving the mailboxes from on-prem Exchange to Exchange Online. That was not straightforward because the goal was not to lose any emails, and that certain format-related issues be taken care of.

We followed a waterfall method with a proper plan of action. We performed a PoC first, to make sure that the test users were migrated successfully. Once that was done, we did a proper plan in terms of department hierarchy for migrating our departments and detailed a plan of action in case there were any failures. We then did a proper pilot where we chose about 25 mailboxes for migration, and then we went ahead and migrated everyone. 

One of the reasons it took six months was there were only five of us involved.

Because it is a SaaS service, Microsoft promises three nines of uptime. There is no maintenance on our side.

What was our ROI?

We are seeing a return on investment compared to the same types of solutions that we used to have five years ago. We would have spent more than what we are spending right now. It's not just about the licensing, it's also about the team that manages it and the operations side of it. But compared to how things were, the return on investment has been positive.

I doubt that we are saving money with this solution because all the features are only available with a Microsoft 365 E5 license, which is the highest. And that doesn't come cheap because it's on a per-user basis. If there are 1,000 users, you are investing a lot.

What's my experience with pricing, setup cost, and licensing?

The pricing model of Sentinel is entirely different from any other standalone SIEM tool. Other tools work on a licensing model with a fixed price based on the different modules that are enabled. Sentinel is not a fixed price. It depends on how much data is injected into it. With Microsoft, if there are 100 GB per month, it's about $2.30 per GB, or around $2,000 on a monthly basis. Compared to a fixed licensing cost, where organizations know that there is a certain budget they need to put aside for the license, on the Microsoft side, we really can't anticipate the cost.

The pricing of Microsoft 365 Defender is definitely on the costly side, but with the features and services that Microsoft provides, such as the seamless integration of all the Defender tools, while the price is on the higher side, there is no alternative.

What other advice do I have?

My advice would be to try out Microsoft and compare it with other vendors. If your vision for Microsoft includes needing customizations and a lot of use cases, I don't think Microsoft M365 would support that. Where Microsoft shines is the seamless integration and dealing with less configuration management. But at the same time, organizations are adopting other solutions, such as Linux, and they want customization and that is not possible on the Microsoft side.

Microsoft 365 Defender helps prioritize threats to the enterprise, but not alone. Rather, it is through combining it with other Defender products like Defender for Cloud Apps and Defender for Endpoint. All these, in combination, can provide really good security, visibility, and threat protection against any vulnerabilities or threats. But with just M365, our hands are tied with the scope, which is limited to emails, Teams, and SharePoint.

We can't 100 percent automate things, but we can automate about 80 percent of our tasks. It has made life easier. But, at the same time, if a scenario is not something that repeats, performing an activity automatically would reduce the time spent, but not by that much. We have automated a few areas for things that occur on a regular basis, but at the same time, we come across situations now and again that we think about automating, but we also think about the effort that we would have to put into doing so. Will it be a recurring solution or not?

There are also some advancements that Microsoft has launched to automate threat surface reduction, some features that we could try to help us analyze steps to be taken before an attack happens, but nothing that I have tried yet.

Hypothetically, when looking at whether a single vendor or a best-of-breed strategy is best, being an architect the last couple of years, what I've seen is that having a multi-vendor system is definitely a good approach rather than going with a single vendor solution. Even though Microsoft has all these tools, we can't achieve 100 percent security. There are the areas for improvement that I mentioned, where Microsoft doesn't have a single solution, like pen testing and vulnerability management. My suggestion is always to go with a multi-vendor solution. Microsoft might reach a level where, at a certain point, they will have 100 percent coverage, but my approach would still be multi-vendor.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Security Consultant at G.Network
Consultant
Top 20
Effective OS threat detection with room for enhanced threat hunting capabilities
Pros and Cons
  • "Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans."
  • "Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans."
  • "Microsoft could improve on threat hunting and build more on threat detection and handling."
  • "Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products."

What is our primary use case?

We are yet to use Microsoft Defender XDR for ourselves as we are yet to procure the product.

What is most valuable?

Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans. Additionally, the threat detection at the OS level is a very good feature of Defender.

What needs improvement?

Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products.

For how long have I used the solution?

We have not yet used Microsoft Defender XDR as we are yet to procure the product.

Which solution did I use previously and why did I switch?

I was working with CrowdStrike before Microsoft Defender XDR. CrowdStrike has advantages in terms of threat hunting.

What was our ROI?

We are doing it for the first time, so I have nothing to compare in terms of ROI.

What's my experience with pricing, setup cost, and licensing?

The pricing is a little high, however, it is on par with other competitive tools in the market.

Which other solutions did I evaluate?

I have not evaluated other XDR solutions besides CrowdStrike.

What other advice do I have?

I would recommend Microsoft Defender XDR to others as long as they are aligned with Microsoft products, cloud, or on-prem, especially if they are using Microsoft Windows architecture. I would rate Microsoft Defender XDR six out of ten overall.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Buyer's Guide
Microsoft Defender XDR
August 2025
Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,370 professionals have used our research since 2012.
reviewer2595324 - PeerSpot reviewer
Owner at a consultancy with 11-50 employees
Real User
Offers capabilities that other solutions don't offer
Pros and Cons
  • "The feature I find most valuable is Defender for Endpoint."
  • "The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users."
  • "The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users."

What is our primary use case?

Our primary use case for Microsoft Defender XDR is to serve as our email security solution, offering file protection, scanning, alerts, and incident management. It is a part of every Microsoft 365 deployment we do.

How has it helped my organization?

The integration of Microsoft products simplifies management, reporting, and investigations. It offers capabilities that other solutions don't offer.

What is most valuable?

The feature I find most valuable is Defender for Endpoint. It's because endpoint management is my primary focus, and this feature integrates well with my other skills.

What needs improvement?

The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users.

For how long have I used the solution?

I've been using Microsoft Defender XDR for about ten years since it was known as Office 365 Advanced Threat Protection.

What do I think about the stability of the solution?

I have no concerns about the stability of Microsoft Defender XDR.

What do I think about the scalability of the solution?

We are only a small organization, and our operations don't even challenge Microsoft Defender XDR's capabilities.

How are customer service and support?

The customer service and support have been good. Whenever it is needed, they are fast to respond.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used various solutions over the years, but since then, we've been using the Defender variants.

How was the initial setup?

The initial deployment was straightforward.

What about the implementation team?

We implemented Microsoft Defender XDR ourselves in-house.

What's my experience with pricing, setup cost, and licensing?

There are no issues with pricing, but sometimes, the clarity in licensing is a concern. I still need to verify what's included with each license occasionally.

What other advice do I have?

I would rate Microsoft Defender XDR a ten out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Brian Mulambuzi - PeerSpot reviewer
IT Technician Engineer at Nevasa Foundation
Real User
Top 20
Helps improve our visibility, our security posture, and defends against advanced threats
Pros and Cons
  • "The ability to isolate and address viruses is the most valuable feature of Microsoft Defender XDR."
  • "Just like in any solution, the price can always be cheaper."

What is our primary use case?

Microsoft Defender XDR is our antivirus solution.

How has it helped my organization?

Microsoft Defender XDR provides a unified identity and access management platform.

It does a good job with identity protection.

Including identity and access management within Defender XDR is valuable because it streamlines our organization's security by consolidating multiple tools into one. This eliminates the need to manage and pay for separate solutions and licenses, simplifying our security posture.

Microsoft Defender XDR has improved our visibility, making us more efficient by providing threat details and remediation steps as well as improving our security posture.

It safeguards our organization by preventing advanced threats like ransomware and business email compromise, along with stopping lateral movement within our network that could enable attackers to spread and gain wider access.

It includes the ability to stop attacks and adapt to evolving threats. This is an important feature for us.

We have been enabled to discontinue using Microsoft Sentinel.

Microsoft Defender XDR helps save costs through the licensing for businesses which is around $20 each and helps save time for our security team.

What is most valuable?

The ability to isolate and address viruses is the most valuable feature of Microsoft Defender XDR.

What needs improvement?

Just like in any solution, the price can always be cheaper.

For how long have I used the solution?

I have been using Microsoft Defender XDR for three months.

What do I think about the stability of the solution?

Microsoft Defender XDR is stable. It has been running smoothly for us.

How are customer service and support?

The support has been perfect.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

To consolidate our security tools and avoid additional costs for a separate EDR solution, we leveraged our existing Microsoft Sentinel license to migrate to Microsoft Defender XDR, which already includes EDR capabilities.

How was the initial setup?

Our initial deployment of Defender XDR onto machines was simple. Onboarding a machine involves configuring settings within Intune for our tenant, allowing Defender XDR to communicate and collect data. The entire deployment process took only two hours and required just one person.

What about the implementation team?

The implementation was completed in-house.

What other advice do I have?

I would rate Microsoft Defender XDR ten out of ten.

No maintenance is required.

I recommend Microsoft Defender XDR for small businesses like ours.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2313252 - PeerSpot reviewer
Senior Infrastructure Engineer at a manufacturing company with 51-200 employees
Real User
Top 20
Reduces our reliance on other products, adapts to threats, and saves us time
Pros and Cons
  • "The threat intelligence is excellent."
  • "Advanced attacks could use an improvement."

What is our primary use case?

We use Microsoft Defender XDR for antivirus, threat intelligence, and email blocking.

How has it helped my organization?

Microsoft Defender's XDR platform provides unified identity and access management. It has improved significantly, although other products remain slightly ahead. I would rate it among the top four or five XDR platforms I've used, and Microsoft is continuously enhancing its capabilities. Overall, it's a fairly good solution.

Consolidating identity and access management under one umbrella within Defender 365 offers significant advantages. This unified approach simplifies control and visibility, eliminating the need to navigate through different screens from multiple vendors. With everything centralized, we gain a comprehensive overview of all IAM activities and can easily access specific details through subcategories. The main page provides a clear starting point, highlighting key information and granting quick access to deeper levels of detail when needed.

While Microsoft Defender can effectively impede the lateral movement of advanced ransomware, it cannot guarantee complete protection. No system is perfect, and vulnerabilities will always exist.

Defender's ability to stop attacks includes its adaptability to evolving threats. Microsoft has been steadily improving Defender over the past few years, and they continue to do so. Several updates in recent months have changed Defender's functionality, making it more effective. While technology advances and tools like Defender improve, the skills of hackers and their tools also evolve. This necessitates continuous improvement to keep pace.

Adaptability to evolving threats is crucial. A static system is vulnerable to attack. Its unchanging vulnerabilities can be readily identified and exploited, allowing unauthorized access and manipulation. Constant improvement is necessary to maintain security.

While we have reduced our reliance on other products, we haven't eliminated them at this time. We are actively reducing our use of other products as we progress. Once we have completed the configuration and setup process for Defender XDR, we can then fully transition to using it as our primary product.

Defender XDR has saved our security team approximately two hours per day. Automation is improving steadily, allowing us to automate audit file processing and scheduling. This provides us with continuous insight into our environment. The main page offers a high-level overview of current activity, enabling us to quickly identify any anomalies. Our security team can then address these anomalies promptly.

What is most valuable?

The threat intelligence is excellent. Email collaboration is very good. Device protection is useful. Overall, 90 percent of Microsoft Defender XDR is used weekly, primarily for email collaboration.

What needs improvement?

Advanced attacks could use an improvement.

For how long have I used the solution?

I have been using Microsoft Defender XDR for almost four years.

What do I think about the stability of the solution?

I would rate the stability of Microsoft Defender XDR a nine out of ten.

What do I think about the scalability of the solution?

Microsoft Defender XDR is scalable and we are planning to increase the usage.

How are customer service and support?

The Microsoft technical support I used in the past was quite good. They were typically responsive and efficient, providing solutions quickly. However, I haven't needed their assistance in the last year, so I can't offer an updated assessment.

Which solution did I use previously and why did I switch?

Our past experience includes Sophos, Check Point, and ESET. We briefly utilized SentinelOne as well, but ultimately opted for Microsoft Defender XDR. We had Defender included in our purchases but it wasn't being utilized fully until I fine-tuned and set it up to work more efficiently.

What other advice do I have?

I would rate Microsoft Defender XDR an eight out of ten.

We require three people for maintenance.

We have Microsoft Defender XDR deployed across multiple locations, roles, and teams.

Before implementing Microsoft Defender XDR, ensure that all the features will be utilized otherwise it is more cost-effective to go with a smaller package that includes only the features needed by the organization.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
SysAdmin Engineer at FileVine, LLC
Real User
Features a straightforward and user-friendly interface, excellent visibility into threats, and integration with other Microsoft security products
Pros and Cons
  • "The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update."
  • "Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed."

What is our primary use case?

At FileVine, we provide case management software for attorneys, so we have considerable SOC 2 compliance requirements. We need more than a firewall; we also need a solution that helps us upkeep and manage devices, laptops, etc. 365 Defender fulfills these requirements, and SOC 2 compliance is our primary use case.

We're a hybrid company using both Macs and Dells, deployed across multiple regions.

How has it helped my organization?

The solution helps us improve compliance regarding end users installing updates. It clarifies which users need to update and how they can go into Terminal or PowerShell to perform that process. We don't have to waste time looking for what needs to be done, which is a useful functionality. The product automatically informs us of high and low priorities, which is great; it allows us to deal with the most significant priorities first.

365 Defender helps us automate routine tasks, and we get updated daily. We can integrate Splunk to see what's going on and what needs to be updated. Automation significantly impacts our security operations; it feels like we have a vault around us that nobody can breach.  

What is most valuable?

The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update.

The visibility into threats provided by the solution is excellent. When a threat triggers a response based on our set rules, it's stopped, and we are notified via email. We can then analyze the threat and make a decision; this entire process is straightforward and user-friendly. 

The product helps us prioritize threats across the enterprise, especially in the legal domain. It is very valuable, and one of the reasons we have been so successful at Filevine is the security measures we have in place. We use many tools, one of them being Microsoft 365 Defender, which significantly contributes to our IT team and company's success.   

Our integration of multiple solutions helps to deliver a coordinated detection and response in our environment. We integrate with Zscalar, which is very easy and manageable. We thought it might be difficult, but it works very well. Much like a car, our security system is composed of many moving parts working together, which helps us move forwards as a company and thrive in a relatively challenging economic time. 

The comprehensiveness of the threat protection provided by using multiple Microsoft security products is excellent. It's a simple system; we have incoming and outgoing traffic rules. When a rule is triggered, we are notified by email to look over the situation. For example, we can see viruses and malicious actors attempting to breach our security and respond by blacklisting the IP address. Sometimes, we gather information and pass it on to the FBI, as we have many SOC 2 clients.

365 Defender helped eliminate multiple dashboards, which is great because I like to be as minimalistic as possible regarding dashboards. Now, I only have to look at one or two at most, simplifying the security landscape, and I love that about the tool.  

The solution's threat intelligence helps us prepare for potential threats before they hit; most recently, we were protected from the August 2022 Apple hack. We had measures in place, so none of our devices were affected. We were spared any data compromise, and it's an excellent example of why we invest in security solutions. It builds our confidence and strengthens our case with the higher-ups for increasing and maintaining our cybersecurity budget. 

The product certainly saves us time. We trust in the protection and can focus on different projects, including automation, so we don't have to spend time dealing with issues and security breaches. I'd say we save four or five hours a week.  

365 Defender saves us a lot of money because we don't have to recover data or hire outside lawyers to help us with legal trouble. We don't need to invest in physical products or external security teams and solutions. We can keep our security operation within the company, so all our money is invested in people who care about our product and business.  

The solution quickly notifies us when a threat is detected, increasing our response speed. Other products I used in the past sometimes had significant delays with notifications, which is far from ideal when dealing with potential security threats. 

What needs improvement?

Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed.

For how long have I used the solution?

I have been using the solution for a few years. 

What do I think about the stability of the solution?

The solution is very stable with low latency. 

What do I think about the scalability of the solution?

The product is highly scalable, which is fantastic because we have been expanding significantly. It's up and running and good to go very quickly, which has been excellent for our expansion in Florida, New York, Maine, and Canada.

How are customer service and support?

I have yet to contact support. One thing that helps in this regard is that I have an AZ-900 handbook with Microsoft fundamentals. 

Which solution did I use previously and why did I switch?

365 Defender was already in place when I was brought into the company, but they previously used Jamf Protect. They switched because it cost too much and wasn't fulfilling the requirements. It didn't perform as well as 365.

How was the initial setup?

I can't speak to the setup as the solution was in place when I arrived at the company. However, 365 Defender is one of the most lightweight tools we use in terms of maintenance. We keep it up to date, and it works very well.

What was our ROI?

I would say the solution gives us a significant ROI, especially considering the issues in the industry recently. Russia and China hacked many companies, but we never had that problem, and that's a lot of money saved for us. That's not entirely because of 365 Defender, but also thanks to our excellent security team and the robust toolset at our disposal to protect our operation.

What's my experience with pricing, setup cost, and licensing?

The solution is affordable, and we haven't been hit with any hidden costs. The subscription model is straightforward, and it's easy to understand how much additional features cost. If we need to cancel a license or feature, we do that well in advance to avoid being charged for it, but overall, the pricing and licensing are simple and easy.

What other advice do I have?

I would rate the solution an eight out of ten. 

We use multiple Microsoft security products, including Defender for Endpoint, MFA as a standard on all work laptops and computers, and Endpoint Manager. We use additional tools to protect the Mac side of our operation. We use Microsoft Intune, some other MDMs, and some other assets from Defender for Cloud, and for cloud security, we use GCP, Azure, and AWS. 

Many of these products are integrated, and the integration was relatively straightforward. It was somewhat time-consuming as we previously used Jamf Protect for a long time, so switching our entire infrastructure over to the new products took some time.   

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Paul Cooke - PeerSpot reviewer
Consultant at a computer software company with 51-200 employees
Reseller
Top 10
Provides advanced threat detection, investigation, and response capabilities
Pros and Cons
  • "Microsoft Defender XDR provides strong identity protection with comprehensive insights into risky user behavior and potential indicators of compromise."
  • "Improving scalability, especially for very large tenants, could be beneficial for Microsoft Defender XDR."

What is our primary use case?

Extended XDR expands threat protection across endpoints, email, identities, and cloud environments.

What is most valuable?

Microsoft Defender XDR provides strong identity protection with comprehensive insights into risky user behavior and potential indicators of compromise. It includes capabilities for monitoring Active Directory against attacks and threats, making it a broad and deep solution for identity security.

What needs improvement?

Improving scalability, especially for very large tenants, could be beneficial for Microsoft Defender XDR. Additionally, enhancing the privilege access management capability would make it a better solution overall.

For how long have I used the solution?

I have been using Microsoft Defender XDR for about a year and a half.

What do I think about the stability of the solution?

Microsoft Defender XDR is very stable. I would rate the stability as a 10 out of 10.

What do I think about the scalability of the solution?

I would rate the scalability of the product as a 10 out of 10.

How are customer service and support?

Microsoft's customer support for Defender XDR is generally very good and I would rate it at around an eight out of ten. Larger customers like us, especially those partially owned by Microsoft, tend to receive excellent support. However, smaller organizations may not experience the same level of support.

How would you rate customer service and support?

Positive

How was the initial setup?

Microsoft Defender XDR is typically deployed at the organizational level across multiple locations and departments. Maintenance is required, and the number of people needed depends on the organization's size and complexity. It could range from a large team for a big organization to just a few individuals for smaller ones.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender XDR is expensive, especially for the full suite functionality. However, when compared to buying multiple-point solutions separately, it may be comparable in price. Overall, it is competitive within the market, but the broad capabilities make direct cost comparisons challenging.

What other advice do I have?

Clients implement this tool to address various security issues efficiently. Microsoft Defender XDR offers a unified solution for a wide range of security needs, including extended detection and response across multiple platforms like Office, endpoints, mobile, and identity.

Microsoft Defender XDR includes some identity and access management features, especially when used alongside Azure Active Directory's privileged access management capabilities.

While primarily focused on Microsoft technologies, Microsoft Defender XDR can integrate with third-party SIEM vendors and covers multiple operating systems, including macOS, iOS, Android, and Windows, through its Defender for Endpoint and Intune capabilities.

Microsoft Defender XDR is designed as an XDR solution, utilizing the Mitre ATT&CK framework to detect and correlate events across various areas of compromise. It can identify and correlate events related to advanced attacks, such as business email compromise and ransomware, affecting security operations by providing insights into the events leading up to such attacks.

When security products like antivirus and vulnerability management software are discontinued in favor of Microsoft Defender XDR and other Microsoft 365 tools, it streamlines operations but may require less manual correlation of security events.

Some organizations might experience a 10-20% cost reduction with Microsoft Defender XDR, but for me, the main goal is to improve detection and response capabilities, not just save money. It is about adapting to the evolving threat landscape rather than focusing solely on cost savings.

Microsoft Defender XDR has saved time for our security team, making our operations more efficient.

For those evaluating Microsoft Defender XDR, my advice is to understand your requirements and map them to the appropriate licensing capabilities. It is not a one-time project but an ongoing process, so plan for continuous improvement of your security posture.

Overall, I would rate Microsoft Defender XDR as an 8 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
MuhammadBilal6 - PeerSpot reviewer
Cyber Security Analyst at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
It also has an AI-assisted automated feature that cuts off access to persistent attacks
Pros and Cons
  • "I like how Microsoft XDR and the other Microsoft products are integrated into a single unified security stack covering identity access management, endpoint protection, email, cloud applications, etc."
  • "Because of the training model, Defender XDR's automatic response sometimes blocks legitimate users and activities. Also, the UI sometimes responds slowly."

What is our primary use case?

I work at a SOC, and we use Microsoft XDR to provide 24/7 monitoring for our clients. We use it to monitor all types of incidents, including attacks on endpoints and email-related threats. It's integrated with other Microsoft solutions.

What is most valuable?

I like how Microsoft XDR and the other Microsoft products are integrated into a single unified security stack covering identity access management, endpoint protection, email, cloud applications, etc. The Kubernetes security feature hasn't been released yet, but we're looking forward to that. I'm just focusing on that because it will be a game-changer.

The integrated identity and access management is helpful because sometimes you don't have the information you need inside XDR, so you can go to Entra for more details.

XDR can stop advanced attacks like ransomware and BEC attacks. It also has an AI-assisted automated feature that cuts off access to persistent attacks. This feature disrupts the attack by disabling user access. A person needs to analyze if the response is correct and reject or approve. 

Through integration with Microsoft Lighthouse, we can manage multiple tenants on one screen, and prioritize which areas of the environment to address first. Sometimes, one tenant may be inaccessible to you. It will show an error, but then it will start working again automatically. 

What needs improvement?

Because of the training model, Defender XDR's automatic response sometimes blocks legitimate users and activities. Also, the UI sometimes responds slowly. 

For how long have I used the solution?

I've been working with Defender XDR for the last six months.

What do I think about the stability of the solution?

I rate Defender XDR 8 out of 10 for stability. 

What do I think about the scalability of the solution?

Defender XDR is scalable. 

How are customer service and support?

We had a problem once getting a feature to work correctly after an update. We contacted Microsoft, and it took about 2 or 3 days to resolve.

Which solution did I use previously and why did I switch?

I previously used QRadar and Splunk

How was the initial setup?

Deployment is easy. It requires some maintenance on the Microsoft side. 

What other advice do I have?

I rate Defender XDR 9 out of 10. I would recommend Defender. It's easier to use than other products I've worked with, such as Splunk and QRadar.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025
Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros sharing their opinions.