Contractor at a tech vendor with 11-50 employees
Provides us with better insight into what's going on across our platform
Pros and Cons
- "It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done..."
- "In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things."
What is our primary use case?
We're using it for our email filtering to check incoming emails and URLs. We're also using it for vulnerability management to see the status of our assets that are registered on the system. We also check it to see what kinds of threats and campaigns are currently being launched via emails.
How has it helped my organization?
It provides us with better insight into what's going on across our platform. It has also given us a very easy way to respond when threats or alerts come through. And when looking for someone in particular, it helps with that. It hugely improved our insight into what's going on inside the company's premises and environments.
365 Defender also helps find high-value alerts, but we haven't used it for complete automation. It has some automation features where it can try to block or quarantine things, but beyond the default automation configuration, we haven't explored deeper into using automation. The default settings work well.
And while we've always used one or two dashboards, this system has made it easier to have a quick overview on a single platform.
In addition, the threat intelligence helps prepare you for potential threats, to a certain limit, because it gives you insights into where your shortcomings are, your vulnerabilities. It also gives you some security recommendations to make improvements.
And the solution has decreased our time to respond because on high alerts you can get a quick response. The system will notify you very quickly if it detects something at a certain threat level or a custom threat level that you set.
What is most valuable?
Microsoft 365 Defender has a very great interface to help protect registered devices when it comes to web protection, which is very handy.
We also use the alert systems often. It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done, including websites accessed, et cetera. And if something was on the machine, we can see what it was trying to do.
I use the alert system on a daily basis. It gives you a very good analysis of where something was found, which employee or which device. And it often gives you a good history on that. The alerts help me to monitor and check what is going on. That's a very valuable system to have.
We've also tried the attack simulation, which sends out phishing emails internally as a test to see how the users respond. We get feedback and use the training simulation as a result. We've only done that once, and it's something we want to work on a little more.
In addition, we're using the assets on the system as well as the inventory functionality. It checks all the machines to see what software is installed on them.
We've used a lot of the features on the cloud, although not everything to its full potential, but we've used 70 to 80 percent of all the features on the cloud.
What needs improvement?
In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things.
The information it provides is great, but for a newcomer, it is quite tedious and takes a long time to load. Here in South Africa, when you click, oftentimes you have to wait quite some time before you get to the next page. It's not necessarily internet-related. I think it's just that the service is a bit slow.
Also, while the solution does help to prioritize threats, unfortunately, it doesn't do so for the entire environment. The reason is that it only supports full integration from Windows 10 and up. It provides you certain information from your server environment, but when you start going with legacy services, it is a bit lacking.
Another issue that is sometimes a headache is that they constantly make changes. Things will be merged, they will get different names, or be moved around. Things will be added and other things go somewhere else. They do a lot of development to make the product better, but it's very frustrating having to search for stuff after they've moved it, because you don't always know that they have moved things. They might have little banners, but if you're just working and don't read them, you don't know where things have gone.
I would also really like to see better integration with the server platforms for managing your server environment. That's something it currently doesn't do. For all the server environments, you either need to make use of group policies or SCCM to manage that independently. It can provide you information on the system, but it doesn't have control over your server line.
Also, I make use of 365 Defender on a business level and on a personal level. On the personal level, there is a lot less functionality. Something that would be very nice is that, for the level you are on, you would only see the product you are subscribed to. For instance, if you log on via the business, you have all your action areas, anything you can do and see, on the left. Because you're using it at a corporate level, you can see and do everything. On the personal level, or in a small business where you're only using some of the features, you still have all the same options, but when you click on them, it tells you that you need to upgrade or subscribe. They should only show you what you have access to, and not all the tabs and then say, "You need to subscribe to get access to this." It just clutters the whole area.
Buyer's Guide
Microsoft Defender XDR
June 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.
For how long have I used the solution?
We have been using Microsoft 365 Defender for about two years.
What do I think about the stability of the solution?
Overall, it has 95 percent stability. We don't have any issues with it. It works well. Microsoft does provide frequent information when there are issues or delays. But the stability is very good.
What do I think about the scalability of the solution?
We're still learning a lot about its capabilities. It's more capable than what we use it for. That is due to a restriction on our resources and availability to get to know the system even better.
How are customer service and support?
We have contacted Microsoft tech support multiple times. They are quick to respond to the original request. Sometimes I have been quite surprised because they have replied within 15 minutes. Some of the questions we had were resolved quickly, on the order of 60 minutes. I had one that took almost two years to get resolved. But in general, they are quick to respond. Their support is very good and quick.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before 365 Defender, we made use of Avast as our antivirus, which had its own web console. For malware protection, we used an on-prem Cisco IronPort system that was scanning all our emails. And most of our SIEM logging information was done manually. We had much less insight into what was going on in the company.
What about the implementation team?
Because it was a new solution for us, we had a company that works with Microsoft assist us, to make sure that all the configurations were standard. But since then, we've maintained most of it ourselves. On our side there were no more than five people involved.
What was our ROI?
It's a very expensive product, but for any threat it has definitely stopped or protected us from, in that sense, it has saved money and time, by preventing things that could have happened. But is it affordable? No, it's expensive.
What's my experience with pricing, setup cost, and licensing?
If you look at everything that the solution entails, and the big cost to companies, especially medium-sized companies, one would like to have a bit of a price decrease due to economic circumstances. The functionality is fantastic, but for medium and small-sized companies it's overpriced. It would be better if it were a little bit cheaper.
Which other solutions did I evaluate?
We did look at other solutions. In the end, we decided on 365 Defender because it was all integrated. It worked to our advantage because all the products that we needed were already on the machines. All the products that you get from the Defender area are part of the built-in Windows 10 features. It gave us a better way of controlling and managing things. Overall, it made more sense to have one central place to manage and control and be alerted.
What other advice do I have?
My advice is don't be frightened when you start getting into the solution. If you are not used to the environment, it is a mouthful, and it can really scare your socks off. There's just so much to it that you won't really know where to start.
The best thing I can recommend to anybody who is starting is to get somebody who knows the system to give you a walkthrough. Also, look at the tutorials to see what the functionalities are. It will be beneficial for any person to get a good overview of what's going on in 365 Defender, the capabilities and how it looks. But getting in contact with somebody who has some experience already in using it will help you to ask where to find things. "Where do I go from here? Show me how you're set up, so I can at least see some of the functionalities."
My very first impression of 365 Defender was that I was looking for something, but I didn't even know where to start. It was too overwhelming. As I spoke to other people who knew about the system, they gave me an overview and that made it easier for me to understand and to know where to go.
365 Defender is our main deployment, but we've got the endpoints also connected on Intune. They work together to deliver coordinated detection and response in our environment. Our complete suite is pretty much all Microsoft. Our environment is a 50/50 hybrid. We use Intune for certain policy changes and some of the deployments. But because our environment has a lot of legacy systems, we make use of the normal, on-prem deployment services as well.
Sentinel is linked to our on-premises Active Directory. It helps identify things that are happening on-prem. For example, when a user's account instance gets locked out, it will show you, on Defender, from which local machine it was locked out. Or if certain things are accessed, it will show that information on the on-prem Active Directory. It works well. For investigating and responding to threats, it definitely helps by dumping the information in a centralized location with the alerts to identify a bit more flow pattern. If something happens that's not on the cloud area, but it's on-prem, it helps track and identify movement. The information from Sentinel is an added bonus.
Overall, Defender 365 has saved us time, compared to the old ways of doing things, but at the same time, I wish the site was faster. Sometimes it can be very slow.
Best-of-breed solutions versus a single vendor's suite comes down to personal experience. With best-of-breed, at least you know that they have been tested in the industry and have a lot of history behind them. Also, the redundancy would be a lot better. Going with a single vendor sometimes makes it a little bit difficult, especially if they are only focusing on one area. It's a difficult question. It might come down to the way someone was "brought up" in the security industry or the way that they trust these companies.
I give Microsoft 365 Defender a nine out of 10. Once you get to know the system, it's really awesome. It provides a lot of insights.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller

Helps us reduce the security solutions used, provides unified identity and access management, and saves our security team time
Pros and Cons
- "The most valuable features are spam filtering, attachment filtering, and antivirus protection."
- "Microsoft Defender XDR is not a full-fledged EDR or XDR."
What is our primary use case?
We use Microsoft Defender XDR to protect our endpoints, computers, mobile devices, and emails.
How has it helped my organization?
In part, Microsoft Defender XDR provides unified identity and access management.
Microsoft Defender XDR can protect 98 percent of devices.
With Microsoft Defender XDR we can now manage all of our non-critical computers from one console. The management level and implementation level are easy. Microsoft Defender XDR is also cost-effective.
We have been using Microsoft solutions for over 25 years so it didn't take much convincing to start using Microsoft Defender XDR.
Microsoft Defender XDR has enabled us to discontinue the use of Kaspersky in our safe computers.
Being able to reduce the number of solutions used has been helpful to our security team's operations. The discontinued use of other security products has reduced manual correlation. Using Microsoft has a lot of advantages, especially in management. The reduction in manual correlation is important for our organization.
Microsoft Defender XDR saves our security team around three hours a day.
What is most valuable?
The most valuable features are spam filtering, attachment filtering, and antivirus protection.
What needs improvement?
Microsoft Defender XDR is not a full-fledged EDR or XDR. Any true XDR should be more powerful than what Microsoft is currently providing. For some public-facing companies, computers, and endpoint computers, we need additional security from CrowdStrike or other third-party XDR.
Microsoft Defender XDR does not stop 100 percent of the lateral movement or advanced attacks. Our machines use both Microsoft Defender XDR and CrowdStrike, and we have had instances where attacks were missed by Microsoft Defender XDR but caught by CrowdStrike.
For how long have I used the solution?
I have been using Microsoft Defender XDR for four years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Microsoft Defender XDR is scalable.
Which solution did I use previously and why did I switch?
We previously used Kaspersky, Norton, and CrowdStrike. We switched to Microsoft Defender XDR because of its streamlined management capabilities.
How was the initial setup?
The initial deployment was straightforward. We pushed Microsoft Defender XDR remotely across our system consisting of 300 computers. We are a team of seven people and each of us was involved in the deployment process.
What about the implementation team?
The implementation was done in-house.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender XDR is expensive.
Which other solutions did I evaluate?
We did not evaluate other security solutions because I have extensive knowledge of most products, their strengths and weaknesses, and their overall capabilities. Additionally, considering all our products are on Microsoft 365, a cloud-based platform, and we already utilize its various components like mail, documents, and more, integrating Microsoft Defender for threat detection and management was a natural choice due to existing ecosystem compatibility and streamlined administration.
What other advice do I have?
I would rate Microsoft Defender XDR an eight out of ten.
Microsoft Defender XDR is deployed across multiple locations and departments.
Minimal maintenance is required for patching.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Project Manager at Freedom Systems Inc.
A time-saving and easy-to-integrate product that needs to offer a control center to users
Pros and Cons
- "The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products."
- "Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides."
What is our primary use case?
My company operates as a service provider, so we use Microsoft Defender XDR in our office to provide our customers with security services.
How has it helped my organization?
I won't say that the product helped improve how my organization operates, but there is a need to build trust between the user and the product. Microsoft Defender XDR has been used in my organization since we purchased Windows 10 or 11, after which a user does not need to install any products from Microsoft separately. Some of my company's customers insist they want to install antivirus software separately in their environment due to trust issues.
What is most valuable?
The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products. Some other vendors of security products provide great features or capabilities of detection, but the best feature of Microsoft is its integration capability.
What needs improvement?
One important point about the solution that is an area of concern where improvements are required is related to the control center it provides. Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides.
For how long have I used the solution?
I have been using Microsoft Defender XDR for three years. My company has a partnership with Microsoft. My company is also a reseller of Microsoft products.
How are customer service and support?
As a part of Microsoft's attempt to reduce costs, there has been a direct cut down of the local technical support team. Sometimes, you have to use the technical support offered by Microsoft from other countries, but at times, we speak different languages, just like how people speak in Chinese or Mandarin, but there are still some differences between them. The front-line support from Microsoft has only limited technical abilities or access to their internal system. Sometimes, my company cannot even escalate an issue to Microsoft's senior team members.
The support team of Microsoft is nice as they attempt to solve the problems together with you, but I believe that due to some cost-related issues, they don't have enough permissions. Sometimes, users might feel blocked when trying to connect with the support team.
I rate the technical support a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
My company started with Microsoft Defender XDR when we partnered with Microsoft. Some of our company's customers prefer CrowdStrike, Fortinet, and FortiSIEM.
How was the initial setup?
You don't need to indulge in troubleshooting, making the initial setup phase an easy process because you could just use a GPO on your server to deploy everything. When there comes a problem to onboard some specific devices, and you need to indulge in troubleshooting, sometimes Microsoft Defender XDR's team says it is a problem with the devices a user is trying to onboard, and it's really hard for our company as service providers since we cannot always ask customers to reinstall their server.
What's my experience with pricing, setup cost, and licensing?
Microsoft purposely makes its license combinations complex and includes combinations like Microsoft 365 E3 and Microsoft 365 E5, Office 365 E3, Office 365 E5, and Office 365 E1, so you get confused. Microsoft tries to sell you a bundle of a lot of things together. The licensing model of the product should be made more understandable.
Which other solutions did I evaluate?
There are other good products in the market, and it is difficult to state which one is better since all of them have micro differences in terms of pricing. There may be components like the user interface or maybe some other elements to judge other products, but when it comes to Microsoft, the most important factor stems from the fact that most people use Windows, so it's all integrated.
What other advice do I have?
The product provides unified identity and access management as long as I use all of the products offered by Microsoft.
It is important for me that identity and access management are included within Microsoft Defender XDR because everything is controlled by your identity in the digital world, making it look like a user's government ID in the digital world. My company has tried a lot to talk to and educate our customers since some try not to use a complex password or MFA, which is the most important thing to protect your identity.
Some integration functions in Azure portal allow users to integrate their third-party applications. With the solution, it is not easy to track third-party applications. For transactions recognized by your credentials, it is not easy to track as they would stop, after which we are informed there is a problem. In my organization, we only know how some third-party applications ask to check the credentials, but we don't know what Microsoft Defender XDR does with it, so the product's security doesn't extend beyond just Microsoft technologies.
The product does stop lateral movement and advanced attacks like ransomware or business email compromise. The product blocks a lot of ransomware, which is good. It is considered to be a strict product, so if some of our customers use some local mail service, they have been blocked because Microsoft considers it to be not secure. Microsoft puts a lot of effort into security.
Microsoft Defender XDR's ability to stop attacks covers the product's ability to adapt to evolving threats. It is better to use it as a cloud-based solution that keeps adapting to changes and providing new features.
The product must adapt and evolve to manage threats since there is a new zero-day vulnerability every day, and there is no way to get protection from it. You cannot rely on the users or the admin to upgrade the features daily, so it's better to adopt it automatically with a cloud-based solution like Microsoft Defender XDR.
There were some problems when my organization tried to discontinue other products during the implementation phase of Microsoft Defender XDR since Microsoft tried to integrate all the products in our organization's environment together. If you have used Microsoft Defender XDR, you have to use an antivirus from Microsoft along with Microsoft Identity Platform Endpoint to get the best results. Sometimes, some customers may try to install some third-party antivirus in their environment other than the one provided by Microsoft, which gets blocked. Sometimes, antivirus software from a vendor goes into passive mode. When an antivirus software is in passive mode, some of its advanced features are not usable, causing some problems the user needs to deal with when using it.
The product's ability to save costs depends on how a user looks at a problem while using the solution. I worked as a part of the security team, and we always used to talk to our company's customers. The solution is sometimes like insurance, especially if you want to avoid some bigger problems and you need to spend some money to protect your environment. In some other IT teams or from some other client's point of view, Microsoft Defender XDR costs a lot of money, and they don't see anything. In the security world, no news is good news. You don't want to have to see everything happen and get plenty of alerts trying to prove the product's worth. The product has to control the attack surface so that you won't be attacked that much, or if there are any attacks, it can reduce the impact.
The product definitely saves time for my organization and our company's client teams, especially considering that it is not possible to manually go through the logs every day. The product did help pop up the abnormal activities so that my organization could just review the important things or abnormal activities.
It is hard to say how much time the product saves since it depends on factors like whether you are using some other products or using Microsoft Defender XDR alone. I guess that the product can save over 60 percent of my organization's time. When you use Microsoft Defender XDR in your IT infrastructure, and it works for you, then you just put it in there, and you will come to know when there are some abnormal activities or when you are attacked. With Microsoft Defender XDR, you can get some signs if you are being attacked.
Microsoft Defender XDR is a nice solution and can be combined with other solutions from Microsoft, but they offer limited flexibility. I want the product to be a high surveillance solution for me and not just an information-oriented tool, but nowadays, Microsoft doesn't provide any options to help choose the users' preferences.
I rate the overall product a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
It helps us deal with unknown threats by creating custom policies
Pros and Cons
- "I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications."
- "The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender, it would be helpful to use a different format so we can customize the platform."
What is our primary use case?
We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions.
How has it helped my organization?
We can easily track any other malicious activities or additional applications that will prevent it. We can get it here. It will be a helpful tool once we create policies for DLP and third-party programs.
365 Defender stops the lateral movement of advanced attacks. It prevents something that happens on the device level from affecting us on the organization level. The solution enables us to track all the details, like the IPs and the device types.
365 Defender helps us deal with unknown threats by creating custom policies, which enable us to block access by specific unknown sources and unsafe links. 365 Defender has multi-tenant capabilities, and we have multiple tenants, but I'm only involved in the retail part, so I don't have authority over other tenants.
We were able to discontinue some of our other security products when we implemented 365 Defender, but there are some exceptions. We can use non-Microsoft solutions when the customer requires it. Mostly, we use cloud solutions. We've saved some costs on the security side at the organizational level by reducing equipment costs. Using 365 Defender's automation capabilities, we can cut our vulnerability management time by about 40-50 percent.
What is most valuable?
I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications.
What needs improvement?
The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender, it would be helpful to use a different format so we can customize the platform.
For how long have I used the solution?
I have used 365 Defender for more than two years.
What do I think about the stability of the solution?
365 Defender can have some performance issues during enrollment. It can take a while at times, but sometimes it's duplicated immediately. That's an issue with some other cloud-based programs like Intune and Azure products.
How are customer service and support?
I rate Microsoft 365 Defender support nine out of 10. Their support representatives provide solutions based on priorities. They prefer to follow the proper SLA part.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment is quick, straightforward, and involves only two people.
What's my experience with pricing, setup cost, and licensing?
Sometimes 365 Defender is expensive, but it can be moderate, depending on the organization's size and the license type. We're satisfied with the cost because it gives us a product that protects our entire environment with DLP. To compromise some cost, of course, we are to complete the most secure environment.
What other advice do I have?
I rate 365 Defender nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Cloud Security Engineer at Dialog Axita PLC
Offers antiphishing, antispam, and stage three antivirus but has poor support
Pros and Cons
- "All of the security components are valuable, including antiphishing, antispam, and stage three antivirus."
- "The support team is not competent or responsive."
What is our primary use case?
Microsoft 365 Defender is used for our threat policies, configuration, and security protection.
How has it helped my organization?
The current level of threat visibility is good.
Microsoft 365 Defender helps prioritize threats across our enterprise, which is important for our organization.
The mail component within our organization is the most critical part and Microsoft 365 Defender plays a big part in protecting that component.
We have integrated Microsoft 365 Defender with Defender for Cloud, and Sentinel. Integrating the solution with Defender for Cloud is easy.
The integrated solutions work natively together to deliver a coordinated detection and response across our environment which is important for our organization.
The comprehensiveness of the threat-protection that Microsoft products provide is good.
The bidirectional sync capability of Defender for Cloud is important for our organization.
The bidirectional sync of Defender for Cloud helps us secure our network.
Microsoft Sentinel allows us to investigate data from our entire ecosystem.
The ingestion of data to our security operations is critical and Sentinel does a better job than the other solutions we tried.
Microsoft Sentinel enables us to investigate threats and respond holistically from one place which is important for us.
The built-in UEBA and threat intelligence capabilities are good.
Microsoft 365 Defender helps our organization by detecting false positives.
Our Microsoft security solutions help automate routine tasks and help automate the finding of high-value alerts.
The automation has helped us with our playbook.
The solution has helped eliminate multiple dashboards by providing one XDR dashboard.
Having one XDR dashboard allows us to react to threats faster.
Microsoft 365 Defender's threat intelligence helps us prepare proactively for potential threats before they hit.
Microsoft 365 Defender has saved us between one and three months of time.
Microsoft 365 Defender has saved us time to detect and respond.
We have saved a significant amount of money with the implementation of Microsoft 365 Defender. Prior to using this solution, we encountered costly incidents.
What is most valuable?
All of the security components are valuable, including antiphishing, antispam, and stage three antivirus.
What needs improvement?
Additional visibility into log analytics would be beneficial. For instance, if an attachment was affected by malware, it would be helpful if Microsoft 365 Defender could provide more specific details about the origin of that particular malware, such as where it originated from. Any additional information in this regard would be greatly appreciated.
The integration of Microsoft 365 Defender with Sentinel is a bit complex when integrating custom connectors.
The cost of using Microsoft Sentinel is dependent on the size of the data the solution will ingest. I would like Microsoft to provide proper guidance on the sizing so we know what we will be spending.
Technical support has a lot of room for improvement. The support team is not competent or responsive.
For how long have I used the solution?
I have been using the solution for one year.
What do I think about the stability of the solution?
Microsoft 365 Defender is stable.
What do I think about the scalability of the solution?
Microsoft 365 Defender is scalable.
How are customer service and support?
The quality of technical support we receive is poor. We encounter difficulties while dealing with the support team, even for critical incidents. Moreover, we always receive a response from the same engineer. However, they are not cooperative in using Microsoft Teams or joining a call with our clients.
How would you rate customer service and support?
Negative
How was the initial setup?
The initial setup is straightforward. The deployment was completed by two people and required seven to eight days.
What about the implementation team?
The implementation was completed in-house.
What's my experience with pricing, setup cost, and licensing?
The licensing fee for Microsoft 365 Defender is fair.
What other advice do I have?
I give the solution a seven out of ten.
The solution is deployed across multiple locations.
We have 5,000 users.
We have three administrators for the solution.
When an organization is already using other Microsoft solutions it is best to use Microsoft 365 Defender because of the seamless integration.
Microsoft 365 Defender is not difficult to implement and can be utilized by anyone.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Security Consultant at G.Network
Effective OS threat detection with room for enhanced threat hunting capabilities
Pros and Cons
- "Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans."
- "Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products."
What is our primary use case?
We are yet to use Microsoft Defender XDR for ourselves as we are yet to procure the product.
What is most valuable?
Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans. Additionally, the threat detection at the OS level is a very good feature of Defender.
What needs improvement?
Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products.
For how long have I used the solution?
We have not yet used Microsoft Defender XDR as we are yet to procure the product.
Which solution did I use previously and why did I switch?
I was working with CrowdStrike before Microsoft Defender XDR. CrowdStrike has advantages in terms of threat hunting.
What was our ROI?
We are doing it for the first time, so I have nothing to compare in terms of ROI.
What's my experience with pricing, setup cost, and licensing?
The pricing is a little high, however, it is on par with other competitive tools in the market.
Which other solutions did I evaluate?
I have not evaluated other XDR solutions besides CrowdStrike.
What other advice do I have?
I would recommend Microsoft Defender XDR to others as long as they are aligned with Microsoft products, cloud, or on-prem, especially if they are using Microsoft Windows architecture. I would rate Microsoft Defender XDR six out of ten overall.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 24, 2024
Network & Security Manager at SNP Technologies, Inc.
Combined with Sentinel, we get a wholesale view over entire infrastructure
Pros and Cons
- "The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it."
- "There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff.... There is no direct way to go ahead because it's a SaaS platform."
What is our primary use case?
We use 365 Defender with Outlook, Teams, and SharePoint. Our organization extensively uses these products as do the clients we serve. Our goal is to secure those email, SharePoint, and Teams environments.
How has it helped my organization?
Our Microsoft security solution has helped eliminate having to look at multiple dashboards. For a wholesale view over the entire infrastructure, Sentinel is the place to go. But M365 Defender alone only covers 30 to 40 percent of the infrastructure.
We have saved a lot of time compared to having to do tasks with other tools. With Microsoft, it's easier for us to manage and handle them. It saves us about 40 percent of the time it would have taken us. That includes the automating of detection and response.
What is most valuable?
The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it.
The information that the solution provides is pretty clear because I have an overall picture from the compliance dashboard, which is now called the Azure Purview Compliance dashboard or manager. It has all the information, including the DLP information, sensitive data being shared, threat protection, and attacks. All of that is on a single dashboard where I see what the state of security is.
We use the entire suite of Purview features, including Sentinel, Defender for Cloud Apps, Defender for Endpoint, and even new features like Microsoft Defender for DevOps. Sentinel is the out-of-the-box SIEM tool that should definitely be used for more visibility on the M365 side. Of course, we have the compliance dashboard, but Sentinel acts as the single point of contact for visibility into all devices. That way we can see, if there are any threats or vulnerabilities, what the dependent resources are. Sentinel helps give us that bigger picture. We also use Defender for Identity and Defender for Cloud, with different features for the different aspects within the cloud, such as various servers and DNS, et cetera.
With its different connectors, Sentinel enables us to collect data from our entire ecosystem. All the logs are ingested into a workspace in Sentinel where Sentinel can analyze them. If we unlock the Microsoft threat intelligence program, which is part of Sentinel, we can investigate threats and respond holistically from one place.
Integrating these products is pretty simple. Microsoft Sentinel integrates really fast. Obviously, it's from the same stack so it's easy for us to integrate with just the click of a button. The connectors then help us integrate these services.
If we have all these products in use, we can achieve a 90 to 95 percent security maturity model, without requiring any other vendors' solutions to protect resources.
What needs improvement?
There are two areas where I feel there is no Microsoft solution. One is vulnerability management, where Microsoft is partnered with Qualys. The other is a penetration testing tool on the preventive side. That would be more for an ad hoc request and not for everyday functions. Apart from these, all the other areas can be covered with Microsoft solutions.
There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff. By integrating Microsoft 365 Defender with Sentinel, we can definitely automate things. We can leverage playbooks, and execute Terraform scripts. But directly automating tasks in the 365 Defender is something we have to do with PowerShell, which is then connected to Exchange Online. There is no direct way to go ahead because it's a SaaS platform. But if you integrate it with Sentinel, where all the alerts are created and action needs to be taken, it is pretty comfortable for automation.
Also, I would like to see it be a lot less policy driven. On the M365 side, there are a lot of policies that we need to enable to achieve a certain task. There is no direct solution; rather, there are a lot of workarounds.
I understand that Microsoft is dealing with a lot of tools at once and having a direct solution is not viable. But I would hope that Microsoft can improve that side of it.
For how long have I used the solution?
I have been using Microsoft 365 Defender for more than five years.
What do I think about the stability of the solution?
It's a pretty stable solution and in terms of the SLAs it is pretty good. When it comes to applying policies and the standard documentation that Microsoft provides, everything works according to that. I would rate the stability a nine out of 10.
What do I think about the scalability of the solution?
It surely is a scalable solution, being a service that Microsoft offers.
How are customer service and support?
The technical support is not great. I have been working with these Microsoft products for quite some time, and I have raised issues and contacted them. Every support case I have raised has needed escalation. From my experience, the first-line support team doesn't have anything other than out-of-the-box solutions. Everything with that level of support is pretty standard, SOP-driven, and documentation driven. That is nice, but only to a certain point. When we are talking about the SOP that a level-one engineer does, that's when the support is very poor.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
We previously had on-prem solutions. For Exchange and for endpoints, we used to have McAfee, but that was more than five years ago. Previously, Defender for M365 used to be ATP, Advanced Threat Protection, and that's when we started using it.
Previously, we had many things on-prem, such as Exchange Servers, SharePoint, and database servers. But as Microsoft drove toward cloud-native solutions and moved Exchange, SharePoint, and Dynamics 365 online, moving to M365 was a part of the move.
How was the initial setup?
There is no straightforward solution with Microsoft. There are definitely a few restrictions and limitations. We should go ahead and call that out and there were definitely challenges.
The major challenge was moving the mailboxes from on-prem Exchange to Exchange Online. That was not straightforward because the goal was not to lose any emails and to make sure that certain format-related issues were taken care of.
We followed a waterfall method with a proper plan of action. We performed a PoC first, to make sure that the test users were migrated successfully. Once that was done, we did a proper plan in terms of department hierarchy for migrating our departments and detailed a plan of action in case there were any failures. We then did a proper pilot where we chose about 25 mailboxes for migration, and then we went ahead and migrated everyone.
One of the reasons it took six months was there were only five of us involved.
Because it is a SaaS service, Microsoft promises three nines of uptime. There is no maintenance on our side.
What was our ROI?
We are seeing a return on investment compared to the same types of solutions that we used to have five years ago. We would have spent more than what we are spending right now. It's not just about the licensing, it's also about the team that manages it and the operations side of it. But compared to how things were, the return on investment has been positive.
I doubt that we are saving money with this solution because all the features are only available with a Microsoft 365 E5 license, which is the highest. And that doesn't come cheap because it's on a per-user basis. If there are 1,000 users, you are investing a lot.
What's my experience with pricing, setup cost, and licensing?
The pricing model of Sentinel is entirely different from any other standalone SIEM tool. Other tools work on a licensing model with a fixed price based on the different modules that are enabled. Sentinel is not a fixed price. It depends on how much data is injected into it. With Microsoft, if there are 100 GB per month, it's about $2.30 per GB, or around $2,000 on a monthly basis. Compared to a fixed licensing cost, where organizations know that there is a certain budget they need to put aside for the license, on the Microsoft side, we really can't anticipate the cost.
The pricing of Microsoft 365 Defender is definitely on the costly side, but with the features and services that Microsoft provides, such as the seamless integration of all the Defender tools, while the price is on the higher side, there is no alternative.
What other advice do I have?
My advice would be to try out Microsoft and compare it with other vendors. If your vision for Microsoft includes needing customizations and a lot of use cases, I don't think Microsoft M365 would support that. Where Microsoft shines is the seamless integration and dealing with less configuration management. But at the same time, organizations are adopting other solutions, such as Linux, and they want customization and that is not possible on the Microsoft side.
Microsoft 365 Defender helps prioritize threats to the enterprise, but not alone. Rather, it is through combining it with other Defender products like Defender for Cloud Apps and Defender for Endpoint. All these, in combination, can provide really good security, visibility, and threat protection against any vulnerabilities or threats. But with just M365, our hands are tied with the scope, which is limited to emails, Teams, and SharePoint.
We can't 100 percent automate things, but we can automate about 80 percent of our tasks. It has made life easier. But, at the same time, if a scenario is not something that repeats, performing an activity automatically would reduce the time spent, but not by that much. We have automated a few areas for things that occur on a regular basis, but at the same time, we come across situations now and again that we think about automating, but we also think about the effort that we would have to put into doing so. Will it be a recurring solution or not?
There are also some advancements that Microsoft has launched to automate threat surface reduction, some features that we could try to help us analyze steps to be taken before an attack happens, but nothing that I have tried yet.
Hypothetically, when looking at whether a single vendor or a best-of-breed strategy is best, being an architect the last couple of years, what I've seen is that having a multi-vendor system is definitely a good approach rather than going with a single vendor solution. Even though Microsoft has all these tools, we can't achieve 100 percent security. There are the areas for improvement that I mentioned, where Microsoft doesn't have a single solution, like pen testing and vulnerability management. My suggestion is always to go with a multi-vendor solution. Microsoft might reach a level where, at a certain point, they will have 100 percent coverage, but my approach would still be multi-vendor.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Owner at a consultancy with 11-50 employees
Offers capabilities that other solutions don't offer
Pros and Cons
- "The feature I find most valuable is Defender for Endpoint."
- "The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users."
What is our primary use case?
Our primary use case for Microsoft Defender XDR is to serve as our email security solution, offering file protection, scanning, alerts, and incident management. It is a part of every Microsoft 365 deployment we do.
How has it helped my organization?
The integration of Microsoft products simplifies management, reporting, and investigations. It offers capabilities that other solutions don't offer.
What is most valuable?
The feature I find most valuable is Defender for Endpoint. It's because endpoint management is my primary focus, and this feature integrates well with my other skills.
What needs improvement?
The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users.
For how long have I used the solution?
I've been using Microsoft Defender XDR for about ten years since it was known as Office 365 Advanced Threat Protection.
What do I think about the stability of the solution?
I have no concerns about the stability of Microsoft Defender XDR.
What do I think about the scalability of the solution?
We are only a small organization, and our operations don't even challenge Microsoft Defender XDR's capabilities.
How are customer service and support?
The customer service and support have been good. Whenever it is needed, they are fast to respond.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used various solutions over the years, but since then, we've been using the Defender variants.
How was the initial setup?
The initial deployment was straightforward.
What about the implementation team?
We implemented Microsoft Defender XDR ourselves in-house.
What's my experience with pricing, setup cost, and licensing?
There are no issues with pricing, but sometimes, the clarity in licensing is a concern. I still need to verify what's included with each license occasionally.
What other advice do I have?
I would rate Microsoft Defender XDR a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 30, 2024