We are using Microsoft Defender for Office 365 for identity and email security, safe links, etc.
SecOps Lead at Barco
Works very well for vulnerability management but doesn't have many features available in other solutions
Pros and Cons
- "The portal is quite user-friendly. There is integration with Office, Intune, and other products from the same portal. From there, we can see which policies are installed on a particular machine. We also can manage devices, groups, and tagging."
- "The patching capability should be there. Patching is something that you cannot do even though you see the vulnerabilities present in your environment. For patching, you have to depend on another solution."
What is our primary use case?
How has it helped my organization?
It works as an antivirus, and it also works for any behavioral issues in a particular machine. It protects all the applications from any vulnerability. It works in both ways. It works for vulnerability management and also for the EDR part. Earlier, we had Qualys for vulnerability management, but Microsoft Defender takes care of both. It provides information about how vulnerable a machine is, and it also takes care of the antivirus and behavioral issues in a particular machine due to some threats or any unwanted applications installed.
It helps us manage vulnerabilities. If there are any vulnerabilities in a machine due to a lack of patches or end-of-life software installed on the machine, it gives us the report. After seeing the report, we can fix those vulnerabilities by uninstalling the vulnerable applications or by patching them.
It takes care of the antivirus part. The signatures are constantly getting updated related to new viruses. It covers any identity-related issues or device-specific issues. It covers the MITRE framework. If any threat or risk is present in our environment, it takes care of that and then tells us that these are the issues that we need to work on. After we get the alerts, we do the investigation and remediation.
It provides unified identity and access management. You can create role-based access. You can create policies based on different risk levels. You can also trigger password resets. There are a lot of capabilities that are built in. You can also create conditional access (CA) policies. If any vulnerable application is installed on a device, you do not want that device to be connected to your network, you can create conditional access policies. It will first check whether the integrity of the device is as per your organization's requirements. If it is compliant, then only that device will be allowed to connect to your network. The same goes for identity. If MFA is enabled in your environment, the users will be allowed to connect only if their accounts have MFA enabled. Otherwise, the access is blocked. You can automate such things.
It is important that identity and access management are included in Microsoft Defender rather than needing an additional solution. Nowadays, you see a lot of phishing emails and unsecure links being forwarded to user accounts. In Microsoft Defender, we have secure links and safe links. Once enabled, if any malicious link is sent to a user account, when the user clicks on a link, it immediately checks whether it is safe to access. If it is found to be malicious, it is immediately blocked. If a user mistakenly clicks on a link, the risk state is changed automatically in the web portal. If you have a conditional policy in place, the access is blocked for that user. Even if the attackers have access, they will not be able to do anything. In today's scenario, it is pretty important to have these in place.
As of now, the integration part is pretty limited to Microsoft products. However, by using Sentinel, which is a SIEM solution, you can integrate other products.
It stops the lateral movement of advanced attacks like ransomware or business email compromise. You can create lateral movement policies, and you also can create high-risk users or high-risk devices. You can have customized policies for them. You can create different policies, and the alerts triggered from those devices or users are put into high severity so that you can take immediate action.
You get the telemetry of any attack observed by Microsoft Defender. You can see everything from the starting point till the remediation steps automatically taken by Microsoft Defender. The investigations can be found easily. They are pretty detailed. Everything is there in the portal.
It has the ability to adapt to evolving threats. Threat intelligence is embedded in the portal itself for new threats, technologies, ransomware, or malware. All the latest threats are automatically handled by Microsoft Defender. Remediation is also automatically available.
It saves time. There is automatic remediation, and there are playbooks that you can configure. You can automate the remediation steps that you have already tried on a particular machine. If you want to suppress some of the alerts, you can create suppression rules so that your team does not spend time investigating them. Playbooks, automatic remediation, and suppression of similar alerts save a lot of time.
What is most valuable?
Vulnerability management is valuable. We had a different product for vulnerability management. We were using Qualys for that, but after we got Microsoft Defender, we also got the vulnerability management part. It is embedded in the portal itself. We do not have to look into another solution or tool. We did not have to install any additional sensor which reduces the overhead and does not affect the machine's capability. With the same sensor, we get the vulnerability report and threat report. We also get to know any risks and issues related to malware and other things.
The portal is quite user-friendly. There is integration with Office, Intune, and other products from the same portal. From there, we can see which policies are installed on a particular machine. We also can manage devices, groups, and tagging. For a different set of teams or departments, we can create different device groups. Based on the teams and their work portfolio, we can create different policies. It is quite handy, whereas with the Qualys solution, the portal was quite cluttered. To find a particular option, we had to look at many options, whereas Microsoft Defender is quite user-friendly.
We are also getting all the reports by using the same sensor. It is light on the machines as well. It consumes less resources than other solutions available in the market.
It is evolving. We are seeing new advancements and integrations. They have integrated Copilot, so going forward, we can take the AI advantage. It will be quite easy for us to run any queries. These are the advantages that I see in Microsoft Defender in comparison to others.
What needs improvement?
The patching capability should be there. Patching is something that you cannot do even though you see the vulnerabilities present in your environment. For patching, you have to depend on another solution.
Other than that, there are still limitations in creating device groups. You can create tags, but these tags are based on limited options. There are only a few categories based on which you can create a tag or device group. If there are other conditions that you want to put, such as creating a group based on the application installed on a particular machine, you cannot do that. There are some shortcomings. Also, if you want to whitelist a particular application for a set of groups, you cannot do that. We had an incident where we wanted to whitelist a particular application that was getting blocked by Microsoft Defender, but we were not able to create those groups. We were not able to whitelist the application for some of the devices. We had to whitelist it for the whole environment, which we did not want to do.
It only has pre-built dashboards. You cannot create customized dashboards. They have a set of dashboards, but they are not customizable.
We can create reports using KQL, but it is hard to create customized reports using KQL. You get a CSV, but you need to use Power BI or another reporting product to create the report. The other products available in the market give you customized dashboards, customized reporting, and customized workflows. This is pending in Microsoft Defender.
Buyer's Guide
Microsoft Defender XDR
June 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.
For how long have I used the solution?
I have been working with this solution for 1.5 years.
What do I think about the stability of the solution?
It is a Microsoft product. It is similar to any other Microsoft product in terms of stability. They do change the name and other functionalities, but it is pretty much similar to any other Microsoft product.
What do I think about the scalability of the solution?
It is pretty scalable. It does not stop you anywhere.
I am working in an MNC. We have more than 6,000 people.
How are customer service and support?
It depends upon the license that you have. They have a different set of licenses based on which you get support. It depends on the support packages you have purchased.
It is very easy to raise a request. They have a portal. From there, you can create a ticket by email or by chat. The response is based on the support package that you have. If you have premium support, you can get a response in minutes.
Which solution did I use previously and why did I switch?
In my previous organization, I worked with Palo Alto XDR. In this organization, we had McAfee, which is a signature-based solution. Microsoft Defender is more advanced than McAfee. It is EDR-based, whereas McAfree was signature-based. It was based on the signatures related to a particular threat or virus. It was handling threat prevention, but behavioral analysis and other functionalities that you see in EDRs were not there. We wanted to move to a behavioral-based antivirus solution. That is why we opted for Microsoft Defender.
Microsoft Defender also enabled us to discontinue the Qualys solution. It has many capabilities related to vulnerability management. They are available out of the box, but patching is something that is missing. For patching, you need to use Intune, whereas, in Qualys, you can also do patching, so patching is something that is missing in Microsoft Defender. However, Microsoft Defender is very good for the assessment of vulnerabilities.
You also get visibility of the devices that are still not onboarded to Microsoft Defender. You have something called Device Discovery in Microsoft Defender. Once enabled, you can get details of all the machines that still do not have Defender, whereas, in Qualys, you have to create customized or scheduled scans of your network. They then run on a periodic basis, but that is not the case with Microsoft Defender. It is on a real-time basis. The Microsoft Defender client continuously does the scanning, and you get visibility into all the machines on your network that still do not have Microsoft Defender onboarded. However, you cannot do patching with Microsoft Defender.
Microsoft Defender can save costs. Qualys is pretty expensive. Microsoft Defender does vulnerability management out of the box, so if you do not want to do patching and you have another solution for patching, you can save costs. It also has out-of-the-box functionality for identity protection.
How was the initial setup?
It is deployed on a public cloud. If you do not have people in your team who know about this product, Microsoft can give you a vendor to help with deployment, creating the policies, etc.
Overall, it is pretty straightforward because Microsoft Defender is enabled on all Windows machines. All you need to do is to activate the sensor that is already installed. The installation process is not much, but if you want somebody to help you, Microsoft can help you with a list of vendors at a particular location. The vendor can help you with configuring the policies and activating different licenses.
Documentation is available on the Microsoft portal to help you create policies and go forward as per your environment.
What about the implementation team?
We took help from somebody for implementation.
It does not require a lot of people because it is a cloud solution and the sensor is already available in the machine itself. It does not require a lot of manpower to get started with Microsoft Defender and do a migration. However, it also depends on how big your organization is. If it is an MNC with a presence in multiple countries, you might need at least one person per region. If any hands-on support is required on a client machine, you can do troubleshooting remotely or provide on-site support. If you have only one site, you do not need much manpower. A single person can do it.
Its maintenance is similar to any other solution. If you are changing any policy, you have to test them before putting them into production. Apart from that, it does not require anything. The Defender updates are automatically available. You can push them through your patching solution. Its maintenance is not hard.
What other advice do I have?
Every organization has different requirements. In my previous organization, we opted for Palo Alto even though we had Defender and CrowdStrike. CrowdStrike is also a best-in-class solution, but we opted for Palo Alto because it was giving something that was a requirement. In that organization, we also wanted to do some management. We wanted to run some scripts through our XDR solution. CrowdStrike had some limitations. We also wanted to do a console login for a particular machine. CrowdStrike gave that functionality, but it was pretty limited, whereas, in Palo Alto, it was limitless. We could straightaway see the files present on a machine by using the console view. We could run a different set of queries. It did not matter whether we were running a PowerShell script, a Python script, or any other language script because the compiler was embedded in the sensor. Palo Alto met the needs of that company. For the use cases, it was the best fit.
In my current organization, the use cases are different. We only wanted an EDR solution. Also, because most of the products in our environment are from Microsoft, the integration with them was pretty easy. That is why we opted for Microsoft Defender. An organization should look at its use cases and then decide on an EDR/XDR solution.
Comparing Microsoft Defender's EDR capabilities with other solutions, I would recommend going for another solution available in the market. I would rate it a 6 out of 10 because there are a lot of things that are available in other solutions, such as doing a remote of a particular machine and running other language scripts. Other solutions are also better in terms of the isolation of a particular device, removal from the isolation, and granularity of security control. I am not comparing it with others for vulnerability management because Palo Alto or CrowdStrike do not do that. If there are any vulnerabilities and you want to fix them, you have to do all the work.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Chief Information Officer at a university with 501-1,000 employees
Robust security with seamless integration into the Microsoft ecosystem
Pros and Cons
- "Its most significant advantage lies in its affordability."
- "The management features could be improved, particularly in terms of better integration with Intune, Microsoft's cloud-based management solution."
What is our primary use case?
It is a universal security tool across our organization, catering to staff members using standard laptops and PCs. Currently, we employ an in-house solution built upon a smaller product from a Finnish company.
Although it integrates with Microsoft AD, our solution remains somewhat proprietary as we've independently implemented and tailored it to our specific needs.
We do not leverage the multi-tenant management capabilities of the solution. In our scenario, we operate as a single organization, allowing us to utilize a straightforward, single-setup approach.
How has it helped my organization?
The identity protection offered by the solution has proven highly effective for us because we developed it in-house. Crafting it ourselves has allowed us to seamlessly integrate all of our specifications with the solution within a relatively short timeframe.
The significance of using the identity and access management integrated into Microsoft 365 Defender cannot be overstated, as it is vital for the proper functioning of the product. While it is crucial, the available functionality might not be entirely sufficient. We have opted for our in-house solution to complement and address the additional requirements.
It empowers us to phase out the use of other security products.
What is most valuable?
Its most significant advantage lies in its affordability. Being an integral part of the Microsoft Stack, it comes with a cost-effective package. Especially for higher education, there's an appealing pricing structure.
What needs improvement?
The management features could be improved, particularly in terms of better integration with Intune, Microsoft's cloud-based management solution. Enhanced integration would contribute to a smoother user experience, and ease of use is a key aspect that could benefit from such improvements.
For how long have I used the solution?
We have been using it for approximately four years.
What do I think about the stability of the solution?
It has demonstrated exceptional stability, with no concerns or complaints on my end.
What do I think about the scalability of the solution?
It exhibits sufficient scalability for our specific needs.
How are customer service and support?
We utilize extended support for Microsoft's stability, and the quality is excellent.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Within our network, we incorporate Cisco products, utilizing various security features and functionalities offered by Cisco. For instance, our firewalls are implemented using Cisco technologies. This adds diversity to our security landscape, as Microsoft alone may not cover all our security needs.
What about the implementation team?
It has been implemented across various locations, spanning our three campuses and multiple departments. Maintenance is handled by a team of four people.
What was our ROI?
It didn't contribute to cost reduction. Our expenditure has maintained a consistent level, with little change over the years, aside from factors like inflation.
Using it has resulted in time savings for our security team. Currently, the team comprises approximately four individuals working with these technologies, equating to a total of four times thirty-seven hours per week.
What's my experience with pricing, setup cost, and licensing?
It has consistently offered highly appealing academic pricing, with distinct rates for higher education and general educational purposes. This differential pricing is a significant factor and it influenced our choice to use Microsoft products.
What other advice do I have?
Overall, I would rate it nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Buyer's Guide
Microsoft Defender XDR
June 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.
Senior SOC Developer at XVE Security
Extends beyond Microsoft technologies, provides a centralized view, and reduces costs
Pros and Cons
- "The unified view of the threat landscape on a central dashboard is the most valuable feature."
- "The licensing is a nightmare and has room for improvement."
What is our primary use case?
We use Microsoft Defender XDR in our multi-tenant environment comprising Windows, Linux, and the Cloud.
We have Microsoft Defender deployed in a hybrid environment across AWS, Azure, and GCP.
How has it helped my organization?
Microsoft Defender XDR provides unified identity and access management. The identity protection the solution provides is good.
If we had to use a separate solution for identity and access management I believe the performance would be clunky.
Microsoft Defender XDR extends beyond just Microsoft technologies, encompassing a wider range of platforms and services. This broad coverage is a key strength of the solution.
Since implementing Microsoft Defender XDR, the centralized view and management console have been beneficial.
Microsoft Defender XDR limits the lateral movement of advanced attacks.
It integrated seamlessly into our SIEM environment so there are no disruptions to our security operations.
The ability to adapt to evolving threats is critical as the landscape is expanding daily.
The multi-tenant management capabilities for investigating and responding to threats across tenants are good.
We are enabled us to discontinue the use of other vulnerability management tools.
The reduction in the number of vulnerability management tools we use has helped reduce manual operations.
Microsoft Defender XDR has helped reduce our costs by ten percent.
Microsoft Defender XDR has helped save our security team between five and ten percent of their time.
What is most valuable?
The unified view of the threat landscape on a central dashboard is the most valuable feature.
What needs improvement?
The naming convention keeps changing and has room for improvement.
The licensing is a nightmare and has room for improvement.
For how long have I used the solution?
I have been using Microsoft Defender XDR for three years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Microsoft Defender XDR is a SaaS product so it is scalable.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used VMware Carbon Black and switched to Microsoft Defender for the multi-cloud environment support.
How was the initial setup?
The initial deployment is straightforward. We identify the critical assets and just deploy for those initially and then slowly roll out for the rest. Around five people were involved in the deployment.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
We have seen a return on investment.
What other advice do I have?
I would rate Microsoft Defender XDR a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr enterprise compute and storage engineer at a university with 1,001-5,000 employees
Offers robust security coverage for diverse use cases while demonstrating high stability and support efficiency
Pros and Cons
- "The most valuable aspect is undoubtedly the exploration capability"
- "It would be beneficial to have a more seamless experience with everything consolidated in one place, particularly when dealing with aspects related to the Exchange console."
What is our primary use case?
Our main use cases include securing critical university services and establishing a research tenant for researchers to store and manage their findings across both everyday machines and dedicated research spaces. It involves dealing with malware and managing server security through tags. Additionally, a significant portion of our work involves exploring and investigating emails using the Explorer tool. It is well-suited for addressing these scenarios and ensuring robust security measures.
How has it helped my organization?
It enables us to respond to incidents more swiftly, pinpointing root causes with greater speed. Retrieving emails is now a much smoother process compared to the previous method using Power Shell. With Explorer, it's a more straightforward and visually intuitive approach, eliminating the previous concerns associated with Query Drive and reducing any associated anxieties. It allowed us to phase out the use of other security products entirely. Initially, we managed this transition through SXM, and later migrated it to the online version of Defender. It has had a notable impact on the operations of our security team. We've had to reshape our procedures, particularly focusing on alerting. There has been a significant upskilling effort, shifting from the previous model where Cisco admins primarily dealt with alerts within SSC or through email.
What is most valuable?
The most valuable aspect is undoubtedly the exploration capability. Given that we are consistently engaged in exploration, constantly seeking reasons for message delivery issues and searching for malicious attachments, the Explorer feature stands out as the primary and most beneficial tool for our needs.
What needs improvement?
I'd like to see more integration with various components. While the ecosystem is quite impressive, there's a noticeable back-and-forth between the Defender console and the Exchange console. It would be beneficial to have a more seamless experience with everything consolidated in one place, particularly when dealing with aspects related to the Exchange console. Currently, we rely on a third-party service for the majority of our IAM needs. The data center extension of security coverage has proven to be highly significant for us. Given our extensive use of Linux and third-party applications, having the capability to monitor these aspects within the Defender console would be immensely valuable.
For how long have I used the solution?
I have been using it for four years.
What do I think about the stability of the solution?
The stability is quite high. Despite various outages, we've experienced consistent reliability.
What do I think about the scalability of the solution?
Scalability is indeed very impressive. We can deploy resources globally with just a few clicks, and the use of Terraform to create VMs adds a fast and efficient dimension to the process. In terms of end-users, if we focus on mail and overall usage, we currently have around 105,000 users of VMs. Specifically in Azure, we're nearing the 100,000 mark with more migrations in progress, making the average user count approximately 100,000.
How are customer service and support?
Microsoft support has been performing well, promptly addressing any conflicts that arise. Our account manager is quick to respond and provides additional resources when needed. The frequent check-ins, with calls every hour, contribute to a positive experience. I would rate it eight out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment was quite straightforward.
What about the implementation team?
The deployment process went smoothly, with check-ins and some policies to configure. Overall, it didn't feel cumbersome.
What was our ROI?
In the long term, there is potential for significant time savings for our security team. Although currently, many of us are investing time in upskilling and adapting to the new system, overall, I believe that as we become more familiar with it, there will be noticeable efficiency gains.
What's my experience with pricing, setup cost, and licensing?
There has been a noticeable reduction in costs. We've managed to navigate it effectively through our enterprise agreement, and Microsoft's academic discounts have proven to be quite generous. The overall expense is significantly lower, approximately fifty percent less than what we would incur with a traditional enterprise license.
What other advice do I have?
Especially with an enterprise license, the transition is relatively low-risk. If you're currently using the old-school Defender SCCM, moving to the new system is not a challenging shift. It's worth picking a few machines, testing them out, and seeing if it suits your preferences. Overall, I would rate it nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Managing Director, TSG Engineering at a financial services firm with 10,001+ employees
The product is scalable and provides summaries of emails, but it is full of bugs and crashes a lot
Pros and Cons
- "The summarization of emails is a valuable feature."
- "The tool gives inconsistent answers and crashes a lot."
What is most valuable?
The summarization of emails is a valuable feature. I get more than 1000 emails a day. It is hard to read them all. Summarization makes it a lot easier. The solution also provides transcription features.
What needs improvement?
It doesn't work in Word, Excel, and PowerPoint consistently. We find it full of bugs. It doesn't work properly. The tool gives inconsistent answers and crashes a lot. I spoke with the Microsoft team regarding these issues. The person I spoke to said that our expectation was too high and that we should have expected that it would only operate at 70% accuracy, which was a bit of a shock.
For how long have I used the solution?
I have been using the solution for four years.
What do I think about the stability of the solution?
We use most of E3 and E5. We're using 92% of the catalog. Everything runs in the cloud. In the past six months, there have been incidents where the cloud has had some issues. We've escalated them to Microsoft and have had a conversation about stability.
What do I think about the scalability of the solution?
The tool is scalable.
How are customer service and support?
The support is decent. It could be better in certain circumstances. Overall, it's acceptable for what we need it for.
Which solution did I use previously and why did I switch?
We were using a Symantec tool before. We stopped using it because we were exiting a relationship with the Symantec tools. We chose Microsoft Defender for Office 365 because we had a relationship with Microsoft, and it did similar things to what we used the Symantec tool for. It was an easy choice.
How was the initial setup?
The initial setup was complex. It doesn't work. Semantic Index takes 48 hours. Getting people to onboard is not as simple as turning it on and making it work.
We have to ensure that we are teaching people about these tools, their value, and the use cases to determine whether they will use them. If we turn it on and somebody is not trained to use the tool, they will abandon it. It's still not functioning properly. It's a bit of a risk for Microsoft to push out a tool that's not ready yet.
What about the implementation team?
We did the implementation ourselves. We have a large enough internal team.
What's my experience with pricing, setup cost, and licensing?
The solution is too expensive. Each license costs us $30.
Which other solutions did I evaluate?
Google is an alternative. The comparison is based on market share, penetration, usefulness of tools, and cost. Microsoft has the lead. It's embedded. We use it as a productivity suite for our company. Excel, Word, and PowerPoint are tools that people use on a daily basis.
What other advice do I have?
The tool provides a little bit of unified identity and access management. It's not the most important thing for us. Security is a multi-layered strategy, and Defender is one aspect.
The product is one of the many tools we deploy to ensure that the lateral movement of advanced attacks does not occur. If it were the only tool we had, I wouldn't be as confident in saying that we have the proper levels of security, but it is one of the multiple tools we have. So, lateral movement is almost impossible.
The solution might be able to adapt to evolving threats in a smaller shop. However, it is not so in our organization.
We run a bank. We are testing out Copilot. We're about to roll it out to several thousand users. The tool hasn't yet helped improve things in our organization, but it has the potential. Copilot is new. It's difficult to determine the ROI and its value. It's hard to tell. We do get some value out of the product.
Overall, I rate the product a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Principal Consultant - Cyber Security & Cloud Infra. at RPS Consulting Pvt. Ltd.
Provides good email and endpoint security, but needs mature dashboard and better support for third-party solutions
Pros and Cons
- "It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints."
- "The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category."
What is our primary use case?
In our organization, we are mainly using it for email security and SharePoint security.
How has it helped my organization?
It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints.
It helps us to prioritize threats across our enterprise, which is very important. It has sorted many things.
We use Defender for Endpoint, and we also use Sentinel. In my organization, they are all integrated. Sentinel pulls the data from M365 Defender via connectors. The integration is very easy. There are no problems. These solutions work natively together to deliver coordinated detection and response across our environment, which is good. We rely a lot on Microsoft products. Together Defender for Endpoint and Sentinel give me a clear picture to defend against threats and investigate the threats.
Sentinel enables us to ingest data from our entire ecosystem. It's always good to get a centralized, holistic view of our security operations. We are using centralized Sentinel dashboards mainly to get all the threats and information in one place. It's good.
Microsoft security products provide comprehensive and deep threat protection. I'm pretty satisfied with that.
It has saved us time. It has saved more than 50% of our time.
It has decreased our time to detect and time to respond. It has been helpful, and the time to detect is really fast. We don't have to do anything. We just have to rely on it. In terms of the time to respond, if something is under the radar or intelligence of Defender, the tool itself responds and gives us what happened. When it comes to something that is not on Defender's radar, Sentinel is generally where we go. So, it saved more than 50% time in terms of detection and response.
What is most valuable?
Email security and endpoint security are valuable.
What needs improvement?
It provides good visibility of Microsoft products but not for third-party products. It's a good product if we have Microsoft product lines to protect or defend, but it lags when it comes to a mixed environment or non-Microsoft products. The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category.
On the Defender side, for custom detection queries, KQL and the dashboard are not that great, but we are not doing automation directly from the Defender side. We leave Defender intelligence as it is, and we collect everything from Defender to Sentinel and handle the response from the Sentinel side. So, all our automation is happening through Sentinel only. We don't have any extra customization on top of Defender.
The maturity of the portal or dashboard is missing. The dashboard is something that Microsoft is changing every month, and we are seriously not liking it. As a management person, I am not bothered about it, but my team is suffering because there are many versions. You are working on a version and then a new version comes and then the preview toggle button comes. Now, they are combining all the parts into a single console. It confuses technical teams a lot. I'm not happy with their approach or experiments when it comes to the Defender portal. They shouldn't change it again and again.
The SOAR side of Sentinel is zero. If any subscriber subscribes to Azure Sentinel, SOAR is zero. Microsoft says that Sentinel is a SOAR solution, but I don't agree because they are only exposing the existing Azure automation engine towards Sentinel. My automation ask is that when there are already so many detection rules and connectors, why is the SOAR capability not in-built? Why can't they make the Azure functions behind it available in a template form and let us modify and use them? It will save my team's time in preparing the automation of the response. If my team has to create the logic, they have to invest a lot of time.
Their support needs to be improved. I'm not happy with their support.
For how long have I used the solution?
I have been using this solution for more than a year.
What do I think about the stability of the solution?
For stability, the product must be mature enough. It should not keep on changing every month.
What do I think about the scalability of the solution?
It's scalable. Target points are in my capacity, and I can scale it without any problems. There is no limit to the agents for Defender, but on the server side, Microsoft would have the answer.
Location-wise, we are spread in five locations within one country, and department-wise, we have around 11 departments.
How are customer service and support?
Their support is bad. They weren't at all able to solve my problems. They buy the time but never get back. I have to follow up with them again and again. They just take the logs and sleep on them. I'm not happy with their support. I would rate them one out of ten.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
We were using another solution. Our organization at the time was too much dependent on the on-premises infrastructure. We were using Symantec, but it was a very quick shift within one quarter or two toward the cloud products and services. We are now heavily reliant on Microsoft Cloud products. We have the Azure environment and a lot of cloud applications, and we have shifted to M365 and Sentinel.
How was the initial setup?
We have a hybrid deployment. Within the cloud, it's straightforward, and when it comes to the target points, it's doable.
Our biggest challenge was removing the old Symantec signatures from the registries, devices, and servers. That was what we mainly struggled with a lot. Otherwise, deployment was going very smoothly. We had around 46 virtual machines or servers. The problem was that the MDATP agent was not ready to protect them. We struggled a lot there. We went to Microsoft, and Microsoft said to go back to Symantec, and when we went to Symantec, they asked us to go back to Microsoft. That took a long time for us. Everything else was smooth. When the target point is Windows, it's very smooth.
It took around 20 to 25 working days. In terms of the staff, other than the infrastructure team, there were five people including me.
In terms of maintenance, we have to just work on the detection rules and nothing else. There is no other maintenance. It's a complete cloud solution.
What was our ROI?
It's quite hard to measure the money saved from using this solution because we have not got any attacks that have resulted in any kind of ransom or monetary loss. It's defending us, and as of now, as per my report, there are no financial losses due to any attacks.
What's my experience with pricing, setup cost, and licensing?
Microsoft's pricing differs geographically. We are based in India, and we have India-based licenses. Money-wise, it varies from product to product or OEM to OEM. We pay less for some, and we pay more for some.
Microsoft has a lot of CSPs, indirect partners, and direct partners to deal with customers. There is so much difference in the price, which is something we are a little confused about. For Defender, they have Endpoint Plan 1 and Endpoint Plan 2, but I don't know on what basis they have classified Endpoint Plan 1 and Plan 2, but it has given me enough pain to pick and design Endpoint Plan 1 or Endpoint Plan 2 for my organization. In fact, we are still struggling with it. Too many SKUs are confusing. There should not be too many SKUs, and they shouldn't charge for every new feature.
Which other solutions did I evaluate?
We evaluated Okta products and QRadar.
What other advice do I have?
To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single vendor security suite is always better. It's simple. It saves the time to detect and respond and administer.
This product is best if you have mostly Microsoft solutions in your ecosystem. If more than 20% of your solutions are third-party solutions, you can also look at and compare other products.
Sentinel enables us to investigate threats from one place, but when it comes to response, we have to put a lot of effort into it because Microsoft is not giving anything ready-made on the SOAR side. We have to put a lot of effort into orchestration and automation. The SIEM of it in terms of the collection of security events and information is wonderful, but when it comes to the SOAR capabilities, there is nothing in-built. They are just the analytical rules for the detection purpose, not for the response. The response is something we have to sit and design. So, the defending capabilities of Defender are good. It has some intelligence, but on the response side, Sentinel is blank. We have to start from scratch. It's a circle, and we have to keep on evolving. When comparing the cost, I am not that exposed to other products' costs, but as per my understanding, the cost of Sentinel is a little bit on the higher side because Microsoft generally charges on a log ingestion basis. It also depends on the amount of log data we are ingesting in Sentinel.
Its threat intelligence hasn't helped to prepare us for potential threats before they hit and to take proactive steps because it depends on the type of attack, the type of payload exploits, and other things. However, as per my previous report, in the last six months especially, there have been quite impressive preventive features, especially related to the process memory injection attacks or attacks coming from emails and links. It's very good for those.
Overall, I would rate this solution a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Engineer at Secure Networks
Helps stop advanced attacks, saves costs, and time
Pros and Cons
- "Microsoft Defender is stable."
- "Microsoft Defender is slow to adapt to evolving threats."
What is our primary use case?
Microsoft Defender is used for email protection.
How has it helped my organization?
Microsoft Defender helps stop advanced attacks. We use PII disclosure, we track sensitive data in emails, ransomware, and phishing emails.
Microsoft Defender has saved us costs.
Microsoft Defender has helped save us investigation time.
What needs improvement?
Microsoft Defender is slow to adapt to evolving threats.
For how long have I used the solution?
I was using Microsoft Defender for one and a half years until a month ago when I switched to a different team.
What do I think about the stability of the solution?
Microsoft Defender is stable.
What do I think about the scalability of the solution?
Microsoft Defender is scalable.
Which solution did I use previously and why did I switch?
I previously used Rapid7 InsightIDR for Security Information Event Management and Extended Detection and Response. While InsightIDR offered a user-friendly dashboard for managing detected incidents, its limitation of creating only around 25 custom rules restricted our ability to identify emerging threats. With the ever-evolving threat landscape, I believe a solution with a more adaptable defense system, like Microsoft Defender, is necessary to keep up with the pace of new incidents.
How was the initial setup?
Microsoft Defender was straightforward to set up. It came with a lot of useful documentation to help.
The deployment took almost two months.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender falls within a mid-tier price range compared to other security solutions.
What other advice do I have?
I would rate Microsoft Defender eight out of ten.
Microsoft Defender is well-documented and we can find answers to our questions from the user community.
I recommend Microsoft Defender for organizations that are already using other Microsoft products. Since they're likely within the same ecosystem, integrating Defender for antivirus protection should be a smooth process.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Pre-sales Engineer at Cryon
Helps stop the lateral movement of advanced attacks, provides unified identity and access management
Pros and Cons
- "The integration between all the Defender products is the most valuable feature."
- "The management and automation of the cloud apps have room for improvement."
What is our primary use case?
We use Microsoft Defender XDR to secure all data transfers between the company network, databases, and user devices. It also protects against malware, ransomware, and other security threats.
How has it helped my organization?
Microsoft Defender XDR provides unified identity and access management.
Microsoft Defender XDR can extend beyond to cover more than just Microsoft technology.
The most beneficial aspect of Microsoft Defender XDR is the integration with Office 365.
We can realize the benefits of Microsoft Defender XDR anywhere from two weeks to three months, depending on the organization.
Microsoft Defender XDR stops the lateral movement of advanced attacks.
When a user exhibits suspicious activity, Defender XDR and Microsoft Sentinel work together to provide real-time protection and automation for prevention. This includes threats like insecure connections, lateral movement by malware, and unauthorized email sending. While Microsoft Defender XDR is a powerful solution on its own, combining it with Microsoft Sentinel and automation creates an even more robust defense.
Microsoft Defender XDR helps to discontinue other third-party solutions in our environment.
The cost savings potential of Microsoft Defender XDR depends on the size of an organization and the specific licensing chosen.
Microsoft Defender XDR streamlines security team workflows by offering a unified console for investigation, blocking, and mitigation.
What is most valuable?
The integration between all the Defender products is the most valuable feature.
What needs improvement?
The management and automation of the cloud apps have room for improvement.
For how long have I used the solution?
I have been using Microsoft Defender XDR for 3 years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
The scalability of Microsoft Defender XDR depends on your organization's network for on-premises deployments, but it offers excellent scalability for cloud deployments.
Scaling Microsoft Defender XDR on-premises can lead to network and access control list problems, as well as VPN restrictions.
How was the initial setup?
Microsoft Defender XDR boasts a straightforward setup process. This ease of use stems from its integration with existing Microsoft products. Once we have the appropriate license, we can be up and running quickly. Extensive documentation is available, and Defender XDR enjoys broad industry compatibility. Many other security solutions readily integrate with Defender XDR, opening their products to its robust security features.
The deployment time depends on each environment and can take anywhere from a couple of days to one month.
The number of people required for deployment also depends on the environment and varies between two to eight people.
What's my experience with pricing, setup cost, and licensing?
The price we see for Microsoft Defender XDR is typically the discounted rate we offer to our customers. However, when we bundle Defender XDR with other Microsoft products, the overall bundle price may differ. Despite any initial price considerations, Defender XDR offers excellent value. It's important to compare similar products to make a fair assessment. For organizations already using Microsoft products, which applies to roughly 90 percent of our customers, Defender XDR is easy to set up. Unlike some third-party security solutions, Defender XDR integrates seamlessly with our existing Microsoft environment, eliminating the need for complex identity management configurations and development efforts.
While the standalone price of Defender XDR might seem high, its value becomes clear when considering the ease of implementation and smooth integration with our existing Microsoft infrastructure, especially when bundled with other Microsoft products.
What other advice do I have?
I would rate Microsoft Defender XDR nine out of ten.
Between one and two people are required for maintenance which is conducted twice a month to roadmap Microsoft and check new features.
I recommend thoroughly reading the documentation. Additionally, if there are opportunities to attend Microsoft events, such as a partner workshop focused on Defender, these would be valuable resources. By participating in these activities, you can gain a deeper understanding of what needs to be done within your environment to successfully implement Microsoft Defender XDR.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. reseller

Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2025
Product Categories
Extended Detection and Response (XDR) Endpoint Detection and Response (EDR) Microsoft Security SuitePopular Comparisons
CrowdStrike Falcon
Microsoft Intune
Microsoft Defender for Endpoint
Fortinet FortiEDR
Microsoft Defender for Office 365
Microsoft Sentinel
Microsoft Entra ID
Microsoft Defender for Cloud
SentinelOne Singularity Complete
Microsoft Purview Data Governance
IBM Security QRadar
Cortex XDR by Palo Alto Networks
HP Wolf Security
Elastic Security
Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the best EDR or XDR product for a company with 9000 employees?
- When evaluating Extended Detection and Response (XDR), what aspect do you think is the most important to look for?
- How do you decide about the alert severity in your Security Operations Center (SOC)?
- Which is better for Endpoint Security: EDR or XDR solutions?
- What are the main differences between XDR and SIEM?
- Why is (XDR) Extended Detection and Response important for companies?
- How do you use the MITRE ATT&CK framework for improving enterprise security?
- What tools and solutions do you use for automated incident response in an enterprise in 2022?
- FortiXDR vs Cortex Pro - which is the best?
- What is Cognitive Cybersecurity and what is it used for?