Buyer's Guide
Anti-Malware Tools
March 2023
Get our free report covering CrowdStrike, Microsoft, Darktrace, and other competitors of SentinelOne Singularity Complete. Updated: March 2023.
685,707 professionals have used our research since 2012.

Read reviews of SentinelOne Singularity Complete alternatives and competitors

SimonThornton - PeerSpot reviewer
Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
Real User
Top 5
Provides good visibility and is fairly easy to set up within one tenant, but doesn't support multitenancy and is not as capable as other solutions
Pros and Cons
  • "I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible."
  • "A challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy."

What is our primary use case?

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

How has it helped my organization?

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

What is most valuable?

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

What needs improvement?

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

For how long have I used the solution?

I have been using it for about two years. I've got a couple of customers today with it.

What do I think about the stability of the solution?

Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

What do I think about the scalability of the solution?

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

How are customer service and support?

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

What's my experience with pricing, setup cost, and licensing?

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

What other advice do I have?

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

  • What do your endpoints consist of?
  • Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
  • What is it that you're trying to achieve by taking Defender? 
  • Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSSP
Flag as inappropriate
VP of Info Security at SouthernCarlson, Inc.
Real User
Top 20
Does a good job of reporting when it detects anomalous behavior
Pros and Cons
  • "Morphisec makes it very easy for IT teams of any size to prevent breaches of critical systems because of the design of their tool. When we evaluated Morphisec, the CIO and I sat and listened. What attracted us to them is the fact that it stops activity at the point of detection. That saves a lot of time because now we are not investigating and trying to trace down what to turn off. We have already prevented it, which makes it very much safer and more secure."
  • "Morphisec is a venture startup. They are still early in their growth stage. They need to get mature on their customer support and on how they interface with system tools. For example, they need to get multifactor in place and an API for the major multi-factor systems, e.g., Okta, Duo, Ping, and Microsoft. They don't have them built in yet. They are working on them. It is just not there yet. Also, their stability, customer support, and processes need improvement, which is just part of maturity."

What is our primary use case?

We purchased Morphisec to protect our endpoints from anomalous behavior. The biggest use case would be to prevent ransomware, but also to detect other unnecessary programs running on devices. So, the use case has been endpoint protection, both for servers and endpoints, e.g., laptops and desktops.

We do a multi-layered defense in-depth. They are our primary prevention at the endpoints for anomalous behavior. I would classify it as a preventative tool, since Morphisec blocks and prevents execution. So, I would put it at the preventative layer.

We have agents on all of our endpoints and servers pointing to their cloud instance.

How has it helped my organization?

Morphisec makes it very easy for IT teams of any size to prevent breaches of critical systems because of the design of their tool. When we evaluated Morphisec, the CIO and I sat and listened. What attracted us to them is the fact that it stops activity at the point of detection. That saves a lot of time because now we are not investigating and trying to trace down what to turn off. We have already prevented it, which makes it very much safer and more secure.

What is most valuable?

The biggest feature is its ability to prevent. Here is the interesting thing with a tool like Morphisec. You implement it almost as an insurance policy. If it works, nothing happens. If it fails, you have bad things occurring. So far, nothing terrible has happened. It does a good job of reporting when it detects anomalous behavior so we can research it. However, the key is that we can research in a much calmer fashion, since we do not need to uninstall because it blocks the activity.

What needs improvement?

Morphisec is a venture startup. They are still early in their growth stage. They need to get mature on their customer support and on how they interface with system tools. For example, they need to get multifactor in place and an API for the major multi-factor systems, e.g., Okta, Duo, Ping, and Microsoft. They don't have them built in yet. They are working on them. It is just not there yet. Also, their stability, customer support, and processes need improvement, which is just part of maturity.

For how long have I used the solution?

My company has been using Morphisec since mid-December of 2020.

I have been aware of Morphisec since I worked for Optiv and met one of the key sales people back in 2015 or 2016. When I was at that company, I was a consultant helping companies with their roadmaps. So, we connected there and got Morphisec introduced to Optiv, the company I was working with then, who is also a VAR. Therefore, it was getting the product in via another sales route or sales channel.

What do I think about the stability of the solution?

It takes less than one person to deploy and maintain the solution. So far, we have not had to do maintenance. The biggest thing that we are working with Morphisec right now on is the multi-factor interface enhancement.

What do I think about the scalability of the solution?

We have had no issues with scalability. It's worked fine.

We have probably 10 people between our help desk, Tier 2, and executives accessing the system and using the dashboards, which has been pretty straightforward and easy to do.

In the system, our IT people research alerts. We get a daily report of all the events from the prior day. If there was a critical alert, the help desk will go out and research to see if they need to do anything with the endpoint. They have to go into the system to monitor and look at it. If we are running into an issue on a particular server and endpoint, we may go out there to see if there was any indication of an issue or if the actual agent is causing a problem. We have yet to find that the agent is causing a problem, but that is why they potentially would go out there.

It is on every endpoint, e.g., laptops, desktops, and servers, which is pretty extensive. We may expand into their incident response process and a number of other things that we can use them for, but that will be evaluated as we go into our budget cycle at the end of the year.

How are customer service and technical support?

I would rate Morphisec technical support as eight out of 10. They have just been very responsive. They are very strong at follow-up. They won't close tickets until we tell them to. They are very much a customer service focused group. They have been very good at tech support, providing knowledge, information, etc.

Which solution did I use previously and why did I switch?

Morphisec makes use of deterministic attack prevention that doesn’t require investigation of security alerts. We didn't have a protection layer prior to Morphisec, so we added it. The key is the amount of work by the team is minimal. So, it did not increase our workload. We did not have to add staff. It has been a positive benefit that way.

This solution was an additive layer that we didn't have before. So far, it has been successful in the sense that it has not caused us to add resources. So, we have been able to get layer protection without additional expense, in terms of staff. That is a good thing.

How was the initial setup?

The initial setup was very straightforward. It was simple to install the agent. They provided good support. It was just a push, then it just took minutes to get the process rolling. We could monitor how well it rolled out, and they were there to support us. This was one of the easiest that we have ever done.

The deployment took a day or two in total actual work time, so we could confirm it reporting in on the dashboard. 

It probably took us a week or two to get it rolled out to all the devices because of our change control windows. 

We put it in the most conservative setting that we could for prevention. We did roll through certain applications for the logic of what not to include, but they had a pretty good baseline for what we should reference. We then just pushed the agents with some logic on the change windows. So, we did all the desktops and laptops first, then the servers. It was a pretty straightforward implementation.

What was our ROI?

Morphisec helps us save money on our security stack. We probably would have spent $100,000 more on a different solution. So, it did save us on that expense.

What's my experience with pricing, setup cost, and licensing?

It is an annual subscription basis per device. For the devices that we have in scope right now, it is about $25,000 a year.

Which other solutions did I evaluate?

We also evaluated CrowdStrike, Cylance, and SentinelOne. CrowdStrike and Cylance were way too expensive. You could also throw in Sophos and Symantec in there. All those were too expensive and burdensome. SentinelOne was interesting. We were able to get better pricing and better access to the top people at Morphisec, and that is why we went with Morphisec.

We do not use Morphisec for antivirus at this time. We are using another tool for antivirus, but we will look at Morphisec Guard when that license is up.

What other advice do I have?

Don't overthink it. Just do it. Follow the directions of Morphisec and go for it, but make sure you understand what your application stack is before you go full bore, so you don't create false positives. However, they are easy to work with in those terms.

The reality is nobody ever gets to a single pane of glass or a single dashboard. Those claims are made by vendors, even Morphisec will make it. The problem is you have so many layers in your security stack that you will never get to a single pane of glass. So, I never have that as a requirement because I know it is not attainable.

We do not have Microsoft Defender in place, but so far it is providing visibility for what it is installed on.

While I have known of the company since 2016, they are still a startup. They are still equity-backed. I don't know where they are going to end up, but right now I am confident that they have good backing and financial resources. They got a new round of funding just after the first of the year. That is always a good sign.

Biggest lesson is the amount of discipline required in our company to stay current. Morphisec highlights breakdowns that we have in process and procedure, which is a good thing, but it's highlighted to us that we need to be a little bit more disciplined.

I would rate Morphisec as nine out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PratikSavla - PeerSpot reviewer
Principal Product Security Officer at a tech vendor with 201-500 employees
Real User
Top 5
It gave us more substantial visibility into our security, helping us increase our overall security posture and manage risks throughout the entire organization
Pros and Cons
  • "The vulnerability reporting is helpful. When we initially deployed Defender, it reported many more threats than we currently see. It gave us insight into areas we had not previously considered, so we knew where we needed to act."
  • "Microsoft sources most of their threat intelligence internally, but I think they should open themselves up to bodies that provide feel intelligence to build a better engine. There may be threats out there that they don't report because their team is not doing anything on that and they don't have arrangements with another party that is involved in that research."

What is our primary use case?

Defender acts as a CSPM solution, a post-share management solution for cloud security. We use it to find weak spots in our cloud configuration and strengthen the overall security posture of our cloud environment. With this particular tool, we seek to protect workloads across various environments. We have about 3,000 endpoints and 100 users in the United States alone. 

How has it helped my organization?

Defender gave us more substantial visibility into our security, helping us increase our overall security posture and manage risks throughout the entire organization. It helps us make decisions about specific kinds of risks. If we see a glaring vulnerability, we can determine whether this is an acceptable risk or something that requires urgent action. The risk level determines our investment and budgeting, and the amount of work needed to remedy that. It provides a lot of valuable information for informing our comprehensive risk management strategy.

The solution does a pretty good job of finding previously unknown threats. It helps keep us aware of the kinds of threats that are out there and how we could potentially be impacted. Defender gives us a high level of information about unknown or zero-day threats. It's sometimes hard to gauge whether everything is there because the report is customized based on our infrastructure and what might be pertinent to us.

They've always notified us when there was a zero-day threat. I think there have been a few instances where they altered us about a new threat before it was publicized, which is a good sign that they value us as a customer. They've warned us about something before releasing it to the wider public.

Defender improved our SOC efficiency and saved us from having to add more personnel on the SOC side. It definitely improved that whole area, giving us the bandwidth to work on other things. Defender reduced our detection time because they are proactive about notifying us. I haven't seen too much of a time lag. There were a few instances, but it was never something critical where we had to call them out and ask if this was an issue or something. 

Time-to-response has also gone down. The sooner we get the notification, the quicker we can jump on something. It helped us respond to any potential breach or attack faster. 

It also saved us money because we don't need to deploy a second product to get some additional coverage. It also saved us from adding more security staff. Overall, it has had a positive financial impact on the company. 

What is most valuable?

The vulnerability reporting is helpful. When we initially deployed Defender, it reported many more threats than we currently see. It gave us insight into areas we had not previously considered, so we knew where we needed to act.

Defender's ability to protect multi-cloud environments is essential for us. Our company's offerings are based on tasks, and these cloud service providers are critical infrastructure for us. If anything bad happens, it compromises our services. We need to understand and improve our posture.

It also seamlessly integrates with Sentinel. It was fairly easy because we already leveraged Microsoft 365 earlier, so adding the Sentinel piece was pretty quick. It took a day to figure out and go ahead with the actual deployment. This integration with 365 and Sentinel provided timely intelligence over time. It becomes a problem if we don't get a threat notification in time. They are highly proactive about delivering that information in the initial alert and backing it up with more details as the situation develops.

Microsoft has a relatively sizeable threat-hunting group constantly digging up many things. That helps because it gives us confidence if we face some threats that not many other players are exploring. With this particular product, we're confident they'll let us know where we stand. 

What needs improvement?

Microsoft sources most of their threat intelligence internally, but I think they should open themselves up to bodies that provide feel intelligence to build a better engine. There may be threats out there that they don't report because their team is not doing anything on that and they don't have arrangements with another party that is involved in that research. 

Opening up to more collaboration with different entities in the private or public sector would help them feed more information to the customers and improve their security posture. More partnerships with other players who can feed them intelligence will help them develop the engine powering this product, ultimately benefiting every customer who uses it. 

For how long have I used the solution?

I have been using Defender for Cloud for about a year and a half. 

What do I think about the stability of the solution?

We've had a positive experience overall with Defender's unified portal. We seldom see any bugs. Sometimes, there is a lag in the reporting and some inconsistencies with our searches, but it's rare. There were some periods when their service was not running properly.

While there hasn't been a significant outage, we've experienced some performance degradation where Microsoft notified us that they were having a problem. They informed us ahead of time when there are issues, but I've never had a complete outage thus far. 

What do I think about the scalability of the solution?

Defender for Cloud is scalable, given the licensing model. The performance doesn't suffer under a heavy workload. Many organizations I know have a massive workload, and they're still leveraging Defender without any issues. I rate Defender an eight out of ten for scalability.

How are customer service and support?

I rate Microsoft support an eight out of ten. Their support is great, so we have no complaints. They were responsive when we had issues.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used SentinelOne only for endpoint threat detection. That's probably the closest competitor. We haven't used any other solutions besides that. 

How was the initial setup?

Setting up Defender for Cloud was relatively straightforward. We worked with a person assigned from Microsoft, who gave us a walkthrough of the steps we needed to take.

Defender doesn't require much maintenance after deployment other than a few pieces of infrastructure we have internally. We need to monitor the solutions to check alerts and security advisories, but we've never had to deal with any maintenance.

What about the implementation team?

We ended up using a reseller. They were good. I used them for other vendors, and we've had a productive relationship working on multiple initiatives. This one was nothing new. 

What's my experience with pricing, setup cost, and licensing?

They have a free version, but the license for this one isn't too high. It's free to start with, and you're charged for using it beyond 30 days. Some other pieces of Defender are charged based on usage, so you will be charged more for a high volume of transactions. I believe Defender for Cloud is a daily charge based on Azure's App Service Pricing. 

It's a negligible cost if your usage isn't that high, like a few cents. It's appealing for people to try it. If you don't plan to use it much, you won't have a high bill.

Which other solutions did I evaluate?

Other options were considered, but it came down to the level of value we would get from a holistic vulnerability intelligence product like Defender for Cloud. Also, Microsoft products are pervasive, with a much broader customer base. That was a deciding factor. We saw much more potential from Defender compared to the alternatives. Even though the competition solutions may have functioned better in terms of providing more intelligence, other factors weighed in favor of Microsoft Defender.

What other advice do I have?

I rate Microsoft Defender for Cloud an eight out of ten. I recommend doing a PoC. You shouldn't implement something after only reviewing the documentation and marketing materials. Put it through a PoC for a month at least to get a feel for how it functions and whether it satisfies your requirements. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Director, Information Technology at a tech services company with 11-50 employees
Real User
Top 5
Frequent updates, plenty of features, and effective threat avoidance
Pros and Cons
  • "What I have found to be valuable is after every new release of the solution there are more features. At the time that we bought Bitdefender GravityZone, it was their top solution. We went from their Enterprise version to Elite, Elite HD, Ultra, and now there is an Ultra Plus available."
  • "I have not had used the EDR portion of the solution to do any custom scripting to allow further advanced operations on the endpoints. From what I understand from reading the comments on reviews is that it is not particularly flexible in this regard."

What is our primary use case?

We use this solution for advanced protection against threats for our endpoints.

What is most valuable?

What I have found to be valuable is after every new release of the solution there are more features. At the time that we bought Bitdefender GravityZone, it was their top solution. We went from their Enterprise version to Elite, Elite HD, Ultra, and now there is an Ultra Plus available. 

Overall the solution is working well, it can be a little intense and thorough at times, but I would rather have it be a little bit more thorough than not detect what it is supposed to. We have been running the solution for a long time through various versions and we have not had any viruses or malware breaches.

When comparing this solution to others it performs just as well as the majority of the top-level alternatives.

What needs improvement?

The whole suite is unlike most AV consoles, which will inform you when there is an infection or threat, for some inexplicable reason Bitdefender does not do that. The most you will receive is an hourly update or possibly if there is an outbreak that affects 30% of your machines, an email. There is no real-time alerting to inform the user there was a potential attack that recently happened on their system. They could improve by having real-time reporting which is important.

I have not had used the EDR portion of the solution to do any custom scripting to allow further advanced operations on the endpoints. From what I understand from reading the comments on reviews is that it is not particularly flexible in this regard.

Sandbox Analyzer is a feature that comes as part of the Bitdefender GravityZone Ultra Suite. It will start automatically unless you want to manually submit something which I have rarely done. When the feature is in use I do not get a reading back from the analyzer right away, it lacks real-time functionality. For example, if I was executing an admin tool and it was blocked because the Sandbox Analyzer wants to look at it on my local machine, it might take 10 minutes before I can successfully then launch that application to use it. The time it takes to analyze the software is too long. We are busy people and we end up just turning off the detection to allow the use of the program.

For how long have I used the solution?

I have been using the solution for approximately five years.

What do I think about the stability of the solution?

Bitdefender has been stable and reliable, there are a few key areas I always look for in an endpoint security platform. A few of them are, how much burden does it put on the endpoint, does it uses more than 10% of the system resources in order to function. If it does not then it is a pretty well-balanced client, it allows the systems to continue to perform at the appropriate level. If it catches a very high percentage of threats, it is doing what you bought it to do, and it does not give off a lot of false positives. However, in the EDR portion, you will receive more false positives, but outside of the EDR component with the client itself, if it has few false positives for viruses and malware detection that is good.

What do I think about the scalability of the solution?

They have done a decent job with scalability. The way they have their policies constructed and the ability to manage them. 

I think that the biggest challenge for Bitdefender is simply to move out of the SMB space and really become an enterprise platform.

How are customer service and technical support?

I have been in contact with technical support a few times. They are not the worst or the best. They provide an average quality level of support.

I rate Bitdefender GravityZone Ultra technical support a seven out of ten.

Which solution did I use previously and why did I switch?

We previously used Sophos and I recall, Sophos released an update for the AV software that destroyed the AV software on every endpoint that ingested it. It was a huge debacle and it took a long time to resolve because it left the solution in a state where you could not repair it, remove it, or update it. 

How was the initial setup?

The installation is straightforward, simple to understand and manage. 

What's my experience with pricing, setup cost, and licensing?

Bitdefender GravityZone Ultra is less expensive than other solutions, such as CrowdStrike. We had a really good deal because it was their year-end and they were trying to do a lot of sales that week. We bought a three-year contract from them and the cost was approximately $17 per endpoint, per year. It is was a very good price. I have spoken to other people who have purchased CrowdStrike at approximately $60 per endpoint, per year. I have no complaints about the price of this solution.

Which other solutions did I evaluate?

I put a lot of weight on third-party benchmark reviews and Bitdefender always reviews well overall on the spectrum. They review better even when compared to NSS Labs, MITRE, AV-Comparatives, and others. Bitdefender and Kaspersky both typically are the two solutions that are at the top month after month. There are the new technology solutions that are raved about often, such as SentinelOne, Cylance, and CrowdStrike, but they seldom review as well when it comes to defined tests where they test X amount of malware or types of attacks. It has been much harder to get independent confirmation of the efficacy of the new next-generation endpoint solutions than it has been to get the efficacy of the old generation products.

I am currently evaluating CrowdStrike and we considering moving to it once our Bitdefender contract is done.

What other advice do I have?

For those wanting to implement this solution, I would advise them it is worth it and to test it out.

I rate Bitdefender GravityZone Ultra a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Analyst - Desktop at a manufacturing company with 501-1,000 employees
Real User
Top 20
Managing multiple machines is a pain, but support is top notch
Pros and Cons
  • "It prevents our users from circumventing security. Everything is password protected so they can't get into it. They can't uninstall it. They can't do anything."
  • "It needs improvements in its EDR and its ability to manage all the nodes. I'd like better communication between the console and the nodes, so I don't have to remote into each individual machine that's having an issue with the protection."

What is our primary use case?

We use it for our endpoint security solution for 1,000 machines worldwide. We're one of the largest machine shops in the world. In just one building, I've got over 500 machines in there. Some of them are old and come from the World War II era. Some of my machines, like my laser hole poppers, are still running Windows 3.1. I've got a lot of older lathes and mills that are running Windows 95 and Windows 98.

How has it helped my organization?

It hasn't improved our company in any way. Panda is the most painful endpoint solution I've ever had to work with except SentinelOne. With Panda, if the protection is turned off or there is a problem on a machine, you have to access that machine remotely to fix it. You can't fix it via the console. I'm the network admin and security admin at my company I don't have the bandwidth to babysit an endpoint solution. 

What is most valuable?

It prevents our users from circumventing security. Everything is password protected so they can't get into it. They can't uninstall it. They can't do anything. 

What needs improvement?

It needs improvements in its EDR and its ability to manage all the nodes. I'd like better communication between the console and the nodes, so I don't have to remote into each individual machine that's having an issue with the protection. The console's intended purpose is to manage and I've got half the management capabilities in their console. I've got almost 1,000 machines worldwide. As one person, I don't have the capacity to take care of this.

For how long have I used the solution?

We adopted this one about three years ago.

What do I think about the scalability of the solution?

It's good for all platforms— iOS, Windows, Android, Linux—so its scalability is there.

How are customer service and technical support?

Technical support has always been top-notch when you can get through. Sometimes you're on hold for up to an hour, but their technical support has always been able to address the issue and get it resolved within 48 hours.

Which solution did I use previously and why did I switch?

Prior to Panda, we had SentinelOne. Panda is a lot less work than SentinelOne in our environment. We still use a lot of Excel macros. We've got applications that we created ourselves and are unsigned. We work with machines with extremely old operating systems, and these things run off of applications that we have built in-house. SentinelOne wanted to shut down the applications so that the machines couldn't connect. It was costing us money. I can't give SentinelOne a bad review just because of our environment. Our environment is very unique, so it's not fair to SentinelOne. But at the same time, we just weren't made for each other. 

How was the initial setup?

The setup is pretty easy. Deployment takes less than an hour. It's typically connected to the console, so it has already downloaded the latest and greatest updates or file hashes. Creating groups and policies for those groups can be a little complex but once you've got all that figured out, then you're good. The console needs a lot of help. Even downloading the installer for a new deployment on a PC is not very straightforward. 

What about the implementation team?

I have an in-house team. I've got two help desk guys that I've had to train to use the Panda tenant. I don't even know if they're doing it anymore — touching every machine that has a problem with the protection.

What's my experience with pricing, setup cost, and licensing?

I don't think Panda's license is too expensive, but they're charging more than it's worth. It's a yearly license. For 1,000 endpoints, it's around $18,000. 

Which other solutions did I evaluate?

We're considering switching to something else. Right now we're looking at ESET Endpoint Security and Trend Micro Apex One. Panda's EDR is rudimentary, so we're looking to upgrade because our insurance policy is asking us to find something better. Right now, we're leaning toward Trend because they're telling me that I can do everything from the console with their solution. That was the biggest pain with Panda.  

What other advice do I have?

I'd rate Panda five out of 10. I give it that high just because it does work to some extent and it's cost-effective. My attitude toward Panda is 50/50. I get probably 10 or 15 emails a day complaining that machines lack protection. But if the console can detect the machine and knows that it's lacking protection, then my logic says, "Update it." But for whatever reason, I have to manually do it again. It's painful. It shouldn't be as expensive as it is. And I think it's going to be a lot more expensive now that WatchGuard owns it. Hopefully, they make a lot of good changes, but I've had enough with Panda.

Another thing to note about Panda is that I haven't seen anything in the documentation about compliance with GDPR regulations. I've got 11 locations in Europe, and we're going to have a GDPR tenant for the most stringent country or area. So even being in the US, I'll have to abide by European GDPR here in the US for all the locations to share one tenant. Otherwise, we'd have to have multiple tenants, which will cost us more money and be more of a hassle to manage. 

Before you install it, do a 90-day proof of concept. Thirty days is too short. You need to see the failing endpoints and what you have to do to fix it.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Anti-Malware Tools
March 2023
Get our free report covering CrowdStrike, Microsoft, Darktrace, and other competitors of SentinelOne Singularity Complete. Updated: March 2023.
685,707 professionals have used our research since 2012.