The solution is used for XDR (extended detection and response), threat hunting, endpoint protection, and device filtering. It works wonderfully to defend endpoints against malware, ransomware, and malicious scripts. The solution's machine learning capabilities are wonderful. We tested them extensively, and deploying it to several hundred machines was easy. The solution can be extended to protect against AI-driven attacks, deepfake videos, and deepfake emails.

The email protection module has a writing style analyzer. You can pinpoint the most important entities or people in the company, and the tool learns how they write and communicate from their emails. This protects against business email compromise, and that's a very useful feature. It's a statistical analyzer based on machine learning that observes how you communicate. It needs time, but you can speed up the learning by letting it see more emails. However, it's more useful if it works with current emails, not just old ones. You should give the tool two weeks on current emails, and after two weeks you can close the learning mode. The solution alerts if it thinks a business email has been compromised, but you have to give it those two weeks before it can reliably say whether a message was written by the actual user or is a fake.

Trend Vision One Endpoint Security provides a single console for cross-layer detection, threat hunting, and investigation. It collects and shows, through alerts, what is connected across the other modules. When something happens on an endpoint that originated from an email the user clicked on, the tool can pinpoint where the email came from and who else in the company received it. You can block, delete, or quarantine those emails before other users click and open them. You can see all the network activity that was performed or attempted.
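As an added illustration of the writing-style idea above (this is example code written for this page, not Trend Micro's Writing Style DNA or any of its internals), the block below builds a toy stylometric profile for one sender from a handful of constructed mails and then scores new mails by how far they drift from that baseline. It shows the learning window the review describes: the profile refuses to give a verdict until enough samples have been seen. The feature set, the `STD_FLOOR` and `SUSPICION_THRESHOLD` values, and all mail texts are assumptions made up for the example.

```python
"""
Added example (not Trend Micro's code): a toy stylometric sender profile.
Learns lexical habits from known-good mails, then flags mails that are far
out of character. Features and thresholds are illustrative assumptions.
"""
import re
import statistics
from collections import Counter

# Function words whose relative frequency is a classic authorship signal (assumed set).
FUNCTION_WORDS = ("the", "and", "to", "a", "of", "please", "thanks", "i", "you", "we")
STD_FLOOR = 0.05            # avoid dividing by ~0 for features with no training variance
SUSPICION_THRESHOLD = 3.0   # mean |z| above which a mail is called out of character


def style_features(text: str) -> dict:
    """Cheap lexical features: word/sentence length, punctuation, function-word rates."""
    words = re.findall(r"[a-z']+", text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n_words = max(len(words), 1)
    n_sent = max(len(sentences), 1)
    counts = Counter(words)
    feats = {
        "avg_word_len": sum(len(w) for w in words) / n_words,
        "avg_sent_len": n_words / n_sent,
        "exclaim_per_sent": text.count("!") / n_sent,
        "digit_rate": sum(c.isdigit() for c in text) / max(len(text), 1),
    }
    for fw in FUNCTION_WORDS:
        feats["fw_" + fw] = counts[fw] / n_words
    return feats


class SenderProfile:
    """One sender's baseline; gives no verdict until the learning window is full."""

    def __init__(self, min_samples: int = 5):
        self.min_samples = min_samples
        self.samples = []

    def learn(self, text: str) -> None:
        self.samples.append(style_features(text))

    def ready(self) -> bool:
        return len(self.samples) >= self.min_samples

    def score(self, text: str):
        """Mean absolute z-score across features, or None while still learning."""
        if not self.ready():
            return None
        feats = style_features(text)
        total = 0.0
        for name, value in feats.items():
            column = [s[name] for s in self.samples]
            mean = statistics.fmean(column)
            std = max(statistics.pstdev(column), STD_FLOOR)
            total += abs(value - mean) / std
        return total / len(feats)

    def is_suspicious(self, text: str):
        s = self.score(text)
        return None if s is None else s > SUSPICION_THRESHOLD


# Constructed training mails in one executive's voice (made up for this example).
KNOWN_GOOD = [
    "Hi team, please find the Q3 figures attached. Let me know if you have questions. Thanks, Anna",
    "Hello all, please review the budget draft before Friday. We can discuss it in the meeting. Thanks, Anna",
    "Hi Mark, thanks for the update. Please send the signed copy to legal when you have a moment. Anna",
    "Hello, please note the board meeting moves to Tuesday. I will share the agenda tomorrow. Thanks, Anna",
    "Hi all, thanks for the hard work on the audit. Please keep the files in the shared folder. Anna",
    "Hi Lena, please book the room for the review. Let me know if you need anything from me. Thanks, Anna",
]
GENUINE_NEW = "Hi team, please send me the final report by Monday. Let me know if you need more time. Thanks, Anna"
IMPOSTOR_NEW = "URGENT!!! I need you to wire 48,000 to the account below right now!!! Do not call me, I am in a meeting!!!"


def demo() -> dict:
    """Run the learning window, then score a genuine and an impostor mail."""
    profile = SenderProfile(min_samples=5)
    during_learning = profile.is_suspicious(GENUINE_NEW)  # None: too early to judge
    for mail in KNOWN_GOOD:
        profile.learn(mail)
    return {
        "during_learning": during_learning,
        "genuine": profile.is_suspicious(GENUINE_NEW),
        "impostor": profile.is_suspicious(IMPOSTOR_NEW),
        "genuine_score": profile.score(GENUINE_NEW),
        "impostor_score": profile.score(IMPOSTOR_NEW),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `ready()` is the review's two-week rule: with too few samples the per-feature variance is meaningless, so the profile returns `None` rather than a confident verdict. A real product uses far richer features and a trained model; the mechanics of "learn a baseline, then measure drift" are the same.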
You can also see, through URL filtering, where they tried to communicate and what they dropped. In the solution's new version, a privileged user has access to a predictive attack vector. The single console's end-to-end visibility has reduced our response time because we have automated responses called playbooks. You can decide whether the probability is low, medium, or high and whether the detection comes from an email or a file. You can also decide whether to block the user, kill the process, send an email, or automatically create a workbench to see what happened and what the case was. You can generate workbenches manually for hunting, but with the automation playbooks it responds faster automatically.

The customer bought and managed the MDR (managed detection and response) service. Other professionals bought this managed service for all the products. For the price of one SOC analyst a year, a medium-sized bank got 24/7 service with extra help. It was pretty cheap compared to competitors, or to the fine they would have to pay if something happened and they could not report it in a timely manner. They wanted to make sure they had double protection.

The solution's end-to-end visibility has reduced our response times. If something happens, the automation handles it pretty fast. Everything is filtered, and the workbenches are created automatically. There's also an auto-response: if something happens, we can block the user or disable the user's Active Directory account, kill the process, or isolate the machine. It happens almost in real time when the detection fires. Still, we have the option to only raise alerts when the machine or user is too important to block or isolate automatically; you just want to see what happens in the console. If somebody is online, the response takes ten minutes or so. Users have to learn the solution because it's a bit complex.
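To make the playbook logic above concrete, here is an added example (written for this page, not Trend Vision One's playbook engine or its API) of a small rule evaluator: a detection carries a confidence level and a source, the matching playbook with the strictest confidence requirement wins, and hosts or users on a protected list get the disruptive actions stripped so the detection is alert-only, as the reviewer describes for machines too important to isolate. The playbook names, action names, and the protected-asset sets are assumptions for illustration.

```python
"""
Added example (not Trend Micro's playbook engine): map a detection's
confidence and source to response actions, with an alert-only carve-out
for assets marked too critical to block or isolate automatically.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Actions that disrupt a user or host; never run automatically on protected assets.
DISRUPTIVE = {"kill_process", "isolate_host", "disable_ad_user"}

# Assumed protected assets (constructed names for the example).
PROTECTED_HOSTS = {"dc01", "erp-db01"}
PROTECTED_USERS = {"cfo.anna"}


@dataclass(frozen=True)
class Detection:
    confidence: str          # "low" | "medium" | "high"
    source: str              # "email" | "file" | "process"
    host: str
    user: str
    process_id: Optional[int] = None


@dataclass(frozen=True)
class Playbook:
    name: str
    min_confidence: str
    sources: Tuple[str, ...]
    actions: Tuple[str, ...]   # executed in order


# Constructed playbooks; action names are illustrative, not product identifiers.
PLAYBOOKS = [
    Playbook("email-high", "high", ("email",),
             ("create_workbench", "quarantine_email_for_all_recipients",
              "disable_ad_user", "isolate_host", "notify_soc")),
    Playbook("file-high", "high", ("file", "process"),
             ("create_workbench", "kill_process", "isolate_host", "notify_soc")),
    Playbook("any-medium", "medium", ("email", "file", "process"),
             ("create_workbench", "notify_soc")),
]


def is_protected(det: Detection) -> bool:
    return det.host in PROTECTED_HOSTS or det.user in PROTECTED_USERS


def respond(det: Detection, playbooks=PLAYBOOKS) -> List[str]:
    """Return the ordered list of actions to execute for one detection."""
    matched = [
        p for p in playbooks
        if det.source in p.sources
        and CONFIDENCE_RANK[det.confidence] >= CONFIDENCE_RANK[p.min_confidence]
    ]
    if not matched:
        # Low confidence: just surface it in the console for a human.
        return ["notify_soc"]
    # Several playbooks can match; take the one with the strictest requirement.
    best = max(matched, key=lambda p: CONFIDENCE_RANK[p.min_confidence])
    actions = list(best.actions)
    if is_protected(det):
        # Keep investigation and notification, drop anything disruptive.
        actions = [a for a in actions if a not in DISRUPTIVE]
        actions.append("alert_only_protected_asset")
    return actions


if __name__ == "__main__":
    for det in (
        Detection("high", "file", "ws-042", "jdoe", process_id=4412),
        Detection("high", "email", "erp-db01", "jdoe"),
        Detection("medium", "email", "ws-007", "lena"),
        Detection("low", "file", "ws-008", "mark"),
    ):
        print(det.confidence, det.source, det.host, "->", respond(det))
```

The carve-out is evaluated after playbook selection rather than by writing separate playbooks per asset, so adding a host to `PROTECTED_HOSTS` cannot accidentally leave it covered by an older, more aggressive rule.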
The solution is pretty straightforward; the problem is not the tool's usage but who works with it. Suppose a helpdesk person or an operator gets the alarms for user laptops. It's not about where to click, how to use it, or which user is involved, because that's super easy: it shows the username and where the user is logged in on other computers. You have all the information from the company if it's a clean alert. Sometimes they have to verify the technical background. Based on the alerts, the knowledge base, and the preview setting, Trend Micro users can chat with an AI to find out how serious the problem is.

Suppose there is software that behaves badly and gives a false positive because it's poorly written. You excluded it on other machines or decided not to quarantine it because you know it is problematic. Then a new version of the software arrives and is blocked again. The AI can learn that this has happened before in your environment, so it could be a false positive. You can chat with the AI there and ask about the context. If you are in the workbench environment, you can ask about a user, and it will analyze. Previously, it was not so great. However, it's much better and more mature now because it has learned a lot from the company and what has happened inside it. They could also have just developed a new version.

It's very easy to administer Trend Vision One Endpoint Security. The solution provides consolidated security across hybrid environments because users don't have to buy tools from three different vendors. Previously, there was an antivirus, an EDR, and a CM to analyze. They kept the CM because they had already paid for it. The email protection was separate. Right now, they see everything, including email protection, server protection, desktop or PC protection, and XDR. All the protection for PCs, servers, and emails by both modules happens from the same console.
Threat hunting happens in the same console because all the logs are there. They have everything in one console, including email protection, threat hunting, and server protection. They will introduce mobile protection from Trend Micro, which is XDR for mobile. All the threat hunting can happen there: if something happens on one device, you can see the user's full context in one console.

There is a risk analysis for the C-level. It's the overall risk index, and it calculates the actual state. There is also a module the customer didn't buy because they had already bought a tool for that. This module is more accurate and detailed, because the default risk index only shows you the overall risk or the ten most risky PCs and users. Attack Surface Risk Management (ASRM) is the more detailed module. It calculates the risk differently depending on whether you are inside the company network, on the road with a laptop on free Wi-Fi, or at home without patches. If you have marked a system as very important, and a user who connects to it is not patched correctly, that user gets a higher risk. Another user who misses the same patches but doesn't have access to critical systems gets a lower index, because the impact will not be so high if that user is compromised. A privileged user, however, gets a higher index. It's not just watching software versions and configuration options; it also benchmarks the user's context and learns with AI as well.

The PC product includes 300 of the most widely used virtual patches for ongoing attacks. For example, if there is a new Microsoft Remote Desktop bug, it provides a virtual patch. If the real patch is missing on your system, the virtual patch is used and you get an alarm if somebody tries to exploit it. Even if you don't need the patch, you can see when an unmanaged computer on the network is trying to attack it.
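The risk-index behaviour described above (same missing patches, different score depending on network location, privilege, and reachability of critical systems) is easier to see as a worked scoring model. The block below is an added example written for this page, not ASRM's actual scoring; the weights in `NETWORK_EXPOSURE`, the likelihood and impact formulas, and the endpoint inventory are constructed assumptions. It also produces the "top N riskiest hosts" list the review mentions for the default index.

```python
"""
Added example (not Trend Micro's ASRM scoring): a contextual risk index
that multiplies exposure (missing patches, where the device is connected)
by impact (privilege, access to systems marked critical). All weights are
illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Assumed multipliers: off-network devices are easier to reach and attack.
NETWORK_EXPOSURE = {"corporate": 1.0, "home": 1.3, "public_wifi": 1.6}


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    user: str
    missing_patches: int
    network: str                                   # key of NETWORK_EXPOSURE
    privileged: bool = False
    critical_systems_reachable: FrozenSet[str] = field(default_factory=frozenset)


def likelihood(ep: Endpoint) -> float:
    """Exposure side: grows with unpatched software and hostile networks, capped at 10."""
    return min(10.0, (1 + ep.missing_patches) * NETWORK_EXPOSURE[ep.network])


def impact(ep: Endpoint) -> float:
    """Impact side: what an attacker gains if this user/device is compromised, capped at 10."""
    score = 1.0
    if ep.privileged:
        score += 3.0
    score += 2.0 * len(ep.critical_systems_reachable)
    return min(10.0, score)


def risk_index(ep: Endpoint) -> float:
    """0..100 index: the same patch gap scores higher for users who can do more damage."""
    return round(likelihood(ep) * impact(ep), 1)


def top_hosts(endpoints: List[Endpoint], n: int = 10) -> List[str]:
    """Hostnames of the n riskiest endpoints, most risky first."""
    ranked = sorted(endpoints, key=risk_index, reverse=True)
    return [ep.hostname for ep in ranked[:n]]


# Constructed inventory (names and numbers made up for the example).
WS_STANDARD = Endpoint("ws-101", "jdoe", missing_patches=3, network="corporate")
WS_ADMIN = Endpoint("ws-102", "admin.kim", missing_patches=3, network="corporate",
                    privileged=True, critical_systems_reachable=frozenset({"erp-db01"}))
LT_ADMIN_WIFI = Endpoint("lt-007", "admin.kim", missing_patches=3, network="public_wifi",
                         privileged=True, critical_systems_reachable=frozenset({"erp-db01"}))
SRV_PATCHED = Endpoint("srv-db01", "svc.backup", missing_patches=0, network="corporate",
                       privileged=True, critical_systems_reachable=frozenset({"erp-db01", "hr-db"}))
SAMPLE_ENDPOINTS = [WS_STANDARD, WS_ADMIN, LT_ADMIN_WIFI, SRV_PATCHED]


if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(f"{ep.hostname:10} {ep.user:12} L={likelihood(ep):4.1f} I={impact(ep):4.1f} risk={risk_index(ep)}")
    print("top:", top_hosts(SAMPLE_ENDPOINTS, 2))
```

Note that a fully patched host still carries non-zero likelihood (the `1 +` term), so a privileged, well-patched server is never reported as zero risk; the model just ranks it below an unpatched admin laptop on public Wi-Fi.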
There is another virtual patching system for servers in the server product, which is the cloud one and needs an extra license. It provides host IPS and analyzes traffic as well. If you have vulnerable systems, it automatically applies virtual patches, but it's an extra license for the servers. If it sees that you have a vulnerable Java application with an old Java version, it activates the virtual patches for those vulnerabilities. However, once you patch, the virtual patch turns off automatically by default so it doesn't consume resources. So it can all be automated.
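The automatic on/off behaviour of virtual patches described for both the PC product and the server product can be shown as a small recommendation pass over a software inventory. This is an added example written for this page, not Trend Micro's recommendation scan or rule catalogue: the rule IDs, products, fixed-in versions and inventories are constructed for illustration and do not correspond to real advisories or CVEs.

```python
"""
Added example (not Trend Micro's recommendation scan): enable a host IPS
"virtual patch" rule while the installed version is below the vendor fix,
and turn it off again once the real patch lands. All rules, products and
versions below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VirtualPatchRule:
    rule_id: str
    product: str
    fixed_in: str      # first version that carries the vendor fix
    description: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric components only, so '8.0.392' < '8.0.400' and '2.4.58' < '2.4.62'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


# Constructed rule catalogue (illustrative IDs and versions, not real advisories).
RULES: List[VirtualPatchRule] = [
    VirtualPatchRule("VP-1001", "java-runtime", "8.0.400", "Block exploit traffic against pre-8.0.400 Java runtime"),
    VirtualPatchRule("VP-1002", "rdp-service", "10.0.19041.3000", "Block malformed RDP handshake"),
    VirtualPatchRule("VP-1003", "apache-httpd", "2.4.58", "Block request smuggling pattern"),
]


def recommend(inventory: Dict[str, str], rules=RULES) -> Dict[str, bool]:
    """inventory maps product -> installed version. Returns rule_id -> enabled."""
    state = {}
    for rule in rules:
        installed = inventory.get(rule.product)
        # Product absent: nothing to shield, keep the rule off to save resources.
        state[rule.rule_id] = installed is not None and is_vulnerable(installed, rule.fixed_in)
    return state


def changes(before: Dict[str, bool], after: Dict[str, bool]) -> Dict[str, str]:
    """Which rules flipped between two scans, e.g. after the real patch was applied."""
    diff = {}
    for rule_id in sorted(set(before) | set(after)):
        if before.get(rule_id, False) != after.get(rule_id, False):
            diff[rule_id] = "enabled" if after.get(rule_id, False) else "disabled"
    return diff


# Constructed inventories: before and after the Java runtime is upgraded.
INVENTORY_BEFORE = {"java-runtime": "8.0.392", "apache-httpd": "2.4.62"}
INVENTORY_AFTER = {"java-runtime": "8.0.412", "apache-httpd": "2.4.62"}


if __name__ == "__main__":
    before = recommend(INVENTORY_BEFORE)
    after = recommend(INVENTORY_AFTER)
    print("before:", before)
    print("after: ", after)
    print("changes:", changes(before, after))
```

The point a practitioner should take from this is that the rule set is derived from inventory on every scan rather than toggled by hand: upgrading Java makes `VP-1001` go dark on the next pass, and a product that is not installed never gets a rule enabled at all.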