Microsoft Defender for Endpoint Reviews

Our customers use Microsoft Defender for Endpoint to protect their hybrid environments. We onboard the hybrid environment to the Azure Security posture with proper Intune integration. This setup ensures that devices are protected and secured with anti-malware, antivirus, and other protective measures. We deploy this primarily in hybrid environments.

Microsoft Defender for Endpoint provides a unified management interface allowing customers to manage their on-premises and hybrid infrastructures from a single pane. The integration with Intune enables control over devices like laptops, enhancing security. Automated Investigation and Remediation features are vital for advanced threat protection and beneficial for device protection. The ability to manage both devices and users efficiently is advantageous.

One area that needs improvement is the integration cost of logs with external solutions like Sentinel, which can be expensive. Additionally, Microsoft could allow storing logs locally within the Defender panel to reduce costs. It would also be beneficial if policies could be configured without relying on Microsoft Entra ID, allowing for better integration with local directories.

I have been working with Microsoft Defender for Endpoint for three to four years.

Sometimes devices do not sync properly with the Endpoint. We often need to diagnose whether the issue lies with the Endpoint or the device. This can delay proper deployment.

Microsoft Defender for Endpoint is stable with no major issues reported. However, syncing of devices sometimes encounters problems, requiring us to investigate the root causes.

Microsoft Defender for Endpoint is scalable enough to handle various devices across environments, whether they are laptops, Android devices, or operating in hybrid environments. Customers mostly use it in hybrid setups.

The initial support process can be lacking as first-line support is sometimes not well-versed technically, resulting in repeated exchanges to finally engage a knowledgeable support person. This process is often slow and time-consuming.

Neutral

Setting up Microsoft Defender for Endpoint requires technical knowledge of Microsoft Entra ID and policy configurations. While it is not easy for all customers, skilled technical personnel can handle it without major issues.

The pricing of Microsoft Defender for Endpoint is reasonable. It costs $15 per VM for the P2 plan, which is seen as affordable for customers. Additional add-ons are priced at $5.

Microsoft Defender for Endpoint is a comprehensive and scalable solution for protecting on-premises and hybrid infrastructure. It provides strong protection and management capabilities. Customers are advised to use this solution for its robust features like advanced threat protection and easy integration with other Azure applications. I rate Defender for Endpoint nine out of ten.

Hybrid Cloud

Microsoft Azure

Our primary use case for Microsoft Defender for Endpoint is desktop security.

Defender for Endpoint has improved our security posture by ensuring that malicious websites aren't accessed, thereby enhancing desktop and network security.

The visibility into our attack surface provided by Defender for Endpoint is good.

Defender for Endpoint has significantly reduced our SOC team's workload by automating threat detection and response, allowing them to focus on other critical projects. This increased efficiency has minimized security concerns and freed up several hours per week for the team.

We are primarily a Microsoft environment, but we also utilize a few Macs. Microsoft Defender for Endpoint functions effectively across both platforms.

Web filtering is the most valuable feature of Microsoft Defender for Endpoint because it effectively maintains security for website access.

There is a need for improvement in reducing false positives. Defender flags vulnerabilities based on registry keys or temporary files that are not necessarily vulnerabilities. This creates a lot of false positives. There could also be better clarity in navigating through the GUI to identify and resolve vulnerabilities.

A disconnect exists between the subject-matter experts and Microsoft's Level One support teams, causing delays in issue resolution. Repeated interactions are necessary due to Level One's lack of tools and knowledge, hindering efficient problem-solving and negatively impacting our experience with Microsoft support.

I have been using Microsoft Defender for Endpoint for about three years.

Defender for Endpoint is a stable product with reliable uptime.

The support from Microsoft is somewhat lacking. The level-one support seems disconnected from subject matter experts, leading to back-and-forth delays in resolving issues.

Neutral

CrowdStrike's GUI is more user-friendly and provides easy-to-follow instructions, while Defender for Endpoint requires more effort to access detailed file information and vulnerability assessments. For instance, locating a specific device involves navigating through reported vulnerabilities, clicking on associated devices, and then searching for the device name to identify the vulnerabilities and their origins. The switch to Defender for Endpoint was likely motivated by cost savings and compliance requirements.

Defender for Endpoint is a good security product that provides a good return on investment.

I would rate Microsoft Defender for Endpoint a seven out of ten. It has effectively improved our security posture, but there are areas where support and usability can be enhanced.

On-premises

Currently, I'm working to build out DLP policies in Defender for Endpoints.

Defender for Endpoint enables us to see vulnerabilities on certain endpoints and investigate the attack surface. We've improved our Security Score to the industry standard. The solution has reduced the mean time to remediation, but it's hard to give a precise number because it varies on a case-to-case basis. Automatic remediation of certain vulnerabilities has allowed our SOC to work on other projects. 

Attack surface reduction and limiting attack surface vectors are valuable features. It's helpful to isolate specific devices and get super granular with the features they offer. The visibility into the attack surface is good. It gets highly granular. I don't work on that side, but the people who do tell me they get more visibility. 

Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes. You have to go through tons of documentation to find what you want.

I have been using Microsoft Defender for Endpoint for one and a half years.

The stability is great. I haven't seen any outages with Microsoft.

It's pretty easy to scale with Microsoft, as they make it easy if you look into the documentation.

I rate Microsoft support eight out of 10. Customer service has been pretty good. I don't have any complaints.

Positive

We've had E5 licensing for a while now, but our security stacks were spread across multiple resources, so we are currently consolidating.

I don't work much with the costs, but I have not heard of any issues with pricing, licensing, or setup costs for Microsoft Defender for Endpoint.

I rate Microsoft Defender for Endpoint eight out of 10.

Public Cloud

Microsoft Azure

We are a Microsoft-heavy organization, so we use Microsoft Defender for Endpoint because of its compatibility with our environment and its reports, which provide good visibility into our environment and send telemetry logs to the server.

Microsoft Defender for Endpoint collects all system logs, activity logs, and threats. It then sends this data to the Office 365 security portal, where we can view all logs and use various analytics tools to forecast average bandwidth usage, identify programs used by users, and view which apps are running in our environment, including unauthorized apps. All of these insights are easily accessible if we have a complete Microsoft solution.

Microsoft Defender for Endpoint helps us prioritize threats across our enterprise. We have configured the standard settings and are using many Microsoft solutions, so we receive direct support from Microsoft. We have created many policies, including a standard policy for all apps and programs used in our organization. We have a list of these programs, and any that are in the Defender for Endpoint exclusion list, such as DLP software or trusted software, are excluded so that they do not slow down the process. We then prioritize the apps according to standard cybersecurity priorities. For example, if an application is vulnerable and not from a renowned vendor, it should be blocked.

We have integrated Sentinel with Defender for Endpoint. The integration was a few simple clicks.

Our integrated solutions work together seamlessly to provide coordinated detection and response across our environment. We like Microsoft's Advanced Threat Protection solution, which uses EDR and AI to protect endpoints. Recently, a user downloaded an unknown file, and ATP immediately flagged it. ATP then ran an automatic investigation and provided us with the results in the portal. We can then decide whether to quarantine, delete, or report the file to Microsoft Defender for Endpoint.

Microsoft provides comprehensive security products that have fulfilled all of our security needs and assured us that we have enterprise-grade security and do not need any other solutions. We have received positive results.

We use the cloud's bidirectional synchronization capabilities to synchronize our on-premises Sentinel agents with the Azure Monitor agents.

It is our requirement to have bi-directional synchronization between the cloud and on-premises environments because we now have users in both locations. This means that if a user changes their password in the cloud, it will also be updated in the local Active Directory. Additionally, we have some on-premises servers that require our SQL databases in Azure, so they communicate with the cloud bi-directionally.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. The whole point of Sentinel is to collect logs and notify us, showing us our cybersecurity posture and where we stand. It also advises us on the policies we define for our system and whether the system in our environment matches those policies, identifying any applications that are not fulfilling those policies.

Sentinel provides visibility into our environment and we can investigate and respond to threats through Defender.

In the context of user and entity behavior analytics, Sentinel is very effective. It can identify high- and low-risk users by analyzing their daily usage activities, such as the applications they access, the websites they visit, and how they handle data. Sentinel then segregates users into high-risk and low-risk groups based on this analysis. This gives us good visibility into user behavior, which is essential for protecting our organization. While Sentinel has other capabilities, we are currently using it for UEBA.

Microsoft security has helped us save about 30 hours per month, reducing our workload.

Microsoft security has helped us save costs. In our company, we have different Office 365 licenses, including E5, E3, and F5. Some of the security add-ins are free with these subscriptions. For example, the E5 license includes SIEM, Office 365, Defender for Endpoint, and an Active Directory P1 subscription. This means that we do not have to purchase these add-ins separately, as they are included in our licensing.

Defender for Endpoint has reduced our time to detect and respond. Once an incident has occurred the AI automatically takes action and provides us with a detailed report of the investigation. It takes five to ten minutes to resolve an incident.

To have full visibility, we must access multiple dashboards, which is a problem because they change frequently, with daily updates to naming conventions. A single dashboard would be a significant improvement.

I have been using Microsoft Defender for Endpoint for seven months.

Microsoft Defender for Endpoint is extremely stable.

Microsoft Defender for Endpoint is easily scalable because it is compatible with a variety of Windows and Linux machines.

Technical support is good. We usually receive a response with a solution within 24 hours.

Neutral

We are currently evaluating CrowdStrike and a few other solutions.

I would rate Microsoft Defender for Endpoint eight out of ten.

Microsoft-heavy organizations should avoid using third-party SIEM solutions, as the compatibility issues would require significant effort from the IT department to configure them with Microsoft applications.

Microsoft Defender for Endpoint is a detection system, not a prevention system. We receive alerts after a threat has occurred.

It is better to choose a single company security solution because it will free up time to focus on the environment and identify loopholes. Rather than using three or four third-party software programs, which would require us to spend more time learning about them and resolving compatibility issues, a single solution would provide a better view of the environment.

Public Cloud

Microsoft Azure

We want to find a solution that fits businesses of every size and type, but we primarily target small and medium-sized enterprises. 

Defender helps us prioritize threats across the organization. When we needed to update the patches on our endpoints, we could look at all the patches and see what still needed to be fixed. We could decide whether it's necessary to address something urgently or deploy it as part of routine monthly maintenance. It's crucial to have the insights and a report that I can show to an executive to demonstrate that we need to act fast. This is less common because most people accept your hotfixes and patches when they come out, especially monthly security updates. However, some older shops might be like, "I'm running Windows 10. No one's touching this." We still need to service and support those machines, too. 

The solution helps us automate routine tasks and alerts. There's a dashboard where I can see the statuses of my machines in the environment. It helps us breathe a little bit easier. We're responding to businesses that had shifting needs during COVID. How can we be more proactive and help them to be more proactive? We shifted from traditional PC antivirus software to stuff that's totally different. I can't say it's "set it and forget it" because that implies a lazy mentality. However, I know I have a level of protection that I can have faith in. 

Defender helps us be more proactive. I find value in the zero-day threats that get fixed from Microsoft bug fixes or security updates. I can read and research about those zero-day threats from Microsoft's public site without digging too deeply into the Defender side of things. 

We've saved some time with Defender for Endpoint because we were doing a lot of unnecessary remediation with the other products. We had a series of servers that our previous product was installed on. It would blue-screen the server at random, and you can't have that. I'm not worried about Defender impacting my system stability. We put a lot of high-performance systems out there, including PCs and backend compute. I want to ensure we won't be overburdened by unnecessary security software that may not be giving me the protection I want.

Defender's reporting saves us four hours to eight hours each month. It has many of the standard reports we need built in, so it's effortless to generate and pull from. The time we save in other areas isn't as easy to quantify. I don't have to worry about the stability of a box or a computer cluster. 

It has decreased my detection time. On Wednesday, I got emails notifying me that new vulnerabilities were detected. They weren't new, but they were newly disclosed because patches came out for them. It has enabled us to react much quicker. 

I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender.

Defender ties into the Microsoft 365 portal where many shops spend a lot of their time doing password resets or other tasks. There is much more in the Azure portal too, but the 365 portal has a list of open issues, bugs, and necessary remediation steps. If I'm working on my security score, I have all of those on an active list, which is nice.

Defender should be more accessible for small and medium-sized businesses. You have some organizations that maybe have a hundred employees, and they're focused on making their widgets. That's their nine-to-five every day. They're not thinking about that security side, but maybe they're already invested in 365 or the Azure ecosystem and having Defender as an add-on makes sense from a price perspective. It's easy to deploy, but it could be easier for some of those smaller businesses to onboard endpoints.

The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor.

We have used Defender for Endpoint for the last 18 months or so. 

Defender's stability is one of the things I love most about the solution. 

There are no limitations on Defender's scalability. I get the impression that it's designed to cater to massive enterprises with 20,000 or more endpoints, but I think there's a market for a simpler deployment, like 100 PCs, 10 servers, etc. Give me a deployment option that's simple. 

I rate Microsoft support eight out of 10. It's good overall, but it can be hit or miss depending on your issue, and sometimes you don't get the right level or technician. All of my 2023 support experiences have been stellar, but 2022 was a little inconsistent. 

Positive

The company evaluated other solutions in parallel and in tandem with it. Our trajectory shifted slightly during COVID-19, so we explored that more. We tried ESET and SentinelOne for a while. But those are apples-to-oranges comparisons. Defender for Endpoint is geared toward common reporting,  notifications, and backend stuff, whereas SentinelOne is designed to lock machines down. It has many more tendrils deep within, so they're not great comparisons. 

We decided to go with Defender because we're pretty heavily invested in the rest of the Microsoft Stack, so it made sense. However, we wanted to do our due diligence because we're already using other products. We wanted to ensure we were picking the best of breed for our customers fair enough.

We were having issues with other products like ESET, SentinelOne, and Symantec. SentinelOne is just too deep and heavy. It's like trying to shoot a fence post with a missile. It was too much. We rely on the product and trust it. It takes a little while to get there, but once you trust a product, you can move on to the next thing and know you're protected.

The onboarding process could be more straightforward. I wish the onboarding were simpler. It seems a little more ethereal than, "Hey, here's your executable, put this on every machine." That would be easier for a small shop. We're still deploying into a lot of our sites. It didn't take long at all, but it takes a while to get fully ready to deploy, 

Defender's pricing is competitive. There are ways to negotiate a better price with Microsoft or your reseller as your business grows. You can say, "Hey, I bought 365 Business, then E3, and E5. Now, I'm buying Defender, so give me bulk pricing."  There are opportunities to save as you grow that wouldn't exist if you picked a different vendor.

I rate Microsoft Defender for Endpoint eight out of 10. 

We use Microsoft Defender for Endpoint for our antivirus protection.

The visibility into threats that Defender for Endpoint provides is good because we are using all Microsoft products. 

Microsoft Defender for Endpoint assists us in prioritizing threats throughout our enterprise. This prioritization of threats is crucial for safeguarding end-user devices.

Sentinel allows us to gather data from our entire ecosystem, and the interface is highly impressive. Data ingestion is of utmost importance for our organization, especially concerning the security of our environment.

It allows us to comprehensively investigate threats and respond from a unified platform. This is of great significance to us, as Sentinel plays a pivotal role in our Security Operations Center.

Microsoft Defender for Endpoint assists us in automating the prioritization of critical alerts. I am certified in cybersecurity. Recently, I have begun the process of renewing my certification as it is set to expire next year. I have been reading numerous articles regarding Sentinel, Defender for Cloud, Identity, and Endpoint applications, and there is a multitude of information available. Automation is now fully integrated, which holds significant importance for enterprise-level customers.

The solution assists in eliminating the necessity of using multiple dashboards, providing us with a single XDR dashboard integrated across various Microsoft products.

The threat intelligence assists us in preparing for potential threats before they occur, allowing us to take proactive measures to prevent them. The assessment mechanism analyzes and identifies threats, providing clear instructions before we proceed to the security parameters.

It has saved our clients time, mainly with their SOC operations. 

The antivirus is the most valuable feature.

There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint. The solution needs better integration with third-party vendors.

The analysis that identifies the threats and remedies them can be enhanced in a future release.

I have been using Microsoft Defender for Endpoint for almost four years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

The quality of technical support is determined by the customer's priority levels: P1, P2, and P3. Overall, they are known to provide good support.

Sometimes, the support takes a while to respond, and their shifts change, so we have to begin again with the new person on the shift.

Positive

The initial setup is straightforward for me. All Microsoft products are easy to configure and integrate data also. To properly utilize all the features the person integrating must understand the architecture code concept as well.

Before deployment, I consistently conduct a rapid assessment to comprehend the customer's infrastructure. Subsequently, I formulate a plan grounded in this information. Typically, we aim for minimal personnel involvement due to the centralized nature of cloud operations. Additionally, we can advocate for either GPO or CCM deployment software. Our approach entails utilizing a singular architect, one resource, and one SME for implementing and overseeing the infrastructure, aligning with the security prerequisites of the customer's locale. Continuous monitoring of the infrastructure is imperative, maintaining a 24/7 vigilance.

The implementation takes around three months to install and configure.

The pricing is competitive. The pay model is pay as we use.

For organizations that make use of all Microsoft solutions, the cost is lower, and the visibility is increased.

I rate Microsoft Defender for Endpoint nine out of ten.

Microsoft Defender for Endpoint is indeed a commendable product. However, despite its implementation, we should consider the integration of other security products. This is due to the escalating variety of cyberattacks prevalent today. While Windows consistently issues patches to update its existing products, I propose the adoption of a dual-product approach within our infrastructure. This approach aims to preempt eleventh-hour security breaches. By juxtaposing and scrutinizing the attributes of different solutions, we can better comprehend their nuances, specifically at the feature level. The pivotal factor lies in how adeptly a solution identifies and mitigates potential threats. Therefore, I advocate for the incorporation of two distinct solutions within our infrastructure. This strategy is poised to yield heightened efficiency, effectively mitigating the risks of both security breaches and data breaches.

We use Microsoft Defender for Endpoint to protect our work environment.

The endpoint provides good visibility into threats. However, working with Microsoft Defender for Endpoint and its control panel can be challenging, especially when dealing with features such as compliance and cloud app security details. Nevertheless, with enough experience, it becomes a useful tool for threat detection. Although it may be difficult to work with initially, it is an essential instrument for information security.

Microsoft Defender for Endpoint helps us prioritize threats across our enterprise.

The integration of Microsoft Defender for Endpoint with other Microsoft solutions is easy. The integrated Microsoft solutions work natively with each other.

The level of comprehensiveness provided by all of the integrated solutions is satisfactory.

Microsoft Sentinel allows us to investigate and respond to threats from one place.

Microsoft Defender for Endpoint helps automate routine tasks and find high-value alerts. The solution has a powerful advanced query that we can schedule to run automatically.

Microsoft Defender for Endpoint simplifies the use of multiple dashboards by providing a single XDR feature. This is a beneficial feature, but my reliance is on the 50 automated rules that run on a schedule to keep me informed of any incidents.

The automatic rules and policies that we apply using Microsoft Defender for Endpoint save us around four hours per day.

Microsoft Defender for Endpoint has saved our organization money by protecting the environment from threats.

Microsoft Defender for Endpoint has reduced our time to detect and respond to security threats by consolidating all relevant information in a single panel within a web portal. This enables us to quickly review and respond to potential threats, thus improving our ability to mitigate risks effectively.

Microsoft Defender for Endpoint has helped our organization by working to identify threats quickly before they become a problem. 

The integration with all variations of Microsoft Defender, for Endpoint, 365, and Cloud is valuable.

The time it takes to implement policies has room for improvement. When we create policies or configure file profiles and assign them to specific groups, Microsoft Defender for Endpoint will apply these rules accordingly. If we need to make changes to the policy, it can take up to thirty minutes or even two to three hours for the changes to take effect on Microsoft Defender for Endpoint. This waiting period can be a significant amount of time to implement changes. It is at times quicker to create new policies than to make changes to existing policies.

We are experiencing problems with certain Samsung Android mobile devices that have Microsoft Defender for Endpoint installed. Specifically, when attempting to log into the corporate profile, users are prompted multiple times to enter their credentials.

I have been using Microsoft Defender for Endpoint for two years.

Microsoft Defender for Endpoint is extremely stable.

Microsoft Defender for Endpoint is scalable.

The technical support team is professional.

Positive

We previously used a separate antivirus and endpoint solution called Cynet but it was not very useful. Our organization moved into the Cloud so we decided to use Microsoft Defender for Endpoint.

We deployed Microsoft Defender for Endpoint across multiple locations in our organization.

We evaluated Splunk and Microsoft 365 before the head of our company chose Microsoft Defender for Endpoint.

I give Microsoft Defender for Endpoint an eight out of ten.

No maintenance is required on our end for Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is a powerful tool and I recommend it.

Using a single vendor security suite carries inherent risks, but with a well-established company like Microsoft, those risks are significantly reduced, and it's more cost-effective than using multiple best-of-breed solutions to achieve the same level of security.

Public Cloud

Microsoft Azure

I worked for an enterprise client in the public sector with half a million endpoints. I'm in Canada, and that's bigger than most US companies. Defender is an endpoint agent, but it's tied into what I would call a SOC outsourcing stack. It's part of a security operations center that is getting threat intelligence, comparing that to endpoint detection and response, and feeding it all back into a SIEM.

I use either E3 or will upgrade to the E5 full suite, or will go a la carte. You can pick one or two off there, but it usually makes more sense to go all E5. Sentinel and Defender are the two things I like in E5 that I work together.

We use Defender's bidirectional sync capabilities at a high level. I'm more of a high-end security architect, so I do the conceptual designs but not the implementation. Even though I like it, I don't know if it gets implemented and used or not. As a capability, as an architect, that's a good thing to have.

Our deployment is still a work in progress, but it will enable us to mature and automate our cyber incident response and threat security posture. Defender helps us automate routine tasks and the findings of high-value alerts. That's the SOAR part we hope to achieve with the project reaches maturity.  

Defender simplifies things if you are managing a multi-cloud environment or a hybrid deployment. Instead of having 10 dashboards, you're now down to three. It creates a fabric. Do I have a single pane of glass? No. However, I have three panes instead of ten.

It can give early warning signs. I'd stop short of saying Defender protects, detects, responds, and remediates. It still doesn't do the remediate part. Defender will ultimately save time and money when we've fully implemented it. I'll find more problems, but I think the integration will save me a lot more time on the operations,  incident response, etc. It's all speculative until you're fully deployed and got key metrics to prove it.

The biggest reason I looked at Defender is that the world seems to have shifted to Office 365 and Azure in the last couple of years because COVID is forcing many people to work from home. Defender has better out-the-box integration with Office 365 and Microsoft security solutions like Sentinel, and its SIEM. CrowdStrike or other top products are excellent, but I'd still need to integrate them.

Defender is great at identifying threats on Windows and Azure products. If the threats aren't related to Microsoft, I will use something else. My view of Microsoft Defender changed significantly over the past five years. I used to think it couldn't compete with best-in-class solutions like CrowdStrike. It was like a Microsoft version of CrowdStrike. Today, I think it's on par pound-for-pound with CrowdStrike on the EDR Gartner MQ capability list. 

If you have multi-cloud like Google and AWS, the native solutions are better for those particular cases. But if you want Azure covered and you use Sentinel and Defender, you can also integrate Defender well with Zscaler. 

Zscaler is more of a multi-CSP fabric with zero trust capabilities that integrate with CrowdStrike and other third-party tools. I use Defender and Sentinel for Microsoft, but I also like that Microsoft integrates very well with Zscaler and vice versa.

The comprehensiveness of Microsoft threat-protection products is great. Five years ago, I would've said don't use it because other products are better. Today, Microsoft Sentinel by itself is a leading Gartner SIEM tool. It has advantages over competitors because of the ability to integrate with Microsoft solutions and automate continuous monitoring of Microsoft AD and Office 365 data.

Sentinel aggregates logs from everything. It's pretty good at that. If you were on Google Cloud or AWS, you would use the native products, but Sentinel is useful if you already have it and you want to use it as the central log aggregator.

Defender offers SOAR plus UEBA, and you can integrate it easily with the endpoint, making it a compelling security fabric as a SOC technology stack. I would put it in the top four along with IBM, Splunk, and maybe Fortinet as one of the better-integrated UEBA types of technology suites.

Microsoft Defender improved a lot. They weren't even on the Gartner Magic Quadrant, and now they've equaled or surpassed the leading solutions. I would suggest they continue doing what they're doing on their product roadmap and develop more SOAR. The last thing for them to tackle is multi-tenant and multi-cloud handling.

I have been using Defender for about five years.

Defender is robust.

I'm still in the early stage, but the scalability seems impressive based on my research and the size of reference clients.

I've mostly seen the pre-sales part, like doing demos and licensing. As far as doing demos and licensing. My experience with the sales organization has been awesome, but I'm not dealing with maintenance, rollover, or contract.

Five years ago, I looked at Micro Focus, ArcSight, and maybe some best-of-breed UEBA and EDR solutions, like CrowdStrike and Intercept. Business considerations led me to choose Defender. 

Security people will go for the top security solution, but executives are worried about enterprise and return on investment. They push for Microsoft security products because they've got Azure and Windows. I now agree that it also makes sense from a security point of view,

As an architect, my experience with the deployment is limited to evaluations and PoCs, and the full roll-out is ongoing. Ultimately, it's a low-maintenance solution. The payoff on automation and maturity is getting ongoing maintenance and support, training, patches, and new product upgrades. That's part and parcel of why it's a good idea.

The price was a problem for me three years ago, but they improved their E3, E5, and a la carte licensing. In other words, you have to get all of E5. That used to be a problem because you had E3, Defender, and guardrails, but you needed an E5 license to get the management suite and the analytics. 

It's more flexible now. You can switch from a la carte to the entire suite when it starts to make sense. It's becoming more economically competitive to go that route.

Defender is good enough if I compare it to the leading EDR solutions on Gartner. I would place it in the top quartile based on cyber threat intel. Cisco Talos and CrowdStrike are better, but Defender isn't that far behind. The payoff for me is the native Microsoft integration. 

Suppose most of my applications and data were still on-premise and I didn't need to work from home because of COVID. In that case, I'd be looking at IBM, Q1 Radar, Resilient, FortiSIEM, or ArcSight because the legacy SIEM products do on-premise security well. However, most of my cloud data is Office 365 in Azure, so that's what prompted me to start looking at Sentinel and Defender. 90 percent of my criteria shifted to the cloud, specifically Microsoft Azure.

I rate Microsoft Defender for Endpoint nine out of ten. If you're planning to use Defender, you need to understand the options around E3, E5, and a la carte licensing. This is also true if you do a bake-off between IBM, ArcSight, or other best-of-breed products, understand what capabilities you really need. If you're a small or medium-sized enterprise, you won't have the same needs as a corporation with half a million endpoints. 

Hybrid Cloud