Deputy Director of Infrastructures and IT Services at a government with 10,001+ employees
Integration with other Microsoft products has eliminated the need for multiple dashboards
Pros and Cons
- "The most valuable feature of all is the full integration with the rest of the software in the operating system and Office 365, as well as Microsoft SCCM. It is quite easy for us to work with the whole instance of Microsoft products. This integration improves the benefits of the whole suite of products."
- "I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera."
What is our primary use case?
I am the head of IT of the police force in the Madrid municipality. I have deployed the product to all 6,000 policemen and policewomen here and we are trying to protect all our devices with it.
How has it helped my organization?
It has helped eliminate having to look at multiple dashboards. This is a part of the benefit of the integration. It's quite helpful to receive information and data that is correlated with other information, in the form of a graph or chart. It's a good added value. We are provided with consolidated information, which is very valuable for making decisions and moving forward in improving our devices and our security.
It's very well known by all our technicians and it has helped to decrease the time to detection and response.
And while I can't demonstrate it with metrics, my intuition is that we have saved money. Because we are a very large organization, we have very large needs in IT systems. Perhaps the best thing we did, years before, was to have everything, all applications and the operating system, come from Microsoft. Perhaps that means potential money savings.
What is most valuable?
The most valuable feature of all is the full integration with the rest of the software in the operating system and Office 365, as well as Microsoft SCCM. It is quite easy for us to work with the whole instance of Microsoft products. This integration improves the benefits of the whole suite of products. Even the desktop devices seem more productive by having all these products integrated. That's the best advantage.
What needs improvement?
I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera. That is where they should put in more effort. I don't have a global risk solution coming from Microsoft, one that could help me in all these different IT areas.
Buyer's Guide
Microsoft Defender XDR
April 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
848,989 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft 365 Defender for about two years.
What do I think about the stability of the solution?
I would rate its stability at seven or eight out of 10. It's quite good. Up until today, we haven't had any big problems with the solution. I'm quite comfortable with it.
What do I think about the scalability of the solution?
The solution is deployed to more than 25,000 people in the municipality, but my responsibility is only over 6,000 people in the police corps.
How are customer service and support?
Microsoft provides quite good support across their different areas of activity. The people attending to your requests are quite professional. They take care of your requests and respond to your needs. They try to help you. The documentation is not the best in the world, but it's quite sufficient for our needs.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Years ago we had solutions from other companies, such as Trend Micro for the desktop devices, and Trend Micro and Sophos for servers.
We used to work in different ways. Some people were in the office with desktop devices, but most of our people work outside with mobile devices. The latter group is at much more risk and we wanted to protect all these devices from potential damage and risks.
The switch was a company decision made by higher management within the municipality. We started to work with Microsoft Office 365 years ago, and then a decision came down imposing the use of Microsoft 365. I feel comfortable with the decision, but I know inside our organization that we've had plenty of problems deploying all facilities given by M365.
How was the initial setup?
I'm not aware of having more or fewer problems with this product than the ones we had before, when it comes to deployment or interfaces. It's quite standard and the deployment was quite easy, but it was equally easy to deploy all the products years ago.
It has been easy to integrate with the rest of our devices and software. In addition, there was no impact on the user experience. The solution is transparent. The users may not even know of the existence of this product. There was no problem deploying and starting to use Microsoft 365 Defender. We have some other products, beyond the desktop level, that work in a coordinated way with Defender.
The deployment took a few months, but we needed at least a year to stabilize our organization. The first days were awful because people couldn't understand the change in mentality required to work with this paradigm of software. During the first year, we had to cope with plenty of incidents and problems. Having passed the one-year mark since we deployed, we have started to see some of the benefits.
I generally use an "onion" deployment methodology. I start deploying new solutions in desktops that are quite close to my area of activity in the IT department. We implement, let's say, 50 to 100 desktops per day and we wait for a week to see if everything is okay and whether there are incidents. Once we are assured everything is fine, we implement by regional police units in different locations.
We had 10 to 12 operations technicians involved in the deployment.
Every software solution requires maintenance. In this case, there isn't a lot of maintenance. We have to keep an eye on the status of the solution every day. That process involves two or three people.
What's my experience with pricing, setup cost, and licensing?
As most software companies have done during the last few years, they have moved from a licensing model to pay-per-use. It was difficult to understand and accept this change. When we had to accept that model, it had a great risk for companies like ours that always have to cope with annual budgets. The question is: What happens if, for any reason, there's not enough budget to accept this model? That could be a great problem.
Which other solutions did I evaluate?
There was a possibility of continuing with the solutions we had been working with.
But we cannot compare them because the other solutions were built eight years ago. Technology has changed so much.
What other advice do I have?
Fortunately, we haven't had the chance to see if the solution's threat intelligence helps prepare us for potential threats before they hit. But I'm quite sure that it's working together with other tools to help us to stop potential breaches and risks.
Give this product a chance. Is it the best in the market? I don't know. Is it the worst? I don't know. But what is quite good is the integration with the rest of Microsoft's software products. That's the added value.
Try it, prove it, and see how it integrates. It depends on the situation. If a colleague is using Linux in their data center and desktops, of course, I wouldn't recommend this solution. But here in Spain, most companies have Microsoft products.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Senior Technical Consultant at Alfanar
Helped us significantly improve our security score and automatically blocks malware
Pros and Cons
- "I like that it's fully integrated with Windows, Microsoft 365 Exchange Online, and Outlook. It is better than other antivirus solutions because it's fully integrated with all Microsoft products. It's easy to integrate them and onboard all Windows devices from SCCM."
- "The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports."
What is our primary use case?
We manage around 5,000 computers inside and outside our company. I use Defender to work on our security score by deploying security policies. We apply all the security recommendations to our computers and patch all third-party applications. We check every day for malware to alert our security teams.
How has it helped my organization?
Seven months ago, our security score was 50 and it's now 84. We applied all the security policy recommendations coming from the solution and we became aware of the vulnerabilities and fixed them all, one by one.
We can also automate some tasks and that reduces daily work. And if we get an alert, and we know it is not a false positive, we automate things so that we don't get that alert again.
And if we find malware or a threat, we transfer it to level-one technical support to check and, after that, to the security team. But a lot of times, it catches malware and takes action to block it automatically.
Defender has also saved us money, about 30 or 40 percent. When we had Symantec, we suffered one attack against our company and we lost a lot of data and a lot of servers, and that was a lot of money. Since switching, Defender has been perfect, catching all malware and taking action automatically.
It has also decreased the time it takes me to check everything. I now spend only one or two hours a day monitoring things.
What is most valuable?
I like that it's fully integrated with Windows, Microsoft 365 Exchange Online, and Outlook. It is better than other antivirus solutions because it's fully integrated with all Microsoft products. It's easy to integrate them and onboard all Windows devices from SCCM. That is really amazing. Everything is clear in Defender. It's not difficult.
Also, everything for security is in one dashboard. It's great. It's not only for Defender but email and everything else. It makes things very easy. I can check everything at once.
What needs improvement?
The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports.
For how long have I used the solution?
I have three years of experience with Microsoft 365 Defender.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
It is also scalable.
On-prem, we have around 300 servers, a mix of Linux and Windows. We also have around 5,000 clients, all using Windows 10 and 11. We have a plan to migrate all on-prem servers to Azure. In the next six months we are looking to migrate 90 percent of them to the cloud.
How are customer service and support?
I like their support sometimes.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We used Symantec for antivirus and security and we migrated all users from Symantec to Microsoft 365 Defender. It's easier to use than Symantec or McAfee and we can use it anywhere because it's a cloud solution. Also, with Symantec, we suffered an attack and it did not do anything. In addition, we already had an E5 license with security so we decided to use this license more fully.
How was the initial setup?
I onboarded it to all machines using the configuration in SCCM. It was very easy. It didn't take much time.
Which other solutions did I evaluate?
We checked McAfee but we went with Microsoft because it has improved its product very quickly. Microsoft Defender of five years ago is not like it is now. Five years ago it was nothing, but Microsoft has improved it very quickly.
What other advice do I have?
It works with Microsoft Sentinel and integrates well with that, but we do not use Sentinel in our company.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at a computer software company with 51-200 employees
Provides advanced threat detection, investigation, and response capabilities
Pros and Cons
- "Microsoft Defender XDR provides strong identity protection with comprehensive insights into risky user behavior and potential indicators of compromise."
- "Improving scalability, especially for very large tenants, could be beneficial for Microsoft Defender XDR."
What is our primary use case?
Extended XDR expands threat protection across endpoints, email, identities, and cloud environments.
What is most valuable?
Microsoft Defender XDR provides strong identity protection with comprehensive insights into risky user behavior and potential indicators of compromise. It includes capabilities for monitoring Active Directory against attacks and threats, making it a broad and deep solution for identity security.
What needs improvement?
Improving scalability, especially for very large tenants, could be beneficial for Microsoft Defender XDR. Additionally, enhancing the privilege access management capability would make it a better solution overall.
For how long have I used the solution?
I have been using Microsoft Defender XDR for about a year and a half.
What do I think about the stability of the solution?
Microsoft Defender XDR is very stable. I would rate the stability as a 10 out of 10.
What do I think about the scalability of the solution?
I would rate the scalability of the product as a 10 out of 10.
How are customer service and support?
Microsoft's customer support for Defender XDR is generally very good and I would rate it at around an eight out of ten. Larger customers like us, especially those partially owned by Microsoft, tend to receive excellent support. However, smaller organizations may not experience the same level of support.
How would you rate customer service and support?
Positive
How was the initial setup?
Microsoft Defender XDR is typically deployed at the organizational level across multiple locations and departments. Maintenance is required, and the number of people needed depends on the organization's size and complexity. It could range from a large team for a big organization to just a few individuals for smaller ones.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender XDR is expensive, especially for the full suite functionality. However, when compared to buying multiple-point solutions separately, it may be comparable in price. Overall, it is competitive within the market, but the broad capabilities make direct cost comparisons challenging.
What other advice do I have?
Clients implement this tool to address various security issues efficiently. Microsoft Defender XDR offers a unified solution for a wide range of security needs, including extended detection and response across multiple platforms like Office, endpoints, mobile, and identity.
Microsoft Defender XDR includes some identity and access management features, especially when used alongside Azure Active Directory's privileged access management capabilities.
While primarily focused on Microsoft technologies, Microsoft Defender XDR can integrate with third-party SIEM vendors and covers multiple operating systems, including macOS, iOS, Android, and Windows, through its Defender for Endpoint and Intune capabilities.
Microsoft Defender XDR is designed as an XDR solution, utilizing the MITRE ATT&CK framework to detect and correlate events across various areas of compromise. It can identify and correlate events related to advanced attacks, such as business email compromise and ransomware, affecting security operations by providing insights into the events leading up to such attacks.
When security products like antivirus and vulnerability management software are discontinued in favor of Microsoft Defender XDR and other Microsoft 365 tools, it streamlines operations but may require less manual correlation of security events.
Some organizations might experience a 10-20% cost reduction with Microsoft Defender XDR, but for me, the main goal is to improve detection and response capabilities, not just save money. It is about adapting to the evolving threat landscape rather than focusing solely on cost savings.
Microsoft Defender XDR has saved time for our security team, making our operations more efficient.
For those evaluating Microsoft Defender XDR, my advice is to understand your requirements and map them to the appropriate licensing capabilities. It is not a one-time project but an ongoing process, so plan for continuous improvement of your security posture.
Overall, I would rate Microsoft Defender XDR as an 8 out of 10.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
Project Manager at Freedom Systems Inc.
A time-saving and easy-to-integrate product that needs to offer a control center to users
Pros and Cons
- "The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products."
- "Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides."
What is our primary use case?
My company operates as a service provider, so we use Microsoft Defender XDR in our office to provide our customers with security services.
How has it helped my organization?
I won't say that the product helped improve how my organization operates, but there is a need to build trust between the user and the product. Microsoft Defender XDR has been used in my organization since we purchased Windows 10 or 11, after which a user does not need to install any products from Microsoft separately. Some of my company's customers insist they want to install antivirus software separately in their environment due to trust issues.
What is most valuable?
The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products. Some other vendors of security products provide great features or capabilities of detection, but the best feature of Microsoft is its integration capability.
What needs improvement?
One important point about the solution that is an area of concern where improvements are required is related to the control center it provides. Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides.
For how long have I used the solution?
I have been using Microsoft Defender XDR for three years. My company has a partnership with Microsoft. My company is also a reseller of Microsoft products.
How are customer service and support?
As a part of Microsoft's attempt to reduce costs, there has been a direct cut down of the local technical support team. Sometimes, you have to use the technical support offered by Microsoft from other countries, but at times, we speak different languages, just like how people speak in Chinese or Mandarin, but there are still some differences between them. The front-line support from Microsoft has only limited technical abilities or access to their internal system. Sometimes, my company cannot even escalate an issue to Microsoft's senior team members.
The support team of Microsoft is nice as they attempt to solve the problems together with you, but I believe that due to some cost-related issues, they don't have enough permissions. Sometimes, users might feel blocked when trying to connect with the support team.
I rate the technical support a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
My company started with Microsoft Defender XDR when we partnered with Microsoft. Some of our company's customers prefer CrowdStrike, Fortinet, and FortiSIEM.
How was the initial setup?
You don't need to indulge in troubleshooting, making the initial setup phase an easy process because you could just use a GPO on your server to deploy everything. When there comes a problem to onboard some specific devices, and you need to indulge in troubleshooting, sometimes Microsoft Defender XDR's team says it is a problem with the devices a user is trying to onboard, and it's really hard for our company as service providers since we cannot always ask customers to reinstall their server.
What's my experience with pricing, setup cost, and licensing?
Microsoft purposely makes its license combinations complex and includes combinations like Microsoft 365 E3 and Microsoft 365 E5, Office 365 E3, Office 365 E5, and Office 365 E1, so you get confused. Microsoft tries to sell you a bundle of a lot of things together. The licensing model of the product should be made more understandable.
Which other solutions did I evaluate?
There are other good products in the market, and it is difficult to state which one is better since all of them have micro differences in terms of pricing. There may be components like the user interface or maybe some other elements to judge other products, but when it comes to Microsoft, the most important factor stems from the fact that most people use Windows, so it's all integrated.
What other advice do I have?
The product provides unified identity and access management as long as I use all of the products offered by Microsoft.
It is important for me that identity and access management are included within Microsoft Defender XDR because everything is controlled by your identity in the digital world, making it look like a user's government ID in the digital world. My company has tried a lot to talk to and educate our customers since some try not to use a complex password or MFA, which is the most important thing to protect your identity.
Some integration functions in Azure portal allow users to integrate their third-party applications. With the solution, it is not easy to track third-party applications. For transactions recognized by your credentials, it is not easy to track as they would stop, after which we are informed there is a problem. In my organization, we only know how some third-party applications ask to check the credentials, but we don't know what Microsoft Defender XDR does with it, so the product's security doesn't extend beyond just Microsoft technologies.
The product does stop lateral movement and advanced attacks like ransomware or business email compromise. The product blocks a lot of ransomware, which is good. It is considered to be a strict product, so if some of our customers use some local mail service, they have been blocked because Microsoft considers it to be not secure. Microsoft puts a lot of effort into security.
Microsoft Defender XDR's ability to stop attacks covers the product's ability to adapt to evolving threats. It is better to use it as a cloud-based solution that keeps adapting to changes and providing new features.
The product must adapt and evolve to manage threats since there is a new zero-day vulnerability every day, and there is no way to get protection from it. You cannot rely on the users or the admin to upgrade the features daily, so it's better to adopt it automatically with a cloud-based solution like Microsoft Defender XDR.
There were some problems when my organization tried to discontinue other products during the implementation phase of Microsoft Defender XDR since Microsoft tried to integrate all the products in our organization's environment together. If you have used Microsoft Defender XDR, you have to use an antivirus from Microsoft along with Microsoft Identity Platform Endpoint to get the best results. Sometimes, some customers may try to install some third-party antivirus in their environment other than the one provided by Microsoft, which gets blocked. Sometimes, antivirus software from a vendor goes into passive mode. When an antivirus software is in passive mode, some of its advanced features are not usable, causing some problems the user needs to deal with when using it.
The product's ability to save costs depends on how a user looks at a problem while using the solution. I worked as a part of the security team, and we always used to talk to our company's customers. The solution is sometimes like insurance, especially if you want to avoid some bigger problems and you need to spend some money to protect your environment. In some other IT teams or from some other client's point of view, Microsoft Defender XDR costs a lot of money, and they don't see anything. In the security world, no news is good news. You don't want to have to see everything happen and get plenty of alerts trying to prove the product's worth. The product has to control the attack surface so that you won't be attacked that much, or if there are any attacks, it can reduce the impact.
The product definitely saves time for my organization and our company's client teams, especially considering that it is not possible to manually go through the logs every day. The product did help pop up the abnormal activities so that my organization could just review the important things or abnormal activities.
It is hard to say how much time the product saves since it depends on factors like whether you are using some other products or using Microsoft Defender XDR alone. I guess that the product can save over 60 percent of my organization's time. When you use Microsoft Defender XDR in your IT infrastructure, and it works for you, then you just put it in there, and you will come to know when there are some abnormal activities or when you are attacked. With Microsoft Defender XDR, you can get some signs if you are being attacked.
Microsoft Defender XDR is a nice solution and can be combined with other solutions from Microsoft, but they offer limited flexibility. I want the product to be a high surveillance solution for me and not just an information-oriented tool, but nowadays, Microsoft doesn't provide any options to help choose the users' preferences.
I rate the overall product a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Microsoft Security Solution Architect at a tech services company with 1,001-5,000 employees
It's easy to ensure compliance with data regulations through the portal, which has templates for various regulations on medical privacy and personal data
Pros and Cons
- "The most valuable feature depends on the scenario. For compliance, I like Microsoft Purview Information Protection and Data Loss Prevention. Sentinel is the most helpful feature for security. 365 Defender helps us prioritize threats across an enterprise. It's a crucial feature for the managed services team."
- "365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot."
What is our primary use case?
I'm a Security and Compliance consultant providing 365 Defender as a security solution for my clients.
How has it helped my organization?
All our solutions are Microsoft 365 products, including security, identity, etc., so we have better protection from advanced cyber attacks. It's also easier to ensure compliance with data regulations through the Microsoft Purview portal, which has templates for various regulations on medical privacy and personal data.
365 Defender helps us automate routine tasks and prioritize high-value alerts. Automation allows us to use time more efficiently. It makes functions easier by consolidating data from multiple Microsoft portals into a single dashboard. You can customize the playbook however you like and get a centralized view of the various components.
The Threat Explorer feature helps us understand emerging threats in real-time and take steps to safeguard our environment. 365 Defender saves us money because it's a bundle. If you purchased each of these solutions as a standalone product, it would cost you more than $60 per user per month, but you get them for $12 a month in a package.
365 Defender improved our detection and response times because we catch issues earlier in the chain of events. All the components of 365 Defender work together to provide instant detection.
What is most valuable?
The most valuable feature depends on the scenario. For compliance, I like Microsoft Purview Information Protection and Data Loss Prevention. Sentinel is the most helpful feature for security. 365 Defender helps us prioritize threats across an enterprise. It's a crucial feature for the managed services team.
I also have Defender for Cloud Apps and Defender for Office. Integrating other Microsoft solutions with 365 Defender is seamless. Microsoft has better documentation than some other solutions. I also work on AWS, but I feel more comfortable with Azure. There are some limitations with a standalone license, but integrating Microsoft products is a seamless experience that produces insightful analytics.
Sentinel enables us to ingest data from our ecosystem, giving us a complete picture of the entities associated with an incident. Those analytics are pretty helpful. We develop playbooks customized for any executive or developer-based summary. It depends on what we want to show and our creativity.
What needs improvement?
365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot.
For how long have I used the solution?
I have used 365 Defender for five years.
What do I think about the stability of the solution?
365 Defender is stable.
What do I think about the scalability of the solution?
365 Defender is scalable. It's easy to create and manage groups, set policies, and add users.
How are customer service and support?
I rate 365 Defender support a seven out of ten. When I raise a ticket, I'm usually redirected to a third-party vendor like Convergence. I would prefer it if Microsoft India handled our tickets instead. That would be helpful. The third-party vendor sometimes doesn't have comprehensive knowledge of the product.
How would you rate customer service and support?
Neutral
How was the initial setup?
The deployment varies from client to client. Our implementation strategy is based on the client's business requirements and the RFP. You need at least two people to deploy 365 Defender, but you might need more support staff for larger jobs.
It all depends on how a client wants to proceed, but we typically perform an audit before consulting to identify missing components or security controls. For example, if the client requires HIPAA compliance, we must control the data about specific patients. After following up on everything, we recommend the appropriate Microsoft product, and each has a separate timeline.
I'm on the consulting side, so once we are done with the implementation, a managed services team takes over the maintenance on an SLA of one to three years.
What's my experience with pricing, setup cost, and licensing?
The price of 365 Defender is reasonable.
What other advice do I have?
I rate Microsoft 365 Defender a ten out of ten. Microsoft is a one-stop solution, and it has an answer for any problem you're facing. Before implementing 365 Defender, you should be clear about the problem you want to solve. Hiring a consultant can help, but typically, my clients know maybe three out of the five things they should know.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
Senior Network Technician at an insurance company with 51-200 employees
Improved our security posture and reduced phishing incidents
Pros and Cons
- "The email protection feature is the most valuable because our risks primarily lie there, and it seems to be the most popular target."
- "The stability has been great."
- "Sometimes, digging into the information and knowing where to go can be difficult. It would be better if much of that information were immediately visible, especially when looking at endpoints or users."
What is our primary use case?
Microsoft Defender XDR is used as an additional layer of protection as we moved to Microsoft 365. It helps protect both our cloud infrastructure and endpoints.
How has it helped my organization?
We conduct regular phishing tests and have seen a decline in breaches because our users pay more attention to what's coming into their inboxes. We've seen fewer incidents.
What is most valuable?
The email protection feature is the most valuable because our risks primarily lie there, and it seems to be the most popular target.
What needs improvement?
Sometimes, digging into the information and knowing where to go can be difficult. It would be better if much of that information were immediately visible, especially when looking at endpoints or users.
For how long have I used the solution?
I have used Microsoft Defender XDR for around four years now.
What do I think about the stability of the solution?
The stability has been great. I haven't noticed many issues.
What do I think about the scalability of the solution?
Regarding scalability, we're not a very large organization, with about three hundred people worldwide, so it has worked for us so far.
How are customer service and support?
I rate Microsoft customer service seven out of 10. I have been able to get the help I need, but I know other technicians have had difficulty getting support.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Previously, we had on-prem solutions and used Cisco Firepower as our main security. The pandemic accelerated our switch to Microsoft Defender XDR in 2020, as Skype for Business was going away, leaving Teams as the only option and leading us to look more to the cloud.
How was the initial setup?
Moving all our mailboxes up to the cloud was pretty seamless. There weren't many hiccups, so I thought it went well.
What about the implementation team?
We worked with Softchoice to initially get the ball rolling. They had someone come in to guide us through the steps.
What was our ROI?
On my side, it's difficult to speak about the return on investment, but we've improved our security posture.
What other advice do I have?
I rate Microsoft Defender XDR an eight out of 10. It functions well for our needs and has not presented many performance issues. It's easy to take action, and we have not found many pain points.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Dec 18, 2024
Security Engineer at a financial services firm with 10,001+ employees
Enables users to access any application and system within the organization
Pros and Cons
- "The best feature is probably the alert generation. When I do a security reset, the other session triggers instantly from the Defender console, and I can work on it. The policies are three times, but they are also ready to install it."
- "Defender XDR could provide recommendations for threat-hunting queries. Some people do not know how to write an advanced threat query, so we need to spend time training them."
What is our primary use case?
We use Defender XDR to assign roles and monitor based on the analytics report from Microsoft.
How has it helped my organization?
Defender XDR has improved the organization's confidentiality. If there's a DLP violation, such as someone sharing documents inappropriately, a notification will automatically trigger. Defender stops the movement of advanced attacks. We first need to set up some independent indicators of compromise. The IOCs are connected to some attack surface reduction rules.
We get alerts if someone tries installing something on the system or adding an external hard drive. We get security recommendations from Microsoft, but our security implements them on their own. We don't use the AI feature. We see significant time savings from the alerts based on the indicators of compromise. It saves us about 10 to 15 percent.
What is most valuable?
The best feature is probably the alert generation. When I do a security reset, the other session triggers instantly from the Defender console, and I can work on it. The policies are three times, but they are also ready to install it.
The identity management feature is something we need for our use case. It wraps up the access management and XDR components, so it's not just Defender. It works well with Azure AD for access management. I didn't think I needed identity and access management in the past, but it's nice to have if you're performing a significant migration on a tight schedule.
Defender XDR's coverage extends beyond Microsoft technologies. It covers all the endpoints of users in the organization. I can manage access to any application and system within the organization.
What needs improvement?
Defender XDR could provide recommendations for threat-hunting queries. Some people do not know how to write an advanced threat query, so we need to spend time training them.
For how long have I used the solution?
We have used Defender XDR for about 15 months.
What do I think about the stability of the solution?
I rate Defender XDR 10 out of 10 for stability. It's a stable solution. We've had no outages.
What do I think about the scalability of the solution?
The scalability depends on the number of licenses you can purchase. If I want to add more endpoints or solutions from Microsoft XDR, I have to pay more. The scale depends on the pricing.
How are customer service and support?
I rate Microsoft support eight out of 10. Some cases are easy fixes, so they don't take much time, whereas some of our more complex tickets take some time.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I've also worked with Trellix. Microsoft provides better recommendations for protecting our tools, devices, and files. Trellix has XDR capabilities, too, but Microsoft's recommendations are more robust.
How was the initial setup?
Defender XDR is a SaaS solution. The deployment is ongoing because we're constantly onboarding and retiring endpoints. Microsoft handles most of the maintenance for it. It rarely requires maintenance from our end.
What's my experience with pricing, setup cost, and licensing?
Defender XDR is fairly priced and cost-effective.
What other advice do I have?
I rate Microsoft Defender XDR eight out of 10. If you want to implement this product, you should have a team who understands the product well. It's SaaS-based, so the Microsoft team is delivering everything to you. However, you still need to know the product.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Helps us reduce the security solutions used, provides unified identity and access management, and saves our security team time
Pros and Cons
- "The most valuable features are spam filtering, attachment filtering, and antivirus protection."
- "Microsoft Defender XDR is not a full-fledged EDR or XDR."
What is our primary use case?
We use Microsoft Defender XDR to protect our endpoints, computers, mobile devices, and emails.
How has it helped my organization?
In part, Microsoft Defender XDR provides unified identity and access management.
Microsoft Defender XDR can protect 98 percent of devices.
With Microsoft Defender XDR we can now manage all of our non-critical computers from one console. The management level and implementation level are easy. Microsoft Defender XDR is also cost-effective.
We have been using Microsoft solutions for over 25 years so it didn't take much convincing to start using Microsoft Defender XDR.
Microsoft Defender XDR has enabled us to discontinue the use of Kaspersky in our safe computers.
Being able to reduce the number of solutions used has been helpful to our security team's operations. The discontinued use of other security products has reduced manual correlation. Using Microsoft has a lot of advantages, especially in management. The reduction in manual correlation is important for our organization.
Microsoft Defender XDR saves our security team around three hours a day.
What is most valuable?
The most valuable features are spam filtering, attachment filtering, and antivirus protection.
What needs improvement?
Microsoft Defender XDR is not a full-fledged EDR or XDR. Any true XDR should be more powerful than what Microsoft is currently providing. For some public-facing companies, computers, and endpoint computers, we need additional security from CrowdStrike or other third-party XDR.
Microsoft Defender XDR does not stop 100 percent of the lateral movement or advanced attacks. Our machines use both Microsoft Defender XDR and CrowdStrike, and we have had instances where attacks were missed by Microsoft Defender XDR but caught by CrowdStrike.
For how long have I used the solution?
I have been using Microsoft Defender XDR for four years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Microsoft Defender XDR is scalable.
Which solution did I use previously and why did I switch?
We previously used Kaspersky, Norton, and CrowdStrike. We switched to Microsoft Defender XDR because of its streamlined management capabilities.
How was the initial setup?
The initial deployment was straightforward. We pushed Microsoft Defender XDR remotely across our system consisting of 300 computers. We are a team of seven people and each of us was involved in the deployment process.
What about the implementation team?
The implementation was done in-house.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender XDR is expensive.
Which other solutions did I evaluate?
We did not evaluate other security solutions because I have extensive knowledge of most products, their strengths and weaknesses, and their overall capabilities. Additionally, considering all our products are on Microsoft 365, a cloud-based platform, and we already utilize its various components like mail, documents, and more, integrating Microsoft Defender for threat detection and management was a natural choice due to existing ecosystem compatibility and streamlined administration.
What other advice do I have?
I would rate Microsoft Defender XDR an eight out of ten.
Microsoft Defender XDR is deployed across multiple locations and departments.
Minimal maintenance is required for patching.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.