Microsoft Defender XDR Reviews

Our main use cases include securing critical university services and establishing a research tenant for researchers to store and manage their findings across both everyday machines and dedicated research spaces. It involves dealing with malware and managing server security through tags. Additionally, a significant portion of our work involves exploring and investigating emails using the Explorer tool. It is well-suited for addressing these scenarios and ensuring robust security measures.

It enables us to respond to incidents more swiftly, pinpointing root causes with greater speed. Retrieving emails is now a much smoother process compared to the previous method using Power Shell. With Explorer, it's a more straightforward and visually intuitive approach, eliminating the previous concerns associated with Query Drive and reducing any associated anxieties. It allowed us to phase out the use of other security products entirely. Initially, we managed this transition through SXM, and later migrated it to the online version of Defender. It has had a notable impact on the operations of our security team. We've had to reshape our procedures, particularly focusing on alerting. There has been a significant upskilling effort, shifting from the previous model where Cisco admins primarily dealt with alerts within SSC or through email.

The most valuable aspect is undoubtedly the exploration capability. Given that we are consistently engaged in exploration, constantly seeking reasons for message delivery issues and searching for malicious attachments, the Explorer feature stands out as the primary and most beneficial tool for our needs.

I'd like to see more integration with various components. While the ecosystem is quite impressive, there's a noticeable back-and-forth between the Defender console and the Exchange console. It would be beneficial to have a more seamless experience with everything consolidated in one place, particularly when dealing with aspects related to the Exchange console. Currently, we rely on a third-party service for the majority of our IAM needs. The data center extension of security coverage has proven to be highly significant for us. Given our extensive use of Linux and third-party applications, having the capability to monitor these aspects within the Defender console would be immensely valuable.

I have been using it for four years.

The stability is quite high. Despite various outages, we've experienced consistent reliability.

Scalability is indeed very impressive. We can deploy resources globally with just a few clicks, and the use of Terraform to create VMs adds a fast and efficient dimension to the process. In terms of end-users, if we focus on mail and overall usage, we currently have around 105,000 users of VMs. Specifically in Azure, we're nearing the 100,000 mark with more migrations in progress, making the average user count approximately 100,000.

Microsoft support has been performing well, promptly addressing any conflicts that arise. Our account manager is quick to respond and provides additional resources when needed. The frequent check-ins, with calls every hour, contribute to a positive experience. I would rate it eight out of ten.

Positive

The initial deployment was quite straightforward.

The deployment process went smoothly, with check-ins and some policies to configure. Overall, it didn't feel cumbersome.

In the long term, there is potential for significant time savings for our security team. Although currently, many of us are investing time in upskilling and adapting to the new system, overall, I believe that as we become more familiar with it, there will be noticeable efficiency gains.

There has been a noticeable reduction in costs. We've managed to navigate it effectively through our enterprise agreement, and Microsoft's academic discounts have proven to be quite generous. The overall expense is significantly lower, approximately fifty percent less than what we would incur with a traditional enterprise license.

Especially with an enterprise license, the transition is relatively low-risk. If you're currently using the old-school Defender SCCM, moving to the new system is not a challenging shift. It's worth picking a few machines, testing them out, and seeing if it suits your preferences. Overall, I would rate it nine out of ten.

I've been using it for endpoints and for Microsoft 365, along with Microsoft Defender for Identity. I use it to create policies for anti-spam, anti-malware, anti-phishing, as well as safe links.

I also use it for the security score, making sure that our company achieves a good security score across the organization.

It has helped us increase our rules and policies, protecting our users, information, and data.

When I deploy a policy for anti-spam or anti-phishing, the solution automatically helps us mitigate those kinds of attacks that could expand across the organization. The automation stops those attacks and emails and sends the emails to a secure place where the admins can accept or eliminate them.

It has also eliminated having to look at multiple dashboards, which not only makes things easier, but helps us detect, and see for ourselves, the threats that are happening across the organization.

In addition, the threat intelligence helps prepare us for potential threats, providing us with security steps to take based on what other experts have done, the steps and recommendations, to prevent those threats. It collects information from the website that Microsoft has where security experts provide information.

And with our endpoints, it has helped us save time because, before we installed Microsoft 365 Defender, we had an antivirus solution that took our time. In addition, by using Defender for Identity, we have been saving time with the password self-reset, because we no longer need IT members or administrators to help reset users' passwords. They can do it by themselves. And with Microsoft Defender for Cloud, we're no longer installing the software on their computers, so there are time-savings as a result.

And one of the greatest characteristics of 365 Defender is that it natively helps you coordinate, detect, and prevent threats, and it provides investigations across the organization's domain. And with the responses across the endpoints and various resources in the cloud, it has many sophisticated solutions integrated to protect against cyberattacks. It has absolutely helped us to save money because it is just one solution, rather than paying for multiple services at the same time.

The security score and the threat intelligence are really good features. I also like the Exchange message trace.

The visibility into threats is also very impressive because Microsoft helps you predict things and provides analytics to help you really improve your security. And all of this technology works across the domain, so it is pretty helpful in terms of threat analytics. It immediately detects and tells you what you can do, with recommendations.

The solution also indicates threats as high, medium, or low priority. When the priority is high, that is when I put all of my effort and knowledge into it, and focus on it, because it is valuable for the enterprise.

We also use the solution's role-based access control across the organization. Because, as a company, we work remotely, we make sure that our users have access to what they need and we better protect our company from intruders and cyberattacks.

Intrusion detection and prevention would be great to have with 365 Defender.

I've been using Microsoft 365 Defender for nearly a year.

The stability has been great so far.

It's very scalable. That's one of the benefits of the cloud. You can scale or downsize it whenever you want.

We have many locations and departments around the world. I'm located in the Dominican Republic, but there are people in Europe and the United States.

Their technical support is great because they mostly provide responses in less than 24 hours.

We were facing downtime with our Outlook email, and they told us what was happening with our data center. After they responded to us, we provided the information to the head administrators. After two hours, they restored our services.

Positive

The solution doesn't require any maintenance, as far as I have seen.

Between a single- and a multi-vendor security solution, it depends on whether you are using multiple technologies. Microsoft solutions are pretty much integrated, and help you with the pre- and post-breach. If you are using Microsoft, I would absolutely recommend Microsoft 365 Defender. But if not, I would recommend something else because, with just Microsoft, you probably would not be getting the best solution. There would probably be latency.

In our organization, we are mainly using it for email security and SharePoint security.

It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints.

It helps us to prioritize threats across our enterprise, which is very important. It has sorted many things.

We use Defender for Endpoint, and we also use Sentinel. In my organization, they are all integrated. Sentinel pulls the data from M365 Defender via connectors. The integration is very easy. There are no problems. These solutions work natively together to deliver coordinated detection and response across our environment, which is good. We rely a lot on Microsoft products. Together Defender for Endpoint and Sentinel give me a clear picture to defend against threats and investigate the threats.

Sentinel enables us to ingest data from our entire ecosystem. It's always good to get a centralized, holistic view of our security operations. We are using centralized Sentinel dashboards mainly to get all the threats and information in one place. It's good.

Microsoft security products provide comprehensive and deep threat protection. I'm pretty satisfied with that.

It has saved us time. It has saved more than 50% of our time. 

It has decreased our time to detect and time to respond. It has been helpful, and the time to detect is really fast. We don't have to do anything. We just have to rely on it. In terms of the time to respond, if something is under the radar or intelligence of Defender, the tool itself responds and gives us what happened. When it comes to something that is not on Defender's radar, Sentinel is generally where we go. So, it saved more than 50% time in terms of detection and response.

Email security and endpoint security are valuable.

It provides good visibility of Microsoft products but not for third-party products. It's a good product if we have Microsoft product lines to protect or defend, but it lags when it comes to a mixed environment or non-Microsoft products. The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category.

On the Defender side, for custom detection queries, KQL and the dashboard are not that great, but we are not doing automation directly from the Defender side. We leave Defender intelligence as it is, and we collect everything from Defender to Sentinel and handle the response from the Sentinel side. So, all our automation is happening through Sentinel only. We don't have any extra customization on top of Defender.

The maturity of the portal or dashboard is missing. The dashboard is something that Microsoft is changing every month, and we are seriously not liking it. As a management person, I am not bothered about it, but my team is suffering because there are many versions. You are working on a version and then a new version comes and then the preview toggle button comes. Now, they are combining all the parts into a single console. It confuses technical teams a lot. I'm not happy with their approach or experiments when it comes to the Defender portal. They shouldn't change it again and again.

The SOAR side of Sentinel is zero. If any subscriber subscribes to Azure Sentinel, SOAR is zero. Microsoft says that Sentinel is a SOAR solution, but I don't agree because they are only exposing the existing Azure automation engine towards Sentinel. My automation ask is that when there are already so many detection rules and connectors, why is the SOAR capability not in-built? Why can't they make the Azure functions behind it available in a template form and let us modify and use them? It will save my team's time in preparing the automation of the response. If my team has to create the logic, they have to invest a lot of time.

Their support needs to be improved. I'm not happy with their support.

I have been using this solution for more than a year.

For stability, the product must be mature enough. It should not keep on changing every month.

It's scalable. Target points are in my capacity, and I can scale it without any problems. There is no limit to the agents for Defender, but on the server side, Microsoft would have the answer. 

Location-wise, we are spread in five locations within one country, and department-wise, we have around 11 departments.

Their support is bad. They weren't at all able to solve my problems. They buy the time but never get back. I have to follow up with them again and again. They just take the logs and sleep on them. I'm not happy with their support. I would rate them one out of ten.

Negative

We were using another solution. Our organization at the time was too much dependent on the on-premises infrastructure. We were using Symantec, but it was a very quick shift within one quarter or two toward the cloud products and services. We are now heavily reliant on Microsoft Cloud products. We have the Azure environment and a lot of cloud applications, and we have shifted to M365 and Sentinel.

We have a hybrid deployment. Within the cloud, it's straightforward, and when it comes to the target points, it's doable. 

Our biggest challenge was removing the old Symantec signatures from the registries, devices, and servers. That was what we mainly struggled with a lot. Otherwise, deployment was going very smoothly. We had around 46 virtual machines or servers. The problem was that the MDATP agent was not ready to protect them. We struggled a lot there. We went to Microsoft, and Microsoft said to go back to Symantec, and when we went to Symantec, they asked us to go back to Microsoft. That took a long time for us. Everything else was smooth. When the target point is Windows, it's very smooth.

It took around 20 to 25 working days. In terms of the staff, other than the infrastructure team, there were five people including me.

In terms of maintenance, we have to just work on the detection rules and nothing else. There is no other maintenance. It's a complete cloud solution.

It's quite hard to measure the money saved from using this solution because we have not got any attacks that have resulted in any kind of ransom or monetary loss. It's defending us, and as of now, as per my report, there are no financial losses due to any attacks.

Microsoft's pricing differs geographically. We are based in India, and we have India-based licenses. Money-wise, it varies from product to product or OEM to OEM. We pay less for some, and we pay more for some. 

Microsoft has a lot of CSPs, indirect partners, and direct partners to deal with customers. There is so much difference in the price, which is something we are a little confused about. For Defender, they have Endpoint Plan 1 and Endpoint Plan 2, but I don't know on what basis they have classified Endpoint Plan 1 and Plan 2, but it has given me enough pain to pick and design Endpoint Plan 1 or Endpoint Plan 2 for my organization. In fact, we are still struggling with it. Too many SKUs are confusing. There should not be too many SKUs, and they shouldn't charge for every new feature.

We evaluated Okta products and QRadar.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single vendor security suite is always better. It's simple. It saves the time to detect and respond and administer.

This product is best if you have mostly Microsoft solutions in your ecosystem. If more than 20% of your solutions are third-party solutions, you can also look at and compare other products.

Sentinel enables us to investigate threats from one place, but when it comes to response, we have to put a lot of effort into it because Microsoft is not giving anything ready-made on the SOAR side. We have to put a lot of effort into orchestration and automation. The SIEM of it in terms of the collection of security events and information is wonderful, but when it comes to the SOAR capabilities, there is nothing in-built. They are just the analytical rules for the detection purpose, not for the response. The response is something we have to sit and design. So, the defending capabilities of Defender are good. It has some intelligence, but on the response side, Sentinel is blank. We have to start from scratch. It's a circle, and we have to keep on evolving. When comparing the cost, I am not that exposed to other products' costs, but as per my understanding, the cost of Sentinel is a little bit on the higher side because Microsoft generally charges on a log ingestion basis. It also depends on the amount of log data we are ingesting in Sentinel.

Its threat intelligence hasn't helped to prepare us for potential threats before they hit and to take proactive steps because it depends on the type of attack, the type of payload exploits, and other things. However, as per my previous report, in the last six months especially, there have been quite impressive preventive features, especially related to the process memory injection attacks or attacks coming from emails and links. It's very good for those.

Overall, I would rate this solution a seven out of ten.

Almost every use case is about security layers for messaging in Teams and for email. It especially used for phishing filters, spam filters, and composite authentication, as well as Zero-day advanced protection, and for protection within already received emails. Clients are also looking for link protection in Teams and in SharePoint.

The solution has improved the remediation steps we take for each threat. That has been the biggest impact on our organization because we need fewer human resources to deal with a bigger attack surface.

And for routine tasks and alerts on issues of high importance, the automation that the system provides has helped greatly. You can set up customized alerts and categorize trends to see a quick overview. As a result, our security officers can focus on the really important tasks, without noisy alerts. Previously, there was a procedure with a rule that was sending all emails that resulted from the SPF and DMARC controls failing to the phishing mailbox. Our security officers had to review every email and accept or decline. Now, using the automation tools within the Microsoft 365 Defender, they don't need to do that. They can check that the tool is working fine from time to time, but they don't need to do that task on a daily basis. It gives them a lot of time to do more important and creative stuff.

In addition, especially when it comes to Zero-day attacks, the solution's threat intelligence helps prepare you for potential threats before they hit. It identifies, for example, attachments containing something malicious and remediates by blocking additional delivery to other users. For example, an email may only be delivered to three users instead of 100 users. Even if somebody didn't open the email, the Zero-day attack protection has removed the email from their mailbox. This is a great remediation step for protecting that attack surface. Then I can observe how the tool is dealing with the attack instead of trying to figure out how to approach it, what to do, who I should contact, et cetera.

It also saves me time every day. It was taking me really long to review the message headers to identify what happened. It could take an hour or even more if it was a really complicated case. I needed to check the headers, the content, the links, the attachment. Using Microsoft 365 Defender, I can see in Explorer at a glance, or by clicking through one or two tabs, what is happening. It gives me a lot more time to do more interesting work and to close other cases. Instead of an hour, it takes five or 10 minutes now.

It's a lifesaver for me and keeps my clients from being threatened and attacked every day. It's not about the money, it's about the information. Attackers can use information to make money.

I can check the overviews and see trends where somebody wants to use some kind of open gate to gather my information. But the solution does the work on my behalf, so I don't need to observe the environment, traffic, and user behavior. And we don't have to invest a lot of money on repetitive training for users. Training is also good, but I don't need to invest so much money and effort in that process, and that results in savings.

For me, the email protection features are the most useful because I focus on that area.

I also really like the integration with the entire Microsoft 365 service because it's not really common to have a tool that is integrated well with Teams, SharePoint, and Exchange. 

Another feature I like is that inside Explorer I can perform an investigation to check, for example, if any accounts have been breached or accessed by a malicious actor. I can also check the source of emails from which we are receiving something that was not expected by us, such as 

• XML attachments 
• meeting invitations with the malicious links
• JavaScript. 

And I really like that the tool checks attachments within the hash so that we can investigate who received the malicious file and where.

There is also one dashboard that shows us the status of many controls at once and the details I can get. Sometimes I'm on a call with somebody from the security team who is asking why we received something or how we can better protect our environment. I can even show them the analysis of a particular Excel file and a macro inside that file. That is something I really like. It gives me a lot of information and I can respond very quickly to a particular case.

It gives a great overview of many areas, such as files, emails, chats, and links. Even with the apps, it gives you a great overview. In one place you can see where you should look into things more deeply and get knowledge of the details, instead of browsing the details and looking for something that might be of interest.

And, of course, it helps prioritize threats across the enterprise. The solution identifies threats and categorizes them. I can assess which category is more important for me and react accordingly. This categorization is really important because it gives something like an SLA for each case. You always have limited resources to deal with cases. For example, in one of the companies which I support, over half of the email traffic is filtered by Microsoft 365 Defender's tools as malicious traffic, amounting to about 5,000 emails a day. I can use the tool to see an overall view of the threats, instead of just going through each one, one by one. It gives a great overview and the ability to see trends for a day or a month and I can adjust my focus according to the trends.

With Defender on end-user devices, we have the ability to monitor them without the need to have them connected to the same network. People are working from home and sometimes they are working on their own devices. We can use conditional access policies to ask them to provide the minimum security standards. That gives us a lot of peace of mind when using Microsoft Defender. We can create rules that look for users who are uploading malicious content to Teams, SharePoint, Android, et cetera.

There should be better information for experts on features in the solution. What I see when reading about features in Microsoft 365 Defender is that it is always general information.

If Microsoft could go deeper into details for the experts about how to use the tools, usage of it would be more familiar and it would be easier to use. Right now, I need to spend a lot of time using Defender to check the possibilities and how to connect them together to see things better. If I could read a more detailed article about it and see some use cases and how some threats are remediated, that would be great. Maybe I'm not looking deep enough or maybe there is some room for them to improve in this area.

And I would really like to see new features.

I'm a Microsoft 365 consultant and have been using Microsoft 365 Defender for about three or four years.

It is really stable.

Sometimes, when there is a problem with the Microsoft infrastructure, for example, in India, then it can be hard because it's not just that somebody may have a problem. It's not about only one business unit but all of Europe. But it's not that problematic for us because usually this kind of situation is very limited and the fix is delivered really quickly.

It is a scalable solution. I haven't had any problems with the scalability of Defender.

We have the solution deployed in 38 countries. People are connected to their local networks and they use the updates from Intune and SCCM.

I haven't had any situation in which I had to ask for support for Defender. 

But for Microsoft 365, overall, when we contact the exact, dedicated team, it's really good. But before that, when a ticket goes through the first and second lines of support, sometimes it's too repetitive. The first line asks the same things as the second line. I know that it's required because Microsoft is a huge company and it has a lot of customers, so some kind of triage is needed. But when an issue is well-known and there is already a solution or a workaround, the sharing of this knowledge should be better.

Neutral

I used regular filters on the email server, running on Linux, with some type of anti-exploit solution that checked for threats inside the files. I filtered the DMARC and SPF with regular controls. That was a nightmare and I'm really happy to now use Microsoft 365 Defender.

I don't deal much with the pricing aspect, but the companies I am supporting use an E5 license for Microsoft 365 because they want to include all the features and it's cheaper for them to use E5 than SE3.

Maybe the solution should be cheaper because I have heard that the licensing is pretty expensive. I can imagine why: The knowledge is expensive and the tests and infrastructure are expensive as well.

From time to time there is maintenance in reviewing the rules so that we can focus on how to use it better. But that's not "maintenance" in the standard meaning that you need to check if the processes are working properly. For example, our security department uses phishing attack simulations to check if users are aware of how the tool behaves when we receive a phishing attack and what actions are taken to remediate that attack.

When trying to decide between a best-of-breed strategy versus a single vendor for security, it depends on the approach, resources, and of course, money. You can have a single vendor and extensively use the solution and really invest time and effort into better understanding how it works. Or you can buy a few solutions but understand each of them less, because it's not possible to have deep knowledge of how every solution works. For me, it's better to use only Microsoft 365 Defender instead of having additional security providers. I can then go deeper into the details and ask the vendor to implement a feature that is useful, and that probably will not only be useful for me. We can build it together instead of blaming each about who should do better work.

My advice is to go deeper into the details to understand how remediation is utilized inside the solution. Notice that Microsoft 365 Defender is using data collected from every tenant that is using the solution, not only mine. If a company's controls have been attacked, the tool can already protect me because I'm not on the first line of fire. It's great to understand this fact and understand the idea behind it and what the benefits are.

At FileVine, we provide case management software for attorneys, so we have considerable SOC 2 compliance requirements. We need more than a firewall; we also need a solution that helps us upkeep and manage devices, laptops, etc. 365 Defender fulfills these requirements, and SOC 2 compliance is our primary use case.

We're a hybrid company using both Macs and Dells, deployed across multiple regions.

The solution helps us improve compliance regarding end users installing updates. It clarifies which users need to update and how they can go into Terminal or PowerShell to perform that process. We don't have to waste time looking for what needs to be done, which is a useful functionality. The product automatically informs us of high and low priorities, which is great; it allows us to deal with the most significant priorities first.

365 Defender helps us automate routine tasks, and we get updated daily. We can integrate Splunk to see what's going on and what needs to be updated. Automation significantly impacts our security operations; it feels like we have a vault around us that nobody can breach.  

The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update.

The visibility into threats provided by the solution is excellent. When a threat triggers a response based on our set rules, it's stopped, and we are notified via email. We can then analyze the threat and make a decision; this entire process is straightforward and user-friendly. 

The product helps us prioritize threats across the enterprise, especially in the legal domain. It is very valuable, and one of the reasons we have been so successful at Filevine is the security measures we have in place. We use many tools, one of them being Microsoft 365 Defender, which significantly contributes to our IT team and company's success.   

Our integration of multiple solutions helps to deliver a coordinated detection and response in our environment. We integrate with Zscalar, which is very easy and manageable. We thought it might be difficult, but it works very well. Much like a car, our security system is composed of many moving parts working together, which helps us move forwards as a company and thrive in a relatively challenging economic time. 

The comprehensiveness of the threat protection provided by using multiple Microsoft security products is excellent. It's a simple system; we have incoming and outgoing traffic rules. When a rule is triggered, we are notified by email to look over the situation. For example, we can see viruses and malicious actors attempting to breach our security and respond by blacklisting the IP address. Sometimes, we gather information and pass it on to the FBI, as we have many SOC 2 clients.

365 Defender helped eliminate multiple dashboards, which is great because I like to be as minimalistic as possible regarding dashboards. Now, I only have to look at one or two at most, simplifying the security landscape, and I love that about the tool.  

The solution's threat intelligence helps us prepare for potential threats before they hit; most recently, we were protected from the August 2022 Apple hack. We had measures in place, so none of our devices were affected. We were spared any data compromise, and it's an excellent example of why we invest in security solutions. It builds our confidence and strengthens our case with the higher-ups for increasing and maintaining our cybersecurity budget. 

The product certainly saves us time. We trust in the protection and can focus on different projects, including automation, so we don't have to spend time dealing with issues and security breaches. I'd say we save four or five hours a week.  

365 Defender saves us a lot of money because we don't have to recover data or hire outside lawyers to help us with legal trouble. We don't need to invest in physical products or external security teams and solutions. We can keep our security operation within the company, so all our money is invested in people who care about our product and business.  

The solution quickly notifies us when a threat is detected, increasing our response speed. Other products I used in the past sometimes had significant delays with notifications, which is far from ideal when dealing with potential security threats. 

Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed.

I have been using the solution for a few years. 

The solution is very stable with low latency. 

The product is highly scalable, which is fantastic because we have been expanding significantly. It's up and running and good to go very quickly, which has been excellent for our expansion in Florida, New York, Maine, and Canada.

I have yet to contact support. One thing that helps in this regard is that I have an AZ-900 handbook with Microsoft fundamentals. 

365 Defender was already in place when I was brought into the company, but they previously used Jamf Protect. They switched because it cost too much and wasn't fulfilling the requirements. It didn't perform as well as 365.

I can't speak to the setup as the solution was in place when I arrived at the company. However, 365 Defender is one of the most lightweight tools we use in terms of maintenance. We keep it up to date, and it works very well.

I would say the solution gives us a significant ROI, especially considering the issues in the industry recently. Russia and China hacked many companies, but we never had that problem, and that's a lot of money saved for us. That's not entirely because of 365 Defender, but also thanks to our excellent security team and the robust toolset at our disposal to protect our operation.

The solution is affordable, and we haven't been hit with any hidden costs. The subscription model is straightforward, and it's easy to understand how much additional features cost. If we need to cancel a license or feature, we do that well in advance to avoid being charged for it, but overall, the pricing and licensing are simple and easy.

I would rate the solution an eight out of ten. 

We use multiple Microsoft security products, including Defender for Endpoint, MFA as a standard on all work laptops and computers, and Endpoint Manager. We use additional tools to protect the Mac side of our operation. We use Microsoft Intune, some other MDMs, and some other assets from Defender for Cloud, and for cloud security, we use GCP, Azure, and AWS. 

Many of these products are integrated, and the integration was relatively straightforward. It was somewhat time-consuming as we previously used Jamf Protect for a long time, so switching our entire infrastructure over to the new products took some time.   

Microsoft Defender is used for email protection. 

Microsoft Defender helps stop advanced attacks. We use PII disclosure, we track sensitive data in emails, ransomware, and phishing emails.

Microsoft Defender has saved us costs. 

Microsoft Defender has helped save us investigation time.

Microsoft Defender is slow to adapt to evolving threats.

I was using Microsoft Defender for one and a half years until a month ago when I switched to a different team.

Microsoft Defender is stable. 

Microsoft Defender is scalable.

I previously used Rapid7 InsightIDR for Security Information Event Management and Extended Detection and Response. While InsightIDR offered a user-friendly dashboard for managing detected incidents, its limitation of creating only around 25 custom rules restricted our ability to identify emerging threats. With the ever-evolving threat landscape, I believe a solution with a more adaptable defense system, like Microsoft Defender, is necessary to keep up with the pace of new incidents.

Microsoft Defender was straightforward to set up. It came with a lot of useful documentation to help.

The deployment took almost two months. 

Microsoft Defender falls within a mid-tier price range compared to other security solutions.

I would rate Microsoft Defender eight out of ten.

Microsoft Defender is well-documented and we can find answers to our questions from the user community.

I recommend Microsoft Defender for organizations that are already using other Microsoft products. Since they're likely within the same ecosystem, integrating Defender for antivirus protection should be a smooth process.

We primarily use it for endpoint security. Specifically, it serves as our solution for antivirus detection, malware detection, and related aspects focused on safeguarding individual devices. 

Its single-pane interface is a time-saving feature, as it eliminates the need to check different locations which is excellent for efficiency. It allows us to phase out the use of other security products. For example, we previously ran Sophos on-premises. However, upon transitioning to Microsoft 365 and leveraging the included Defender, we discontinued the use of Sophos. This shift not only streamlined our security approach with a unified solution but also contributed to cost savings, as everything is encompassed within the same license—a concept that aligns with the efficiency of a single-pane interface.

The most valuable aspect is that it comes included with the licensing, which is excellent. It provides a single pane of glass within the 365 admin interface, streamlining our experience by consolidating information in one place and eliminating the need to navigate through multiple interfaces.

It would be highly beneficial if CoPilot could identify anomalies within the network and notify the IT team. For instance, if a user typically accesses around a hundred megabytes of data daily from familiar files and locations but suddenly diverges to an uncommon destination, uploading ten gigabytes of data to an unfamiliar website, that would be a significant anomaly. Pausing such activity and alerting the IT team for a human assessment would be a valuable feature to ensure security.

I have been working with it for three years.

No stability issues noted, and there haven't been any concerns regarding false positives. Overall, the experience has been positive.

Scalability is straightforward; no issues are encountered. We predominantly use Windows 10, and so far, I haven't observed any issues. Some of us have transitioned to Windows 11, and it appears to function well.

We haven't contacted their tech support, which I consider a positive indicator.

In terms of ROI, our expectation is to gain a comprehensive analytical perspective by upgrading to E5, activating Sentinel, and deploying other products like Entra. This move aims to provide a more extensive understanding of user activities, login details, and other relevant metrics. Currently on a three-year Microsoft term set to end on April 1st, we've inquired with our vendor about transitioning from E3 to E5 immediately.

In our security solution evaluation, we considered Trend Micro and Sophos, focusing more on Sophos due to its cloud version. However, challenges in patching the on-premises Sophos led us to choose Microsoft Defender. The simplicity, inclusion in our package and regular patching made Defender more attractive. Additionally, our decision was influenced by community adoption, as no other law enforcement agencies in Canada were using Trend Micro. Defender's seamless integration and zero additional cost aligned with our strategy of opting for solutions without extra expenses.

Overall, I would rate it eight out of ten.

The summarization of emails is a valuable feature. I get more than 1000 emails a day. It is hard to read them all. Summarization makes it a lot easier. The solution also provides transcription features.

It doesn't work in Word, Excel, and PowerPoint consistently. We find it full of bugs. It doesn't work properly. The tool gives inconsistent answers and crashes a lot. I spoke with the Microsoft team regarding these issues. The person I spoke to said that our expectation was too high and that we should have expected that it would only operate at 70% accuracy, which was a bit of a shock.

I have been using the solution for four years.

We use most of E3 and E5. We're using 92% of the catalog. Everything runs in the cloud. In the past six months, there have been incidents where the cloud has had some issues. We've escalated them to Microsoft and have had a conversation about stability.

The tool is scalable.

The support is decent. It could be better in certain circumstances. Overall, it's acceptable for what we need it for.

We were using a Symantec tool before. We stopped using it because we were exiting a relationship with the Symantec tools. We chose Microsoft Defender for Office 365 because we had a relationship with Microsoft, and it did similar things to what we used the Symantec tool for. It was an easy choice.

The initial setup was complex. It doesn't work. Semantic Index takes 48 hours. Getting people to onboard is not as simple as turning it on and making it work.

We have to ensure that we are teaching people about these tools, their value, and the use cases to determine whether they will use them. If we turn it on and somebody is not trained to use the tool, they will abandon it. It's still not functioning properly. It's a bit of a risk for Microsoft to push out a tool that's not ready yet.

We did the implementation ourselves. We have a large enough internal team.

The solution is too expensive. Each license costs us $30.

Google is an alternative. The comparison is based on market share, penetration, usefulness of tools, and cost. Microsoft has the lead. It's embedded. We use it as a productivity suite for our company. Excel, Word, and PowerPoint are tools that people use on a daily basis.

The tool provides a little bit of unified identity and access management. It's not the most important thing for us. Security is a multi-layered strategy, and Defender is one aspect.

The product is one of the many tools we deploy to ensure that the lateral movement of advanced attacks does not occur. If it were the only tool we had, I wouldn't be as confident in saying that we have the proper levels of security, but it is one of the multiple tools we have. So, lateral movement is almost impossible.

The solution might be able to adapt to evolving threats in a smaller shop. However, it is not so in our organization.

We run a bank. We are testing out Copilot. We're about to roll it out to several thousand users. The tool hasn't yet helped improve things in our organization, but it has the potential. Copilot is new. It's difficult to determine the ROI and its value. It's hard to tell. We do get some value out of the product.

Overall, I rate the product a seven out of ten.