Netify have released our 2024 SD-WAN comparison blog article

Who are the top rated EDR vendors? (With comparison)

Who are the top rated EDR vendors? (With comparison)

How our Compare the Market Quiz can help you find the best fit SD-WAN Vendors

  • Answer 10 questions to find out which SD-WAN solution fits your business
  • Learn why each solution is a match for your business
  • Used by companies including CDC, Permira, Square Enix, British Legion and more
  • Totally free to use without commitment

Compare the SD-WAN Market

In this article, you'll find The Netify top/best 20 EDR vendors and service providers which fit the needs of most mid-market and Enterprise businesses.

A single attack from an advanced threat actor can cost millions of dollars and possibly even lives. The importance of security solutions for protecting companies, their data, and their users’ or customers’ data is becoming increasingly recognizable, even by organizations who aren’t the most security-conscious. As the enterprise technology landscape changes and evolves, so must the security products, services and tools that we use to provide an effective defence. As technology, device counts, digital information and operations in the enterprise grow, so too does the attack surface, which translates to a need for more coverage than ever before to keep everything safe.

Not too long ago, signature-based antivirus applications were considered a ‘silver bullet’ for protecting most of the endpoint attack surface.  While this was never really true, antivirus applications were relatively effective against malicious files which often served as the delivery mechanism for common attacks ranging from simple to sophisticated. Fast forward to today, and you’ll find that this technology is only a small piece of what you need to have a chance in defending endpoints against modern threats.  This is the problem which Endpoint Detection and Response (EDR) solutions aim to solve.    

Many people consider EDR tools to be an evolution of antivirus applications. They are deployed in a similar manner, and some EDR vendors position themselves this way in the market with some even calling their solutions next-generation antivirus.  Almost all EDR solutions incorporate some form of signature-based malware detection, but they are a far cry from your grandfather’s antivirus application. 

Security teams are looking for solutions that they hope will prevent breaches, or at least enable them to mount an effective response and minimise the chaos which follows. Vendors across the cybersecurity industry are providing new and innovative approaches to meet this challenge. It is important to find the right solution for any individual organization based on their needs and business processes - especially when you’re dealing with endpoints that people use to do their jobs every day. In a marketplace filled with choices for endpoint security products, CISOs will succeed when they’re able to align their business needs with products that offer the most complementary technologies whether it be machine learning artificial intelligence, open architecture, agentless deployment, cloud-native, or on-premises.

Questions to ask your EDR vendor

  • Do you deploy a single agent, no agent, or multiple agents?
  • Do you have an on-premises, cloud or hybrid solution available?
  • Does the solution stand alone as a complete endpoint security solution, or is it highly recommended (or even required) to pair with another security product?.
  • Does the solution provide online and offline offerings or is an Internet connection required?
  • What type of resource overhead is required on our endpoints to properly implement this solution?
  • Is there a path to a single-pane-of-glass security solution beyond the endpoints, or are multiple management interfaces required?
  • Does this solution lock me into a single vendor for complementary security solutions or is this solution compatible with the greater security ecosystem through integration?
  • Is Managed Detection and Response (MDR) offering available, or is the solution designed for an in-house team of trained Security Operations Centre (SOC) operators and analysts?
  • What is the pricing and licensing model, and will I be expected to pay separately for support?
  • Do you offer professional services for implementation and upgrade assistance and are these included in subscription fees or additional?
  • Are you migrating from a legacy anti-virus solution, or keeping a separate next-generation antivirus solution (NGAV) in place? Consider whether you want to run EDR alongside antivirus, or whether you're replacing antivirus completely. With this in mind, choose solutions that are known to play-well-with others will be necessary if you want to deploy EDR alongside another antivirus solution, or choose solutions that have built-in NGAV features AND make replacing the existing solution as easy as possible. For instance, McAfee has leading NGAV functionality and offers migration tools, but they likely won't play well on the same endpoints as the another legacy AV or NGAV solution.  In that case, Panda's lightweight agent could be a good choice to deploy alongside an AV solution.
  • Do you have a specific requirement driving the need for EDR but you're happy with the rest of your security stack?  If not, you may want to consider choosing an EDR solution from a vendor like Palo Alto or Cisco who have large complementary security portfolios.  In contrast, if you are a small business and are just looking to upgrade your legacy antivirus software, then any EDR solution that has built-in NGAV may be the only solution you need.
  • Do we have staff to manage, deploy, maintain and configure the solution as well as analysts to investigate incidents and alerts? If not, consider solutions that offer managed detection and response (MDR).
  • What type of environment(s) does the solution we implement need to support? For instance, if your organization is starting to embrace the cloud you should consider hybrid solutions or if your organization has been an early adopter and is already fully on the cloud you would want to avoid hybrid and on-premises solutions. Or if your organization is fully on-premises without a the ability to move to the cloud for regulatory reasons, knowing this will help narrow down the available solution providers and avoid making an oversight.
  • What type of endpoints will need to be supported, and are you already standardized on a cloud productivity vendor like Microsoft or Google? If your organization uses Microsoft products on all endpoints and servers, then you can likely choose from any of the products that match your other needs or even consider Microsoft Defender for the tightest possible EDR/OS integration.  While even Microsoft's Defender (and InTune MDM) can support macOS, Linux, Android, and iOS, if these endpoints make up a large portion of your endpoint population, you may want to consider solutions known to have good support for what you have.
  • Does your organization have in-house security tools or other IT applications that need to be integrated with the EDR,solution?  If so, are these applications cloud hosted with out-of-the-box integrations?  If so, then it is important to look at the APIs and integrations offered by each EDR solution in order to determine if the solution will work within your environment and how difficult or easy will it be to deploy and maintain.  If not, you should consider the user interface including dashboards, visualizations, and search capabilities, as these features will be critically important if your EDR solution's interface will be the primary place to view security information.
  • Are you interested in additional endpoint security features, like being able to control DNS or isolate web browsing sessions?  Most EDR solutions offered from different manufacturers will all have some sort of web security functionality, even if it is just basic static analysis of scripts running on the endpoint, but some solutions will include unique and targeted approaches to web security and privacy such as web browser control, auto-configuring VPN so web traffic is sent through the organization's proxy for inspection, or even integration with email and collaboration tools to detect risky behavior.  In Microsoft enviornments, Microsoft Defender offers all of this and more.  Otherwise, solutions like Sentinel One Singularity or Carbon Black offer great features for more granular control of enpdpoint security configuration.
  • When looking at potential security solutions, where do you place more value - innovation or longevity? Some manufacturers will offer bleeding-edge technology to their customers in an effort to provide automated protection against theats that we don't yet know about which other signature/definition-based solutions wouldn't be able to find (like SentinelOne, for example).  Other manufacturers like McAfee or Symantec may offer the most trusted and proven solutions to known problems and will wait to offer their customers new technologies until they have been proven and gained some trust in the industry.
  • Do we need an EDR solution with flexibility for in-house security professionals to perform their own detection engineering, run their own playbooks for responses,  deploy their own remediation scripts, or conduct in-depth threat hunting without pivoting to a SIEM?   If your organization is looking for something that can be fully customized and is designed for use by security professionals on a regular basis, avoid solutions that target small businesses or consumers (for example, Malwarebytes, ESET, or Sophos) where their customers don't need or want the ability to fully manage their deployments, and where they need 100% automated remediation.  On the other hand, if you are an organization with limited or no security staff, consider looking for solutions that offer more automation and are known to mitigate 'alert fatigue'.
  • Does your organization have requirements for investigation, analysis, and data collection surrounding potential or actual breaches? If so, consider a solution that can be hosted in your environment where you can provide the necessary storage while keeping the data fully under your control.

1. SentinelOne (Singularity)

SentinelOne’s Singularity offers multiple product tiers with Singularity Complete being the all-inclusive tier. Their EDR offering includes top-of-the-line threat hunting capabilities and allows for manual or automated “Active” responses including host isolation. Their storyline feature offers instant visibility into each threat’s life cycle along the kill chain without needing to piece things together using logged events. SentinelOne offers MDR services (called Vigilance), and they also offer an entry-level solution called Singularity Core which they market to organizations of all sizes as a legacy antivirus replacement.


MITRE ATT&CK® Evaluations 2021 Visibility: 174/174
SentinelOne Pros SentinelOne Cons
Good for threat hunting Integrations are still maturing
Fully-managed MDR available Reviews indicate occasional bugginess in the UI
Storyline feature Can be resource intensive

2. CrowdStrike (Falcon)

CrowdStrike Falcon is an industry-leading EDR solution designed to make  an organization’s analysts and investigating teams more efficient. They boast a “quick search” feature that returns results from logs, telemetry, threat hunting data and open investigations in less than five seconds. The prioritization and categorization of alerts into incidents keeps end-users from being overwhelmed with alerts that need their attention. Their Insights product also allows for the mapping of alerts to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework which is very helpful for red/blue/purple team operations. CrowdStrike also offers fully managed services with included threat hunting time focused on catching the most sophisticated Advanced Persistent Threats (APTs).

Their solution is tailored to provide everything an organization would need to identify and stop any threat on endpoints, their network, or in their data. Through recent acquisitions, they are beginning to roll out additional solutions beyond endpoint security including identity protection solutions and Security Orchestration, Automation, and Response (SOAR) solutions which tightly integrate with Falcon.


MITRE ATT&CK® Evaluations 2021 Visibility: 152/174
CrowdStrike Pros CrowdStrike Cons
Good for threat hunting Product portfolio was once simple, but now it’s so big it’s intimidating
Fast searches MDR is expensive
MDR available Learning curve

3. Trend Micro (XDR)

Trend Micro’s solution is marketed as a solution that unifies endpoint defense for past, present, and future cyber threats. Like many other vendors in this market, their EDR solution is a part of a larger portfolio of security products.  Trend Micro’s EDR solution is designed to be combined with the rest of their Apex One solutions to bring MDR, EDR, email, web and SaaS application security into a single solution. This product aims to provide a single interface for full root cause analysis to give the deepest insight into any detection including “patient zero” identification. Threat hunting and search capabilities are solid, and their Advanced Indicators of Attack (IOA) and Indicators Of Compromise (IOC) search functionality give analysts and investigating teams an edge with both forensics and proactive defenses from advanced threats.

Trend Micro XDR(USE)-1


MITRE ATT&CK® Evaluations 2021 Visibility: 167/174
TrendMicro Pros TrendMicro Cons
Seamless integration across Trend Micro’s portfolio Can be resource intensive
IOA/IOC search Many features are cloud-only
Root cause analysis is made simple Learning curve

4. Microsoft (Defender for Endpoint)

Microsoft Defender for Endpoint (MDE) is a central component of the Microsoft 365 Defender suite which includes Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Cloud Application Security and Microsoft Defender for Identity. Their solution touts no agents or scans but instead uses sensors built-in to the operating system that detects vulnerabilities and misconfigurations, then prioritizes vulnerabilities based on many contextual factors including analytics available in their business and productivity tools.  Defender for Endpoint is no doubt one of the most comprehensive endpoint security solutions with features for threat hunting, vulnerability management, attack surface reduction, cloud-security, augmented proactive antivirus, automated investigation and remediation and an MDR offering that puts Microsoft Threat Hunters at your service. This solution is especially ideal for an organization that uses Microsoft products throughout the rest of the business and wants to implement world class protection for endpoints, given that their product works seamlessly with all the other Microsoft 365 products and services.  That said - Apple and Linux endpoints are supported, as well as Android and iOS mobile endpoints that are managed by Intune, Microsoft’s Mobile Device Management (MDM) solution.


MITRE ATT&CK® Evaluations 2021 Visibility: 151/174
Microsoft Pros Microsoft Cons
Agentless Some features are Windows-only
Automated investigations UI could be improved
Good threat hunting capabilities Can’t deploy on-premise

5. VMware (Carbon Black EDR/Cloud)

VMware Carbon Black is targeted at organizations that need an entirely on-premises and self-managed solution for endpoint security without sacrificing capability. It includes features such as threat hunting and incident response designed for online or offline SOCs.  Incident responders can quickly access continuously recorded endpoint data from a central location, and they’re able to pull or push files, kill processes and perform memory dumps remotely from an intuitive user interface.  There is also a Carbon Black Cloud solution that enables organizations of any size to modernize their endpoint protection with sophisticated cloud-native detection, threat intelligence, automation and a plethora of integrations to most security stacks.

Carbon Black also offers various advanced prevention methods for potential ransomware attacks, claiming to be able to detect and stop future threats based on behavioral analysis and sandboxing techniques. This is both a legacy AV replacement and full-featured EDR solution which is known for reliable detection and solid incident response functionality when it counts.


MITRE ATT&CK® Evaluations 2021 Visibility: 154/174
VMware Pros VMware Cons
Good threat hunting capabilities Expensive
Similar features whether cloud or on-premise Can be resource intensive
Tons of integrations Agent doesn’t play nice with other security tools

6. Symantec (Broadcom) Advanced Threat Protection Endpoint

Symantec Advanced Threat Protection (ATP) is a flexible solution that provides combines attack indicators from endpoint, network and e-mail sensors to deliver robust endpoint protection.  Customers who use other Symantec products will benefit the most from their EDR offering as it integrates to the industry giant’s suite of security solutions to enable automate response as well as content analysis which provides another layer of protection from APTs and targeted attacks.  The solution can be deployed onsite, virtually or in a cloud-hosted environment. This solution is well-suited for organizations looking to take their security to the next level with a single-vendor portfolio of products including secure messaging, analytics, reporting, secure web gateways, and MDR services.


MITRE ATT&CK Evaluations 2021 Visibility: 159/174
Symantec (Broadcom) Pros Symantec (Broadcom) Cons
Seamless integration with other Symantec security products Licensing and purchasing has become a bit confusing since Broadcom acquisition
MDR available Many features aren’t available on-premise
Automated correlations between endpoints and other sensors Learning curve

7. Malwarebytes (Endpoint Detection and Response)

Malwarebytes Endpoint Detection and Response for Business is geared toward organizations looking for a simple but effective endpoint security solution that can stand alone or augment an existing solution. Their unique machine learning algorithms are meant to detect zero-day attacks and isolate processes, networks and applications while countering threats such as malicious executables or file changes. Their ransomware protection offering provides 72 hour rollback for Windows workstations which they claim carries little to no performance cost, and a Indicators Of Compromise (IOCs) search functionality to make remediating attacks efficient.


MITRE ATT&CK® Evaluations 2021 Visibility: 116/162 (No Linux agent)
Malwarebytes Pros Malwarebytes Cons
Simple Limited threat hunting capability
Ransomware roll-back No Linux agent
IOC search Expensive compared to others with more functionality

8. Panda (Adaptive Defence 360)

Panda Adaptive Defense 360 is a well-rounded EDR solution that claims to enable 100% detection and classification of processes across all endpoints.  While Panda also offers traditional antivirus solutions, Panda Adaptive Defense 360 is designed to provide complete visibility into threats that bypass traditional security measures like antivirus, and can be installed alongside them. Alerts are mapped to MITRE ATT&CK™ Framework and monitored continuously with cloud-based machine learning algorithms that detect IOCs and even Living off the Land attacks (LotL). Response features include containment and remediation capabilities that can block applications identified by multiple methods including hash or name. Adaptive Defense 360 is a robust solution that covers a lot of attack surface as their Aether interface combines several security technologies into a unified EDR platform.

Panda Adaptive Defense 360(USE)

Image Source: WatchGuard Technologies, (2022)

MITRE ATT&CK® Evaluations 2021 Visibility: Did not participate
Panda Pros Panda Cons
100% classification of processes UI doesn’t surface all available event data - some is only available upon request from support
Unmanaged endpoint detection Mixed reviews on customer service
Agent plays nice with other security tools Reviews indicate occasional bugginess in UI

9. Check Point (Harmony)

Check Point's EDR solution, Harmony Endpoint, is a complete endpoint protection solution touting the automation of 90% of attack detection, investigation and remediation by automatically containing and remediating the entire chain of events behind the attacks and providing complete recovery. After an incident occurs, they continue automating processes by automating forensic reports which are correlated to the MITRE ATT&CK™ Framework for contextual insights and recommendations for preventive security controls. With Harmony Endpoint’s ability to identify and drill-down into incidents from intuitive dashboards and offer automated remediation options, this solution provides advanced protection for organizations with or without their own SOCs. Harmony Endpoint is available as an on-premises or cloud solution for Windows, macOS and Linux environments. Their unified agent for EDR, VPN, NGAV, DLP and web protection makes this a very powerful endpoint security solution for organizations across verticals and ranging from SMB to Enterprise.

Check Point Harmony EDR (USE)

MITRE ATT&CK® Evaluations 2021 Visibility: 162/174
Check Point Pros Check Point Cons
Lots of automation Expensive
Intuitive UI Learning curve
On-premise or cloud Partner-channel only sales model

10. Palo Alto Networks (Cortex EDR)

Cortex XDR is Palo Alto’s Extended Detection and Response (XDR) solution and is designed to augment the security team’s capabilities with bleeding-edge approaches to detection and response.  The solution offers a single cloud-delivered agent that can stop Zero Day attacks with advanced Artificial Intelligence (AI) and Machine Learning (ML) models. Endpoint security features also include management of USB devices, host firewall configuration and disk encryption for Windows and macOS endpoints. Cortex XDR breaks security silos by integrating data and providing behavioral analytics across endpoint, network, cloud and identity data sources for comprehensive threat detection. This approach minimizes the time needed for hunting, investigation and remediation as everything is centralized in one place. Their dashboards are very intuitive and modern with complete command and control capability for endpoint security across an entire organization’s estate. As with other Palo Alto solutions, this product is built for larger organizations with many endpoints, although smaller organizations with limited human capabilities can also benefit from efficiencies gained by its powerful automation capabilities.

Palo Alto Cortex EDR(USE)

MITRE ATT&CK Evaluations 2021 Visibility: 169/174
Palo Alto Networks Pros Palo Alto Networks Cons
Lightweight Expensive
Good threat hunting capabilities Learning Curve
Management of endpoint security controls (USB, encryption, etc.) Lots of automation, but it takes work to implement

11. Cybereason (XDR Platform)

Cybereason’s XDR solution is designed for organizations that need to take proactive defense and investigations to the next level with threat hunting. Although it’s primarily an endpoint security solution, it aims to protect assets across an organization's entire IT stack, including user data, email and networks.  The solution also includes behavioral analytics which correlate events across sensors to provide context.  The interface makes it easy to visualize correlations between events and it is definitely designed for teams who spend a lot of time on threat hunting investigation, and remediation activities.

Cybereason XDR(USE)

MITRE ATT&CK® Evaluations 2021 Visibility: 169/174
Cybereason Pros Cybereason Cons
Behavioral analytics Limited integrations
Automated correlation Learning curve
Good threat hunting capabilities Can be resource intensive

12. Sophos (Intercept X Advanced with EDR)

Sophos’ Intercept X Advanced with EDR solutions provides exploit prevention and anti-ransomware features with detection of both known and unknown threats enabled by deep learning technology. Cloud-based endpoint protection provided by Intercept X Advanced with EDR allows the synchronization between Sophos firewalls and endpoint security to provide a defense that is strengthened by its ability to communicate real-time insight, intelligence and visibility into all applications on an organization’s network. This solution can be a fit for organizations of any size although it is often found in small-to-medium sized organizations and it offers support for a variety of endpoint types including desktops, laptops, servers, tablets and mobile devices.


MITRE ATT&CK® Evaluations 2021 Visibility: 118/162 (No Linux agent)
Sophos Pros Sophos Cons
Inexpensive Limited integrations
Easy to use Can be resource intensive
Good mobile protection Most features are cloud-based

13. Cisco (Secure Endpoint)

Cisco Secure Endpoint is a cloud-native endpoint detection and response solution that offers protection, detection and response while dramatically reducing time to remediation. This is achieved with integrated risk-based vulnerability management powered by Kenna Security. This solution is great for organizations that are looking for comprehensive coverage of their endpoints with a trusted product that integrates seamlessly into an existing Cisco environment. Cisco offers a fully-managed MDR service as well as co-managed or DIY deployment. Cisco’s SecureX platform comes built into the EDR solution and integrates seamlessly with their XDR solution to provide enhanced protection beyond the endpoints. Cisco Secure Endpoint can be leveraged for endpoint security by any organization, although enterprises who are already Cisco users can realize massive security benefits considering seamless integrations across other Cisco security products including Duo, Umbrella and Meraki.

Cisco Secure Endpoint(USE)

MITRE ATT&CK® Evaluations 2021 Visibility: 122/174
Cisco Pros Cisco Cons
Vulnerability prioritization (by Kenna Security) Expensive
MDR available Pricing and licensing model is complicated (it’s Cisco afterall)
Lots of integrations Can be resource intensive

14. Kaspersky Endpoint Detection and Response (KEDR)

The Kaspersky EDR solution is meant to be an enhancement to their award winning Endpoint Protection Platform (EPP). This is a single agent solution for automated protection against common and advanced threats alike. Their solution claims to collect full endpoint telemetry for analysis and further enhancement when combined with their Anti Targeted Attack Platform for advanced network-level threat discovery, investigation and remediation. A single user interface provides visibility into the threat and alerts with views for monitoring, incident response and investigation.  The interface also includes features to assist with alert management and triage users who may not be experienced security analysts.


MITRE ATT&CK® Evaluations 2021 Visibility: Did not participate
Kaspersky Pros Kaspersky Cons
Simple to use and deploy Threat hunting features are limited
Good visualizations and dashboards Limited integrations
Inexpensive compared to others No on-premise option

15. FireEye (Endpoint Security)

FireEye’s Endpoint Security solution is deployed using a single agent with a multi-engine approach. It uses a signature-based engine, a machine learning engine, and a behavioral analysis engine. The result is a lightweight but powerful endpoint security solution that can provide reliable real-time detection and deep forensic insights with its Indicator Of Compromise (IOC) engine. The endpoint security solution can be further extended by streaming events to FireEyeHelix XDR, the extended detection and response solution by FireEye. The company is known for introducing cutting edge technology and techniques developed by front line responders. This solution continuously monitors and identifies suspicious behavior and presents it to an organization's security team for manual action, or it can isolate and deflect attacks automatically. Although the solution is usually integrated with FireEye Helix or another SIEM, the centralized management console can standalone to enable threat hunting, investigations with team collaboration, incident response and reporting.


Image Source: Cybersecurity-excellence-awards, (2021)

MITRE ATT&CK® Evaluations 2021 Visibility: 136/174
FireEye Pros FireEye Cons
Lightweight Expensive
Forensics enablement is second to none, thanks to FireEye / Mandiant collaboration Learning curve
Great reporting and analytics  

16. BlackBerry (Optics)

BlackBerry Optics provides millisecond threat detection and remediation with on-device security. The focus of BlackBerry’s solution is to speed the response time up in order to prevent minor incidents from turning into breaches. BlackBerry’s inclusion of Cylance AI uses next generation continuous machine learning for threat analysis and prevention. One of the key differentiators for BlackBerry’s solution is their online and offline capabilities. The IOC search capabilities through the lightweight InstaQuery (IQ) tool provided with this product makes an efficient solution for those organizations with an online or offline need for a data driven approach to threat detection, hunting, investigation and remediation. When milliseconds matter, BlackBerry is a solution to consider.

BlackBerry Optics(USE)

MITRE ATT&CK® Evaluations 2021 Visibility: 141/174
BlackBerry Pros BlackBerry Cons
Rapid detection Expensive
Most features work regardless of cloud or on-premise Channel partner only sales model
Good threat hunting capabilities Learning curve, especially for on-premise deployment and maintenance

17. Cynet (360 Autonomous Breach Protection Platform)

Cynet’s solution aims to be the one stop shop for endpoint protection by providing a platform that natively integrates NGAV, EDR, network security, user behavior analysis and advanced threat detection. The advanced threat detection uses deception to detect and isolate advanced threats that generally bypass traditional endpoint security solutions. Their contextual view of endpoint, network and user data organizes alerts and data into incidents in a format that visualizes well, making it easier for security teams to quickly detect and respond to attacks. The solution provides automated responses which can enable immediate remediation when predefined alerts are triggered. Cynet also offers MDR services which provide 24x7 threat hunting, investigation and remediation from a dedicated SOC with experienced analysts.


MITRE ATT&CK® Evaluations 2021 Visibility: 153/174
Cynet Pros Cynet Cons
Intuitive UI Can be resource intensive
MDR available Limited integrations
Advanced threat detection using deception Relatively new to the industry (less than 10 years in business)

18. McAfee (Endpoint Threat Defence and Response)

McAfee’s EDR solution contains tools for real-time analysis using machine learning techniques to do both pre-execution analysis and dynamic behavioral analysis for sophisticated threat detection without relying on signatures.. It also dynamically contains application processes at the endpoint allowing users to still be productive while offering security tools and teams to perform in-depth investigations into potential threats. Even though McAfee is well-known as one of the leaders in the early days of antivirus, they’ve made a complete 180 degree turn by delivering an EDR solution with high detection rates for sophisticated attacks that doesn’t need signature-based detection.


MITRE ATT&CK® Evaluations 2021 Visibility: 151/174
McAfee Pros McAfee Cons
Doesn’t rely on signature-based detection Expensive
Good threat hunting capabilities Learning curve
Lots of integrations Can be resource intensive

19. ESET (Enterprise Inspector)

ESET Enterprise Inspector is ESET’s EDR solution and it’s designed to be paired with ESET Endpoint Protection Platform to provide a complete prevention, detection and remediation solution for detecting APTs, stopping fileless attacks, stopping zero-day attacks and ransomware, as well as preventing organizational policy violations. They have an open architecture that promotes integration into other security products like SIEM, or IT issue trackers.  ESET’s solution can be deployed as a do-it-yourself solution, but they also offer MDR services for those organizations without security teams. ESET is another solution that is most often found in small-to-midsize organizations.


MITRE ATT&CK® Evaluations 2021 Visibility: 147/162 (No Linux agent)
Simple UI for policy enforcement Open architecture allows for DIY integrations, but not a lot of integrations available out-of-the-box
MDR available Limited threat hunting capabilities
Easy to use No Linux agent

20. WatchGuard (Cytomic Platform)

The Cytomic Platform is WatchGuard’s EDR solution. The solution can be self-managed or fully-managed with options for MDR. The Cytomic Platform uses a single agent to proactively stop attacks, malware and exploits with behavioral analysis at the endpoint. Additionally, their Zero-Trust Application Service allows organizations to leverage the EDR agent for implementing application whitelisting. Their API first architecture allows them to easily integrate into the rest of the security stack and for automated response capabilities. Finally, while their user interface may be a bit bland for experienced SOC analysts or seasoned threat hunters, its simplicity lends itself to less-experienced users who may not perform security duties as a full-time job.


MITRE ATT&CK Evaluations 2021 Visibility: Did not participate
WatchGuard Pros WatchGuard Cons
Simple UI Limited integrations
Zero Trust Application Service (app whitelisting) Limited threat hunting capabilities
MDR available Can be resource intensive


The importance of EDR in the current IT landscape is becoming more obvious with further increases of ransomware attacks and Advanced Persistent Threats. Detecting modern threats isn’t as simple as matching malware signatures anymore. These advanced threats gain access through user error, misconfigurations and advanced infiltration techniques such as chained zero-day attacks. In order to detect and try to prevent never-before-seen attacks, modern endpoint security tools are a necessity for any organization.

EDR Vendor Comparison Matrix

EDR Vendor Standard EDR Features Unique EDR Features Specific Needs/Use Cases it Fits and Why
SentinelOne - Singularity Extended data retention, SentinelOne Cloud and Binary Vault store executables for future analysis, SentinelOne Cloud Funnel enables secure and near-real-time streaming of EDR telemetry from SentinelOne, Deep Visibility to your data lake via a Kafka subscription, Accelerated triage and root cause analysis with incident insights and MITRE ATT&CK alignments, Windows, Linux, macOS, APIs, integrations, automated detection and remediation. SentinelOne Storyline Active Response (STAR) actions are assigned a TrueContextID and built into "stories" and managed, on the device without cloud connectivity and sent to analysts with easy to digest "storylines", Deep Visibility (SentinelOne's data collection and query mechanism), Correlate MITRE attack detections to the Storyline, SentinelOne Hunter -- a Chrome Extension -- helps Security Operations and hunters by letting operators quickly scrape data from a browser and open a query in a SentinelOne Management Console to search for that data across an organization, SentinelOne Singularity Endpoint Protection (EPP+EDR) offers platform based protection. With this solution an organization can leverage proven AI to mitigate new and emerging zero-day threats and provide high confidence data and telemetry to existing solutions (SIEM) all with an intuitive interface that makes deployment and rollout easy across large organizations. Great for organizations looking ot implement reliable and robust EDR solution that can grow with the organization or fit inot the existing security stack of that organization.
CrowdStrike - Falcon Insight Automated event prioritization, Real-time forensics and comprehensive visualizations, Alignment to MITRE ATT&CK framework, AI & behavioral analytics and human threat hunters combine to stop the most advanced threats as they appear, APIs, blocks or alerts on detections based on policies, powerful response options, long storage options, Windows, macOS, Linu, Cloud-based solution. The CrowdStrike Security Cloud uses Threat Graph to find potential threats based on trillions of security events per day, Zero Trust Assessment (ZTA) provides real-time assessment and visualization of endpoint security health, Provides a unified cloud-based orchestration automation and response (SOAR) framework, Fully automated protection without affecting endpoint performance. CrowdStrike's Falcon Insight EDR product can provide the basis for a much larger and comprehensive security solution for organizations with maturing security operations that are looking to level up their security posture. It is also a good platform for SOAR with its variety of out-of-the-box integrations and APIs. Organizations looking to avoid endpoint performance impact will find the CrowdStrike solution appealing compared to other NGAV/EDR solutions.
Trend Micro - Vision One EDR Machine learning (ML), behavioral analysis, Application control, NGAM (Next-gen anti-malware), Endpoint encryption, Mobile security, Email and collaboration security, Gateway security, Windows, macOS, Cloud, On-premises, Hybrid. Pre-execution and run-time machine learning protection, XGen security offers layered and multi method analysis of real-time data to reduce false positives and prevent all malicious activity, Single agent, Ransomware rollback capabilities, can be used with Vision One XDR capabilities, MDR capabilities. TrendMicro offers a comprehensive solution that encompasses all data and communications on an endpoint so it is good for those with the strictest policies for their use cases. This solution will be great for organizations looking to get the most data and an extended suite of products, services and capabilities with their many solutions that all interconnect for a complete solution.
Microsoft - Defender for Endpoint Windows, macOS, Linux, Android, iOS, Agentless, Cloud based, Automation, Centralized configuration and management, APIs, Integrations, Automated investigation and remediation, (NGAV) Next-gen anti-virus, Machine learning (ML). Widest threat optics available (especially for Windows OS), Stops fileless and file-based zero-day threats with AMSI (Antimalware Scan Interface) integration, Memory scanning, Built by the OS manufacturer this product gains deeper insights on Windows machines than the rest of the industry. Microsoft Defender for Endpoint is great for organizations that are standardized on a Microsoft tech stack as they will benefit the most from the deepest available integration between EDR and the Windows OS, Defender for Endpoint provides the most granular insight into user and application behavior with telemetry provided by Windows itself and without an agent.  Even in environments that aren't 100% Windows, Defender for Endpoint has agents available for Linux and Mac, as well as with Apple and Android mobile devices via InTune.
VMware - Carbon Black  Attack chain visualization, APIs,Iintegrations, Continuous endpoint visibility, MSSP, On-premise, Cloud, SaaS solution availability, Customizable behavioral analysis and detection, Live response, Windows, Linux, macOS, host isolations, hash banning, execution chaining, AI and ML. Live response, Secure remote access to remediate and investigate detections, Unlimited retention and scale, Automated watchlists for query analysis, Ransomware mitigation through behavioral detection and "traps", File-less attack mitigation, This solution is part of a broader endpoint security platform (Carbon Black) that enables organizations to utilize many more products with seamless addition to the security stack. Large organizations who require centralized recording of endpoint data within their own environment should consider Carbon Black.  Its constant recordings of telemetry from endpoints gives Carbon Black the ability to conduct deep investigations during or after a breach is detected.  Organizations who need to be able to quickly respond and pivot to thorough investigations after a detection will benefit greatly from this solution.  Because organizations can store and manage endpoint data collected by Carbon Black within their environment, it's uniquely suited for organizations who have unusually long retention requirements.
Broadcom (Symantec) Endpoint Security Endpoint isolation,Remote secure shell for live remediation, Incident prioritization, Continuous recording, Threat hunter with machine learning (ML) and human analysis, behavioral analysis, integrations, APIs, Application control, Alignment and augmentation with MITRE ATT&CK framework, Windows, macOS, Linux, Android, iOS, Windows Phones, On-premises, Cloud, Hybrid. Antimalware Scan Interface (AMSI), Full system dump capability, Process dump capability, Largest civilian intelligence network, Active Directory security by obfuscation, AI-assisted policy management and guidance, Automated sandboxing, Lures and baits, Secure Web and Network connections, Single-agent solution. The Symantec (Broadcom) solution is a great option for those that need an intuitive and familiar solution that checks all the boxes (especially if they've used Symantec Endpoint Protection in the past). This solution is suitable for organizations of all sizes looking for endpoint support across all environment types and operating systems. 
Malwarebytes  EDR Windows, macOS, integrations, SSO with SAML 2.0, RBAC, Automated reports, Cloud-based, Continuous monitoring, Integrated cloud sandbox, Machine learning (ML) for behavioral analysis. Ransomware Rollback, Flight Recorder Search, Detects fingerprinting attempts, Web protection, Real time file-less attack detection, Forensics tool for Windows, Automated discovery and agent deployment.  This solution is suitable for organizations on a budget with an immediate need for solid next-generation antivirus (NGAV) coupled with bare-bones EDR features  that is easy to install and manage.  Not suitable for environments with full-time SOCs where the ability to conduct live and in-depth threat hunting or investigations is mission-critical.
Panda Adaptive Defense Sandboxing, Continuous recording, Threat hunting, Aligned and mapped with MITRE ATT&CK Framework, Cloud-based machine learning, Attack chain visualization, Windows, macOS, Linux. Automatically detect and respond to targeted attacks and in-memory exploits, Prevent unknown processes from executing, Pre-execution analysis, Running and post-execution analysis, Zero-Trust Application Service, Zero-Trust with 100% classification through AI and human analysis, Installs on top of traditional AV solutions to augment the security benefits, Ransomware mitigation through shadow copies. Panda's Adaptive Defense 360 solution is great for organizations that have an immediate need to centrally-manage or augment legacy anti-virus solutions, as it can install directly on top of existing AV solutions.  It can also help with asset management by using endpoints with installed agents to scan for unmanaged endpoints.  EDR features are there and create search queries is relatively simple, but there are limitations when compared to other solutions with a heavier focus on live threat hunting capabilities.  Also, while Panda boasts 100% classification through AI and human analysis, these classifications may not always include enough detail to avoid the need to contact their support team for clarification.
Check Point - Harmony Endpoint Remediation recommendations, Maps to MITRE ATT&CK framework, Malware and file-less attack protection with Endpoint Behavioral Guard, Ransomware detection and rollback, Threat cloud provides aggregated threat intelligence, Threat hunting, Attack chain visualization, (NGAV) Next-gen anti-virus, Cloud, On-premises, Windows, macOS, Linux, iOS, Android. MITRE based Machine Learning Sandboxing, Threat emulation and extraction, Credential theft prevention in real-time,  Zero-Phishing technology blocks malicious websites, Leverages more than 60 threat prevention engines to prevent attacks, Automated report generation, Host encryption, Mobile protection, Unified agent for EPP, EDR, VPN,  (NGAV) Next-gen anti-virus and web protection. CheckPoint's solution fits into their comprehensive security portfolio so it's a great fit for organizations that already have CheckPoint in their security stack.  Harmony Endpoint provides sophisticated threat prevention and detection by supporting their solution with both AI and human intuition making it a good solution for organizations with hands-on but limited resources approach to tehir EDR solution.
Palo Alto Networks - Cortex XDR AI based behavioral analysis, Cloud-based analysis, Technique-based protection from threats,  (NGAV) Next-gen anti-virus, Host firewall, Deep forensics even if endpoints are not connected to the network, Maps to MITRE ATT&CK framework, Attack chaining. Pre-execution analysis, Cloud-execution analysis, Post-execution analysis, Fingerprinting prevention and detection, Kernel protection,  USB device control, Disk encryption, Single-agent solution. Palo Alto's Cortex evolved from their Traps endpoint security solution, making it the first (or one of the first) XDR (Extended Detection and Response) solutions in the industry.  Cortex is highly configurable, built for automation, and provides enhanced threat intelligence and robust hunting capabilities which other Palo Alto security products are well-known for.  Regardless of whether Palo Alto is already in an organization's security stack, Cortex is a good fit for any organization looking to aggressively enhance their security visibility and expand security controls to endpoints across their entire estate.
Cybereason - Cybereason EDR  Threat intelligence,  (NGAV) Next-gen anti-virus & AV, Anti-ransomware, AI and machine learning (ML) powered detection and correlation technology, MITRE ATT&CK alignment, Attack chain visualization and correlation, APIs, Integrations, Deep insights. Automated detection and remediation of malicious operations based on contextualized and correlated insights from the attack chain visualization features, Part of Cybereason XDR platform that enables a very wide and powerful endpoint protection solution. Cybereason is another solution well-suited for organizations without full-time SOCs that need to automate as much of their security operations as possible.  It's a powerful solution that is capable of detecting and responding to attacks with high accuracy and effectiveness but requires skilled professionals to maintain, deploy and manage. 
Sophos - Intercept X Endpoint CLI (Command Line Interface) that runs forensic and administrative tools and tasks, Ransomware detection and rollback, Deep analysis with AI and machine learning (ML), Real-time event detection and remediation, File-less attack protection, Application control, Behavioral analysis, Pre-execution Behavior Analysis (HIPS). Solution can be managed detection and response (MDR), Can be upgraded to XDR,  Guided threat hunting, Secure remote access for remediation,  Potentially Unwanted Application (PUA) Blocking, Disk and Boot Record Protection, Customizable and pre-loaded SQL query library for detection and prioritization, Malware analysis forensic tools.  Sophos solutions are generally suitable for small and mid-sized organizations that need simple yet effective security.  The solution is easy to deploy and provides effective protection and centralized endpoint management without requiring increased headcount.
Cisco - Secure Endpoint (formerly AMP) Dashboard for broad visibility, Dynamic file analysis, continuous monitoring, Cloud-based AI and machine learning (ML) for behavioral analysis, Endpoint isolation, Windows, macOS, Linux, Android, integrations, Secure sandboxing for forensics and analysis. SecureX human-driven threat hunting that maps to the MITRE ATT&CK framework, Orbital advanced search, Vulnerability identification, Polymorphic malware detection (loose fingerprinting), Programmable IoC for incident response, CLI for analysis, SQL library of prewritten queries. The Cisco's Secure Endpoint solution combines their former AMP products with effective techniques for detecting, analyzing, and preventing threats at the endpoint. Organizations who already use Cisco will find easy integration with other Cisco network security products, including Cisco Meraki's cloud-managed networking products.  Cisco Secure Endpoint is proven technology from a trusted manufacturer.  The phrase 'no one's ever been fired for selecting Cisco for networking' can also apply to security with their Secure Endpoint product.  Also like Cisco network products, Cisco Secure Endpoint is on the higher-end of the market in terms of cost.
Kaspersky - Kaspersky EDR Expert Cloud, On-premises, Threat intelligence, Threat hunting, Behavioral analysis mapped with MITRE ATT&CK framework, Intelligence enhanced with Kaspersky Threat Intelligence Portal, Centralized management, Visualization with a seamless workflow, Enforce endpoint logs, Kaspersky Endpoint Agent is for Windows only and requires Google Chrome. Single-agent, Retrospective analysis, Guided investigation, Centralized and automated remediation, Ability upgrade to the Kaspersky XDR solution, Automatically handled alerts through automated analysis of irrelevant logs. This solution is a good starting point for any organization looking for a trusted manufacturer with a fine-tuned suite of endpoint security products that start with the EDR solution. Organizations with in-house analysts and threat hunters will greatly increase effectiveness and productivity of their cybersecurity professionals with the simple and intuitive UI and centralized/cloud-managed solution.
FireEye - FireEye EDR Windows, macOS, Linux, On-premises, Cloud, Hybrid, Automated responses to incidents', Threat intelligence, Multiple detection and prevention tactics provide layered security, AI, Machine Learning (ML), Behavioral analysis, End-to-end analysis. Pre-written workflows that stop multi-stage attacks, Single-agent, Endpoint forensics allows FireEye to stop threats before they are completed in real-time through constant analysis of behavior, Can be extended with FireEye XDR solution, Augmented with modules developed by Mandiant researchers. FireEye offers a very effective and intelligent solution that is a preferred solution for those with very complex needs and a solution that goes the extra mile with its research and intelligence features. It fits most organization's needs for compatibility while providing thorough and leading edge techniques for threat hunting and malware detection.
BlackBerry - CylanceOPTICS Cloud-native, Root cause analysis, Visualization of correlated and contextualized incident data thru pre-packed queries, Threat intelligence from the community, Aligned with MITRE ATT&CK Framework, Linux, Windows, macOS, Integrations, APIs, On-premises, Cloud, Hybrid. AI and machine laerning (ML) on the edge, Long retention time, Advanced scripting engine to create and deploy packages, Automated response playbooks, Pre-packaged scripts for common use-cases that can be deployed in multiple layers and customizable groups, Strong offering in Linux with targeted features, Large suite of leading products to add-on if desired. BlackBerry provides a very intelligent solution that aims to keep make threat hunting proactive by automating as much as possible and providing intuitive and powerful tools to mitigate and remediate security incidents.  This solution is ideal for enterprises with in-house SOCs who need to host their EDR solution on-premise.
Cynet - cynet 360 Continuous monitoring for known and unknown threats, Fully automated workflows, Attack chain visualization, Prebuilt remediation playbooks, NGAV (next-gen antivirus), Windows, Linux, macOS, Application control. MDR service add-on available, XDR upgrade available, Deception technology (traps and lures), Network analytics, Endpoint vulnerability assessments. This solution would fit well into an organization that needs a complete platform based EDR solution that they can implement from the beginning as the EDR solution is part of the platform-based EPP (Endpoint Protection Platform).
ESET - EDR Cloud-based console, File server security, Multilayered protection, Behavioral analysis and detection, Windows, macOS, iOS, Android, Linux, APIs, aligned with MITRE ATT&CK Framework, Attack chain visualization, Threat hunting and blocking. Disk encryption, Ransomware mitigation with cloud sandbox, Real-time intelligence through LiveGrid endpoint security data correlation,  Open Architecture provides rules written in XML and ready for integration, Secure remote access for remediation and investigation, Network analysis. The ESET EDR solution is an EDR solution that will fit into any stack and can be expanded to provide complete security for an organization while not overwhelming the opertaors and engneers with customizations. On the other hand, organizations with engineers to implement integrations and perform actions in the console provided by this solution will get the most benefit from the software.
McAfee MVISION / Trellix Integrations, APIs, Platform-based protection, "Story Graph" provides visualization of attack chains and incidents' in an easy to read format, Records and analyzes process-level data and behavior for prioritization alerting and remediation, Rollback remediation. Single-agent, ML (Machine Learning) pre-execution and post-execution threat detection and analysis, Application containment, Web security through the Microsoft Edge browser, Migration tool to help move to the McAfee product line, Integrates with MVISION XDR. The McAfee solution is a unique offering in the sense that it is part of the XDR offering which has much broader scope than a typical EDR offering. This being said, the solution is robust and comprehensive and due to recent acquisitions has the ability to grow and be very flexible with needs and product features. Organizations looking to take their endpoint security to the next level can gain tremendous control over their security posture by introducing McAfee MVISION to their security stack. 
WatchGuard Endpoint Security - See Panda (they use Panda Adaptive Defense) See Panda See Panda See Panda

Suggested Posts

Explore Topics

Popular Article Topics

Find articles and helpful resources about any of the following:

Subscribe to Notifications

The Netify Learning Center

Learn more about comparison of SD WAN and SASE Cybersecurity with the Netify Learning Center.

See All Articles