Who are the top rated EDR vendors? (With comparison)

In this article, you'll find The Network Union's top/best 20 EDR vendors and service providers which fit the needs of most mid-market and Enterprise businesses.

A single attack from an advanced threat actor can cost millions of dollars and possibly even lives. The importance of security solutions for protecting companies, their data, and their users’ or customers’ data is becoming increasingly recognisable, even by organisations who aren’t the most security-conscious. As the enterprise technology landscape changes and evolves, so must the security products, services and tools that we use to provide an effective defence. As technology, device counts, digital information and operations in the enterprise grow, so too does the attack surface, which translates to a need for more coverage than ever before to keep everything safe.

Not too long ago, signature-based antivirus applications were considered a ‘silver bullet’ for protecting most of the endpoint attack surface.  While this was never really true, antivirus applications were relatively effective against malicious files which often served as the delivery mechanism for common attacks ranging from simple to sophisticated threats. Fast forward to today, and you’ll find that this technology is only a small piece of what you need to have a chance in defending endpoints against modern threats.  This is the problem which Endpoint Detection and Response (EDR) solutions aim to solve.

Many people consider EDR tools to be an evolution of antivirus applications. They are deployed in a similar manner, and some EDR vendors position themselves this way in the market with some even calling their solutions next-generation antivirus.  Almost all EDR solutions incorporate some form of signature-based malware detection, but they are a far cry from your grandfather’s antivirus application.

Security teams are looking for solutions that they hope will prevent breaches, or at least enable them to mount an effective response and minimise the chaos which follows. Vendors across the cybersecurity industry are providing new and innovative approaches to meet this challenge. It is important to find the right solution for any individual organisation based on their needs and business processes - especially when you’re dealing with endpoints that people use to do their jobs every day. In a marketplace filled with choices for endpoint security products, CISOs will succeed when they’re able to align their business needs with products that offer the most complementary technologies whether it be machine learning artificial intelligence, open architecture, agentless deployment, cloud-native, or on-premises.

Questions to ask your EDR vendor

• Do you deploy a single agent, no agent, or multiple agents?
• Do you have an on-premises, cloud or hybrid solution available?
• Does the solution stand alone as a complete endpoint security solution, or is it highly recommended (or even required) to pair with another security product?.
• Does the solution provide online and offline offerings or is an Internet connection required?
• What type of resource overhead is required on our endpoints to properly implement this solution?
• Is there a path to a single-pane-of-glass security solution beyond the endpoints, or are multiple management interfaces required?
• Does this solution lock me into a single vendor for complementary security solutions or is this solution compatible with the greater security ecosystem through integration?
• Is Managed Detection and Response (MDR) offering available, or is the solution designed for an in-house team of trained Security Operations Centre (SOC) operators and analysts?
• What is the pricing and licensing model, and will I be expected to pay separately for support?
• Do you offer professional services for implementation and upgrade assistance and are these included in subscription fees or additional?
• Are you migrating from a legacy anti-virus solution, or keeping a separate next-generation antivirus solution (NGAV) in place? Consider whether you want to run EDR alongside antivirus, or whether you're replacing antivirus completely. With this in mind, choose solutions that are known to play-well-with others will be necessary if you want to deploy EDR alongside another antivirus solution, or choose solutions that have built-in NGAV features AND make replacing the existing solution as easy as possible. For instance, McAfee has leading NGAV functionality and offers migration tools, but they likely won't play well on the same endpoints as the another legacy AV or NGAV solution.  In that case, Panda's lightweight agent could be a good choice to deploy alongside an AV solution.
• Do you have a specific requirement driving the need for EDR but you're happy with the rest of your security stack?  If not, you may want to consider choosing an EDR solution from a vendor like Palo Alto or Cisco who have large complementary security portfolios.  In contrast, if you are a small business and are just looking to upgrade your legacy antivirus software, then any EDR solution that has built-in NGAV may be the only solution you need.
• Do we have staff to manage, deploy, maintain and configure the solution as well as analysts to investigate incidents and alerts? If not, consider solutions that offer managed detection and response (MDR).
• What type of environment(s) does the solution we implement need to support? For instance, if your organisation is starting to embrace the cloud you should consider hybrid solutions or if your organisation has been an early adopter and is already fully on the cloud you would want to avoid hybrid and on-premises solutions. Or if your organisation is fully on-premises without a the ability to move to the cloud for regulatory reasons, knowing this will help narrow down the available solution providers and avoid making an oversight.
• What type of endpoints will need to be supported, and are you already standardised on a cloud productivity vendor like Microsoft or Google? If your organisation uses Microsoft products on all endpoints and servers, then you can likely choose from any of the products that match your other needs or even consider Microsoft Defender for the tightest possible EDR/OS integration.  While even Microsoft's Defender (and InTune MDM) can support macOS, Linux, Android, and iOS, if these endpoints make up a large portion of your endpoint population, you may want to consider solutions known to have good support for what you have.
• Does your organisation have in-house security tools or other IT applications that need to be integrated with the EDR solution?  If so, are these applications cloud hosted with out-of-the-box integrations?  If so, then it is important to look at the APIs and integrations offered by each EDR solution in order to determine if the solution will work within your environment and how difficult or easy will it be to deploy and maintain.  If not, you should consider the user interface including dashboards, visualisations, and search capabilities, as these features will be critically important if your EDR solution's interface will be the primary place to view security information.
• Are you interested in additional endpoint security features, like being able to control DNS or isolate web browsing sessions?  Most EDR solutions offered from different manufacturers will all have some sort of web security functionality, even if it is just basic static analysis of scripts running on the endpoint, but some solutions will include unique and targeted approaches to web security and privacy such as web browser control, auto-configuring VPN so web traffic is sent through the organisation's proxy for inspection, or even integration with email and collaboration tools to detect risky behaviour.  In Microsoft environments, Microsoft Defender offers all of this and more.  Otherwise, solutions like Sentinel One Singularity or Carbon Black offer great features for more granular control of endpoint security configuration.
• When looking at potential security solutions, where do you place more value - innovation or longevity? Some manufacturers will offer bleeding-edge technology to their customers in an effort to provide automated protection against threats that we don't yet know about which other signature/definition-based solutions wouldn't be able to find (like SentinelOne, for example).  Other manufacturers like McAfee or Symantec may offer the most trusted and proven solutions to known problems and will wait to offer their customers new technologies until they have been proven and gained some trust in the industry.
• Do we need an EDR solution with flexibility for in-house security professionals to perform their own detection engineering, run their own playbooks for responses,  deploy their own remediation scripts, or conduct in-depth threat hunting without pivoting to a SIEM?   If your organisation is looking for something that can be fully customised and is designed for use by security professionals on a regular basis, avoid solutions that target small businesses or consumers (for example, Malwarebytes, ESET, or Sophos) where their customers don't need or want the ability to fully manage their deployments, and where they need 100% automated remediation.  On the other hand, if you are an organisation with limited or no security staff, consider looking for solutions that offer more automation and are known to mitigate 'alert fatigue'.
• Does your organisation have requirements for investigation, analysis, and data collection surrounding potential or actual breaches? If so, consider a solution that can be hosted in your environment where you can provide the necessary storage while keeping the data fully under your control.

1. SentinelOne (Singularity)

SentinelOne’s Singularity offers multiple product tiers with Singularity Complete being the all-inclusive tier. Their EDR offering includes top-of-the-line threat hunting capabilities and allows for manual or automated “Active” responses including host isolation. Their storyline feature offers instant visibility into each threat’s life cycle along the kill chain without needing to piece things together using logged events. SentinelOne offers MDR services (called Vigilance), and they also offer an entry-level solution called Singularity Core which they market to organisations of all sizes as a legacy antivirus replacement.

Singularity EDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 174/174

[wpdatatable id=109 table_view=regular]

2. CrowdStrike (Falcon)

CrowdStrike Falcon is an industry-leading EDR solution designed to make  an organization’s analysts and investigating teams more efficient. They boast a “quick search” feature that returns results from logs, telemetry, threat hunting data and open investigations in less than five seconds. The prioritization and categorization of alerts into incidents keeps end-users from being overwhelmed with alerts that need their attention. Their Insights product also allows for the mapping of alerts to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework which is very helpful for red/blue/purple team operations. CrowdStrike also offers fully managed services with included threat hunting time focused on catching the most sophisticated Advanced Persistent Threats (APTs).

Their solution is tailored to provide everything an organization would need to identify and stop any threat on endpoints, their network, or in their data. Through recent acquisitions, they are beginning to roll out additional solutions beyond endpoint security including identity protection solutions and Security Orchestration, Automation, and Response (SOAR) solutions which tightly integrate with Falcon.

CrowdStrike Falcon Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 152/174

[wpdatatable id=97 table_view=regular]

3. Trend Micro (XDR)

Trend Micro’s solution is marketed as a solution that unifies endpoint defence for past, present, and future cyber threats. Like many other vendors in this market, their EDR solution is a part of a larger portfolio of security products.  Trend Micro’s EDR solution is designed to be combined with the rest of their Apex One solutions to bring MDR, EDR, email, web and SaaS application security into a single solution. This product aims to provide a single interface for full root cause analysis to give the deepest insight into any detection including “patient zero” identification. Threat hunting and search capabilities are solid, and their Advanced Indicators of Attack (IOA) and Indicators Of Compromise (IOC) search functionality give analysts and investigating teams an edge with both forensics and proactive defences from advanced threats.

Trend Micro XDR

MITRE ATT&CK® Evaluations 2021 Visibility: 167/174

[wpdatatable id=112 table_view=regular]

4. Microsoft (Defender for Endpoint)

Microsoft Defender for Endpoint (MDE) is a central component of the Microsoft 365 Defender suite which includes Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Cloud Application Security and Microsoft Defender for Identity. Their solution touts no agents or scans but instead uses sensors built-in to the operating system that detects vulnerabilities and misconfigurations, then prioritizes vulnerabilities based on many contextual factors including analytics available in their business and productivity tools.  Defender for Endpoint is no doubt one of the most comprehensive endpoint security solutions with features for threat hunting, vulnerability management, attack surface reduction, cloud-security, augmented proactive antivirus, automated investigation and remediation and an MDR offering that puts Microsoft Threat Hunters at your service. This solution is especially ideal for an organization that uses Microsoft products throughout the rest of the business and wants to implement world class protection for endpoints, given that their product works seamlessly with all the other Microsoft 365 products and services.  That said - Apple and Linux endpoints are supported, as well as Android and iOS mobile endpoints that are managed by Intune, Microsoft’s Mobile Device Management (MDM) solution.

Microsoft Defender Endpoint Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 151/174

[wpdatatable id=106 table_view=regular]

5. VMware (Carbon Black EDR/Cloud)

VMware Carbon Black is targeted at organizations that need an entirely on-premises and self-managed solution for endpoint security without sacrificing capability. It includes features such as threat hunting and incident response designed for online or offline SOCs.  Incident responders can quickly access continuously recorded endpoint data from a central location, and they’re able to pull or push files, kill processes and perform memory dumps remotely from an intuitive user interface.  There is also a Carbon Black Cloud solution that enables organizations of any size to modernize their endpoint protection with sophisticated cloud-native detection, threat intelligence, automation and a plethora of integrations to most security stacks.

Carbon Black also offers various advanced prevention methods for potential ransomware attacks, claiming to be able to detect and stop future threats based on behavioral analysis and sandboxing techniques. This is both a legacy AV replacement and full-featured EDR solution which is known for reliable detection and solid incident response functionality when it counts.

VMware Carbon Black Cloud EDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 154/174

[wpdatatable id=113 table_view=regular]

6. Symantec (Broadcom) Advanced Threat Protection Endpoint

Symantec Advanced Threat Protection (ATP) is a flexible solution that provides combined attack indicators from endpoint, network and e-mail sensors to deliver robust endpoint protection.  Customers who use other Symantec products will benefit the most from their EDR offering as it integrates to the industry giant’s suite of security solutions to enable automate response as well as content analysis which provides another layer of protection from APTs and targeted attacks.  The solution can be deployed onsite, virtually or in a cloud-hosted environment. This solution is well-suited for organizations looking to take their security to the next level with a single-vendor portfolio of products including secure messaging, analytics, reporting, secure web gateways, and MDR services.

Symantec Advanced Threat Protection EDR Dashboard

MITRE ATT&CK Evaluations 2021 Visibility: 159/174

[wpdatatable id=111 table_view=regular]

7. Malwarebytes (Endpoint Detection and Response)

Malwarebytes Endpoint Detection and Response for Business is geared toward organizations looking for a simple but effective endpoint security solution that can stand alone or augment an existing solution. Their unique machine learning algorithms are meant to detect zero-day attacks and isolate processes, networks and applications while countering threats such as malicious executables or file changes. Their ransomware protection offering provides 72 hour rollback for Windows workstations which they claim carries little to no performance cost, and a Indicators Of Compromise (IOCs) search functionality to make remediating attacks efficient.

Malwarebytes EDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 116/162 (No Linux agent)

[wpdatatable id=104 table_view=regular]

8. Panda (Adaptive Defence 360)

Panda Adaptive Defense 360 is a well-rounded EDR solution that claims to enable 100% detection and classification of processes across all endpoints.  While Panda also offers traditional antivirus solutions, Panda Adaptive Defense 360 is designed to provide complete visibility into threats that bypass traditional security measures like antivirus, and can be installed alongside them. Alerts are mapped to MITRE ATT&CK™ Framework and monitored continuously with cloud-based machine learning algorithms that detect IOCs and even Living off the Land attacks (LotL). Response features include containment and remediation capabilities that can block applications identified by multiple methods including hash or name. Adaptive Defense 360 is a robust solution that covers a lot of attack surface as their Aether interface combines several security technologies into a unified EDR platform.

Panda Adaptive Defence 360 Dashboard

Image Source: WatchGuard Technologies, (2022)

MITRE ATT&CK® Evaluations 2021 Visibility: Did not participate

[wpdatatable id=108 table_view=regular]

9. Check Point (Harmony)

Check Point's EDR solution, Harmony Endpoint, is a complete endpoint protection solution touting the automation of 90% of attack detection, investigation and remediation by automatically containing and remediating the entire chain of events behind the attacks and providing complete recovery. After an incident occurs, they continue automating processes by automating forensic reports which are correlated to the MITRE ATT&CK™ Framework for contextual insights and recommendations for preventive security controls. With Harmony Endpoint’s ability to identify and drill-down into incidents from intuitive dashboards and offer automated remediation options, this solution provides advanced protection for organizations with or without their own SOCs. Harmony Endpoint is available as an on-premises or cloud solution for Windows, macOS and Linux environments. Their unified agent for EDR, VPN, NGAV, DLP and web protection makes this a very powerful endpoint security solution for organizations across verticals and ranging from SMB to Enterprise.

Check Point Harmony EDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 162/174

[wpdatatable id=95 table_view=regular]

10. Palo Alto Networks (Cortex EDR)

Cortex XDR is Palo Alto’s Extended Detection and Response (XDR) solution and is designed to augment the security team’s capabilities with bleeding-edge approaches to detection and response.  The solution offers a single cloud-delivered agent that can stop Zero Day attacks with advanced Artificial Intelligence (AI) and Machine Learning (ML) models. Endpoint security features also include management of USB devices, host firewall configuration and disk encryption for Windows and macOS endpoints. Cortex XDR breaks security silos by integrating data and providing behavioural analytics across endpoint, network, cloud and identity data sources for comprehensive threat detection. This approach minimises the time needed for hunting, investigation and remediation as everything is centralised in one place. Their dashboards are very intuitive and modern with complete command and control capability for endpoint security across an entire organization’s estate. As with other Palo Alto solutions, this product is built for larger organizations with many endpoints, although smaller organizations with limited human capabilities can also benefit from efficiencies gained by its powerful automation capabilities.

Palo Alto Cortex EDR Dashboard

MITRE ATT&CK Evaluations 2021 Visibility: 169/174

[wpdatatable id=107 table_view=regular]

11. Cybereason (XDR Platform)

Cybereason’s XDR solution is designed for organizations that need to take proactive defence and investigations to the next level with threat hunting. Although it’s primarily an endpoint security solution, it aims to protect assets across an organization's entire IT stack, including user data, email and networks.  The solution also includes behavioral analytics which correlate events across sensors to provide context.  The interface makes it easy to visualize correlations between events and it is definitely designed for teams who spend a lot of time on threat hunting investigation, and remediation activities.

Cybereason XDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 169/174

[wpdatatable id=98 table_view=regular]

12. Sophos (Intercept X Advanced with EDR)

Sophos’ Intercept X Advanced with EDR solutions provides exploit prevention and anti-ransomware features with detection of both known and unknown threats enabled by deep learning technology. Cloud-based endpoint protection provided by Intercept X Advanced with EDR allows the synchronization between Sophos firewalls and endpoint security to provide a defence that is strengthened by its ability to communicate real-time insight, intelligence and visibility into all applications on an organization’s network. This solution can be a fit for organizations of any size although it is often found in small-to-medium sized organizations and it offers support for a variety of endpoint types including desktops, laptops, servers, tablets and mobile devices.

Sophos EDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 118/162 (No Linux agent)

[wpdatatable id=110 table_view=regular]

13. Cisco (Secure Endpoint)

Cisco Secure Endpoint is a cloud-native endpoint detection and response solution that offers protection, detection and response while dramatically reducing time to remediation. This is achieved with integrated risk-based vulnerability management powered by Kenna Security. This solution is great for organizations that are looking for comprehensive coverage of their endpoints with a trusted product that integrates seamlessly into an existing Cisco environment. Cisco offers a fully-managed MDR service as well as co-managed or DIY deployment. Cisco’s SecureX platform comes built into the EDR solution and integrates seamlessly with their XDR solution to provide enhanced protection beyond the endpoints. Cisco Secure Endpoint can be leveraged for endpoint security by any organisation, although enterprises who are already Cisco users can realise massive security benefits considering seamless integrations across other Cisco security products including Duo, Umbrella and Meraki.

Cisco Secure Endpoint Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 122/174

[wpdatatable id=96 table_view=regular]

14. Kaspersky Endpoint Detection and Response (KEDR)

The Kaspersky EDR solution is meant to be an enhancement to their award winning Endpoint Protection Platform (EPP). This is a single agent solution for automated protection against common and advanced threats alike. Their solution claims to collect full endpoint telemetry for analysis and further enhancement when combined with their Anti Targeted Attack Platform for advanced network-level threat discovery, investigation and remediation. A single user interface provides visibility into the threat and alerts with views for monitoring, incident response and investigation.  The interface also includes features to assist with alert management and triage users who may not be experienced security analysts.

Kaspersky EDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: Did not participate

[wpdatatable id=103 table_view=regular]

15. FireEye (Endpoint Security)

FireEye’s Endpoint Security solution is deployed using a single agent with a multi-engine approach. It uses a signature-based engine, a machine learning engine, and a behavioral analysis engine. The result is a lightweight but powerful endpoint security solution that can provide reliable real-time detection and deep forensic insights with its Indicator Of Compromise (IOC) engine. The endpoint security solution can be further extended by streaming events to FireEyeHelix XDR, the extended detection and response solution by FireEye. The company is known for introducing cutting edge technology and techniques developed by front line responders. This solution continuously monitors and identifies suspicious behavior and presents it to an organization's security team for manual action, or it can isolate and deflect attacks automatically. Although the solution is usually integrated with FireEye Helix or another SIEM, the centralized management console can standalone to enable threat hunting, investigations with team collaboration, incident response and reporting.

FireEye Endpoint Security Dashboard

Image Source: Cybersecurity-excellence-awards, (2021)

MITRE ATT&CK® Evaluations 2021 Visibility: 136/174

[wpdatatable id=102 table_view=regular]

16. BlackBerry (Optics)

BlackBerry Optics provides millisecond threat detection and remediation with on-device security. The focus of BlackBerry’s solution is to speed the response time up in order to prevent minor incidents from turning into breaches. BlackBerry’s inclusion of Cylance AI uses next generation continuous machine learning for threat analysis and prevention. One of the key differentiators for BlackBerry’s solution is their online and offline capabilities. The IOC search capabilities through the lightweight InstaQuery (IQ) tool provided with this product makes an efficient solution for those organizations with an online or offline need for a data driven approach to threat detection, hunting, investigation and remediation. When milliseconds matter, BlackBerry is a solution to consider.

BlackBerry Optics Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 141/174

[wpdatatable id=94 table_view=regular]

17. Cynet (360 Autonomous Breach Protection Platform)

Cynet’s solution aims to be the one stop shop for endpoint protection by providing a platform that natively integrates NGAV, EDR, network security, user behavior analysis and advanced threat detection. The advanced threat detection uses deception to detect and isolate advanced threats that generally bypass traditional endpoint security solutions. Their contextual view of endpoint, network and user data organizes alerts and data into incidents in a format that visualizes well, making it easier for security teams to quickly detect and respond to attacks. The solution provides automated responses which can enable immediate remediation when predefined alerts are triggered. Cynet also offers MDR services which provide 24x7 threat hunting, investigation and remediation from a dedicated SOC with experienced analysts.

Cynet 360 Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 153/174

[wpdatatable id=99 table_view=regular]

18. McAfee (Endpoint Threat Defence and Response)

McAfee’s EDR solution contains tools for real-time analysis using machine learning techniques to do both pre-execution analysis and dynamic behavioral analysis for sophisticated threat detection without relying on signatures.. It also dynamically contains application processes at the endpoint allowing users to still be productive while offering security tools and teams to perform in-depth investigations into potential threats. Even though McAfee is well-known as one of the leaders in the early days of antivirus, they’ve made a complete 180 degree turn by delivering an EDR solution with high detection rates for sophisticated attacks that doesn’t need signature-based detection.

McAfee EDR Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 151/174

[wpdatatable id=105 table_view=regular]

19. ESET (Enterprise Inspector)

ESET Enterprise Inspector is ESET’s EDR solution and it’s designed to be paired with ESET Endpoint Protection Platform to provide a complete prevention, detection and remediation solution for detecting APTs, stopping fileless attacks, stopping zero-day attacks and ransomware, as well as preventing organisational policy violations. They have an open architecture that promotes integration into other security products like SIEM, or IT issue trackers.  ESET’s solution can be deployed as a do-it-yourself solution, but they also offer MDR services for those organizations without security teams. ESET is another solution that is most often found in small-to-midsize organizations.

ESET Dashboard

MITRE ATT&CK® Evaluations 2021 Visibility: 147/162 (No Linux agent)

[wpdatatable id=101 table_view=regular]

20. WatchGuard (Cytomic Platform)

The Cytomic Platform is WatchGuard’s EDR solution. The solution can be self-managed or fully-managed with options for MDR. The Cytomic Platform uses a single agent to proactively stop attacks, malware and exploits with behavioral analysis at the endpoint. Additionally, their Zero-Trust Application Service allows organizations to leverage the EDR agent for implementing application whitelisting. Their API first architecture allows them to easily integrate into the rest of the security stack and for automated response capabilities. Finally, while their user interface may be a bit bland for experienced SOC analysts or seasoned threat hunters, its simplicity lends itself to less-experienced users who may not perform security duties as a full-time job.

Cytomic EDR Dashboard

MITRE ATT&CK Evaluations 2021 Visibility: Did not participate

[wpdatatable id=114 table_view=regular]

Conclusion

The importance of EDR in the current IT landscape is becoming more obvious with further increases of ransomware attacks and Advanced Persistent Threats. Detecting modern threats isn’t as simple as matching malware signatures anymore. These advanced threats gain access through user error, misconfigurations and advanced infiltration techniques such as chained zero-day attacks. In order to detect and try to prevent never-before-seen attacks, modern endpoint security tools are a necessity for any organisation.

EDR Vendor Comparison Matrix

[wpdatatable id=100 table_view=regular]