CrowdStrike vs Carbon Black: Top EDR Solutions Compared

Carbon Black's and CrowdStrike's endpoint detection and response (EDR) offerings both made eSecurity Planet's list of top EDR solutions, and both have much to offer the enterprise customer looking for improved endpoint security. What follows is a look at key features and recent enhancements to each solution, as well as an assessment of their strengths and weaknesses.

The Bottom Line

These are two popular, cutting-edge EDR solutions. Notably, both are cloud-based, enabling quick deployment with minimal impact on endpoints. Carbon Black's CB ThreatHunter is a relatively new offering that brings the company's EDR solution to its Predictive Security Cloud. Users of both solutions report high satisfaction with their deployments, with 92 percent of CrowdStrike users saying they would recommend it to others, and 87 percent saying the same of Carbon Black. CrowdStrike's managed detection and response service makes it a particularly good choice for smaller companies, while Carbon Black appeals to organizations with experienced security staff willing to pay more for advanced features.

CrowdStrike EDR Highlights

Overview: CrowdStrike Falcon Insight offers organizations total visibility over their endpoints and the ability to detect and respond to malicious activities before they become breaches. The solution leverages signatureless AI and Indicator of Attack-based threat prevention to stop known and unknown threats in real time. As a cloud-based SaaS solution, Falcon Insight deploys quickly with minimal impact on endpoint performance even when analyzing, searching and investigating.

Recent developments: CrowdStrike has added several features to Falcon Insight over the last 12 months, including:

  • Mapping of detection to a framework based on MITRE ATT&CK to accelerate understanding, triage and response
  • Expanded integration of the OverWatch managed detection and response service with the Falcon OverWatch dashboard, providing insight into the work the OverWatch team does to protect the customer's environment
  • Real-time response actions, providing direct access to endpoints under investigation, allowing security responders to run actions on the system and eradicate threats
  • Vulnerability Assessment, enabling the Falcon agent to identify vulnerabilities and missing updates on endpoints by automatically tracking and analyzing active patches on each system
  • Docker support, allowing the installation of the Falcon agent on hosts running Docker
  • A Device Control feature for visibility and management of USB devices

Analysts' take: Gartner says the attractive price point of the Falcon OverWatch managed threat hunting, alerting, response and investigation service makes the combination of Falcon Insight and OverWatch particularly compelling for smaller organizations – 98 percent of Falcon customers use OverWatch. Customers report simple and easy Falcon deployments, in part thanks to the cloud architecture, which also enables additional security services like IT hygiene, vulnerability assessment and threat intelligence. Still, the research firm says Insight's EDR functionality requires skilled technical staff to use, and its offline protection is greatly enhanced when connected to the cloud-based Falcon platform, so it's not suitable for air-gapped networks.

Carbon Black EDR Highlights

Overview: CB ThreatHunter, a relatively new offering that expands on the core functionalities of Carbon Black's CB Response EDR solution, delivers unfiltered endpoint visibility for security operations centers and incident response teams. CB ThreatHunter continuously records all endpoint activity, overlaying custom and out-of-the-box sources of threat intelligence and visualizing the activity to help identify the root cause of an attack. Analysts can jump through each stage of an attack to gain insight into the attacker's behavior, close security gaps, and learn from new attack techniques.

Recent developments: The introduction of CB ThreatHunter last October brought all of CB Response's core functionality to Carbon Black's Predictive Security Cloud (PSC) platform, including the ability to capture and search unfiltered data from endpoints across the enterprise, as well as customizable watchlists, third-party threat intelligence feeds, automatic upload of each unique binary, expandable process tree visualization, an event forwarder API, and integrations with Splunk and IBM QRadar. The solution also now benefits from cloud-powered deployment and elastic scalability, rapid release cycles on the PSC, more granular control over watchlist and threat feed alerts, and enhanced search capabilities.

Analysts' take: Regarding CB Response, Gartner said Carbon Black's streamlined console provides simplified views of threats via visual alerts and triage, resulting in faster detection and response – and its advanced toolset has broad appeal with organizations that have mature security operations teams consisting of high-caliber, experienced personnel. Still, the research firm said Carbon Black continues to be at the premium end of cost per endpoint, in terms of cost to acquire and cost to operate.

EDR Product Ratings

Here are eSecurity Planet's ratings of each solution's key features.



Carbon Black – Very Good

Customers of both vendors report solid performance, with minimal impact on endpoints. The most recent Forrester Wave report on EDR solutions gave CrowdStrike the highest rating of all EDR vendors tested – 4.56 out of five – and gave Carbon Black 3.48 out of five (though the research firm evaluated CB Response, not CB ThreatHunter). The rating is based on a range of criteria including configurability, agent effectiveness, forensic capabilities, deployment options and response actions.

Detection and Response

CrowdStrike – Best

Carbon Black – Very Good

In recent testing, Forrester rated CrowdStrike's detection capabilities at 4.8 out of five, and its response capabilities at 4.6 out of five. Carbon Black's detection capabilities were rated at 4.0 out of five, and its response capabilities were rated at 3.8 out of five.


CrowdStrike – Good

Carbon Black – Good

Both solutions are more expensive than those from many competitors, but the performance and the range of included services provide solid value for the money.

Implementation and Management

CrowdStrike – Very Good

Carbon Black – Very Good

Users of both solutions report relatively easy deployments thanks to their cloud-based architectures. Both solutions require skilled technical staff to manage and use.


CrowdStrike – Good

Carbon Black – Good

Most reviewers report positive experiences with both providers' support services, though in both cases some report frustration with inconsistent support experiences and relatively slow response times.

Cloud Features

CrowdStrike – Best

Carbon Black – Best

Both solutions are now fully cloud-based.

CrowdStrike vs Carbon Black

User Reviews

IT Central Station users give Carbon Black an average rating of 9.4 out of 10, and CrowdStrike 8.2 out of 10. On the other hand, Gartner Peer Insights users give CrowdStrike 4.8 stars out of five, and Carbon Black 4.5 out of five. Ninety-two percent say they would recommend CrowdStrike to others, and 87 percent say the same of Carbon Black.

CrowdStrike reviewers said the solution was "easy to set up," "integration has been pretty seamless," and that it "has helped us in terms of manpower and cost savings." One user called the reporting "crisp and to the point." Because it's cloud-based, one reviewer noted, "you can just get your installation agent, install it, authenticate the agent with your cloud instance and start managing the agent."

Carbon Black reviewers said the company's offering "gives us the ability to actively threat hunt," "has improved our detection to have less false positives," and "has a higher detection ratio because it's cloud-based and it also does a lookup to Virus Total." One user noted that "in the initial setup, Carbon Black was very responsive. They were really good at providing the assistance and the support we needed to get it set up, but it was not an extremely hard task."

Read more reviews written by users of CrowdStrike and Carbon Black.


The CrowdStrike Falcon platform is fully cloud-based, allowing it to be deployed within hours, and the company also offers a widely used managed service.

As part of the CB Predictive Security Cloud, CB ThreatHunter is also cloud-based, eliminating the need to purchase or implement any on-premises infrastructure.

Pricing Structure

CrowdStrike Falcon Insight is available for an annual subscription fee per endpoint, with a free trial available. AWS provides some pricing information.

CB ThreatHunter leverages a tiered yearly subscription pricing model. CDW provides some Carbon Black pricing.
