Key EDR Trends
It seems like it was just a couple of years ago that the big trend was that EDR and endpoint protection platforms (EPP) were increasingly coming together in a unified endpoint security offering.
We’re way beyond that now. EDR remains an important foundation for enterprise security, along with next-gen firewalls (NGFWs) and SIEM, but now extended detection and response (XDR), unified endpoint management (UEM) and managed detection and response (MDR) are becoming part of the conversation, and most of these EDR vendors are competing in those markets too. Gartner analyst Jon Amato said at the Gartner Security and Risk Management summit last month that he sees EDR evolving over time to become part of broader XDR, UEM and MDR solutions.
The best EDR solutions need to be ready to meet increasingly sophisticated threats. Some of the key features to look for include:
- Machine-learning based behavioral analytics for unknown and zero-day threats
- Sophisticated response, investigation and forensics tools
- Advanced threat intelligence and threat hunting
- Next-gen antivirus, including malware, ransomware, exploits and fileless malware
- Device control, protection and encryption
Best EDR Solutions for Small Business, Security, and Value
We’re adding a new aspect to this year’s rankings. The data is clear enough in a few cases that we’re naming top overall EDR products, plus best values, best for small business, best for incident response, and some Linux options too. Here they are.
Best Overall EDR Solution
We’re going to declare a tie here. Palo Alto Networks has posted consistently very high scores in the rigorous MITRE ATT&CK evaluations and gets high marks from users. SentinelOne has had some strong recent MITRE results, and users rank it highly in just about every category. You can’t go wrong with either EDR solution.
Best Value EDR Solution
Trend Micro manages to combine low pricing, strong security and happy users. Others combining good security and value include SentinelOne, Check Point, Malwarebytes, Cisco and Sophos.
Best EDR for Small Business
Trend Micro and Cisco provide good security and ease of use and deployment at low cost. A little further up market, Cynet provides strong security for small businesses that need high security without sacrificing ease of use and deployment. Check Point, Sophos and Malwarebytes are other good options for SMBs.
Linux Security Options
We’re not going to make a call here on a “best security tool for Linux,” but it’s noteworthy that MITRE added a new Linux protection test this year. Seven vendors aced that test and the 8 Windows security tests too: Cybereason, SentinelOne, Cynet, Palo Alto Networks, CrowdStrike, Microsoft and BlackBerry Cylance. If you want to dig into MITRE data deeper, you can see at what step each vendor stopped an attack by navigating to the Wizard Spider + Sandworm “Protections” tab, as in this example.
Best for Incident Response
CrowdStrike and SentinelOne are two EDR tools with high user ratings for the “response” part of EDR. And as the vast majority of security teams are overwhelmed, they tend to value tools that help them respond to attacks and clean up messes quickly.
Top EDR Tools In Depth
Without further ado, here is our in-depth analysis of the top EDR security products. We’ve given our assessment of the best use cases and markets for each solution, but your own needs should be the driving factor in your decision. We’ve also included a comparison chart below giving overall ratings of these products in key functional areas.
Palo Alto Networks Cortex XDR
Key takeaway: A sophisticated security tool that surprisingly provides value and ease of use too.
Palo Alto Networks has been posting top independent test results for so long that we’ve made the vendor our top overall cybersecurity company. The target market for Cortex XDR is sophisticated security teams, with ML-based behavioral analytics, sandboxing, and sophisticated response, root cause, forensics and investigation tools, but we were surprised to see that users give Cortex pretty high marks for ease of use, a sign that development efforts there have met with some success. And Cortex XDR allows those capabilities to be extended to include network, cloud and third-party data sources. Pricing goes up as you add services, of course, but surprisingly, users give the company decent marks for value. In Cortex’s case, you get what you pay for. Users report that deployment can be a little challenging, but better than average support can help there.
- Sophisticated security and response features make Cortex XDR great for SOCs
- More user-friendly and value-conscious than you’d expect
- Might not be the tool for less sophisticated security teams
- Some implementation challenges
SentinelOne
Key takeaway: Impressive security and features give SentinelOne a range of use cases.
SentinelOne is doing a lot of things right, between high MITRE evaluation scores and happy users. A few may quibble with ease of use and deployment, but those capabilities have plenty of fans too (and as initial deployment is a one-time event, it’s possibly the least important buying criterion, but ongoing ease of use is something all EDR buyers should be looking at). SentinelOne has assembled an impressive array of offerings, including XDR and managed services, so customers have room to grow. Packages and pricing span a wide range, from $4 per agent for network control to $6 per agent for next-gen antivirus and $8 to $12 per agent for endpoint control and EDR, with cloud and network security features available at additional cost. At higher price points, SentinelOne’s automated security features could be useful for overburdened or less sophisticated security teams.
- Impressive array of offerings combined with strong security
- Automation features could relieve pressure on security teams
- Pricing could climb quickly for organizations with more complex security needs
- Some challenges with deployment
CrowdStrike
Key takeaway: Not cheap, but users appreciate advanced management and response features that make their jobs easier.
CrowdStrike rivals SentinelOne in popularity, as the two frequently come out on top in user satisfaction surveys. CrowdStrike offers strong security, within a percentage point of the top MITRE scores in our analysis, but where the company really shines is in its management and response capabilities. An unfortunate fact is that security teams are so overwhelmed that they greatly value tools that make their jobs – and cleanup – easier. About the only place CrowdStrike scores below the highest-rated tools in our analysis is in value – those advanced EDR features come at a cost. AI- and machine learning-based features are appreciated by users. Ease of use is about average for the sector, while ease of deployment and support are above average. Threat hunting and intelligence, context and awareness, prioritization, containment, investigation and security posture assessment are some of the advanced features, and like most vendors on this list, CrowdStrike is expanding into XDR with cloud, network and managed services.
- Management and response features are popular with users
- Full range of advanced features
- Above average pricing
- MITRE scores a notch below the highest. With any other vendor that would be a positive, but with a high profile comes high expectations.
Cynet
Key takeaway: Strong security and happy users make this relative newcomer one to watch.
The 7-year-old Israeli company has rocketed up the charts, boasting both stellar MITRE results and positive user reviews. Ease of use, deployment and support are all better than the industry average, and perceptions of value are a bit above average too. Like others on this list, Cynet is also making a play for the broader XDR market, and an MDR offering that’s free for users is a very nice added touch. Some say the product gives off a few too many false alerts at first, but EDR systems in general tend to require some tuning. Cynet hasn’t attracted much attention from analysts yet, but that’s likely to change if present trends continue.
- Strong security, positive user reviews, broader XDR capability
- Free MDR
- Not much analyst coverage yet, but as with all security purchases, talk to reference customers and your own network
Trend Micro
Key takeaway: Good security, basic features and pricing make Trend Micro a good choice for SMBs.
A first-gen antivirus vendor, Trend Micro is still going strong in its 33rd year. Independent security tests have been impressive, and users are generally pleased. Pricing can be difficult to compare across EDR vendors, but user perception of value is high, and it’s our impression too that Trend Micro is one of the best bargains on the EDR market. Basic EDR includes vulnerability protection and data loss prevention (DLP), but pricing goes up for email, mobile and web protection. Another vendor vying for the XDR space, Trend’s range of security offerings is impressive, spanning cloud, containers, network security, endpoint and more, plus managed XDR services too.
- Strong basic security at a good price
- Happy users
- Good XDR capabilities for those who want more
- Pricing climbs as additional protections are added
Cybereason
Key takeaway: Great security that comes at a price.
By our analysis, Cybereason came away with the highest score in this year’s MITRE evaluations. Given the strong competition in this key cybersecurity market, that’s a noteworthy accomplishment for the 10-year-old Boston-based company. Ease of use, deployment and support are above average, but user perception of value is about average. Packages start with EPP, and EDR and additional protections are extra. As an XDR provider, Cybereason’s platform covers network and cloud security too, plus managed services. While some XDR vendors offer more comprehensive product portfolios, none offer better security.
- Great security combined with ease of use and great support makes for a compelling endpoint security offering.
- XDR offerings aren’t as broad as other market leaders and pricing can be higher than other solutions.
Trellix
Key takeaway: A great foundation for success, but now it’s time to execute.
The merger of the security product divisions of McAfee Enterprise and FireEye is still shaking out, but there’s no reason to think that Trellix will lose ground in the EDR market. McAfee made this list last year, and after posting one of the highest overall scores in MITRE testing this year, Trellix EDR customers have no reason to worry, and adding FireEye expertise can only help. Trellix has a strong base for its XDR ambitions and offers managed security services too. The one challenge we’d note is that user reviews for McAfee and FireEye endpoint security products have been at best average, so an improved management and deployment experience should be high on the combined company’s to-do list. For now, it’s an EDR product for sophisticated SOC teams.
- Very good security
- Comprehensive on-premises product portfolio
- Good value
- Management and deployment could be easier
- SASE offerings were spun out as Skyhigh, so Trellix buyers may need to partner for edge and cloud security
Microsoft Defender for Endpoint
Key takeaway: Good security and value, and not just for Windows environments.
Microsoft has built a surprisingly strong security business, and consistently high scores in the MITRE evaluations are evidence of that. Of course, the product’s deep integration with Windows doesn’t hurt, but Microsoft has steadily added support for other operating systems – as evidence, look no further than the company’s successful MITRE protection test for Linux this year. Microsoft Defender for Endpoint offers good value and user reviews are pretty good, but ease of use and support have room for improvement. The product offers good vulnerability management and attack surface reduction. P2 is the package where advanced EDR features can be found, including automated incident response and investigation.
- Good security and value
- Deep Windows integration
- Ease of use and support could be better
VMware Carbon Black
Key takeaway: Good choice for sophisticated security teams but watch for merger-related uncertainties.
These next two could be considered together, because it’s going to be an interesting ride if Broadcom – which already owns Symantec – succeeds in acquiring VMware too. Both have top EDR products that have made this list both this year and in the past, so a lot of EDR users will be watching how the acquisition evolves. Carbon Black offers good security – one of 10 EDR vendors with an overall score of 90 or higher in our analysis of this year’s MITRE evaluations – but user reviews could be better, with ease of use, deployment and support showing room for improvement. Assessments of the product’s security capabilities tend to be positive, however, and it’s popular with sophisticated security teams. Investigation, response and threat hunting are standout features. Pricing is higher than average.
- Good security, investigation, response and threat hunting
- Complexity and cost make it best for sophisticated security teams
Symantec
Key takeaway: Innovative features, good security and value show Symantec’s not relying on name recognition.
Symantec is another first-gen AV vendor that’s still got game. R&D efforts are well focused, which may give Symantec less flash because it’s not out chasing the latest marketing buzzwords. One example: Adaptive Protection, a feature added last year that automatically shuts down processes and features that aren’t in use. That is a critically important capability for stopping living off the land (LOTL) attacks, and in an ideal world it would be a default function of every operating system. Symantec’s endpoint security solutions also cover mobile, containers, servers, Active Directory, remote workers, cloud workloads, applications and storage devices from a single agent and console. AI-based security posture, policy and configuration management is another example of well-focused R&D, contributing to the product’s overall user-friendliness. Oddly, turning off advanced features for the MITRE evaluations may have led to a lower overall score this year after last year’s terrific results, so don’t worry about that too much. User perception of value is about average, but given volume discounts and all that Symantec packs into the product that others might charge extra for, it seems like a pretty good value, particularly for larger customers. Here’s hoping that Broadcom maintains strong security R&D regardless of how the VMware merger shakes out.
- Good security, innovation, ease of use and value makes for a strong offering
- A focus on larger customers and uncertainty over the VMware acquisition may limit appeal for now
BlackBerry Cylance
Key takeaway: There may be a learning curve, but strong security awaits those who put in the effort.
BlackBerry Security’s Cylance was another endpoint security solution scoring above 90 in our assessment of this year’s MITRE evaluations, and that includes going 9-for-9 in the important protection steps covering both Windows and Linux. CylanceProtect – BlackBerry Security’s EPP solution – tends to get better user ratings for value and ease of use than CylanceOptics, the company’s EDR tool. Users rate detection highly for both products, affirming the MITRE results. Investigation features also rank high, but containment and remediation could perhaps use some improvement, with some users reporting difficulty with rule creation and a steep learning curve that at least appears to be worth the effort in the end. CylanceProtect appears to be an effective AI-based EPP tool that requires little human intervention, but those seeking the centralized management, response, threat hunting, root cause analysis and investigation capabilities of an EDR tool should consider CylanceOptics.
- Strong MITRE protection results for Windows and Linux
- EPP that works with little intervention
- Good advanced EDR functionality
- A learning curve and price may limit EDR functionality to sophisticated users
Malwarebytes
Key takeaway: Good value and ease of use make Malwarebytes a particularly good choice for smaller companies.
Malwarebytes is highly rated by users, with detection and response capabilities getting high scores, along with ease of use and deployment. Value and investigation features are rated about average, but at about $6 a month per endpoint for the full EDR solution, heck, consumer antivirus software often costs more than that. The company has posted a couple of straight years of good MITRE results too, coming in a fraction under 90 this year in our analysis. Primarily for Windows environments, Malwarebytes EDR checks a number of boxes, including automated response, guided threat hunting, remote work protection and ransomware rollback. A good choice in particular for small businesses that are primarily Windows shops, with some MacOS support too.
- Good value, ease of use and security, with a number of advanced features too
- Unfortunately all of that is largely limited to smaller Windows shops
Check Point Harmony
Key takeaway: Good security, ease of use, value and automation make Check Point a winning solution for SMBs in particular.
Strong MITRE results, good ease of use, good value – there’s little in Check Point Harmony endpoint solutions that’s not to like. Automated detection, investigation, remediation and forensics – coupled with low cost – makes Check Point a good choice for SMBs in particular, and for existing Check Point customers looking to expand beyond firewalls and network security and into EDR, XDR and cloud security.
- Good security, ease of use, value and automation
- Perhaps best suited for small businesses and those considering Check Point’s broader XDR offerings
Cisco Secure Endpoint
Key takeaway: A steadily improving product that has yet to break into the top tier.
While Cisco Secure Endpoint (formerly AMP for Endpoints) may primarily appeal to Cisco shops, decent security and low cost coupled with good user scores for ease of use, deployment and support suggest that the product could find favor elsewhere too. Cisco has been steadily gaining in security, with zero trust, network security and XDR other areas to watch, but it remains to be seen if the company can move beyond its formidable networking presence.
- Steadily improving security, low cost, good ease of use
- Good vision for zero trust, network security and XDR
- Still very much a product for Cisco users and hasn’t reached the top tier yet
Sophos Intercept X
Key takeaway: Happy users. Period.
Yet another first-gen antivirus software vendor that’s still going strong. Sophos hasn’t posted terribly impressive MITRE results in the last couple of years, but that hasn’t stopped users from being very happy – they rate Sophos Intercept X highly for value, ease of deployment, support and overall security. Threat hunting, automated response and root cause analysis are a few of the standout features. As one user said, “The agent and EDR platform is extremely simple to administer with a low skill level requirement. Functionality-wise, Intercept X is powerful and hits all marks.”
- One of the most user-friendly products on the market
- Good value
- Recent independent evaluations haven’t been great
Fortinet FortiEDR
Key takeaway: Don’t overlook this one.
Fortinet may be best known for its very good firewalls, but endpoint security buyers may be overlooking an EDR product with high security and low cost. MITRE scores have been near the top, and FortiEDR has stopped all 18 of the MITRE protection tests it has faced in the last two years. Good for Fortinet users in particular, and XDR buyers in general.
- Great endpoint security from a top firewall vendor
- Doesn’t get nearly the visibility it deserves
EDR Product Ratings Comparison
Here’s our analysis of how the vendors stack up in key functionality areas.
| EDR vendor | Detection | Response | Value | Ease of Use | Deployment | Support |
|---|---|---|---|---|---|---|
| VMware Carbon Black | 4.5 | 4.6 | 4.3 | 4.3 | 4.4 | 4.4 |
Other EDR Vendors to Consider
There are a number of additional EDR vendors we considered but didn’t quite have enough data on, and some aren’t as full-featured as the above solutions; nonetheless, they’re worth evaluating.
- Deep Instinct: This 7-year-old NYC-based cybersecurity vendor wowed us with an 85 in this year’s MITRE evaluations, including an 8-for-8 performance in Windows protection tests. User reviews, while not numerous, are positive. Clearly one we’ll keep watching, and you should too.
- ESET: An unimpressive MITRE performance this year followed a good one last year. User reviews are positive. A good option for smaller businesses, and support for numerous languages gives users in other countries options too.
- Bitdefender: Didn’t participate in MITRE this year after an impressive performance last year. User reviews have been solid.
- WithSecure: The rebranded F-Secure enterprise business gets positive user reviews. It had strong MITRE results last year but didn’t participate this year.
- WatchGuard Panda: Good user reviews but no recent MITRE testing.
- Kaspersky: We’ve recommended them in the past. Good security and low cost, but for now we’ll heed the drumbeat of the (as yet unsubstantiated) concerns about the company’s Russian roots, even as they’ve taken steps to safeguard their product and data.
- Elastic: Decent user reviews and 2021 MITRE results.
- IBM ReaQta: Decent 2021 MITRE results, and you might have heard of their new owner, who definitely has the deep pockets to invest in its new EDR product.
EDR Ratings Methodology
We analyzed third-party test data, user reviews, product features, analyst reports and reseller pricing, and winnowed an initial list of more than 30 EDR vendors to come up with our list of 16 top vendors and 8 others worth considering.
Here’s an explanation of our ratings categories, in order of our weighting:
Detection: It’s important that EDR products stop a high percentage of threats, but detection is also about advanced features that protect more than a traditional endpoint security platform might, such as threat hunting, event correlation, and fileless threat detection. User opinions of the product’s capabilities also factor into our ratings.
Response: Here we judged how well the product removes threats, alerts security teams and guides response. Advanced features, such as automatically surfacing the most important threats and guided investigation, were also considered.
Management: Ease of use plays a role here, but more important are features that give a security team control over endpoints, such as vulnerability assessment, patching, endpoint control and more.
Ease of use: The higher the score, the more suitable the product may be for SMBs or less experienced security teams.
Support: Everyone contacting support has a problem that needs solving, so responsiveness matters.
Value: Value isn’t just price – where a product is truly low-cost, we note that – but is also about advanced features and high security that cost less than competing products and save companies data breach costs and security staff time in the process.
Deployment: This isn’t just about how easy a product is to implement, but also how well it integrates with user environments and how easy it is to deploy new endpoints.
What is EDR?
Endpoint detection and response (EDR) gives security teams a centralized platform for continuously monitoring and managing endpoints and responding to incidents as they arise, often via automated response.
What Is EPP?
One important trend to note: EDR software products have been rapidly converging with endpoint protection platforms (EPP), which go beyond traditional antivirus software to offer protection against advanced threats such as fileless malware, so one thing EDR buyers should look for is a product that combines both, or gets EPP and EDR tools to work together as seamlessly as possible. All our top EDR products have that feature, and they also all offer machine learning-based detection, advanced fileless threat protection, correlation and automatic Indicators of Compromise (IoC).
Key Features of EDR Tools
In addition to the features common to all our top EDR vendors, here’s a chart evaluating their capabilities in additional areas like behavioral detection, automated remediation, vulnerability monitoring, analyst workflow, guided investigation, threat intelligence feed integration, custom rules, advanced threat hunting, and device discovery and control. We note whether a feature is native to an EDR product, added via integration with another product, often as part of an integrated security suite, or not offered at all.
Compare Features Of EDR Software
Endpoint Security Practices
EDR is just one part of endpoint security. There are a number of other security practices and technologies that organizations should be looking at.
What Is Endpoint Security?
Endpoints are one of the most common entry points for malware and malicious actors – and thus one of the most important elements of IT security. Keeping endpoints safe and secure and catching attacks before they spread is one of the critical functions of EDR and EPP solutions (and of consumer-grade antivirus software too).
Endpoint Security Challenges
Complicating endpoint security are the myriad devices that connect to a corporate network, from laptops and workstations to servers, mobile devices, BYOD users, routers, WiFi access points, IoT devices and point of sale systems. All represent potential attack points.
The devices themselves aren’t even the weakest link of endpoint security: it’s the users themselves who click on malicious links and open questionable email attachments with little thought to what they contain. That alone makes employee security training an important part of endpoint security.
Unknown threats like zero-day exploits and advanced threats like fileless malware make it essential that your endpoint protection vendors have the research and development teams necessary to respond to the constantly shifting threat landscape.
Employee onboarding and departure can be security risks too, making account, network and application control other essential security tasks.
Endpoint Protection Steps
There is a dizzying array of endpoint security concerns, from malware to data theft to network and application access – and each one of them has a corresponding control or product that organizations can deploy.
EDR solutions can contain a great many of these security technologies, so create a checklist of what you need and look for the vendor that best meets your requirements. Possibilities include:
- Data loss prevention (DLP) and insider threat protection
- Vulnerability management
- Application whitelisting and control
- Identity and access management (IAM) and authentication
- Network access control (NAC)
- Data classification and protection
- Privileged account management
- Endpoint encryption
That last point merits its own discussion. Endpoint encryption has increasingly become a must-have for enterprises dealing with sensitive data, from corporate secrets to compliance regulations like PCI-DSS that require encryption. Encryption can protect data from unauthorized access, even when a device is lost or stolen.
There are two basic kinds of endpoint encryption: full disk and file-based. Full disk encryption encrypts everything on a drive except what’s needed to boot up, but the data is no longer protected once the user has unlocked the drive. File-based encryption, on the other hand, keeps each file encrypted until an authorized user opens it. Both encryption types can be used together to maximize security.
EDR systems offer a way to centrally monitor and manage that encryption. Roughly half of EDR vendors offer encryption with their products, either as part of the product or an add-on solution. Some monitor the status of BitLocker, the native encryption tool that comes with Microsoft Windows. But regardless of how you implement it, encryption is becoming a must-have for organizations of all types and sizes.
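As an added example (not from the article or from any vendor’s product), here is a PowerShell script that performs the kind of BitLocker status check an EDR agent would collect centrally: it flags volumes that are not fully encrypted, not actively protected, using a cipher outside an allow-list, or lacking a recovery-password protector. The allow-list and the compliance rules are assumptions for illustration; it needs the built-in BitLocker module and an elevated session.

```powershell
# Added example: BitLocker compliance inventory for one Windows host.
# Uses the BitLocker module's Get-BitLockerVolume cmdlet; the compliance
# rules below are assumptions chosen for illustration, not a vendor policy.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Ciphers considered acceptable; anything else (including None) is flagged.
        [string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # A volume is compliant only when encryption has finished, protection is On,
        # the cipher is allow-listed, and a recovery password exists so the key can
        # be escrowed (AD / MDM) and the drive recovered if the TPM state changes.
        $reasons = @()
        if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') { $reasons += "status=$($vol.VolumeStatus)" }
        if ([string]$vol.ProtectionStatus -ne 'On')         { $reasons += "protection=$($vol.ProtectionStatus)" }
        if ($AllowedMethods -notcontains [string]$vol.EncryptionMethod) { $reasons += "method=$($vol.EncryptionMethod)" }
        if ($protectorTypes -notcontains 'RecoveryPassword') { $reasons += 'no recovery password protector' }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            VolumeStatus = $vol.VolumeStatus
            Protection   = $vol.ProtectionStatus
            Method       = $vol.EncryptionMethod
            PercentDone  = $vol.EncryptionPercentage
            Protectors   = ($protectorTypes -join ',')
            Compliant    = ($reasons.Count -eq 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

# Usage when run as a script (e.g. a scheduled task or an EDR live-response job):
# print the table, then return a non-zero exit code if any volume is non-compliant
# so a central collector can raise an alert on this host.
$report = Get-BitLockerComplianceReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```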