Top 10 Endpoint Detection and Response (EDR) Solutions


Download our free EDR Vendor Report based on nearly 300 real user experiences.

Endpoint Detection and Response (EDR) is a cybersecurity technology that addresses the need for continuous monitoring and response to advanced threats. It is a subset of endpoint security technology and a critical piece of an optimal security posture. EDR differs from other endpoint protection platforms (EPP) such as antivirus (AV) and anti-malware in that its primary focus isn't to automatically stop threats in pre-execution phase on an endpoint. Rather, EDR is focused on providing the right endpoint visibility with the right insights to help security analysts discover, investigate and respond to very advanced threats and broader attack campaigns stretching across multiple endpoints. Many EDR tools, however, combine EDR and EPP.

Jump ahead:

The EDR market is booming, and with good reason. Security breaches are more prevalent than ever, and most enter networks via endpoints. All it takes is one gullible user and the bad guys can sneak inside.

EDR revenues more than doubled in 2016, reaching $500 million, according to Gartner. Four vendors account for more than half of that total – Tanium, FireEye, CrowdStrike and Carbon Black. But there are others worthy of inclusion. This guide also examines Guidance, Symantec, Cyberreason, RSA, Cisco, and Countertack. But that list is destined to become shorter.

"We expect to see considerable consolidation in the endpoint security market going forward," said Avivah Litan, an analyst at Gartner. "Endpoint security products need to elevate the information and alerts they provide to the user and data level and further automate their response and remediation capabilities."

Despite that consolidation, Gartner's forecast is for almost 50% annual growth for EDR at least through 2020. That puts it way out in front of most areas of IT, where the overall growth rate is only 7%. Another factor in EDR's explosive growth is the fact that only 40 million EDR endpoints are currently installed, compared to the estimated 711 million desktop, laptop and other devices that can utilize the software.

The features that most EDR solutions have include:

  • The ability to detect and prevent hidden exploit processes that are more complex than a simple signature or pattern and evade traditional AV
  • Threat intelligence
  • Visibility throughout endpoints, including applications, processes and communications, to detect malicious activities and simplify security incident response
  • Automation of alerts, as well as defensive responses such as turning off specific processes when an attack is detected
  • Forensic capabilities, because once an attacker is inside, you need the ability to take a deep dive into their activities so you can understand their movements and minimize the impact of the breach
  • Data collection to build a repository used for analytics

Here, then, are 10 top EDR solutions worth considering. Gartner named each of these vendors as the top ten providers in terms of market share in its report "Competitive Landscape: Endpoint Detection and Response Tools." That document also laid out the various required features for EDR solutions that are considered here.

We summarize the EDR solutions below and link to a deeper analysis of each product, and at the bottom of this article is a chart comparing EDR product features.

FireEye Endpoint Security

FireEye serves organizations with anywhere from 250 to 350,000 endpoints, and is also beginning to penetrate smaller companies with a network security endpoint product called CloudHX. The company has more than 1,000 experts responding to incidents and researching attacks, and its network scanning appliances have boosted throughput to more than 1,000 Mbps.


Carbon Black Cb Response

Carbon Black boasts a CIA and NSA cybersecurity pedigree and supports 150,000 endpoints per cluster with unlimited scalability. It can be deployed as software or in the cloud, with a one-year subscription starting at $30 per endpoint.


Guidance Software EnCase Endpoint Security

EnCase boasts a majority of the Fortune 500 as customers. The EDR solution can scale to hundreds of thousands of nodes and has also been used to secure ATMs, POS systems and manufacturing devices.


Cybereason Total Enterprise Protection

Cybereason was launched by Israeli cyber intelligence professionals and is aimed at companies of any size with little IT security expertise. It has no limit in number of endpoints supported and can process 8 million questions a second.


Symantec Endpoint Protection

Symantec stops nearly all advanced threats, and the company's EDR add-on adds incident investigation and response. It can scale to hundreds of thousands of nodes and is supported by the world's largest threat intelligence network.


RSA NetWitness Endpoint

NetWitness offers more than 300 behavioral indicators that users can customize. The EDR solution uses behavior analytics, machine learning and threat intelligence to detect and prioritize threats.


Cisco Advanced Malware Protection for Endpoints

Cisco AMP boasts rapid detection capabilities and a 100% score from NSS Labs for malware and exploit detection. Its 14 integrated detection techniques can block 20 billion threats a day.



Tanium EDR boasts more than $400 million in funding from top-tier venture capital firms and more than doubled its sales last year. Its architecture can scale to millions of endpoints without requiring additional infrastructure. Twelve of the top 15 banks are customers.


CrowdStrike Falcon Insight

Falcon Insight is a cloud-based platform that collects and analyzes more than 30 billion endpoint events per day from millions of sensors deployed across 176 countries. It performs analysis of more than 70 adversaries, their tactics, techniques, procedures and campaigns.


CounterTack Endpoint Threat

CounterTack uses a strategic partnership with SAP's HANA in-memory analytics platform to perform billions of scans per second. CounterTack applies a combination of behavioral analysis, machine learning and reputational techniques to counter threats.


Product vs. Product Comparisons

See these pages to compare two EDR products against each other:

Top EDR Solutions
VendorUse CasesMetricsIntelligenceDeliveryPricing
FireEyeFrom 250 to 300,000 endpoints; cloud for SMBs1,000+ researchers; 1,000 Mbps throughputAutomated threat detection and prevention for known and unknown threatsCloud or applianceStarts at $30 per endpoint, plus intelligence feeds and appliance costs
Carbon BlackAll markets and sizes, but strongest in high-risk industriesUp to 150,000 endpoints per cluster, with unlimited dustersDefense Cloud analytics engine identifies malicious activitySoftware or cloudStarts at $30 per endpoint per year
Guidance SoftwareLarge organizationsCan scale to hundreds of thousands of nodesAutomated alert response, validation, triage and incident responseSoftwareStarts at $57,995 for up to 2,000 nodes on a perpetual license
CybereasonOrganizations of any size or vertical with little security talentCan render 8 million questions per second with unlimited scalabilityMachine learning and analyticsCloud or on-premisesStarts at $50 per endpoint before volume discounting
Symantec Endpoint Protection with EDRBoasts 25% of all deployments worldwide and 350,000 customersScales to hundreds of thousands of endpointsAI and world's largest threat intelligence networkPhysical or virtual applianceStarts at $40 per seat per year
RSA NetWitness EndpointStrongest in finance, healthcare, government, energy, telcosMore than 300 behavioral indicators can be customizedBehavioral-based analytics engine and machine learningAgents deployed across multiple form factors; management console on-premisesPricing on a per-endpoint basis
Cisco AMP for EndpointsStrong in high-risk verticalsTop score from NSS Labs; 20 billion threats blocked per dayAdaptive intelligence, automated detection and responseCloud, private cloud, or on-premises appliancePricing is based on length or subscription and number of endpoints
TaniumLarge organizationsMillions of endpoints and 15-second visibility across all endpointsAutomation workflows data collection and corrective actionsAppliance, virtual machine, or standalone serverCompany doesn't disclose pricing
CrowdStrikeLarge organizationsMore than 30 billion events per day from millions of sensors across 176 countriesAPls and feeds for integration with SIEM, IDS, and Threat Intelligence platformsCloudSubscription-based pricing
CounterTackFrom SMBs to enterprisesCan complete billions of scans per secondVia a strategic partnership with SAPPlatform or cloud$14,000 per perpetual seat; $7,500 annual subscription seat