CylanceOPTICS Reviews

One of the main use cases for CylanceOPTICS is endpoint detection and response, which even works without internet, unlike some other solutions. For example, CrowdStrike only works when connected to the internet, but with BlackBerry Cylance, it's functional offline.

Additionally, a key distinction between Arctic Wolf and other products I've worked on is that CylanceOPTICS not only is signature-based but also integrates AI, allowing it to remain effective even without the latest updates.

For instance, if Microsoft releases a patch, CrowdStrike might prevent you from reversing the changes, whereas CylanceOPTICS allows you to revert to the last recovery point if something goes wrong, which is a major advantage.

As for threat detection, we have not encountered any issues with customers using CylanceOPTICS; everyone has been satisfied with the product. I believe Cylance was renamed Aurora Endpoint last month, as they have shifted from EDR to an MDR model, but I'm still acquiring knowledge on how this changes our approach with customers. In terms of advanced behavioral threat detection, it performs excellently, as we have not faced any problems in that regard.

The standout features of CylanceOPTICS include the AI integration and its ability to function offline, which enhance its utility in relation to MITRE ATT&CK compared to solutions like Sophos Endpoint Detection and Response.

In terms of integration with SIEM systems, CylanceOPTICS enhances network visibility by creating logs efficiently. Integrating with an API for any SIEM tool is very easy, and the software is lightweight, requiring minimal RAM, which contributes to its overall versatility.

Regarding the endpoint data collection feature, it indeed contributes to the forensic analysis capabilities.

One improvement I suggest for CylanceOPTICS is more robust marketing efforts from their side. Many customers gravitate towards popular EDRs like CrowdStrike or Sophos, largely due to better marketing, despite BlackBerry Cylance being a superior product. The lack of marketing from distributors or vendors is a critical area where they are falling short.

Apart from marketing, it would be beneficial for CylanceOPTICS to establish a dedicated team in GCC since I coordinate with the UK team to handle support. Whenever a ticket is raised by one of our customers, we have to wait for responses which can take a whole day due to the time zone differences, and a local team could expedite this process.

In terms of scalability, CylanceOPTICS is indeed easy to scale, but one issue I face is related to visibility; while it is scalable, the security teams struggle with limited visibility as we need to gather data from multiple sources.

I have been working with CylanceOPTICS for the last one and a half years.

Regarding stability, I have no complaints as CylanceOPTICS has proven to be totally stable, and as of now, we have not encountered any instability.

When it comes to technical support provided by BlackBerry, my experience has been somewhat slow; if a problem arises, we often have to wait for a reply.

The response time can vary; sometimes it takes a day, while other times they get back to us within four to five hours, depending on the ticket raised.

Positive

The initial setup for CylanceOPTICS is straightforward; it is not complex at all, making it easy for users.

Many customers observe a return on investment with CylanceOPTICS since it works effectively without the need for an internet connection. However, some have chosen not to renew their licenses the following year because they are satisfied with its performance and do not see the need to pay more, which sometimes leaves me in a tough situation.

In terms of cost, I find CylanceOPTICS to be reasonable; it's not overly expensive, nor is it at the lower end of the market—it's positioned in the medium range.

My recommendation for anyone considering using CylanceOPTICS is to give it a try at least once; despite numerous EDRs on the market, BlackBerry Cylance stands out as exceptionally useful. I rate CylanceOPTICS eight out of ten.

I might not be the right person to answer questions about risk mitigation as I'm not a technical person and have not handled those aspects directly.

We completed the deployment of approximately 300 users in a span of 10 days. There were many dependencies because we had to remove the existing AV product from the systems, and then we had to deploy the agents of CylanceOPTICS. While 10 days is a considerable amount of time, this was not due to CylanceOPTICS. The CylanceOPTICS deployment typically should take approximately two to three days maximum.

CylanceOPTICS has a beautiful behavior analytics feature. I witnessed it when an application was attempting to install itself automatically. It analyzed the behavior and blocked it. This is a very good feature they have.

CylanceOPTICS needs to incorporate a threat kill chain similar to what CrowdStrike offers. It should be presented graphically for users and admins to understand exactly what has occurred.

I am not aware of the exact pricing and list prices currently. We received special pricing on multiple occasions.

We have been using the solution for the last three years.

Recently, we have considered moving away from Splunk and ArcSight. We are now focusing more on Elastic and Wazuh because customers are unwilling to pay for expensive solutions. If it is open-source, there isn't much payment required.

From an experience and technical perspective, I don't have any issues with products such as Splunk or ArcSight. The main concern is that customers are unwilling to pay high amounts. They want to maintain their compliance level with other products while minimizing costs. This led us to consider open-source alternatives where we can provide more service.

The solution is very stable and reliable.

The solution is very much scalable.

The support is inadequate because their technical people are not supportive. Since the support is not based in India, there are numerous issues. Customers are very unhappy with the support aspect. While we have been providing support, it is expected that the OEMs should also be supporting customers. In contrast, CrowdStrike has an excellent support team based in India.

Neutral

The setup is not particularly difficult. It requires expertise to implement it effectively.

This feature is something people should be looking into. The threat monitoring in CylanceOPTICS is very good. While CrowdStrike has similar features, CylanceOPTICS is more cost-effective. They use AI/ML technology. If the intelligence of the BlackBerry or the CylanceOPTICS main server has detected a particular threat anywhere across the globe, they update their signatures accordingly, and the CylanceOPTICS Command Center responds to the threat monitoring.

From a technical perspective, the product has no issues. The main consideration is cost, as customers are unwilling to pay high amounts for security solutions.

I purchase the product from CrowdStrike and sell it to customers. CylanceOPTICS is now owned by North Arctic, after being acquired from BlackBerry, who had previously acquired it from Cylance.

When customers approached us wanting an EDR product with technical capabilities, we presented two choices: CrowdStrike and CylanceOPTICS. While both products were good, CylanceOPTICS was chosen based on price-performance ratio.

The solution serves primarily data center businesses and other companies. The product's features, reporting, and alert generation were well-received by customers. Though CrowdStrike has excellent features, CylanceOPTICS proved more cost-effective.

The interface is somewhat complex, but this is appropriate for a security product. A technical team is essential for successful implementation.

I rate this solution 8 out of 10.

We use CylanceOPTICS primarily to understand what happened after any of the alerts. You can use the solution to query certain things. If you're looking for a certain hash or file name, we can run searches on it.

I would say it's not the best product. We're currently using CrowdStrike EDR, which is far superior to what CylanceOPTICS offers. What I liked and didn't like about it is that everything runs in real time. If you're searching for something, CylanceOPTICS pulls only on online devices because it doesn't have a database. In a way, it might work to some benefit, but a lot of times, we might not have the full picture.

The solution's contextual analysis is sometimes not very clear compared to some modern EDRs like CrowdStrike. Compared to other EDR tools, CylanceOPTICS lacks some information. It takes more time to investigate or dig up and understand what's going on.

I have been using CylanceOPTICS for three years.

We initially found that the level-one support person couldn't help. My main person was more knowledgeable than their primary level-one support. However, their level two engineers were more knowledgeable. If the problem persists and is escalated, you can solve it. However, level-one support is usually just a waste of time.

Neutral

We also use CrowdStrike. Protection-wise, we haven't had any major issues with CrowdStrike. It is easy to manage, and the EDR is fairly straightforward to understand. Any analyst needs very minimal training to really understand it. It's super easy to do integrations as well.

The solution is not complex to set up, but there were two different agents to deploy. One is for CylancePROTECT, and the other one is for CylanceOPTICS. Therefore, deploying two different agents was more cumbersome than having one unified agent. This was on the road map three years ago, and it's still on the road map. However, I haven't heard any updates

It didn't take us long to deploy the solution per se. However, we had to do additional packaging for CylancePROTECT and CylanceOPTICS. Only one person from my team was involved with the solution's deployment. He was the one who primarily managed the endpoint security. In total, two or three people, including people from SCCM and packaging, were involved in the deployment.

We have seen a very minimal return on investment from CylanceOPTICS. We found it useful in maybe one or two instances or major incidents, as opposed to CrowdStrike, which we use on a daily basis.

CylanceOPTICS is probably priced equal to other EDRs in the market. Price-wise, considering what it has to offer, you could probably get a better product.

Just one person is primarily responsible for maintaining CylanceOPTICS. However, it takes somebody to package it and deploy it. At least two people are needed to upgrade it, but it's not a dedicated person per se.

They are needed only when there's an upgrade needed. A dedicated person is responsible for maintaining the tool from my side. He is responsible for managing and looking at alerts.

I would not recommend CylanceOPTICS to other users unless they have CylancePROTECT and have no intention of moving away. They should have CylanceOPTICS only if they have CylancePROTECT.

Overall, I rate the solution a four out of ten.

The reason why I choose SentinelOne right now is that I can fork timelines. I can create serialization or my own fingerprints for the use cases. Or I can actually look for unknown unknowns. Where in CylanceOPTICS, I don't have that functionality, but what you can do in Cylance is, like, you can create artifacts.

Cylance also lets you classify different severities of AV detections, while SentinelOne uses signatures. So, they work slightly differently. In my opinion, Cylance might be lighter, but both are competitors with similar functionality, just a different approach. That's about it.

It's the whole suite. Like, you can't really use one aspect of it without having to use the other. Unless you can resolve it using the built-in AV detector.

In future releases, I would like to see more features around analysis for remote devices. 

CylanceOPTICS could benefit from more granular control in the timeline-building process. Ideally, users would be able to drill deeper into the analysis rather than have the machine dictate the direction. 

For example, if you want to open and analyze a specific driver, SentinelOne allows you to do that, but CylanceOPTICS currently doesn't offer that flexibility.

I used it more than two years ago. But then, once I started using SentinelOne, I got much more familiar with that. And then I seldom use it now.

I work with the latest because I'm grandfathered into a major distributor's program. I've been using it since practically the beginning before it was widely known. So, updates are automatic for us. Though I haven't used it recently, I'm sure logging into the cloud would show me the latest version.

I would rate the stability a nine out of ten. I would give it a close ten as possible because, like SentinelOne, I've seen incompatibility. Whereas Cylance, I've seen none. So I can play nice with products that are like Kaspersky or Bitdefender or something like that or even Windows Defender; it plays very nice with it. But it does not play nice with SentinelOne. I tried putting them both on the same machine once, and it actually killed it; the machine was, like, gone.

It is a very scalable product. I can go from, like, five hundred to a million copies. So if I want, I'm not limited.

So, I would rate the scalability a nine out of ten. I plan on using it more on remote devices.

The customer service and support were okay. The tier I support is not great, but the higher support is great. 

Positive

I'm getting more familiar with SolarWinds, but it's more of a monitoring tool. I also use SentinelOne. CylanceOPTICS and SentinelOne Singularity are both Endpoint Detection and Response (EDR) solutions, but they differ in their technical approaches.

CylanceOPTICS is similar to SentinelOne's singularity, but it's a different pro. It's almost the same thing, but you can list artifacts and look at other correlation points within the actual, like AV. It communicates within all the agents; they communicate together to make this, like, big picture of, like, timelines and extrapolation of, like, anti-malware information.

So, you could find all the threats in your environment. But it's very similar to SentinelOne. It's using a different methodology, like deep machine learning for antivirus. And it's a component of the protection, but it's more geared towards, like, SIEM, right, where it collects information.

And then you can upload packages where, let's say, you get a solution for a virus. That's moving laterally. You can upload the solution to a product; let's say that the product, for whatever reason, lost capability and can't communicate on the network, but the virus can. Then, you can isolate the product and upload the packages. And then, with the packages, it's not upgrading the software. It's, like, the solution to the AV. Then, once you inoculate the AV using CylanceOPTICS, you can move from one machine that has been isolated to another that has been isolated. You get me in the environment. So CylanceOPTICS allows you to do something like that.

The initial setup is easy peasy. I would rate my experience with the initial setup a nine out of ten, with ten being easy. 

The only thing that's interesting that the configuration of it is has become a little bit more complex. But the initial setup is easier than anyone can imagine.

I did it myself. I went out to a site. I also did a POC for Cylance because we were testing it. We found it worked in our environment, so my current company asked me to check out what was going on with this other company. They had been breached, and I was able to isolate the problem and inoculate it. They were impressed and wanted Cylance. So, in a way, we were the third party that took care of Cylance for them.

For the deployment process, we install an agent. Download it from the cloud or the tenant suite, deploy it with a remote tool, GPO, or even manually download and install it. Then, from the cloud, we can uninstall it without being present on the device. We can also remove it from the cloud, but that's one thing we have to do manually. We can't just delete it and forget it. We have to go in and remove that license, which would be nice to automate. 

In SentinelOne, you delete it, and it's really gone. But here, it sits there. It might not do anything, but it'll still detect malware, even if it's not connected to the cloud. But you're still getting billed on the cloud because we have to manually go in there and remove it.

The product itself communicates to the cloud when it does deep analysis. It uses a mathematical algorithm to detect whether a product on our computer is malicious or not. We can log into a website portal that shows all the information collected by the agents we've installed in your environment.

So it's, like, a tenant collector, and we go there, and we can rate things, observe things, change things. It's a full-blown product. It's a website within their organization that extrapolates information from all the agents. We're basically using their software. So, imagine everything is using the cloud right now. We log into a website server, but rest assured; it's in the cloud.

The actual Cylance itself, the Protect, depends on how many machines there are. When I did it, I didn't have GPO functionality, so I did everything manually. It took a while. But with GPO, I could get it done in one afternoon. So it depends on the number of machines. I did it on 300-400 machines, which took about a week. But, with GPO, I can get it done in an afternoon. 

For the OPTICS, once the Protect is on the machine, it's within seconds. I just download and flag it, and it creates a client and installs it. I can install it from the web interface for the machine or upload it directly from the interface. Basically, I create it like the main client. I can download it or be on the machine physically; it's the same.

It's like yet another small client that attaches to the main one. But they're very small, only 30-50 megabytes. These client installation files are very small.

That's basically it. It's very simple.

For the OPTICS, we don't need many people for maintenance. CylanceOPTICS has administrators who come in to make sure it's doing things as it should. We can't buy  OPTICS an administrator overseeing things, like making sure signatures are being kept and updated.

The product itself updates automatically, but every six months, you'll get a new version regardless of whether you need it or not. We can choose to update, though, which is a feature I like. They have something called Test, Co-Pilot, and Absolute. The Absolute basically puts all your nodes in there, like user definitions, and the update or the Co-Pilot takes precedence over the Test. 

So, if we have machines in Test, nothing gets updated. But we can update, maybe one or two machines. If we have Co-Pilot and you could test it out, say, "Oh, let me test the new version, see how it goes," then we can reverse it if we want to, like, reverse the patch or reverse the update if you find any bugs in it. So that's a really cool feature.

The pricing for CylanceOPTICS is very good; I would rate it around a nine on a scale of one to ten, with ten being the lowest. It's one of the most affordable options I've seen. 

For example, I pay around $4.50 per month for Protect and $1.50 for Optics. So for both, it would be around $6 per month per client. Under $100 per client makes it affordable for what it does.

I don't consider CylanceOPTICS as an EDR. It's more like a collector for events on a machine. EDRs allow you to dig deeper into identifying malware and provide more information than traditional AVs. Additionally, you can configure them to look for specific indicators of compromise. 

While other AVs just do their basic function, CylanceOPTICS allows you to customize these detections. For example, you can tell it to scan for specific drivers or monitor the processor activity. No other product, including SentinelOne from what I know, offers this level of customization.

I started using CylanceOPTICS on my own because I'm a researcher who likes to analyze things in depth. When I transitioned to next-generation AV, CylanceOPTICS was one of the first options I tried, and I liked it so much that I kept using it. I also tried SentinelOne and compared them both, and CylanceOPTICS just allowed me to go deeper into the analysis, which is what I prefer.

Overall, I would rate the solution a nine out of ten. 

CyclanceOPTICS requires all devices to be online for it to run a search, so it didn't have any information saved up. It doesn't look for devices that are offline at the time of the search.

We've used this solution for four years. 

The technical support could be improved although it's probably better than you get with a lot of the other traditional antivirus solutions. My team had sufficient knowledge to deal with level-one issues but they had problems escalating tickets to the next level. 

Neutral

The initial setup was fairly straightforward. To get a large healthcare organization sorted, we had to create exemptions because some of the scripts and some of the automations were broken. 

I would rate CylanceOPTICS an eight out of ten. 

We use CylanceOPTICS for malicious URLs and malicious processes. 

Malicious processes that we're attempting to be notified about, and similar things.

We have been dissatisfied with CylanceProtect and CylanceOPTICS and want to leave within the next several months. It just hasn't been an effective tool.

The tools are ineffective. It flags a lot of things. To give you an example, it detected Google Chrome and blocked the user's access to it. That it mistook for malicious, which turned out to be a false positive. When this happened, I had to go in and perform something to get them access to Chrome; when they submitted the access to Google Chrome, they received a black screen and couldn't do anything whatever.

As you may expect, I received a lot of tickets for that.

It had to be addressed in order for the user to be able to go to what they were attempting to get to. I had to go in and temporarily apply for exclusion and open a ticket.

I don't feel like it is actually protecting us against anything, It provides too many false positives.

I have been working with CylanceOPTICS for just over two years.

CylanceOPTICS is pretty stable. 

We just didn't find any value compared to what it is doing.

CylanceOPTICS could be scalable. It just didn't work in our situation. Maybe in a different environment, it will work fine. 

We are not happy with the service. It wasn't really identifying potential threats.

I was under the assumption that we would be getting a technology that uses machine learning to identify and block threats. I don't see it doing anything like that right now.

We are an enterprise company.

The technical support personnel I interacted with were good. 

It was a long process with a lot of testing to attempt to get things to work. 

Overall, if I had to rate it on a scale of one to ten, I would rate the technical support an eight out of ten.

Positive

This is the first time of me dealing with mobile threat defense. We have a vendor in-house that I am going to be working with. They are enabled for our environment, but as far as actual experience with mobile threat defense, no. I don't have that type of experience at all.

I have experience with Blackberry Cylance.

I have some experience with CylancePROTECT, as well as CylanceOPTICS which is part of Cylance Gateway. 

The setup is straightforward. 

You may send it to a GPO, or if you have a tool that can do remote assets, such as Goverlan, you can send it through Goverlan. 

If you opt to push it via Goverlan, make sure the user is connected to the VPN. 

You normally need to be on a VPN, and you simply connect through 

Goverlan, press a button, and it installs.

There is no user participation required; the user just has to be connected to a VPN if you push through Goverlan press a button, and then install.

It was also the group policy, we chose to use Goverlan because the tools we use in our environment are routed through Goverlan.

It's really simple. There are two kinds of deployments. You can use the Universal Agent to install both Protect and Optic in one installation, or you can install Protect separately and then Optics separately. We decided to go with the Universal Agent.

Protect and Optic as a whole were just not a good fit. I have no positives. Even with exclusions, it just wasn't a good match. 

We don't believe we received what we paid for. We don't believe we received our money's worth. I have used it before at other companies. It worked great, but it wasn't effective for us. 

There are a lot of false positives. Even after applying several exclusions, there were numerous false positives.

We received both. We prepared a quotation for a year. It is based on a calendar year. We spent a year on both Protect and Optics.

I would rate the pricing a three out of five.

It wasn't a good fit for us. We were unhappy with it, and while it may have worked better in a different environment, it was not a good match for us.

I would rateCylanceOPTICS a three out of ten.

The solution is mostly for EDR stuff, basically, to protect a company if it got hit by ransomware. That was one of the biggest worries. That was the main use it, was to monitor and protect at this point.

It's pretty unintrusive. It's light and it's pretty effective in the level of response.

The tool itself, it's really good. The client never had any issues afterward.

The biggest thing about CylanceOPTICS is that it's really not that scalable for larger companies. We usually have a lot of large, really large companies. Even though some of them went to Cylance, they usually just use the PROTECT piece, and they couldn't scale it. They kept whatever they had - Symantec, McAfee, whatever it was. They went to Cylance due to the fact that it was effective, however, it's hard to segment into groups. It's just not as scalable as some of the more established tools. Most companies will use it as another protection piece, not a replacement. Just a second level.

The reporting is very weak and not very good at all. 

I've used the solution for over two years. That's when my company was partnered with Cylance and we installed it and used it ourselves.

The solution is pretty stable. It's pretty rock solid.

The largest client, which wasn't that huge, was 300 users on the cloud. We were managing it for them and it was an instance on our companies.

The solution doesn't work well with large companies. It doesn't scale well.

We didn't have to do much on that end. When we did, technical support was really good. It is a very good company.

The initial setup isn't easy or hard. It's in the middle. It requires tuning. You have to tune it due to the false positives and creating the exceptions and stuff like that. However, it was pretty straightforward for us.

In terms of maintenance, we did a lot of work, however, the day-to-day stuff was done by one person on their end. It was fractional. It was a fraction of a full-time person. It's pretty easy to maintain. I did a lot of work with Symantec Endpoint Protection and their ATP products and stuff like that. That took more effort since you had a lot more pieces to it, including firewalls and IPS and device control and a bunch of other things. Cylance, on the other hand, is pretty straightforward. It's just AV and then the ADR piece.

I don't deal with licensing and can't speak to the exact cost of the product. We bundle the cost with our services. We charge clients for our services as well, so it was combined. That said, it wasn't that much even from our side.

Installing the solution is a one-time effort. It's not excessive. The only advice I'd give is that everybody should follow when doing a new product, which is always doing a pilot. In fact, do a couple of pilots in different environments or different groups of people. It's always good to start with your IT people, some subset of it, and then go on to all the departments until it's clear that it's not impacting unsuspecting areas. Especially the main apps.

Overall, I'd give it a seven out of ten. It does a great job at preventing malware, however, the reporting is poor. It's really not very good. And it cannot scale well.

Typically, we use machine learning features that we developed over the last half a dozen years to build this product, and therefore we're not a signature-based solution. If there are some anomalies that are taking place, generally we can raise an alarm and beyond just raising an alarm, we can provide some other kind of mitigation. We can maybe block communications or sandbox communications or send an alert as another aspect of control or protection.

Their efficacy is pretty good. They're probably in that effectiveness rating of somewhere around 95%. I categorize the solution in that 94% to 97% range in terms of identifying any form of malicious content. 

Historically speaking, they were the technology that identified the big OMB cybersecurity event that happened back in 2015 or something like that. They are well-known for their efficacy, which is a huge plus.

The solution has a high level of trust in the industry. For example, they were used for maybe the Democratic party after the 2016 convention. They had high-ranking, well-known customers that they deal with. 

They do have some other nice features. They do have some behavior analytics features or UEBA features that I've heard are pretty interesting. 

The solution is stable.

I haven't heard anything really negative about technical support.

The initial setup isn't too difficult.

One minor issue that somebody mentioned was that they didn't like their management console. I've probably got dozens of people using the product and that was the only negative feedback I've heard. I would try to couch that in terms of saying that that's not the majority that's saying that. That's a small number of customers or even it's really in my case, a single customer kind of thing. However, I'd just like to flag it as a possible issue for some.

Getting into more user-behavior analytics might be interesting. It could, for example, say, "Well gee, what does Steve do on a day-to-day basis?" If I had analytics of that nature, I could see when users log in, check mail, and if they start doing suspicious things, I could get a flag that alerts me. That whole space of behavioral analytics is a hot topic in security and has been for the last half a dozen years. If there are features within the product for behavior analytics, that certainly is interesting.

I've been dealing with the solution for as long as I have been at my current job, and that's been about two years at this point.

The solution seems to be stable. I haven't heard of any clients complaining. There don't seem to be bugs or glitches. It doesn't crash or freeze. It seems to be reliable.

I haven't heard any negative feedback in regards to scalability. It probably scales to thousands, maybe even tens of thousands in terms of large customer organizations. However, I haven't personally attempted to scale it myself.

Overall, the technical support has a pretty good reputation. I've only ever heard one complaint about it out of all the clients we have. My sense is that they are knowledgeable and responsive. I would likely have heard otherwise if they weren't.

As far as I know, the initial setup is pretty straightforward. 

It's always hard to measure in terms of security. At some level, you think of this as table stakes. I have to have a firewall to get in the game. I have to have end-point protection to get in the game. How are we justifying it? Well, let's say that if we wanted to run the math, what would the risks be if we left ourselves open.

In a simple thought process, let's say a security breach costs us $10 million and there's a possibility we can reach five times in the next 10 years, right? That means our annual exposure is $2 million a year or something like that if we did this math. 30% of the time or 20% of the time that could come from an endpoint kind of exposure.

If we ran the math, maybe we could say, "Well gee, then this thing's worth $400,000 a year if it's 100% effective at reducing endpoint exposures." All right, maybe we take half of that number and say $200,000 a year from a cost-benefit analysis. Well, the product, depending on the size of our user community, the product costs maybe $100,000, so that's a good return on investment. I've got this annualized risk exposure of $200,000 and it's costing me $100,000 to protect against and so some would argue that's good business.

We're a reseller. We don't have a business relationship with Cylance.

I'm not sure which version of the solution our clients are using. It might be different versions.

Our clients use both on-premises and cloud deployments. It depends on the customer and their preference. However, generally, I would say most use on-premises more often.

I'd advise new users that they should always start small or start with a small set before they do a big rollout. It's a good idea to test the waters and get a feel for any type of solution before going big.

In general, I would rate it at an eight out of ten.

The primary use would mainly be for intelligent intrusion detection and response. Our biggest customers are two pharmacies and a bank, so it would be applied in the financial and healthcare industries.  

The most valuable part of this solution is that it is advanced technology. Cylance is an engine, it is not a signature-based antivirus protection solution. It is based on the AI (Artificial Intelligence) and the ML (Machine Learning) models. Apart from the issue with the false positives — which is a known issue — the product could really not be more proactive in the way works.  

A signature-based protection solution goes out to a central server and picks up whatever the latest antivirus definition is that is out there and uses it as a blueprint to see if you have anything that is running that is included in the definition. This is a pre-defined list of malware processes and even if it is updated frequently, it is static.  

What Cylance does that is different than signature-based systems is that it is processor-powered monitoring. It remains on guard looking to see if there is something that is running that is out of the ordinary on your machine. It basically looks for anomalies. So if there is a behavior that raises a flag and that something is going on that should not be happening — it discovers an inconsistent behavior that does not look kosher — it will cancel the process. That is basically how it works.  

So, for example, if you can imagine if something malicious enters your system and it wants to read something from the registry. Maybe for you and me reading from the registry is fine, but for this other entity (or program or malware), Cylance detects the unusual behavior and makes a decision. In this case, it might decide this entity is not supposed to be reading the registry because it might want to change something inside of it. If it wants to change something, then it is a malware or some other type of intrusion. So Cylance stops the process as it is happening and blocks whatever is making the bad action. That is actively patrolling for malicious behavior.   

False positives could be improved. Cylance picks up a lot of them.  

If the people who are looking for this type of review are more into the business perspective and they are from an SME (Small and Medium Enterprise), then it is a fine solution. But let's say it is an SMB (Small to Medium-sized Businesses). In that case, Cylance might seem pretty pricey. A cost of $55 per user is a lot for anybody, and imagine you are a small business paying that amount for 70 users monthly.  

Whether the added security is worth it would probably depend on what type of data you are protecting.  

It is hard to say what additional features I would like to see included in the next release. I do not think about features so much in an antivirus solution as I do functionality. The thing is that when you try and combine too much in one product, you might sometimes end up affecting the product as a whole. If you are a home user, having a lot of features is great, because then you say to yourself once a year you pay a fee for protection to Norton or Avast or whatever consumer antivirus vendor. At that point, you are covered in a variety of ways with one payment and you do not have to think about multiple solutions. I think those consumer products naturally have to do more to attract their audience. You could be fine with that because it does everything for you. It does the firewall. It does the VPN. It does the antivirus. It does internet security. It does a whole list of things. But when you are in an organization like an SMB or SME, the management of all of those things is decentralized.  

So I would say, from my perspective, what Cylance can work on that would be the best effort would be to fix their alerting system so that the endpoint reporting is a bit more streamlined.  

A second thing to do is to do a little bit more advertisement because not many people in the world even know that these solutions are available. It really almost gives them a license to freely broadcast that they are one of the best solutions. They are depending too much currently on word of mouth.  

I have been working with Blackberry Cyclance for about a year now.  

The stability of Cylance seems perfect. Compared to what McAfee was doing, we have left some boundaries behind. The good thing is that we did not have any breaches, ever, while using McAfee, so knock on wood for that. But Cylance found flaws inside of our security procedures that we had left vulnerable and the discoveries enabled us to close those holes and improve the reliability of our procedures.  

So, with McAfee, we did not have as good of a solution as we thought. It is not a solution that is proactive. I think that is a fair enough criticism of the product.  

From what we were told, we are going to keep on adding more licenses for our clients. The only thing that we might have to do is increase the capacity for the virtual machines, but that is about all that has to be done to increase the usage and scale up.  

We were actually using McAfee first and now we switched to Cylance last year. Cylance is a more advanced technology and that is why we chose to go with it.  

We engage with professional services to do the setup and deployment. On our side, there is not really much need for our input or involvement at that stage. But from what I know it is pretty straightforward for the clients.  

As far as the deployment, they put it on a virtual machine. Considering that, the deployment only takes about an hour. We have about 70 machines in total on the product at the bank. In order to have everything installed and everything running, it took about two days.  

I am the consultant, so I am just an intermediary. The clients have their own IDE (Integrated Development Environment). I do not have to get involved with that part of the implementation.  

For the license, we just paid for the number of endpoints we have and that is about it. In the end, the cost is about the same amount as McAfee, so they are definitely competitive when it comes to pricing.  

On a monthly basis, the licensing cost is $55 per user.  

We had been using McAfee for some time before considering Cylance. McAfee's performance seemed good and the support and everything are fine for us here. I have never had issues with them.  

But we saw a product demo of Cylance and we thought it was an interesting product and concept. We also know that the G7 countries in the world were the ones that used Cylance the most. We knew that was the case even before Cylance was bought over here by Blackberry. So the company already had a good standing and reputation before they started presenting demos. What had happened with the WannaCry ransomware virus about two or three years ago affected a lot of organizations. The people that were on Cylance were the ones who were not affected. So that fact alone was enough for us to strongly consider switching solutions. We ended up making the decision to migrate.  

Advice that I would give to anyone considering switching to this solution is you should go for it if you have the money set aside to switch. But also I would spend additional for professional services to handle your migration.  

On a scale of one to ten where one is the worst and ten is the best, I would rate the product as eight-and-a-half. That is because of all that it does, the comparison between the other products, and the fact that it is a vigilant AI / ML tool that proactively guards your system.  

The most valuable feature is the sandboxing.

The detection component is something that they have to work on.

The monitoring management is in need of improvement.

The detection and response are a little bit slow.

We are currently evaluating Cylance with a few other products in search of a replacement for our existing solution. We have been using it for approximately one month.

We have not been in contact with technical support.

The initial setup was of average difficulty. It was not that complex, but not easy, either. It was okay. We deployed it within a matter of hours, although this is not a full deployment. It is only on selected endpoints for evaluation purposes.

We are currently evaluating Cisco and Palo Alto Traps, in parallel with Cylance.

In this domain, Cylance is the newcomer. Symantec and Palo Alto Traps have been in operation for quite some time.

It is a bit early in our evaluation process to give proper feedback, although so far, the overall feedback is good.

I would rate this solution an eight out of ten.