Microsoft Defender XDR Reviews

I'm a deployment engineer for Microsoft products, and we work with multiple SMEs. Customers adopting Microsoft products want the same features they had in their third-party solutions. We look at their requirements and the types of features they need. We determine the security mechanism that best addresses their vulnerabilities. We might suggest Defender for Identity,  Defender for Endpoint, 365 Defender, and Defender for Cloud Apps. In addition to those security solutions, we offer device management. We provide everything.

Defender improves our security operations. I've had chances to collaborate with our SOC team. Our customers face many random attacks they don't know how to prevent, and the SOC team handles them remotely. The security engineers can investigate the incident or use the information from the customer's environment to offer a recommendation. If the customer doesn't have the detection mechanism, we can recommend a product or find a solution for them. 

The solution can help customers save money because we can bundle it with all the other Microsoft solutions, like email and Defender for endpoint, identity, and cloud apps. Most of our customers use Windows 10 devices and Microsoft Active Directory, so everything is on the same page. Defender can save time by automating investigation and response. We don't need to spend much time because it'll automatically take action in many cases. 

The best feature is threat hunting. There are a lot of other features I like, such as the alert mechanism. The chain alert mechanism has a huge impact. It combines all the alerts into one incident and automatically correlates them with AI. 

Defender has integrated identity access management, and you can add DLP features through a separate solution called Microsoft Purview. Within the cloud, we can create access policies based on each user's risk. It's integrated with Azure AD and on-prem Active Directory, so all the user identities can be managed in a single portal.

We use the multi-tenant management capability, so we can cover customers that have multiple regions. We can easily investigate across tenants based on severity. For high-priority alerts, we start from scratch and ignore what's happening on the endpoints or emails. We isolate the device and ensure that nothing will be released from it. Next, we check this device and some more details.

There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the roadmap, and we were waiting for that feature. 

I have used 365 Defender for about four years.

365 Defender is stable. There is no downtime. Still, Microsoft is constantly rolling out features, so there are sometimes bugs after new releases. Our customer experience team is collaborating with Microsoft and sharing feedback with them. 

365 Defender is scalable 

I rate Microsoft support nine out of 10. The support depends on the product and the customer's issues. 

Positive

I work with customers coming to Microsoft from other third-party products, so I try to understand what the product does and suggest a solution. The names are different, but all the technology is the same.

Deploying Microsoft Defender isn't complex if you have experience. The deployment depends on the number of users, apps, and the client's requirements. If the client wants to implement XDR, it takes about a month to achieve full functionality.  Endpoint protection takes around five to ten days. It's a cloud product, so it doesn't require any maintenance. 

Defender XDR is agentless, so you don't need to install an agent anywhere. It's a cost-effective option.

I rate Microsoft 365 Defender nine out of 10. We recommend it to our customers. 

We provide services to medium-sized businesses in the banking and administrative sectors. We are also using Microsoft Sentinel and Defender for 365. 

Defender helps our clients protect against any threats from outside the organization. Defender XDR helps our clients save about 25 percent by offloading some on-prem functions to the cloud. It also saves time because the cloud interface is manageable, and we can investigate incidents quickly. It's easy to create reports and share information with other teams. 

I like Defender XDR's threat detection and prevention capabilities. Defender's built-in identity and access management features are critical. The solution's coverage extends beyond Microsoft software. Defender is easy to use. It has a nice console, and everything is all in one place. 

The console is missing some features that would be helpful for a managed services provider, like device and user management. 

I have used Defender XDR for the last two years. 

I rate Defender XDR nine out of 10. 

I rate Defender XDR eight out of 10 for scalability. 

I rate Microsoft support nine out of 10. 

Positive

Some aspects of the deployment were not straightforward. It was moderately complex. I enabled all the connections and onboarding process, then implemented a basic set of configurations. It took about seven to 10 days to deploy. 

My clients have seen an ROI from using Defender XDR.

Defender XDR is reasonably priced but may be less affordable in certain countries. For example, it might be expensive for some customers in India. 

I rate Defender XDR eight out of 10. I would recommend Defender XDR. It's a fast solution, and it's easy to train people to use Defender. 

I use 365 Defender to protect against phishing attacks and filter out our email to pick up certain vulnerabilities. For example, if someone sends out their credentials, it triggers an alarm. 

Features like filtering and phishing simulation increase our email security. The main purpose is to protect employees and sensitive company information. Everything is connected, so an intruder can potentially access sensitive, confidential information by breaching just one account. 365 Defender is a good way to protect the entire environment. 

Defender helped us automate tasks because we had everything preconfigured. We create alerts and automated responses, which save us some time. Threat intelligence is helpful. For example, if there is a suspicious IP address based in Russia, we can block that address. I didn't do much of that, but it's possible.

365 Defender provides solid visibility because we can map out what's happening and get a good overview of the intelligence. The timeline feature is excellent. I also like the phishing simulation. We have phishing campaigns to educate employees and warn them about these threats. 

I also like that Microsoft has a lot of resources online. It's easy to Google information about the tool and what it can do for your organization. 

The interface could be improved. For example, if you want to do a phishing simulation for your employees, it can take a while to figure out what to do. The interface is a bit messy and could be updated. It isn't too bad, but doing some things can be a long process. 

I used Microsoft 365 Defender for 10 weeks during an internship. 

365 Defender is highly stable. I've never had any issues with it. It can be slower at times, but that may not be product's fault. Maybe there's too much traffic or an issue with the connection. 

365 Defender can scale. More than a thousand people work for this company, and some of them have multiple endpoints, like laptops, workstations, phones, etc. 

I've used CrowdStrike and some other tools for endpoint and email security. Microsoft Defender is excellent because it covers everything in one place, including endpoint protection, email security, phishing simulation, spam filtering, etc.  

365 Defender is billed per account. I don't know the exact price, but my supervisor told me that Microsoft Defender is cheaper than the alternatives. It's bundled, so you get all the features in one place. 

I rate Microsoft 365 Defender a nine out of ten. It's an excellent product that protects employees and organizations from attacks. If you have it configured correctly, you should be good. It's an ideal solution for new companies that are starting up and need protection. 

If I were asked to pick between a best-of-breed strategy or getting all of my solutions from one company, I would say that it depends on the product. Many companies have products that offer the same quality as others. The Microsoft family covers so much, but you can also try CrowdStrike for endpoint protection or Proofpoint for email security. 

Each platform offers flexibility, and some can be better than Microsoft, but when it comes to creating configurations, I feel that it's a better option. Also, you can get a better price by purchasing all your solutions from one company. 

Microsoft Defender is used for email protection. 

Microsoft Defender helps stop advanced attacks. We use PII disclosure, we track sensitive data in emails, ransomware, and phishing emails.

Microsoft Defender has saved us costs. 

Microsoft Defender has helped save us investigation time.

Microsoft Defender is slow to adapt to evolving threats.

I was using Microsoft Defender for one and a half years until a month ago when I switched to a different team.

Microsoft Defender is stable. 

Microsoft Defender is scalable.

I previously used Rapid7 InsightIDR for Security Information Event Management and Extended Detection and Response. While InsightIDR offered a user-friendly dashboard for managing detected incidents, its limitation of creating only around 25 custom rules restricted our ability to identify emerging threats. With the ever-evolving threat landscape, I believe a solution with a more adaptable defense system, like Microsoft Defender, is necessary to keep up with the pace of new incidents.

Microsoft Defender was straightforward to set up. It came with a lot of useful documentation to help.

The deployment took almost two months. 

Microsoft Defender falls within a mid-tier price range compared to other security solutions.

I would rate Microsoft Defender eight out of ten.

Microsoft Defender is well-documented and we can find answers to our questions from the user community.

I recommend Microsoft Defender for organizations that are already using other Microsoft products. Since they're likely within the same ecosystem, integrating Defender for antivirus protection should be a smooth process.

We implement it on client endpoints and server endpoints. We also integrate it with Microsoft Entra ID for the identity part because the security part of Microsoft Defender is completely correlated to user activity.

Microsoft Defender XDR is important for the mitigation of threats, visibility of vulnerabilities, and identification of issues within the environment. It has been a leader in the market for consecutive years.

We have a single pane of glass for servers, endpoints, and mobile devices. It makes it very easy to identify which devices are at risk when you go to the vulnerability part. There are also recommendations. Especially for me, these recommendations are gold. You see exactly what you need. Microsoft Defender XDR is completely different from your antivirus solution. It detects based not only on signatures but also on the policies, so you are forced to harden your servers or client endpoints, which makes a much stronger solution.

Being a Microsoft solution, it integrates well with other Microsoft systems. The majority of the systems are Microsoft-based. This integration comes without the need to install a client on the local machine. It makes the life of the operators and whoever implements it way easier.

Microsoft has a range of Defender products. There is Defender XDR, Defender for Endpoint for clients and servers, and Defender for Office 365 which protects mailboxes, SharePoint, and OneDrive. Then you have Defender for Identity, which is integrated with Defender XDR. You also have Defender for Cloud Apps that is connected to Defender XDR. When integrated, you can get sources of threats, for example, from Defender for Identity connected directly on the endpoint. Defender for XDR protects the endpoint devices against ransomware and different threats. We need to see more holistically at all the Defender solutions instead of isolating them. There is an element of correlation of identity. For me, nowadays, it is much more important to protect the identity than the endpoint device itself because the majority of the vectors are coming from identity attacks. They are more than the viruses attacking the endpoints.

I do not have much experience with Linux as such. I am very focused on Microsoft solutions. I never focused on Linux, but I have worked with my peers, for example, on projects to enroll Linux devices. We needed to prepare simple scripts or puppet scripts to automate the process of pushing policies and automate the update of the antivirus. It is trickier. It is more complex to manage because of the nature of Linux itself. It is not as straightforward or integrated as Microsoft solutions, such as Microsoft Windows 11 or Windows Server, but Microsoft Defender still covers everything. There are some limitations regarding Linux servers and endpoints because you need to have the version of Linux that is supported by Defender, but at the same time, with whatever is supported, Microsoft Defender does the job. Linux and Windows operating systems work in different ways, and the way that antivirus interacts with the operating system is completely different. There is role-based access control in Windows. You have local administrators and domain administrators. On Azure, you define roles for users to access certain environments. On Linux, you have the root user, and as a core front operation system embedded in it, you do not have the least privileged access management solution. This comes with a price because you need to control much better to whom you give access. SSH keys, for example, are very important to be protected, which is a different protocol than the Remote Desktop Protocol (RDP). You need to protect Linux servers in different ways, which is very different from Windows. Defender or Defender XDR extends the protection, especially when you need to connect with Azure Ark, which is part of Microsoft services.

Microsoft Defender XDR has consolidated security solutions. Previously, you had an antivirus, and you had a different type of endpoint protection for servers, and then you had a web content filtering solution, which is part of Microsoft Defender XDR. It consolidates all the extra products that you require, but it does not give all the elements. It is not a firewall. It is not a web application firewall (WAF). It does not give you everything required as a security solution, but as an extended detection and response system, it gives a lot of leeway for you to meet your security objectives. If we compare it with other products, Defender XDR is much more complete than the competition.

The integration, visibility, vulnerability management, and device identification are valuable. You can automatically deploy the clients depending on how you are implementing the solution. 

The web filtering solution needs to be improved because currently, it is very simple. It is very important.

Integrations with Linux should be done in a better way. With the AI world and the security part, things are going to be much simpler and easier to set up, configure, deploy, and maintain. I am looking forward to new releases of Microsoft Defender XDR to have better integrations, but the web filtering solution is the main pain point.

I have been working with Microsoft Defender since it was released. It has been about four years. I started working with it when it was not even called Defender. It was Advanced Threat Protection. It then changed to Defender for Endpoints and then to Defender XDR.

I have not experienced many bugs or issues. Sometimes, you have delays in the response, but that is due to connectivity issues. It is a cloud-based solution, so you cannot expect to have a real-time response, but this can be improved by Microsoft. I know that they are trying to improve. I would rate it a nine out of ten for stability.

It is ultra-scalable. I would rate it a ten out of ten for scalability. 

I love Microsoft, but due to its growth, the overall support quality has decreased a lot. My recent experience with support was not that good. For the Defender part, it was not that bad. I would rate their support a six out of ten. Their response time and knowledge could be better.

Neutral

I work with Trend Micro. I work with Kaspersky. Trend Micro has its own cloud-based solution similar to Microsoft Defender XDR, but it is not the same. It has some problems. It is not as effective as Microsoft Defender XDR. Especially whenever it comes to vulnerabilities and recommendations, Microsoft Defender XDR is amazing because of its integration with Microsoft operating systems. Microsoft is much ahead of the competition.

I would never touch Kaspersky again. It is not because it is a bad product. It has been a very good product for several years, but because of the Russia and Ukraine war, it has become a prohibitive product at least in Malta to use. A lot of customers moved from Kaspersky immediately to different products. The majority of them went to Microsoft Defender XDR, especially because it also comes integrated with some products. Microsoft is bundling its own products, and Microsoft Defender XDR is very attractive to implement as a cloud solution. It is a no-brainer for the customer. That is where Microsoft has an advantage over Trend Micro, Kaspersky, and other vendors.

With Cloud servers, it is easy and very straightforward. You can almost do it automated, but in a hybrid environment, you have the element of the on-prem servers, which becomes a little bit more complex. You also have the element of Azure that simplifies the deployment process.

It can be difficult to deploy in the beginning because you need to consider different products and elements, but the deployment is the simplest part of the onboarding process. The configuration process is much more difficult, especially because on servers, you need to deploy group policy objects (GPOs) and set all the policy options to protect from the vulnerabilities. You need to configure the antivirus to protect from exploits. There are so many features and configuration possibilities that it becomes more complex to implement on server endpoints. On the client side, it is easy, especially when you implement Defender through Intune, which is the mobile device management solution of Microsoft. With a platform like Intune, it becomes easy because you have policies that assist you already out of the box, such as security baseline policies. With Intune, it is much easier to set a policy. It is way less complex to implement. When you have a hybrid environment with endpoints joined on a local active directory, the complexity increases because you need to deploy GPOs as well if you do not have Intune involved. It is complex to implement.

The deployment takes a few weeks, but it also depends on the size of the customer. If you have just Windows 11 client endpoints, it is easier to implement. Client endpoints are easy to implement because you do not need to test that much. You configure the policies. The policies are all known because of our experience. When it comes to servers, it depends on the server's workload. It depends on what type of service you have installed on the server side. If it is the IIS web server, you need to test certain policies that can block that service. You cannot simply go and implement the best practices of the policies because then you are going to make the server unusable. You are going to generate downtime, which is not ideal and also not the objective, so you need to be very knowledgeable on the infrastructure side and the security side of all applications. You need to study. You need to create a test environment and start implementing server by server. You require details, and it is complex to implement because of this reason.

I am currently doing an implementation for a company with 300 people, and it would take around two months to implement because of the number of servers and endpoints. You need to go into each and every device and analyze the environment. It takes a while. In smaller companies, it is very quick. Within a week or two, you can manage to implement it.

In terms of maintenance, there is no maintenance of the product, but there is maintenance of the environment. Microsoft releases frequent recommendations, and they detect new vulnerabilities very frequently, which requires constant maintenance of policies.

I usually allocate two people. There is one person more focused on the client endpoints, and the other one is more focused on the servers because of his expertise. We split the roles and responsibilities within the team.

It has not saved us costs, but we have invested in a proper solution. We have a better return on investment. We now have better visibility. We are investing in a product that gives what we need instead of a product that does not fulfill our requirements and our customers' requirements.

As a service provider, it is very hard to calculate an ROI. For customers, it is more of a return on value rather than a return on investment. If you have not been under any threat after implementing the solution, it provides the value you need. This is my point of view on security because there is no perfect solution, but there is a solution that works better than the others where you have much more control. With Microsoft Defender XDR, in my experience, we have managed to give that to our customers. Our customers are satisfied with the product, and none of them have replaced or changed Microsoft Defender XDR.

There is the cost of the license, and there is the cost of implementation services. Only by enabling a license for your user, all the features are not going to be enabled and the policies are not going to be configured. It does not work like this. You need specialized people to implement, monitor, and maintain the systems. It comes as a package.

I would rate Microsoft Defender XDR a seven out of ten for pricing. It is costly, especially on the cloud part. There is also Defender for Cloud, which is part of Microsoft Defender XDR. It is 15 dollars per server per month. It is worth it, but it can be costly. It depends on the company's size. That is the big issue.

If you have a company with ten employees and ten servers because you have your own infrastructure hosted within virtual machines, you need to protect ten client endpoints. It is cheap if you get a business premium license. It costs around 17 euros per user. To protect the servers, you need to pay an extra 14 euros per server per month. For ten servers, it is 140 euros per month. Per year, it is around 1600 euros. Small companies or companies with a small budget would not go for it because they do not want to invest in IT. They do not see this value. In my opinion, big companies can justify this cost.

In the countryside of Malta, it is tricky to sell the solution. I have to give them all the advantages. I always have a test environment, so I show them how it works, how the automated detection works, how it behaves, and how it acts on the threats. I give them an overview, and they get amazed. When it comes to the pricing, they get a little bit scared, but ultimately, they go because they see value in it. Everything depends on the value that a product gives and how you sell a product as a solution provider. An XDR solution provides value because it protects your assets. Your data is your major asset. If you do not have it protected, you can get hacked or have a ransomware attack. Companies are now starting to understand the importance of it, and they are starting to invest more. It is still a long way for us to have the mindset where they say that it does not matter how much it costs, we need to invest in security.

I would recommend Microsoft Defender XDR. It is the best solution in the market.

For me, Microsoft Defender brought a career change. It made me go deeper into the security products. Previously, I was more of an infrastructure guy. I was more focused on on-prem and Windows servers, but then I moved away from infrastructure. I work for a data center company, and I am a presales solutions architect designing solutions for financial companies, banks, and gaming companies or companies with online casinos.

A lot of people did not like Microsoft Defender because Microsoft was not known as a security company, but Microsoft has been investing billions of dollars every year in security, and now, they provide cutting-edge technology, especially with AI.

I have been following Microsoft, and I go to Microsoft events. There is a new product called Security Copilot that is going to be completely connected to Defender XDR. It will give much faster feedback and response to threats by issuing reports. Today, a security analyst takes four to five hours to prepare a report. With Microsoft Security Copilot and Defender, it is going to change massively. Within five to ten minutes, you can prepare a report with the Security Copilot solution. It is going to be released very soon, and I am looking forward to it.

Overall, I would rate Microsoft Defender XDR a ten out of ten.

Defender XDR is a solution that protects your enterprise systems and devices.

Defender XDR has helped a lot in terms of capturing all kinds of activities happening on the endpoints where it is. If you want to know what happened at a point in time, you can go to the history and search everything. This helps you investigate exactly what happened if you have a security breach. It doesn't take much time, but I don't have anything to compare it to because Defender is the only XDR we've used. 

Defender XDR has a feature called the timeline that lets you track all activities. It helps a lot with investigations. Microsoft has many identity management features and products that complement each other.

It covers the weaknesses and vulnerabilities of non-Microsoft solutions, but it will not help you to do the remediation. You need another third-party tool to do the remediation. 

Defender protects against advanced attacks like ransomware or email phishing. The protection Defender provides is excellent. It's a great product for preventing attacks and reducing risks for organizations. 

There are a few technical issues with Defender XDR that can be improved. Sometimes, the endpoint devices are not reporting properly to the Defender 365 portal. When you're getting all the information from the Microsoft portal, the devices are sometimes not in sync. We have hundreds of endpoint devices, some needing to be onboarded again. 

I have used Defender XDR for three years.

I rate Microsoft support nine out of ten. It's excellent. 

Positive

We did a POC for a McAfee product. There weren't many differences, but Microsoft Defender was included with our E5 license. The major difference is that we saved money by not purchasing another product. 

Defender XDR is a cloud-based solution. You can access it and see all the information you need inside the Microsoft portal. 

Defender XDR is not expensive. It's average compared to other products. 

I can get Defender bundled with the E5 package. We had considered replacing it, but after evaluating some competing products, we decided there was no significant difference between the third-party products and Defender. 

I rate Microsoft Defender XDR eight out of ten. I think there is room for improvement in terms of its coverage of non-Microsoft technologies. 

The product replaced Sophos, a third-party product we used, helping us save money equal to its yearly subscription. The product saves us time. We do not have to interfere. It just keeps running.

Considering we haven't encountered any technical problems since we started using it. It is working as intended. It has great stability.

I don't know if that is Defender's feature, but more active monitoring for data breaches would be beneficial. There could be a way to proactively monitor unusual activity versus just depending on viruses and malware. If the traffic seems unusual, it could detect anomalies and update us. It would help us stop malware attacks ahead of time.

I have been using Microsoft Defender XDR since 2015.

We never encountered stability issues.

Whenever we add a license, it automatically sets the account for a new user.

The initial setup process was fine and similar to Office 365. We had to get our email server lifted externally from the premises to the cloud. It is easy to use once all applications are deployed.

Microsoft Defender XDR is already included in our Office 365 licensing. It is better because we're saving money by using it.

The product was included with the Office 365 licensing that we had. So, we decided to try it out. Before that, we were using Sophos.

I haven't run into that particular instance where the security features have extended beyond Microsoft technologies. The only products we use outside of Microsoft are proprietary lockdown applications, and it's not really an issue there.

During staff training, we've been using Intune to detect phishing attempts. It hasn't detected anything in that aspect. However, it has the ability to check for malicious attacks preemptively.

I rate it a ten out of ten.

It's the main tool that we use for the customer that we support. We don't use any other tools to monitor the environment.

It helps us prioritize threats.

In addition, Microsoft Sentinel enables you to ingest data from your entire ecosystem. One of the main reasons we use Sentinel is to receive logs from different sources and create analytical routines to generate alerts. Sentinel enables you to investigate threats and respond from one place and that is also very important because it becomes part of the monitoring team.

Microsoft 365 Defender has also helped eliminate looking at multiple dashboards, giving us one XDR dashboard. That means we don't have to spend too much time checking different pages. We just have one specific portal with all the information.

The solution has saved us time, although we haven't measured how much. It has reduced our time to detection and time to response by about 20 percent.

The most valuable features are the 

• integration among all the Microsoft tools
• details of the alerts.

We also use Microsoft Sentinel, Defender for Cloud, Defender for Identity, and Microsoft Defender for Cloud Apps. They are all integrated and it was very easy to integrate them. In my experience the with the integrations, it was just a click of a button and things were integrated. It's just a button.

They work natively together to deliver coordinated detection and response across the environment. We get more details when we integrate more tools, so it's relevant to have integration enabled. When it comes to monitoring an environment, this is very important, because you get different perspectives and points of view on the same alert.

I have a positive impression of the visibility into threats that the solution provides. It brings a lot of information and details related to the alerts or any security threat.

There are other SIEM solutions that are easier to use, mainly based on the creation of rules, use cases, and groups.

There could also be an improvement on the customization part. Sometimes we need to customize a few configurations but we can't.

I have been using Microsoft 365 Defender for a year and a half.

We have never had any problem with downtime.

The scalability is good.

Sometimes, they still take too much time to reply. But when they do reply, it's positive support.

Neutral

I was not involved in the initial setup, but there is no maintenance involved now.

My advice would be to have someone from Microsoft involved in the deployment part to help. There are a lot of details that they have information about, and it's impossible to know everything.