Top 8 Endpoint Detection and Response (EDR) Tools

  1. CrowdStrike Falcon
     As long as the machine is connected to the Internet, and CrowdStrike is running, then it will be on and we will have visibility; no VPNing in or making some type of network connection. CrowdStrike is always there and running in the background; for us, that is big. We wanted something that could give us data as long as the machines were connected to the Internet and be almost invisible to the employees.
  2. SentinelOne
     The Storyline feature has significantly affected our incident response time. Originally, what would take us hours now takes us several minutes. When there is an incident, the solution's Storyline feature gives you a timeline, the whole story, what it began with, what it opened, et cetera. You have the whole picture in one minute. You don't need someone to analyze the system, to go into the logs. You get the entire picture in the dashboard. The Storyline feature has made our response time very fast because we don't need to rely on outside help.
  3. Carbon Black CB Defense
     The solution is extremely scalable. Technical support is excellent.
  4. Cisco AMP for Endpoints
     Among the most valuable features are the exclusions. And on the scalability side, we can integrate well with the SIEM orchestration engine and a number of applications that are proprietary or open source.
  5. Sophos Intercept X
     Synchronization with the firewall is most valuable. Very stable solution.
  6. Check Point Harmony Endpoint
     The technical support is good. The most useful feature so far has been having a functioning and up-to-date anti-malware scanner.
  7. Bitdefender GravityZone Ultra
     The performance is great. With Bitdefender GravityZone Ultra, we don't have to worry about our endpoints or attacks. Our security has become stronger. This has been a reliable solution for our company.
  8. Microsoft Defender for Endpoint
     Microsoft Defender is always running. It is doing its job, so it is fine. I don't have any issues with the way it was implemented or how we are running it. We have been upgrading the stuff throughout the years, but there have been no issues.

Find out what your peers are saying about CrowdStrike, SentinelOne, Carbon Black and others in Endpoint Detection and Response (EDR). Updated: April 2021.
501,499 professionals have used our research since 2012.

Advice From The Community

Read answers to top Endpoint Detection and Response (EDR) questions. 501,499 professionals have gotten help from our community of experts.
How can businesses protect themselves against Mimikatz malware?
Technicalconsult568

Mimikatz is a post-exploitation tool that dumps passwords from memory (credential theft). The exploit phase is generally the 2nd stage in the attack life cycle, as it is mostly said that the attacker exploits a vulnerability. The collected credentials can then be used to access unauthorized information or perform lateral movement attacks.

EDR most probably helps you in detection and protection, as it works by monitoring and collecting events, memory dumps, etc.

EDR works by providing IOCs, which are already provided by the EDR vendor; you can also create custom IOCs and TTPs, and use front-line threat intelligence. All of those give you capabilities for early detection in the exploit phase and for knowing who is targeting your organization.

Alex Vakulov

Mimikatz is not the only one. Actually, there are, for example, also AzorULT and Cobalt Strike, described here - The main methods of infection

Bryan Hurd

Besides having Microsoft Defender, which detects this threat, the newest versions of the Microsoft operating systems for endpoints and servers also have new functionality to reduce the threat from Mimikatz. Making sure individual users do not have admin rights, implementing least privilege and multi-factor authentication will also help. Drop me a note here or on LinkedIn if additional discussion is desired.
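
The OS-level mitigations and least-privilege checks mentioned in the answers above can be audited from PowerShell. The script below is an added example for this thread, not code from any of the posters or from a vendor's product. It reads the Microsoft-documented LSA protection (RunAsPPL), WDigest UseLogonCredential and Credential Guard (Win32_DeviceGuard) state, and enumerates the built-in Administrators group by its well-known SID; the pass/fail thresholds (for instance treating more than two local administrators as a finding) and the function names are this example's own assumptions, and the script changes nothing on the host.

```powershell
# Added example, not part of the original thread or of any vendor's product: a read-only
# audit of the Windows settings that limit what a credential-dumping tool can take from
# LSASS memory, plus a least-privilege check on the local Administrators group.
# Registry paths, the Win32_DeviceGuard class and the cmdlets are Microsoft-documented;
# the pass/fail thresholds (e.g. "more than 2 local admins") are this script's own choice.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: caller decides what the default means
    return [int]$item.$Name
}

function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 while Credential Guard is active (Windows 10 / Server 2016+)
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
        return [bool](@($dg.SecurityServicesRunning) -contains 1)
    } catch {
        return $false   # class missing on older builds: Credential Guard cannot be running
    }
}

function Test-CurrentUserIsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CredentialHardeningReport {
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # RunAsPPL 1 or 2: LSASS runs as a protected process, so ordinary admin-level handles
    # to it are refused. UseLogonCredential 1: WDigest keeps plaintext passwords in memory;
    # 0 disables that. An absent WDigest value means the OS default, which is "off" from
    # Windows 8.1 / Server 2012 R2 (NT 6.3) onward but "on" on Windows 7 / Server 2008 R2.
    $runAsPpl   = Get-RegistryDword -Path $lsaKey     -Name 'RunAsPPL'
    $wdigest    = Get-RegistryDword -Path $wdigestKey -Name 'UseLogonCredential'
    $osVersion  = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $wdigestOff = if ($null -eq $wdigest) { $osVersion -ge [version]'6.3' } else { $wdigest -eq 0 }

    # S-1-5-32-544 is the built-in Administrators group on every language of Windows
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        LsaProtection       = ($null -ne $runAsPpl -and $runAsPpl -ge 1)
        CredentialGuard     = Test-CredentialGuardRunning
        WDigestPlaintextOff = $wdigestOff
        LocalAdminCount     = $admins.Count
        LocalAdmins         = (($admins | ForEach-Object { $_.Name }) -join ', ')
        CurrentUserIsAdmin  = Test-CurrentUserIsAdmin
    }
}

function Get-CredentialHardeningFindings {
    param([Parameter(Mandatory)] $Report)
    $findings = @()
    if (-not $Report.LsaProtection) {
        $findings += 'LSA protection (RunAsPPL) is off: any admin-level process can open LSASS memory.'
    }
    if (-not $Report.CredentialGuard) {
        $findings += 'Credential Guard is not running: NTLM hashes and Kerberos keys stay readable in LSASS.'
    }
    if (-not $Report.WDigestPlaintextOff) {
        $findings += 'WDigest may keep plaintext passwords in memory: set UseLogonCredential to 0.'
    }
    if ($Report.CurrentUserIsAdmin) {
        $findings += 'This session is a local administrator: day-to-day accounts should not be.'
    }
    if ($Report.LocalAdminCount -gt 2) {
        $findings += "Local Administrators has $($Report.LocalAdminCount) members: review against least privilege."
    }
    return ,$findings
}

$report = Get-CredentialHardeningReport
$report | Format-List
Get-CredentialHardeningFindings -Report $report | ForEach-Object { Write-Warning $_ }
```

Run it in Windows PowerShell 5.1 on the endpoint being checked (Get-LocalGroupMember ships with that version); the report object can be exported with Export-Csv when the same audit is pushed to many hosts through your management tooling. Enabling RunAsPPL or Credential Guard is a separate, deliberate change that should be tested against drivers and authentication agents that hook LSASS before it is rolled out.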

Bozhin Bozhinov
Real User

Um, this is Mimi's cat stealing the gold ticket.

Paresh Makwana

Protection against ransomware requires a multi-layered approach, with both preventative measures and recoverability capabilities. Due to the variety of attack methods, there is no single silver bullet that will provide comprehensive protection. As no protection is 100% effective, organizations must ensure they have recoverability capabilities in place for when they are compromised. Mimikatz malware is mainly used for password stealing from your device. First we talk about protection, which can happen with a couple of tools and awareness.

Preventative Measures

1) Endpoint Protection - AV product which does not require signature updates or endpoint device scanning, but uses Machine Learning (ML) techniques to identify malware.

2) Perimeter Protection - Sits inline between your company and the Internet, protecting your enterprise from cyberthreats, stopping intellectual property leaks, and ensuring compliance with corporate content and access policies. Product security capabilities provide defence-in-depth, protecting you from a broad range of threats including malicious URL requests, viruses, Advanced Persistent Threats (APTs), zero-day malware, adware, spyware, botnets, cross-site scripting, and much more.

3) Implementation of Privileged Identity Management with a 256-bit encrypted password vault. Look out for an unnecessary amount of requested permissions.

4) Recoverability - Offline Backups - This protection essentially involves maintaining an inaccessible, offline backup of data. I believe this offline copy is best offered in the Cloud, so therefore recommend a Managed Backup service for backups.

5) Download Apps Only from Official App Marketplaces.

With remote work having become the norm for many, what security should businesses have in place? Do you have suggestions of specific products that businesses should look at?
Philippe Panardie
Real User

There is not a single answer.

In our company, we use only company devices for workers at home and VPN appropriate clients to control the internet flows towards our company firewall.

A behavioral endpoint product is recommended. This product is likely to cooperate with your corporate signature-based antivirus.

Any good product could be used in that way. We chose well known Israel products, combined with our standard US products, at that time.

Omer Mohammed
Real User

Wearing a mask while accessing your service is not a joke: hardening tunneling protocols and using the most updated one is kind of like wearing masks.

Letsogile Baloi

Security is a multi-layered problem and, as always, the human end is the weak layer.

Increasingly I believe the human layer (layer 8) needs more attention. This requires getting the basics right. How are we allowing external devices into our networks? Do we own these devices? VPN tunnels?

Or are we creating a virtual working place and focusing on IAM?

This is BYOD on steroids and multiplies the attack zone. A line has to be drawn and a Trust Zone created. Traditional devices have native encryption, so we allow them as trusted devices and use their native encryption. Then other policies are made. Does the employee have access to good internet (in Africa this is an issue), or do they have to go to a coffee shop or some such place? A good behavioral endpoint product will help. In some cases a company intranet. Microsoft Teams is proving very accessible in Africa.

Menachem D Pritzker
On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts were protected using two-factor authentication, which the hackers were somehow able to bypass. Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, Kanye West, Benjamin Netanyahu, and several high-profile tech companies, including Apple and Uber. The hackers posted variations of a message asking followers to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned. How could Twitter have been better prepared for this? How do you rate their response?
Ken Shaurette
Real User

I like the potential for catching unusual activity like that with our recently implemented endpoint detection tool, Cynet360. It seems so far to have about the highest level of transparency into the endpoint, with 24x7x365 backing of monitoring.

Prasanna VA
Real User

It's understood that an internal tool was probably shared by an internal employee, as per the RCA. The tool was used to reset the associated mail address of the account, thereby allowing a password reset of choice. For MFA of identity-related features, it's more secure to keep it with an associated mobile secure PIN or soft crypto code in future to avoid compromise; at this moment, that is the lesson learned.

reviewer989748 (Security Analyst at a financial services firm with 201-500 employees)
Real User

The use of two factor authentication by Twitter

Paresh Makwana

This is one of the identity theft issues, which means someone hacks your password or account and does activity which he or she is not supposed to do. The basic reason for the hack of your identity or password is social engineering. The second reason is that the system has weak privileged access management. If you have less control on admin IDs or privileged IDs, then the entire firm has to suffer along with the customers of that firm. For me, the takeaway of this event is to protect privileged IDs and use a good PAM/PIM tool with two-factor and UBA included.

Russell Webster
Real User

Span of control, Solid RBAC, Privileged Access Management (PAM) 

How can businesses ensure that they are protected from EternalBlue attacks?
RicardoGranados (Ingram Micro Inc.)

You can use Palo Alto Networks Cortex XDR to protect against this type of attack at the endpoint level.

Dawid Van Der Merwe

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

Nikki Webb

EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.

So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.

Microsoft's Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilising the latest version.

Additionally, you should ensure that the following safeguards are in place:

  • Anti-virus software - an AI product like SentinelOne is needed; traditional antivirus is just not up to the job anymore

  • Secure offsite backup with “attack-loop” prevention

  • Filter for .exe attachments in emails

  • Encrypt sensitive data

PATCH PATCH PATCH - is the answer every time 

Dr Trust Tshepo Mapoka

The EternalBlue exploit, officially named MS17-010 by Microsoft, is a vulnerability that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is through system PATCHING, i.e. download the latest Windows software update and install the patch.

Marc Vazquez
Real User

The best part of AI products like SentinelOne is that they are monitoring for this type of exploit. It's not just antivirus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine; this would alert the SOC. As soon as the hacker executes the crypto code, the connection with the hacker is severed, and the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support, you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.

Steve Pender
Real User

By far the most important thing to do to prevent attacks utilizing EternalBlue is to make sure that you’ve updated any older versions of Windows to apply the security patch MS17-010.

If, for some reason, that’s not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.

Ensuring you have a capable EDR security solution should go without saying, but if your organization is still behind the curve on that one, remember that passive EDR solutions are already behind-the-times and active EDR is required.

Please contact me on for more information on SentinelOne and Cyber Protection Services
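
The three mitigations in the answer above (apply MS17-010, disable SMBv1, keep vulnerable hosts off the internet) can be checked on a Windows host with the script below. It is an added example for this thread, not code from the poster or from any vendor; it uses the built-in SmbShare, Dism and NetSecurity modules (Windows 8 / Server 2012 and later). The KB list is the set of MS17-010 update identifiers for the platforms that received standalone patches and is this example's assumption to verify against the Microsoft bulletin; on Windows 10 / Server 2016 and later those KBs are superseded by cumulative updates, so the decisive signals there are the SMBv1 state and OS currency. Get-WindowsOptionalFeature needs an elevated session; the other checks do not.

```powershell
# Added example, not from the original thread or any vendor's product: audit of the
# EternalBlue mitigations on the local Windows host (patch, SMBv1 state, TCP 445 exposure).
# Function names and the "ExposedOnPublic" rule are this script's own choices.

# MS17-010 KB numbers for the platforms that got standalone patches. Assumption to verify
# against the Microsoft bulletin; not meaningful on cumulative-update platforms (Win10+).
$Ms17010Kbs = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
                'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
                'KB4012214', 'KB4012217')   # Server 2012

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
    foreach ($kb in $KbIds) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-Smb1ServerState {
    # 'Enabled' means the server service will still negotiate the SMB1 dialect
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        if ($cfg.EnableSMB1Protocol) { return 'Enabled' } else { return 'Disabled' }
    } catch {
        return 'Unknown'   # cmdlet missing (pre-Windows 8) or access denied
    }
}

function Get-Smb1OptionalFeatureState {
    # Client SKUs expose SMB1 as an optional feature; Server SKUs use Get-WindowsFeature FS-SMB1 instead
    try {
        $f = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction Stop
        return [string]$f.State   # Enabled / Disabled / DisabledWithPayloadRemoved
    } catch {
        return 'NotPresent'
    }
}

function Get-InboundSmbAllowRules {
    # Enabled inbound allow rules whose port filter includes TCP 445
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP') -and (@($pf.LocalPort) -contains '445')
        }
}

function Get-EternalBlueExposureReport {
    $rules = @(Get-InboundSmbAllowRules)
    [PSCustomObject]@{
        Ms17010KbFound       = Test-Ms17010Installed
        Smb1Server           = Get-Smb1ServerState
        Smb1OptionalFeature  = Get-Smb1OptionalFeatureState
        InboundSmbAllowRules = (($rules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; ')
        # A 445 allow rule bound to the Public (or Any) profile means SMB answers on untrusted networks
        ExposedOnPublic      = [bool]($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
    }
}

function Disable-Smb1Server {
    # Remediation step from the answer above: stop the server side from negotiating SMB1.
    # Supports -WhatIf / -Confirm so the change can be rehearsed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

$report = Get-EternalBlueExposureReport
$report | Format-List
if ($report.Smb1Server -eq 'Enabled') {
    Write-Warning 'SMBv1 is still negotiated. Check for legacy clients, then run Disable-Smb1Server (try -WhatIf first).'
}
if ($report.ExposedOnPublic) {
    Write-Warning 'An enabled inbound allow rule for TCP 445 applies to the Public profile: SMB is reachable from untrusted networks.'
}
```

The report deliberately separates "patch KB found" from "SMBv1 disabled": a fully patched host can still have SMBv1 on for a legacy scanner or NAS, and a host with SMBv1 off is not reachable by the SMBv1-only EternalBlue exploit even while it awaits the next update cycle. Disabling SMBv1 on a server that still has SMBv1-only clients breaks those clients, which is why the remediation function asks for confirmation rather than running as part of the audit.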

Paresh Makwana

“EternalBlue” is an exploit that targeted open Server Message Block (SMB) ports and was used to great effect in the recent WannaCry ransomware attack.

Attacks leveraging the EternalBlue exploit generally follow this pattern:

  1. A vulnerable system with an open, unpatched port is identified.

  2. EternalBlue (or another exploit) is used to achieve remote code execution.

  3. The DoublePulsar backdoor is uploaded. This allows remote control of the infected system and the upload of an additional payload.

  4. An arbitrary payload is injected into the target system’s memory using the DoublePulsar backdoor. In the case of WannaCry, this payload was ransomware, but it could potentially be any payload, including malware that does a much more effective job at hiding on a system.

  5. In the case of WannaCry, the payload also contained code that attempted to spread additional infections with the EternalBlue/DoublePulsar attack chain. This effectively made WannaCry a worm, a kind of malware that could spread without any kind of user intervention.

Though Microsoft published a patch for a number of the exploits contained in the Shadow Broker’s dump, unpatched systems still remain vulnerable to this kind of attack. It is important to note that a potential attacker could use any payload in the attack chain described above.

Basic tools to protect from EternalBlue

1) Second generation AV 

2) Cloud Backup

3) Cloud Second generation VPN and Firewall

Can EDR replace antivirus, or are both needed?
ShreekumarNair
Real User

You can use EDR solutions to track, monitor, and analyze data on endpoints to enhance the fortification of your environment. Generally, EDR tools do not replace traditional tools like antivirus and firewalls; they work beside them to provide enhanced security capabilities. It is becoming the preferred technology for enterprises to provide better security for their networks when compared with the traditional antivirus.

EDR solutions have many capabilities and advantages which are not offered by traditional antivirus programs. It comes loaded with different analytical tools that run in the background to ensure the monitoring and reporting of threats. However, all EDR solutions do not perform the same range of functions. Their scope and nature of activities differ depending on the type of EDR solutions that you choose.

Traditional antivirus programs are more simplistic and limited in scope compared to the modern EDR systems. Antivirus is generally a single program which serves basic purposes like scanning, detecting and removing viruses and different types of malware.

Antiviruses are more of a decentralized security system that falls short of providing adequate security to the ever-expanding digital networks. The IT network and perimeter of enterprises have witnessed even faster growth due to the mobile revolution.

Matthias De Toffol

Hello, EDR can replace a normal antivirus and can offer even more, as it can effectively respond to an attack, isolate the end device or restore destroyed data. After that you can analyse the attack. We're using SentinelOne for us and our customers and are more than happy, as we're protected against new and old ransomware.

ITSecuri7cfd (IT Security Coordinator at a healthcare company with 10,001+ employees)
Real User

So this is what WIKI says about EDR.
EDR systems detect all endpoint threats and provide real-time response to the identified threats. ... EDR systems also collect high-quality forensic data which is needed for incident response and investigations. Overall, EDR security systems are much better equipped at handling cyber threats than traditional antivirus.

But IMHO, it depends. It depends on the products you are looking at, it depends on the cost, it depends on what you are trying to cover or prevent from happening, and it depends on the tools' capabilities. Some tools are better than others. Some A/V is better than EDR; some EDR is better than A/V. It's a very active space with a HUGE amount of contenders all vying for your security dollars. You just have to ask them the right questions and bounce their answers against their competitors', your bosses' and your friends' opinions to get out of it what you need, for the least cost and most coverage. Do some POCs and RFIs to see what fits you, your environment and your needs first, before you decide. Then spend the next 3 years extracting every bit of juice out of the tool you can to make it purr like a kitten.

If you don't need it and you can get by on Defender as an 80% solution, then go with Defender. If you need Carbon Black and McAfee, do that. It comes down to your needs and what's good enough for you.

RicardoGranados (Ingram Micro Inc.)

EDR is an add-on for Endpoint Protection. EDR is for detecting post-intrusion threats or persistent advanced threats. EDR enables identification and prevention of reconnaissance attack, lateral movement, command and control channel and data filtering. EDR can also analyze user behavior against a baseline.

reviewer1272021 (IT Security Architect at a tech vendor with 51-200 employees)

Yes, EDR will replace traditional A/V with most solutions. Make sure to validate with your vendor but the reputable ones certainly cover A/V. You do not need to have both as this is unnecessary overhead. Any (reputable) EDR will have known bad MD5 already included.

Nikki Webb

EDR can replace antivirus, if you get the right EDR solution. A solution that combines EPP and EDR into one is a replacement for traditional antivirus. EPP provides all the protection you would get from antivirus and more. Happy to discuss further if you have any more questions.

Matthias De Toffol

There is never 100% security, and I'm warning against using too much endpoint protection on the client, as each one has a small negative impact on performance.
And when using two, they will slow each other down.
To replace an antivirus, just use a good EDR, which replaces the AV and which does even more.

Cesar Eterovich Rodrigues
Real User

Yes, it is a good level of protection to have EDR alone, but for better protection I recommend having the two solutions together, with different manufacturers for the EDR and the AV.


Endpoint Detection and Response (EDR) Articles

Freelance Writer – B2B Technology Marketing
Journal of Cyber Policy
May 11 2021

On Saturday, May 8, 2021, major media outlets reported that Colonial Pipeline, whose fuel pipeline network supplies gasoline, jet fuel, and other petroleum necessities to over 50 million Americans, had suffered a ransomware attack and shut down its pipeline as a precaution. The disruption in supply sent gasoline prices rising over the weekend, with financial markets on edge in anticipation of economic impacts in the coming weeks.

Colonial, which is one of the largest pipeline operators in the US, has hired Mandiant, a division of FireEye, to investigate the attack. The FBI and Critical Infrastructure Security Agency (CISA) are also investigating the incident to determine the source of the ransom attack. Their goal is to help Colonial understand the nature of the malware that has affected its operations. According to the company, the attack only affected its business systems, not the pipeline management technology itself. However, they shut down the pipeline as a precaution.

The source of the attack has not been confirmed, but according to government sources, an Eastern European cybercrime gang known as DarkSide is a leading suspect. At this point, it is unclear who is behind DarkSide. In some cases, such criminal gangs operate either with the consent of nation-state actors or even under their direct instruction. By having a criminal group perpetrate an attack on another country, nation-state actors preserve deniability. The vulnerabilities that were exploited by the attackers are unknown at this time.

Detecting and Preventing Ransomware Attacks

IT Central Station members would not be surprised by the Colonial attack. Many of them have spent their careers detecting and preventing such events, using anti-malware solutions as well as tools for endpoint protection and more. Hasnae A., presales engineer at DataProtect, uses Cisco Umbrella for ransomware protection. As a system integrator, they implemented Umbrella to protect the network of a client in Morocco against ransomware and phishing attacks. Hasnae characterized the solution as “easy to use” and valued its ability to integrate with eBay.

Network security solutions are just one of many countermeasures that IT and security professionals are deploying to combat the ransomware threat. Email defense, endpoint protection, and secure browsers can also help mitigate ransomware risks. Backup and disaster recovery solutions fit into the ransomware defense mix as well.

Reducing Ransomware by Protecting Email

Ransomware malware needs to enter a target’s network in order to encrypt data and hold it for ransom. Email, especially phishing attacks, is one of the most potent vectors of attack. For this reason, security managers often try to stop ransomware as it enters the organization through email. An IT manager at a mid-sized healthcare company, for instance, uses Forcepoint for email filtering. He explained that “the spam filter is very effective. It does a good job of detecting ransomware links in email and then blocking them.”

Protecting End Users by Securing their Browsers

Ransomware attackers may deliver their malicious payload through infected websites. An end user might click on a link and accidentally download ransomware onto their device in the process. To reduce this risk, some security teams deploy secure browsers, such as Comodo, on end user devices. Principal enterprise architect Donald B. takes this approach at Aurenav Sweden AB, a business services company. As he put it, “If you open up an application or a web browser, it [Comodo] runs within a container (sandbox). So if there's some malicious code, it will be contained within the sandbox.”

He further noted that “ransomware prevention and zero-day exploits were a driver for adopting Comodo. From our research lab results working with live ransomware, Comodo has been very effective in preventing infection. We've done a lot of tests with numerous types of live malware, and it works really well.”

Protecting Endpoints to Stop Ransomware

The endpoint is a logical place to fight against ransomware. After all, if the security team can kill ransomware on the end user’s device, they’ve gone a long way toward winning the battle against the attacker. IT Central Station members discussed their experiences with a variety of endpoint protection solutions that help them with ransomware. These include a technical manager at a small tech services company who uses Malwarebytes to prevent ransomware and malware. He also deploys the solution’s endpoint detection and response (EDR) functionality. He related, “This means if the data is attacked, I'll be able to recover my data - that is, roll back the data and go to the pre-attack state.”

“The most valuable feature is its ability to detect and eradicate ransomware using non-signature-based methods. It is not a traditional EDR,” said the owner of a small software company. He added, “We think of this product as a fishing net that fits into the computer and has all of the capabilities and understanding of what ransomware and malware look like. It reacts to the look of ransomware, as opposed to trying to detect it by using a signature.”

For Imad T., group CIO at a large construction company, the Carbon Black solution “ensures the probability that any ransomware will be stopped before spreading.” It is an endpoint line of defense against malware and ransomware with scheduled network scans. A senior security consultant for Checkpoint Technologies at a small tech services firm had a similar use case. He remarked, “We had a ransomware attack and the SandBlast agent automatically picked up the ransomware. It automatically deleted the ransomware and restored the encrypted files.”

Mitigating the Impact of Ransomware with Backup and DR

As the Colonial attack reveals, even strong defenses can be breached. Ransomware is able to get through and wreak havoc on important systems. Anticipating this potential, some organizations prepare to respond to an attack by restoring lost data through backup. This way, they can ignore the ransom demand. Anti-ransomware processes should be part of a thorough Disaster Recovery (DR) plan. Such an approach has been taken by Sastra Network Solution Inc. Pvt. Ltd. As their CTO, Shrijendra S., noted, they use Quorum OnQ for backup, cloud service, and disaster recovery as a service [DRaaS]. In particular, they have found that Quorum OnQ has a good ransomware protection feature. Deven S., director at a small tech services company, similarly relies on Acronis as a file- and data-backup solution. In his view, Acronis is “easy to use, performs well, and provides built-in ransomware protection.” He described this as “a great advantage.”

The attack on Colonial Pipeline is getting attention because it is a piece of critical infrastructure that can affect the general public. However, as security experts know, it is just one of thousands of such attacks that have occurred in the US in the last year. Many more are likely coming. Security teams must be eternally vigilant against increasingly brazen and sophisticated attackers. As the IT Central Station reviews show, many validated solutions are available. The challenge is to deploy them effectively in order to detect and prevent ransomware attacks over the long term.
