Due to the nature of deep learning, it’s sometimes difficult to determine why the AI model has blocked a specific file, although this has improved over time. The downside of its intelligence and automation is we could use more logging details of what happened behind the scenes.

Enhancements for multi-tenant use cases will be a plus as we scale up usage. We're able to work around it within our own multi-tenant XDR platform, but the improved delineation of parties within an instance is beneficial.

Continuous improvement to the admin UI naturally will help improve the experience and allow us to work faster. Sometimes it can be chalked up to training, however, great UX makes a big difference in saving time.

Wider Linux flavors coverage also would be a plus.

We have a PHI (protected health information) committee, and some of the things that we review on a weekly basis are incidents. For example, if there was malware or adware or some kind of phishing attempt, or even ransomware, we would have to investigate and see if there was any PHI impact. We've seen small things because some kind of adware made its way through the browser from some malicious link, and it's really hard to prevent those. We're putting more levels of filtering around that.

There are some product development ideas that we have been working on alongside the DI team, and they've been super helpful. There are definitely a lot more little areas of improvement for the interface.

Also, we have talked with the DI team about adding the forensic piece, which is what we do a lot. That would be added value and they've just recently provided more individuals to think about the roadmap. That's part of their strategy and one of the good features that they want to bring on. Hopefully, they can bring that to fruition and that will ease our workflow a little bit more.

The additional predictive and prevention capabilities in the 3.0 version, that don't require special rules and configuration, help our organization. The only caveat is that when things get done automatically, I would appreciate more logging of what's happening in the background, if it is doing some kind of intervention. If we need to do some forensics, we should be able to backtrack from the log that gets uploaded to our cloud instance and see, forensically, what the root cause was. We should be able to see what instigated that trigger by DI and what exactly was done. That's a missing piece. It does a good job of preventing, but then we don't know what were the symptoms of the prevention.

Let's say that there was like a PowerShell block. We'll see an indicator on the dashboard and we'll look at the logs and investigate. Sometimes we find that the logs that are captured locally on the endpoint itself are not very thorough. We were coached through our training with DI that, when troubleshooting, the DI team would always ask for the logs from the endpoint. We know what we need to do to look at something. But the logging for DI doesn't capture everything. There are some things that are missing. When it comes to root-cause analysis, or kill-chain analysis, and figuring out exactly what happened, it's very hard to do that right now on the product. I have used Carbon Black before and they're pretty good with the forensic analysis. That does save some efforts of my one engineer and myself when we have to go through the PHI committee. Right now, with Di, that feels like a blind spot.

Another area for development is making the license clean-up a little bit easier. We always have to manually uninstall agents. If there were some way to remove the licensing and do better license management on the platform, that would help my team as well.

There is room for improvement in the setup process. I've had to raise it with the engineering team because there's an issue in the installation process where you can't install it unless you disable the built-in Windows Bitdefender antivirus. 

So, you have to manually disable Microsoft Bitdefender in order to install Deep Instinct. So, that makes it impossible to do a network rollout unless you manually visit each computer, which is ridiculous.  

So, I haven't completed the installation process because I'm blocked really because of this issue. Moreover, I don't want to because it's too much manual effort. Operationally, it makes no sense to me. So I told my customers that I'd consider the deployment of the product if it doesn't have these technical issues.

I would like a little more training for the admins.

The interface on the endpoint could be a little more descriptive and more valuable. It doesn't always tell you the data you need to see. Improvement there would be very helpful.

The solution's stability is good. If the tool was able to provide fine-tuning capabilities from the product's end depending on the environment of its user, then it would be a good improvement in the solution. The product can build prebuilt binaries for major providers, like infra or telecom agencies, who can fine-tune it according to the environments so that they know what applications are considered normal and what is considered abnormal. The tool provides additional support for areas like whitelisting and allowlisting, but it will be very useful to quickly deploy the tool in an environment if it comes in a prebuilt binary package.

I think it's probably the administration, especially the administration platform, which could be improved in the solution. It's clunky and hard to navigate, especially for inexperienced technicians. So, I want to see better platform administration and easy navigation in the future.

My primary concern is that there are elements of the MSSP model that need updating. Specifically, there are some technical controls that need to be updated and it means that rolling it out is a little bit more complicated than it has to be. If the client is working remotely and doesn't have a VPN then the deployment is difficult to do.

In the future, I would like to see additional reporting made available.

Adding a firewall would negate the need for some products by other vendors. More generally, adding traditional endpoint security features over time would mean that we would not have to support multiple platforms.

The Achilles heel in our industry is reporting. I would love to see exceptional, outstanding level of reporting. I know that's like asking for a unicorn to leap out of the sky with any of these products. But reporting is always the thing that it is challenging. Fortunately, because as operators we get information through the dashboard, it hasn't been an issue yet. But for us, to really differentiate and really squeeze the full value out of this with our clients, the reporting is critical. Why is that? When everything works, clients began to wonder: "Everything's fine. Why do we need you?" That's where the reporting capabilities would allow us to really demonstrate: "Hey, here's what's actually going on, Mr. Customer."

I would like to see improvement in the user interface so that the user has more control. For example, it would be good if a user could change their grouping if they want to be part of another group. Or if I want to right-click and scan a specific file that I just imported, that would be helpful. Sometimes you just want to do an extra scan to make sure you're safe.

Its support for Linux and Unix operating systems can be improved. Currently, they cover macOS and Windows, but they don't cover Linux and some of the Unix products.

Pricing is also an issue. Its pricing is not as aggressive as it could be, and its price makes it difficult to sell. Customers feel that they can get an antivirus for a lower price, even though it is not a similar product. It is technically different. 

Their SLAs can be better. They have to give you 24/7 support, but their SLAs are not very good. They should be better documented, and the offerings should also be a little bit better. What happens is that the SLAs end up in the hands of the intermediary, seller, or the local partner of Deep Instinct in a country. The customers want very fast SLAs in a very short time, but Deep Instinct doesn't give them at the same speed. Having said that, SLAs are important when you have a lot of issues, but this product doesn't have too many issues, so it is not a big concern. However, for a customer who doesn't know the product, it could be a concern.

If they can bring some additional, complementary solutions, like network scanning and the like, that will help. If they had some sort of a firewall which could help detect DDoS attacks and other things. It's just an extension of what they do, so it would not be just the endpoint. If they can take the technology and make it more useful across the network and add anything that could help improve the work environment, that would be good. 

I'm watching closely to see what they next bring onboard. But within the product itself, overall I don't see any required improvement because it has a very lightweight agent, it's fast and quick, and it detects everything. I haven't experienced any negativity on the Deep Instinct side.

The UI is pretty straightforward. It's very simple. It would be nice to have if there were options where, if I have to do SIEM integration, I could do so from the UI: Just pick and choose what SIEM solutions the customers use and have options to have out-of-the-box connection facility. If I had an option to do SIEM integration out-of-the-box from the user interface, that would be handy.

The Deep Instinct client stops working when you have two servers and you add high availability or Windows Failover Cluster mode. It doesn't work in a clustered mode. I haven't yet had time to go back and talk with their support and get it fixed.

It would be good if they can make the installation independent of an actual user. Currently, its installation is dependent on the actual user being logged in. For example, a computer has to be logged in for the installation to happen. If it is not logged in, then on the cloud platform, it is going to show that the client is offline. 

On the management side of the cloud platform, we would like to have the administrators segregated by logical entities. We have told them that on their cloud management platform, we would like to be able to segregate clients into different logical entities or organizations so that the administrators are able to manage only those entities that are within their designated organization.

I am looking forward to them adding Linux in Q1 or Q2 of 2019, as this is often requested by my partners and customers. Currently, Deep Instinct only has Windows, Mac, Android, and iOS.

At this point, they don't have a local quarantine feature that can be triggered by the agents. It has to be done by whitelisting. Deep Instinct has also said that this will be available in Q2 2019. 

The documentation could be improved. They have a manual, but it is not excessive.

Some of the features are very resource intensive, such as the ransomware detection. It consumed so much of the resource on the endpoints that we have disabled those functions. If they could improve the detection logic so that those elements would consume less resource, that'd be effective. They could also improve the reporting feature so it coul be more like you find in Maltego or IBM's i2. They could introduce a graph feature to coordinate between search and those things, perhaps a dashboard of some kind.

Reporting on incidents needs improvement. It doesn't give very much information compared to Sophos. Sophos will give you a graphic that you can zoom in on the subject and find out everything that the exploit tried to do. It gives you a visual sense of what is going on.

When it does find something I am not 100% sure that they are exploits or if they are false positives. At times, it can be difficult to tell what the problem is.

The deployment was a bit difficult. It was more difficult than Sophos, for example, with having to create an installer. I had to read through a lot of documentation to figure it out. It's clunky and cumbersome.

In Sophos, I can click what I want and it downloads an installer for each tenant. It just takes seconds. Whereas with Deep Instinct, I have to create a whole script and a lot more steps to deploy it.

You have to be more technical to deploy it. You can't just send a file to an end-user and have them install it. You have to have technical expertise.

The dashboards are quite primitive compared to Sophos, which is both good and bad. It's good because it's fast.

Easier Deployment would be better. More integration with RMMs, such as LabTech or Automate. Also, there should be more optics. When it does something, more information on what's happening would help us to make better decisions.

The Management Console is not localized.