Best Endpoint Detection and Response Tools

The use of end-user devices such as computers, mobile devices, Internet-of-things (IoT), and other network devices in corporate networks creates attack paths for security threats.This has created a big market for what is now known as endpoint security

The endpoint security market has evolved over the years from traditional antivirus software into a modern security solution that includes next-generation antivirus, threat detection, and response, firewall, device management, anti-theft, encryption, intrusion prevention, data leak protection (DLP), parental control, and other technologies to mitigate evolving threats. This modern endpoint security solution is now known as Endpoint Detection and Response (EDR).

Here is our list of the best endpoint detection and response tools:

  1. CrowdStrike Falcon This hybrid solution offers an on-device unit called Falcon Prevent that implements constant anti-virus vigilance and can be expanded via a cloud platform to implement companywide, coordinated threat protection. Installs on Windows, macOS, and Linux. Get a 15-day free trial.
  2. VMware Carbon Black A hybrid solution with an on-device AV for each endpoint coordinated by a clod-based coordinator. Protects endpoints running Windows, macOS, and Linux.
  3. Trend Micro Apex One A cloud-based platform that protects endpoints by installing an agent on each.
  4. Symantec Endpoint Security Complete This package protects mobile devices as well as workstations. Delivered from the cloud.
  5. Trellix Endpoint Security (ENS) A cloud-based threat detection system that looks for anomalous behavior and takes a global threat intelligence feed.
  6. SentinelOne Singularity A XDR that protects endpoints, networks, and cloud services through log-based threat hunting.

An EDR tool is a software solution that provides real-time monitoring and visibility of endpoint activity, allowing security analysts to quickly detect and investigate suspicious behavior or malicious activity. EDR tools help to detect and respond to cyber threats on individual endpoints, such as laptops, servers, and other network devices. An EDR tool typically operates by collecting and analyzing data from multiple sources on the endpoint, such as system logs, network traffic, and application activity. The tool uses advanced analytics and machine learning algorithms to identify patterns of behavior that are indicative of a security incident, such as the use of known malware, unusual network traffic, or abnormal system activity.

When an EDR tool detects a potential security incident, it can automatically take a variety of actions to help contain and remediate the threat. For example, the tool may quarantine a file or terminate a process that is exhibiting malicious behavior. Additionally, EDR tools can provide security teams with detailed reports and insights into the incident, helping them to understand the scope and impact of the attack and develop a remediation plan. In this article, we x-ray the 6 best EDR tools out there. Hopefully, this will guide you in choosing the right endpoint security solution for your business.

The Best Endpoint Detection and Response Tools

Our methodology for selecting an endpoint protection and response tool

We reviewed the market for EDR systems and analyzed tools based on the following criteria:

  • An on-device unit that provides constant virus scanning
  • Activity summaries from the endpoint unit
  • A central coordinator that receives endpoint activity reports
  • Centralized threat hunting
  • Response mechanisms that inform all endpoints of an attack on one
  • A free trial or a demo package that enables potential buyers to examine the system before paying
  • Value for money from an easily expandable package that is offered at a reasonable price

1. CrowdStrike Falcon

CrowdStrike Falcon

CrowdStrike Falcon is an award-winning endpoint security suite that combines next-generation antivirus, endpoint detection and response (EDR), cyber threat intelligence, managed threat hunting capabilities, and security hygiene — all contained in a tiny, single, lightweight sensor that is cloud-managed and delivered.  The lightweight Falcon sensor that runs on each endpoint includes all the prevention technologies required to protect the endpoint, whether it is online or offline. It uses a combination of cloud-based technology, artificial intelligence, and machine learning algorithms to detect, prevent, and respond to malware threats in real-time. It is ideal for businesses and the modern work environment with stringent compliance requirements.

Key Features:

  • Next-generation anti-virus
  • Blocks lateral movement
  • Combats ransomware
  • Easily expandable
  • Cloud-based coordinator

Why do we recommend it?

CrowdStrike Falcon provides two levels of protection because its on-device unit is a full anti-virus package that can continue to protect the endpoint even if it is disconnected from the internet. The central coordinator elevates this AV to an EDR by coordinating intelligence gathering, threat hunting, and response.

CrowdStrike Falcon operates by collecting and analyzing data from endpoints, such as laptops, servers, and other network devices. It uses machine learning and behavioral analysis to identify and prevent threats, and it can detect and respond to threats in real-time. CrowdStrike Falcon uses a lightweight agent to monitor endpoint activity in real-time. It analyzes endpoint data using behavioral analytics and machine learning algorithms to detect anomalies and potential threats. When a threat is detected, Falcon sends an alert to the security team with details on the type of threat and its location within the network. Falcon also provides additional features such as threat hunting, incident response, and vulnerability management capabilities.

CrowdStrike Falcon offers several protection and performance capabilities, including:

  • Next-generation antivirus (NGAV) to prevent known and unknown malware.
  • Endpoint detection and response (EDR) to detect and respond to threats in real-time.
  • Threat intelligence to identify and block known bad domains, IPs, and hashes.
  • Endpoint protection platform (EPP) to prevent attacks at the endpoint.
  • Falcon OverWatch, is a 24/7 threat-hunting service that proactively searches for threats across the entire environment.
  • Threat Hunting: Falcon provides a range of threat-hunting capabilities, including access to CrowdStrike’s team of experienced threat hunters, who use advanced tools and techniques to identify and eliminate threats.
  • Incident Response: Falcon provides incident response capabilities, allowing security teams to quickly respond to and remediate threats.
  • Vulnerability Management: Falcon provides vulnerability management capabilities, allowing security teams to identify and prioritize vulnerabilities and implement patches and other security measures to mitigate risk.
  • Compliance: Falcon provides compliance capabilities, allowing organizations to monitor and enforce compliance with industry regulations and standards.

Who is it recommended for?

This package is very easy to expand. You just buy another license for the AV to include another endpoint in its coverage. However, that AV, called Falcon Prevent, is quite pricey and beyond the budgets of small businesses. The Falcon package is successful at attracting sales to mid-sized and large companies.


  • Creates a private intelligence network
  • Dual-level threat hunting
  • Automated responses that can involve instructions to third-party tools
  • A local anti-virus package that will function independently
  • Anomaly detection


  • Too expensive for small businesses

CrowdStrike Falcon pricing varies depending on the level of protection and the number of endpoints to be protected. Licensing is typically done on a per-endpoint basis, with discounts available for larger deployments. CrowdStrike offers several support options, including phone, email, and online support, as well as a knowledge base, community forums, and training resources.

2. VMware Carbon Black

VMware Carbon Black

VMware Carbon Black EDR solution combines next-gen antivirus with EDR technology to create a comprehensive endpoint protection solution against cyberattacks. The solution includes an on-premises and cloud-based endpoint protection capability known as Carbon Black Cloud. This enables it to apply behavioral analytics to endpoint events to achieve greater efficiency in detection, prevention, and response to cyber-attacks.

Key Features:

  • On-device unit
  • Cloud-based coordinator
  • Container security
  • Ransomware detection

Why do we recommend it?

VMware Carbon Black provides security monitoring in a number of units, which includes Carbon Black Endpoint. Another unit on the Carbon Black platform monitors container activity, looking for security issues. All of the Carbon Black system looks for anomalous behavior to trigger further scrutiny. The package is able to notify other endpoints if one computer reports an attack.

Carbon Black EDR can be deployed on-premise, in the cloud, or a combination of both (hybrid deployment). It is also available via managed security service providers (MSSP) or directly as a subscription-based SaaS offering. Supported platforms include Windows, macOS, and Linux (Red Hat, CentOS, and SuSE).

The solution is ideal for Security Operations Center (SOC) teams responsible for threat hunting and incident response in a hybrid (on-premises and cloud) environment. Other common use cases include breach preparation, alert validation and triage, root cause analysis, forensic investigations, and host isolation.

More Key features and capabilities include:

  • Centralized access to continuously recorded endpoint data means that security teams have the information they need to detect and respond to threats in real-time.
  • Carbon Black’s robust partner ecosystem and the open platform allow security teams to integrate this EDR tool into their existing security stack.
  • Automated watch lists and multiple customizable threat intel feeds enable rapid identification of attacker activities and root causes.
  • Provides intuitive attack chain visualization to make identifying root causes fast and easy
  • Interactive attack chain visualization, and live response for rapid remediation

The real power of Carbon Black EDR comes from its ability to leverage AI and behavioral analytics to improve its ability to detect and prevent attacks. This sets it apart from traditional antivirus software, which relies primarily on file-based malware signatures. Carbon Black EDR works by deploying sensors and applying security policies to endpoints. Once you have deployed sensors to endpoints and applied policies, you will be able to view information such as attack vectors, prevented attacks, and a summary of overall endpoint health and your organization’s overall security status on the Carbon Black dashboard.

In recent AV-Test results, the VMware Carbon Black Cloud (Endpoint Standard) had a protection and performance score of 5.0/6.0 respectively in preventing attacks, and a usability score of 6.0/6.0, which measures its impact on the usability of the endpoint. Carbon Black also met all the certification criteria for AV-Comparatives and thus was given the AV-Comparatives Approved Business Security Product Award for December 2021. In the latest MITRE Engenuity ATT&CK, VMware Carbon Black Cloud delivered robust telemetry coverage with correlated, high-fidelity alerts at every step of the detection test, ensuring complete visibility into any similar real-world threat.

Who is it recommended for?

This package is aimed at large and mid-sized companies. Although it is a product of VMware, the tool isn’t focused on watching virtualizations – VM monitoring is part of the package’s remit. The system looks at all activities on each endpoint. It is able to protect computers running Windows, macOS, and Linux.


  • Spots automated and manual attacks
  • Looks for unusual activity and so can block zero-day attacks
  • Blocks lateral movement by informing all endpoints of an attack
  • Can also protect the computers of home-based workers


  • Not suitable for small businesses

VMware does not display Carbon Black pricing details publicly on its website and does not offer free trials. This seems out of tune with most modern security providers. Notwithstanding, a hands-on simulation lab and online demo are available on schedule, and the product can be purchased through a network of partners and resellers.

3. Trend Micro Apex One

Trend Micro Apex One

Trend Micro Apex One is a cloud-delivered endpoint security solution offered by Trend Micro, a leading provider of cybersecurity solutions. It provides comprehensive security for endpoints, including laptops, desktops, servers, and mobile devices. When deployed, the platform uses a lightweight agent that is installed on endpoints to monitor endpoint activity and report back to the Apex One console. Trend Micro Apex One can be deployed on-premises, in the cloud, or as a hybrid solution, depending on the specific needs of an organization.

Key Features:

  • Cloud-based
  • On-device agent
  • Companywide coordination

Why do we recommend it?

Trend Micro Apex One is a cloud-based system that reaches out to enrolled endpoints through the installation of an agent. This package isn’t limited to a single threat detection technique. It uses methods such as blacklisting, anomaly detection, and signature searching to expose malware. The system can also spot fileless malware.

Once deployed, Apex One uses advanced threat detection and prevention techniques, including behavioral analysis, machine learning, and threat intelligence, to detect and prevent known and unknown threats in real-time. It continuously monitors endpoint activity to quickly detect and respond to threats and provides automated response capabilities to remediate threats in real-time without requiring manual intervention. In addition to threat detection and prevention, Apex One provides comprehensive endpoint protection and security for organizations of all sizes.

Apex One includes advanced web and email protection features to block phishing attempts, malicious URLs, and other threats. It provides vulnerability management capabilities, allowing security teams to identify and prioritize vulnerabilities and implement patches and other security measures to mitigate risk. It also includes endpoint encryption features to protect sensitive data stored on endpoints and provides mobile device security features to protect against mobile threats and enforce security policies on mobile devices.

Who is it recommended for?

Trend Micro Apex One is suitable for any business of any size. It’s cloud base is able to reach out to endpoints wherever they are – they don’t have to be on a single network. Thus, this is a particularly good choice for businesses that operate a virtual office with many home-based workers.


  • A SaaS package that can protect home-based workers
  • A range of detection systems to detect ransomware, fileless malware, and other threats
  • A co-managed security package is available for MSPs


  • No price list

In recent AV-Test results, Trend Micro Apex One (version 14) had an average protection, performance, and usability score of 6.0/6.0 respectively. The performance results of Trend Micro Apex One from AV-Test indicate that it is an effective and efficient security solution that provides strong protection against a wide range of threats without significantly impacting system performance. Apex One pricing details are not publicly displayed on their website but are typically based on an annual subscription per endpoint and are calculated based on the number of devices and the edition of the solution that you choose. A free 30-day trial is available on request.

4. Symantec Endpoint Security Complete

Symantec Endpoint Security Complete

Symantec Endpoint Security (SES) Complete is an EDR solution that delivers comprehensive protection for all your traditional and mobile devices across the entire attack chain. The solution includes behavioral isolation, Active Directory security, and Threat Hunter technologies to protect your endpoints against sophisticated threats and targeted attacks. The Symantec EDR is a flexible solution that can be deployed on-premises or in the cloud. Symantec Endpoint customers can leverage integrated EDR capabilities in the Symantec Single Agent architecture.

Key Features:

  • Cloud-based
  • Protects workstations and mobile device
  • Global threat intelligence

Why do we recommend it?

Symantec Endpoint Security Complete is a cloud-based service that installs agents on enrolled endpoints. The package will protect workstations running Windows, macOS, and Linux plus mobile devices running iOS and Android. As well as sharing event information around a company’s endpoints, this service pools attack intelligence from all clients.

Symantec EDR exposes advanced attacks with machine learning and global threat intelligence, minimizing false positives and helping ensure high levels of productivity for security teams. Symantec EDR capabilities allow incident responders to quickly search, identify, and contain all impacted endpoints while investigating threats using a choice of on-premises and cloud-based sandboxing. Furthermore, Symantec EDR enhances investigator productivity with automated investigation playbooks and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

Symantec’s EDR solution is equipped with a feature called Targeted Attack Analytics (TAA). This feature utilizes global activity data from all enterprises that form our telemetry set, which includes both benign and malicious activities. TAA applies advanced machine learning algorithms and cloud-based artificial intelligence to constantly adapt to emerging attack techniques. In case of a security incident, TAA generates a real-time incident report with a comprehensive analysis of the attacker, the techniques employed, the affected machines, and recommended remediation steps. The incident report is seamlessly streamed to the EDR console, enabling incident responders to quickly take appropriate action, thereby enhancing the overall efficiency and productivity of the security team.

Who is it recommended for?

This package appeals to large businesses and companies that have roaming and home-based employees will be particularly drawn to the Symantec service. The tool is able to spot zero-day attacks by focusing on anomaly detection. The company’s Global Intelligence Network means that details of an attack on one client are instantly communicated to all subscribers.


  • Global intelligence network
  • Anomaly detection based on machine learning
  • Protection for Amazon and Azure storage accounts


  • Broadcom doesn’t sell this product directly – you have to find a third-party supplier

In a recent AV-Test result, Endpoint Security (SES) Complete had the highest protection and usability score of 6.0/6.0 respectively, and a usability score of 5.0/6.0. Symantec EDR also provides tools to detect and visualize the attack lifecycle based on the MITRE ATT&CK framework.

5. Trellix Endpoint Security (ENS)

Trellix Endpoint Security (ENS)

Trellix is a high-flying modern business endpoint protection solution company. Trellix was launched in 2022 following the acquisition of McAfee’s Enterprise business and FireEye by Symphony Technology Group (STG). Trellix protects and empowers your workforce with an integrated security framework that protects every endpoint. Trellix Endpoint Security (ENS) solutions apply proactive threat intelligence and defenses across your hybrid cloud ecosystem, all while uniquely delivering security management, automation, and orchestration at scale. Trellix ENS offers several features, including real-time anti-malware protection, firewall, and network security, web and email protection, and extended detection and response (XDR).

Key Features:

  • Threat intelligence
  • Anomaly detection
  • Cloud-based

Why do we recommend it?

Trellix Endpoint Security is a very similar system to the Symantec Endpoint Security Complete package. The system operates on the cloud and interacts with endpoints through a local agent. Trellix aggregates the experiences of all of its clients into a global threat intelligence feed. So, as soon as one endpoint on a protected network gets attacked, all of Trellix’s customers know about it.

Who is it recommended for?

Trellix is a relatively new brand. The company was formed by a merger of FireEye and McAfee Enterprise in 2022. The Endpoint Security product is a legacy package, so it isn’t new – it just has a new name. The brand aims for mid-sized and large companies and its accounts are also available in a multitenant format for managed service providers.


  • Endpoint agents report to a cloud-based threat hunter
  • Automated response instructions are communicated to the agents for local implementation
  • There is a multitenant version available for managed service providers


  • The brand is in flux

Trellix is the most reviewed vendor on the Gartner Peer Insights for Endpoint Protection Platforms. Trellix Endpoint Security (ENS) earned the highest AAA rating in the SE Labs Endpoint Security (EPS) 2022 Q4 test for both Enterprise and Small Business categories. Trellix ENS also achieved a 100% detection rate for malware including ransomware with zero false positives. Trellix had an average protection, performance, and usability score of 6.0/6.0 respectively in a recent AV-Test result. With this high protection, detection, and performance power and non-reliance on signature detection, you can take its antivirus capabilities with confidence.

6. SentinelOne Singularity

SentinelOne Singularity

SentinelOne is a relatively young company that has emerged as one of the leading next-generation endpoint security solution providers. For SentinelOne to have gotten to this position within a short period, they must be doing something right. SentinelOne Singularity is an autonomous, single-agent solution that combines endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform that delivers top-notch enterprise-grade real-time protection against malware threats and advanced persistent threats across Windows, Linux, and macOS.

Key Features:

  • Security analytics
  • Anomaly-based detection
  • Automated responses

Why do we recommend it?

SentinelOne Singularity XDR acts like a SIEM system with added automated responses. This package scours log messages for signs of unusual activity. The service also gathers network activity data. Thus, the cloud-based detection system receives activity reports from all across the enterprise and can respond rapidly to any type of threat.

Who is it recommended for?

The Singularity platform is an XDR rather than an EDR. The difference between these two definitions is that an XDR interfaces with third-party security tools and doesn’t just rely on data uploaded by local agents. The package can shut down attacks by suspending accounts in Active Directory or writing new firewall rules to ban specific IP addresses.


  • Interfaces with third-party security tools
  • Processes log messages for threat hunting
  • Protects cloud services as well as on-premises systems


  • Too big for small businesses

SentinelOne Singularity uses a combination of artificial intelligence and behavioral analysis to detect and prevent cyber attacks in real-time. It provides a centralized platform for managing and securing endpoints, including desktops, laptops, servers, and mobile devices. The licensing and pricing for SentinelOne Singularity are typically based on an annual subscription per endpoint and are calculated based on the number of devices that need to be protected. The exact pricing will depend on various factors such as the size of the organization and the specific requirements of the customer.