Cisco Secure Endpoint Data Sheet

Data Sheet

Available Languages

Download Options

  • PDF
    (1.7 MB)
    View with Adobe Reader on a variety of devices
Updated:February 16, 2023

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (1.7 MB)
    View with Adobe Reader on a variety of devices
Updated:February 16, 2023


Product overview

Cisco® Secure Endpoint integrates prevention, detection, threat hunting, and response capabilities in a unified solution leveraging the power of cloud-based analytics. Secure Endpoint will protect your Windows, Mac, Linux, Android, and iOS devices through a public or private cloud deployment.

Cisco Secure Endpoint is a single-agent solution that provides comprehensive protection, detection, response, and user access coverage to defend against threats to your endpoints. The SecureX platform is built into Secure Endpoint, as well as Extended Detection and Response (XDR) capabilities. The newly introduced Cisco Secure MDR for Endpoint combines Secure Endpoint’s superior capabilities with security operations expertise to dramatically reduce the mean time to detect and respond to threats.


In the rapidly evolving world of malware, threats are becoming harder and harder to detect. The most advanced 1% of these threats, those that will eventually enter and wreak havoc in your network, could potentially go undetected. However, Secure Endpoint provides comprehensive protection against that 1%. Secure Endpoint prevents breaches, blocks malware at the point of entry, and continuously monitors and analyzes file and process activity to rapidly detect, contain, and remediate threats that can evade front-line defenses.

The recently introduced Cisco Secure MDR for Endpoint adds further value by combining human and machine intelligence, leveraging an elite team of Cisco security researchers, investigators, and responders who utilize integrated threat intelligence, defined investigations, and response playbooks supported by Cisco Talos threat research. We can identify and then stop threats, block malware, and contain and recommend remediation actions for even advanced threats that evade front-line defenses 24x7x365 from our dedicated, global Security Operations Centers (SOCs).


Stopping threats at the earliest point in time ensures minimal damage to endpoints and less downtime after a breach. Secure Endpoint employs a robust set of preventative technologies to stop malware, in real-time, protecting endpoints against today’s most common attacks as well as emerging cyberthreats.

File reputation: Secure Endpoint contains a comprehensive database of every file that has ever been seen and a corresponding good or bad disposition. As a result, known malware is quickly and easily quarantined at the point of entry without any processor-intensive scanning.

Antivirus: Secure Endpoint includes constantly updated, definition-based antivirus engines for both Windows and Mac or Linux endpoints. All endpoints benefit from custom signature-based detection, allowing administrators to deliver robust control capabilities and enforce blocklists. The antivirus signature database resides locally on each endpoint, meaning it does not rely on cloud connectivity to operate. This ensures that your endpoints are protected both on- and offline.

Polymorphic malware detection: Malware actors will often write different variations of the same malware to avoid common detection techniques. Secure Endpoint can detect these variants, or polymorphic malware through loose fingerprinting. Loose fingerprinting will look for similarities between the suspicious file’s content and the content of known malware families, and convict if there is a substantial match.

Machine learning analysis: Secure Endpoint is trained by algorithms to “learn” to identify malicious files and activity based on the attributes of known malware. Machine learning capabilities in Secure Endpoint are fed by the comprehensive data set of Cisco Talos™ to ensure a better, more accurate model. Together, the machine learning in Secure Endpoint can help detect never-before-seen malware at the point of entry.

Exploit prevention: Memory attacks can penetrate endpoints, and malware evades security defenses by exploiting vulnerabilities in applications and operating system processes. The exploit prevention feature will defend endpoints from exploit-based, memory injection attacks.

Script protection: Secure Endpoint provides enhanced visibility in Device Trajectory into scripts executing on your endpoints and helps protect against script-based attacks commonly used by malware. Script control provides additional protection by allowing the Exploit Prevention engine to prevent certain DLLs from being loaded by some commonly exploited desktop applications and their child processes.

Behavioral protection: Secure Endpoint’s enhanced behavioral analysis continually monitors all user and endpoint activity to protect against malicious behavior in real-time by matching a stream of activity records against a set of attack activity patterns which are dynamically updated as threats evolve. For example, this enables granular control and protection from the malicious use of living-off-the-land tools.

Device Control: Secure Endpoint lets you control the usage of USB mass storage devices and prevent attacks from these devices. With visibility, endpoint administrators can review device connect/disconnect events, access violation events, use the API to manage device control configurations and rules, among others. With control, administrators define the default behavior when devices are connected, and create granular rules to further support varied approaches to controlling these devices.


Though malware prevention techniques are necessary for a complete next-generation endpoint security solution, combatting advanced threats requires additional measures. Secure Endpoint continuously monitors endpoints to help detect new and unknown threats.

Malicious activity protection: Secure Endpoint continually monitors all endpoint activity and provides run-time detection and blocking of abnormal behavior of a running program on the endpoint. For example, when endpoint behavior indicates ransomware, the offending processes are terminated, preventing endpoint encryption and stopping the attack.

Cloud-based indicators of compromise: Cisco’s industry-leading threat intelligence organization, Talos, constantly analyzes malware to discover new threat types and build behavioral and forensic profiles for emerging threats, otherwise known as Indicators of Compromise (IoCs). The forensic data, such as file locations or modifications to registry key values, are all data that Secure Endpoint can use to help administrators identify systems that have been breached.

Host-based IoCs: Administrators can write their own custom IoCs for use in incident response to scan for post-compromise indicators across the entire endpoint deployment. Custom IoCs are written in an open standard format (OpenIOC) making it easy to leverage data from any existing intelligence feeds.

Vulnerabilities: For customers on Advantage or Premier Tier, Secure Endpoint integrates with Kenna Security to identify OS vulnerabilities in your environment to help reduce the attack surface. Endpoints that have vulnerabilities are marked with a Risk Score, which enables administrators to prioritize remediation.

Low prevalence: Secure Endpoint will automatically identify executables that exist in low numbers across your endpoints and analyze those samples in our cloud-based sandbox to uncover new threats. Targeted malware or advanced persistent threats will often fly under the radar and start on only a few endpoints, but with low prevalence, Secure Endpoint will automatically threat hunt to help easily uncover the 1% of threats that would have otherwise gone unnoticed.

Threat hunting

SecureX Threat Hunting is a proactive analyst-centric approach to detecting hidden advanced threats. This capability is offered exclusively as part of the new Premier license tier within Secure Endpoint. It tells the incident responders a narrative of how an attack was spotted or how it evolved and what to do next in terms of response. The purpose is to discover and thwart attacks before they cause any damage. As a side-effect of leveraging a regular and continuous threat hunting, an organization increases their knowledge of vulnerabilities and risks which further allows the hardening of their security environment.

SecureX Threat Hunting leverages the expertise of both Talos and the Cisco Research and Efficacy Team to help identify threats found within the customer environment. Cisco delivers highly automated human-driven hunts based on playbooks producing high-fidelity alerts. The process uniquely combines the Orbital Advanced Search technology with expertise from elite threat hunters, with 20 years of industry experience, to proactively find more sophisticated threats.

The Secure Endpoint Premier license is available to order globally in all regions. However, the SecureX Threat Hunting infrastructure that processes the customer telemetry and executes hunts is currently available only in North America.

Secure Endpoint response

As the number and variety of advanced threats designed to slip past preventative measures increase, the possibility of a breach should be treated as an eventuality. With that mindset, a powerful toolset should be deployed to help easily identify infected endpoints and understand the scope of an attack. In addition to multiple prevention and detection capabilities, Secure Endpoint offers granular endpoint visibility and response tools to handle security breaches quickly and efficiently.

Dashboards and inbox: Reports are not limited to event enumeration and aggregation. The actionable dashboards built into Secure Endpoint enable streamlined management and faster response. Events and endpoints are categorized by priority and tied into workflows to track progress during investigation.

Secure Endpoint dashboard

Figure 1.            

Secure Endpoint dashboard

Endpoint forensics: Powerful tools like file trajectory and device trajectory use Secure Endpoint’s continuous analysis capabilities to show you the full scope of a threat. Secure Endpoint identifies all affected applications, processes, and systems to pinpoint patient zero, as well as the method and point of entry. These capabilities help you quickly understand the scope of the problem by identifying malware gateways and the path that attackers are using to gain a foothold into other systems.

Secure Endpoint device trajectory

Figure 2.            

Secure Endpoint device trajectory

Dynamic analysis: Secure Endpoint includes a built-in, highly secure sandboxing environment, powered by Cisco Threat Grid, to analyze the behavior of suspect files. File analysis produces detailed information on files, including the severity of behaviors, the original file name, screenshots of the malware executing, and sample packet captures. Armed with this information, you’ll have a better understanding of what is necessary to contain the outbreak and block future attacks.

Retrospective security: Secure Endpoint employs patented technology that automatically uncovers advanced threats that have entered your environment. Powered by continuous monitoring, Secure Endpoint correlates new threat information with your past history and automatically quarantines files the moment they start to exhibit malicious behavior. This automated response to the latest threats provides a faster time to detection and greatly reduces the proliferation of the malware.

Command line visibility: Gaining visibility into command line arguments helps to determine if legitimate applications, including Windows utilities, are being used for malicious purposes. Secure Endpoint can uncover hard-to-detect behavior, such as the use of vssadmin to delete shadow copies or disable safe boots; PowerShell-based exploits; privilege escalation; modifications of access control lists; and attempts to enumerate systems.

Endpoint isolation: It is critical to isolate endpoints that have been compromised to stop threats from spreading and prevent them from communicating with their C&C while at the same time allowing information exchange with trusted resources such as the Secure Endpoint cloud. Endpoint Isolation allows one-click isolation of an infected endpoint along with the ability to whitelist trusted network resources. The endpoint can be de-isolated by a single click by the admin or through an unlock code by the user.

Advanced search: Advanced Search is an advanced capability in Cisco Secure Endpoint designed to make security investigation and threat hunting simple by providing over a hundred pre-canned queries, allowing you to quickly run complex queries on any or all endpoints. This enables you to gain deeper visibility on what happened to any endpoint at any given time by taking a snapshot of its current state. Whether you are doing an investigation as part of incident response, threat hunting, IT operations, or vulnerability and compliance, Advanced Search gets you the answers you need about your endpoints fast.

Cisco Secure MDR for Endpoint

Secure MDR for Endpoint is an optional managed endpoint detection and response (EDR) service where Cisco Security Operations Centers (SOCs) take in all events from Secure Endpoint, perform investigations, enrichments, and intelligence, and review them against playbooks and use cases (with extensive automation as well as human review and enrichment). These incidents are prioritized for you as P1-P4 (P1/P2 accompanied by direct communication) with mitigation implemented as fast as possible. Cisco will monitor the security alerts and respond appropriately within minutes of the initial event. This allows you to focus on what is important for your organization.

Dashboards and Inbox: The Secure MDR for Endpoint Service Portal is your main interface to the service. All incidents, support, feedback, metrics, and more are available there. You can quickly and easily contact the SOC directly via a new incident or an existing incident. The service portal provides widgets on the homepage to guide you to the latest incidents, all of which are listed by priority. The Approval Response Action interface provides a portal for rejection or approval of recommended remediation actions as well as links to incidents. We also provide a security news feed, incidents on hold for customer review, and the latest knowledge base articles.

Secure MDR for Endpoint portal

Figure 3.            

Secure MDR for Endpoint portal

The Service Catalog provides a way to give feedback, request support, request intelligence reports, and more.

The Secure MDR for Endpoint Knowledge base provides several useful guides and documentation around various aspects of the service and its products. Cisco Secure MDR for Endpoint provides release notes, product and service guides, best practices, license management info, and highly detailed intelligence articles and advisories directly from our dedicated intelligence team.

The Approval Response Action interface

Figure 4.            

The Approval Response Action interface

Cisco Secure Endpoint independent third-party tests

Cisco Secure Endpoint independent third-party tests

Platform support and compatibility

Secure Endpoint is compatible with the following operating systems:

      Windows (additional details here).

    Windows 7* (ESU required)

    Windows 8*, 8.1*, 10, 11

    Windows Server 2008 R2* (ESU Required)

    Windows Server 2012, 2012 R2, 2016, 2019, 2022

      Linux (additional details here)

    Red Hat Enterprise Linux 6, 7, 8

    CentOS 6, 7, 8

    Oracle Linux RHCK (Red Hat Compatible Kernel) 6, 7, 8

    Oracle UEK (Unbreakable Enterprise Kernels) 7, 8

    Alma Linux 8

    Rocky Linux 8

    Ubuntu Linux 18.04, 20.04

    Amazon Linux 2 - Kernel 4.14 and above

    SUSE Enterprise Linux 15 / openSUSE Leap 15

    Debian Linux 10, 11

      MacOS and iOS (additional details here)

    macOS 10.13, 10.14, 10.15, 11, 12

    iOS 14.4 and above


    Android 8.0 (Oreo) and above

*Limitations to legacy OS systems may apply

Warranty information

Find warranty information on the Product Warranties page.

Cisco environmental sustainability

Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table:

Sustainability topic


Information on product material content laws and regulations


Information on electronic waste laws and regulations, including products, batteries, and packaging

WEEE compliance

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Ordering information

Find the ordering guide here.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

For more information

For more information, please visit the following link: Cisco Secure Endpoint.




Learn more