
Compare Next-Generation Endpoint Security

Data valid as of February 2020.

Products compared (one column each in the original chart): Cisco AMP for Endpoints, VMware Carbon Black Endpoint Security, CrowdStrike Falcon, and Microsoft Defender ATP.

Detection

Layers of integrated detection techniques
  Cisco AMP for Endpoints: 15. Cisco AMP for Endpoints employs a detection lattice: exploit prevention uses deception technology to protect applications in memory and provides script and memory control, and System Process Protection monitors all processes. AMP offers a 1:1 SHA matching engine (public, private, or hybrid); Tetra antivirus; Threat Grid sandboxing; ETHOS fuzzy fingerprinting; SPERO machine learning; cloud indicators of compromise (IOC) and reputation analytics; command-line interface (CLI) capture; memory, fileless, script, and mutation protection; vulnerable software; Cognitive Threat Analytics (CTA); custom hash detections; ClamAV signatures; and application blocking.
  VMware Carbon Black: 4. Carbon Black employs allowlisting, machine learning, behavioral analytics, and next-generation antivirus.
  CrowdStrike Falcon: 5. CrowdStrike Falcon employs cloud-based next-generation antivirus and IOC detection, indicators of attack (IOA) for fileless malware, machine learning and AI, blocklists and allowlists, and known-exploit blocking.
  Microsoft Defender ATP: 10. Microsoft Defender ATP is a post-breach detection, investigation, and response tool. Most of the Microsoft protections are built into the Windows 10 operating system, which customers get regardless of the endpoint security vendor: threat and vulnerability management and attack surface reduction (hardware-based isolation, app control, exploit protection, network protection, controlled folder access, network firewall, antivirus). AV Scan Engine, App Execution Restriction, Network File Quarantine, and Collect Investigation Package are part of Microsoft Defender ATP.

Endpoint agents required
  Cisco AMP for Endpoints: 1. Our single, lightweight AMP for Endpoints agent and Cisco Threat Response provide all the capabilities listed in this chart. Unless otherwise noted, no other Cisco product is required to meet the listed functionality.
  VMware Carbon Black: 1. One endpoint agent is required to achieve all the functionality described here.
  CrowdStrike Falcon: 1. One endpoint agent is required to achieve all the functionality described here.
  Microsoft Defender ATP: 1. One endpoint agent is required to achieve all the functionality described here.

Continuous analysis and retrospective detection
  Cisco AMP for Endpoints: One lightweight AMP for Endpoints agent and Cisco Threat Response provide all the capabilities listed in this chart. Unless otherwise noted, no other Cisco product is required to meet the listed functionality.
  VMware Carbon Black: Limited. Carbon Black employs continuous analysis using VMware Carbon Black Cloud Endpoint Standard. It does not perform retrospective detection.
  CrowdStrike Falcon: Limited. CrowdStrike Falcon offers DVR capability down to 5-second visibility of the endpoint. Retrospective detection is manual and part of threat hunting.
  Microsoft Defender ATP: Limited. Defender ATP employs continuous analysis. It does not perform retrospective detection.

Device trajectory
  Cisco AMP for Endpoints: Continuous. The Cisco AMP for Endpoints client and Cisco Threat Response map how hosts interact with files, including malware, across your endpoint environment. It can see whether a file transfer was blocked or the file was quarantined. It can scope the threat, provide outbreak controls, and identify patient zero.
  VMware Carbon Black: Carbon Black has a very rich process tree for investigation and makes the investigation process visually appealing.
  CrowdStrike Falcon: CrowdStrike provides device trajectory on a per-host basis.
  Microsoft Defender ATP: Microsoft uses Investigation Graph to show details.

Multiple detection measures
  Cisco AMP for Endpoints: Cisco AMP uses several methods of detection, including fuzzy fingerprinting (ETHOS), machine learning (SPERO), dynamic file analysis (Threat Grid), and 1:1 SHA matching, all supported by Talos, the world's largest threat intelligence group.
  VMware Carbon Black: Carbon Black detects 150 behaviors but has no trajectory and no behavioral IOCs. Events are based on signatures, vulnerabilities, and point-in-time analysis.
  CrowdStrike Falcon: Falcon can detect 120 local event types streamed in real time and uses hash and behavioral blocking, credential theft and privilege escalation, boot sector, process, stack, and other techniques.
  Microsoft Defender ATP: Microsoft Defender ATP is a post-breach detection, investigation, and response tool. Most of the Microsoft protections are built into the Windows 10 operating system, which customers get regardless of the endpoint security vendor: threat and vulnerability management and attack surface reduction (hardware-based isolation, app control, exploit protection, network protection, controlled folder access, network firewall, AV). AV Scan Engine, App Execution Restriction, Network File Quarantine, and Collect Investigation Package are part of Microsoft Defender ATP.

Dynamic file analysis
  Cisco AMP for Endpoints: Threat Grid is now fully integrated into AMP for Endpoints. This automated detonation engine observes, deconstructs, and analyzes using several methods. It is highly impervious to sandbox-aware malware.
  VMware Carbon Black: Needs an integration point with a partner for sandboxing technology. Vendors like Lastline and Palo Alto can provide this functionality for Carbon Black.
  CrowdStrike Falcon: Limited. Falcon Sandbox offers cloud and on-premises deployments but does not integrate with supporting systems such as NGIPS, breach detection (BDS), or breach prevention (BPS).
  Microsoft Defender ATP: Limited. Microsoft offers cloud-based sandbox protection but does not support on-premises deployments. It does not integrate with supporting systems such as NGIPS, BDS, or BPS.

File analysis deployment model
  Cisco AMP for Endpoints: Both on-premises and cloud. Threat Grid detonation technology is fully integrated in AMP for Endpoints. File analysis can also be separated into an on-premises solution for customers who have cloud restrictions. Because AMP Threat Grid uses a proprietary analysis mechanism and 100 other anti-evasion techniques, it is undetectable by malware that is trying to avoid analysis and sandboxing. Threat Grid uses the widest set of analysis techniques, including but not limited to host, network, static, and dynamic analysis, as well as pre- and post-execution analysis of the primary boot record.
  VMware Carbon Black: Needs an integration point with a partner for sandboxing technology.
  CrowdStrike Falcon: Limited. Falcon Sandbox offers cloud and on-premises deployments but does not integrate with supporting systems such as NGIPS, BDS, or BPS.
  Microsoft Defender ATP: Limited. Microsoft offers cloud-based sandbox protection but does not support on-premises deployments. It does not integrate with supporting systems such as NGIPS, BDS, or BPS.

API support
  Cisco AMP for Endpoints: Use REST API access to pull events, indicators of compromise (IOCs), and device data. You can script and customize the API to fit the environment.
  VMware Carbon Black: Open API.
  CrowdStrike Falcon: Open API.
  Microsoft Defender ATP: API access with OAuth 2.0 authentication.

Low prevalence
  Cisco AMP for Endpoints: AMP for Endpoints automatically identifies executables that exist in low numbers across the endpoints and analyzes those samples in the cloud-based sandbox to uncover new threats. Targeted malware and advanced persistent threats often start on only a few endpoints, that is, with low prevalence.
  VMware Carbon Black: Limited. A list of low-prevalence apps and executables can be manually extracted and sent for analysis.
  CrowdStrike Falcon: Limited. Requires Falcon Discover. A list of low-prevalence apps and executables can be manually extracted and sent for analysis.
  Microsoft Defender ATP: Limited. A list of low-prevalence apps and executables can be manually extracted and sent for analysis.

File trajectory
  Cisco AMP for Endpoints: AMP for Endpoints and Cisco Threat Response help gain visibility into the scope of a breach (how many endpoints are affected by the malware in question). Discover patient zero: when the malware was first seen, on which computer in your environment, what its parentage is, and how it moves between hosts. No additional Cisco product is required.
  VMware Carbon Black: Limited. Carbon Black's scope focuses on local host processes and does not track from the perspective of the file and where it has traveled.
  CrowdStrike Falcon: Limited. CrowdStrike focuses on local host processes, using indicators of attack, and does not track from the perspective of a file and where it has traveled.
  Microsoft Defender ATP: Limited. Defender ATP does not show the initial point of malware infection (patient zero) or the malware's movement inside the network.

Prevention

Allowlists and blocklists
  Cisco AMP for Endpoints: With AMP for Endpoints, you can blocklist false negatives and allowlist false positives, giving you the power to override dispositions set by Cisco Talos.
  VMware Carbon Black: Bit9 was one of the first applications to allowlist and blocklist. Now called Carbon Black Enterprise Protection/App Control, it is the base of the endpoint security architecture that Carbon Black provides.
  CrowdStrike Falcon: CrowdStrike provides the ability to blocklist false negatives and allowlist false positives, giving administrators the power to override dispositions set by Falcon.
  Microsoft Defender ATP: Defender ATP provides the ability to blocklist false negatives and allowlist false positives, giving administrators the power to override dispositions.

Software vulnerabilities
  Cisco AMP for Endpoints: With AMP you can view the number and severity of vulnerable applications and how many endpoints each application has been seen on within the environment. You can link the vulnerabilities for each application to the associated Common Vulnerabilities and Exposures (CVE) entries.
  VMware Carbon Black: Limited. Carbon Black needs to integrate with IBM BigFix to provide hosts with vulnerabilities related to CVEs. Audit and Remediation (an add-on) can optionally be used to get vulnerability visibility manually.
  CrowdStrike Falcon: Limited. Requires CrowdStrike Falcon Spotlight. There is no way to specifically search for CVEs related to hosts on the network. Falcon uses IOA to detect exploits on a system. CVEs are located in the research information on the system.
  Microsoft Defender ATP: Defender ATP can show app vulnerabilities on Windows 10 systems.

Integrated advanced threat protection (attack detonation)
  Cisco AMP for Endpoints: AMP for Endpoints employs built-in sandboxing capabilities (via its full integration of Threat Grid), plus event correlations, more than 1300 IOCs, billions of malware artifacts, and easy-to-understand threat scores. AMP for Endpoints is a full AV client as well and meets PCI/HIPAA audit requirements as an AV replacement.
  VMware Carbon Black: Limited. By itself, Carbon Black does not offer closed-loop ATP. Carbon Black may integrate with other vendors such as Lastline and Palo Alto Networks, with separate licensing, support, and management.
  CrowdStrike Falcon: CrowdStrike Falcon Sandbox includes 700 generic behavior indicators.
  Microsoft Defender ATP: Content analysis submits suspicious files identified by automated investigation to the cloud for additional inspection.

Sandbox-aware malware
  Cisco AMP for Endpoints: AMP uses a proprietary analysis mechanism and 100 other anti-evasion techniques. It is undetectable by malware that is trying to avoid analysis and sandboxing.
  VMware Carbon Black: Limited. Carbon Black does not employ its own advanced threat protection (ATP) or sandbox. It must integrate with Palo Alto Networks, Lastline, or others to provide malware detonation capabilities. None of the third-party integrations can detect ATP- or sandbox-aware malware.
  CrowdStrike Falcon: Limited. Falcon Sandbox cannot detect sandbox-aware malware. CrowdStrike collects both static file data and behavioral data as the file runs, sends this data to the cloud, and through machine learning gives the file a score that indicates how likely the file is to be malicious. If the file has a known behavioral capability, CrowdStrike will prevent the file from causing harm, but it does not remove it. If the file does not have an indicator (anti-exploit), then the asset may be at risk (action not blocked). If CrowdStrike is disabled or removed, the asset is at risk, because the previous malware code still resides on the asset.
  Microsoft Defender ATP: Limited. Certain actions like quarantine and restore are limited by the OS. Microsoft Sandbox cannot detect sandbox-aware malware.
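
Three of the rows above describe a mechanism rather than a feature list: low-prevalence detection (flag executables seen on only a few endpoints and send them for analysis), file trajectory (find patient zero, that is, the earliest sighting of a hash and the process that introduced it), and allowlists/blocklists (let a local decision override the cloud disposition). The script below is an added example written for this page, not code from Cisco, VMware Carbon Black, CrowdStrike, or Microsoft. It assumes a flat list of "file seen on host" records and a hash-to-verdict map that stands in for a vendor's reputation feed; every hash label, hostname, process name, timestamp, and verdict in it is constructed. The precedence order (local blocklist, then local allowlist, then cloud verdict) is a design choice of this example, chosen so that an operator's block decision always wins.

```python
# Added example (not vendor code): hash prevalence across endpoints, patient-zero
# lookup, and local allowlist/blocklist overrides on top of a cloud verdict.
# Every hash label, hostname, process name and verdict below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Sighting:
    """One 'file seen on host' record as an endpoint agent would report it."""
    host: str
    sha256: str   # placeholder label standing in for a real SHA-256
    parent: str   # process that wrote or launched the file
    seen_at: datetime


def _t(day, hour, minute):
    """Shorthand for a constructed February 2020 timestamp."""
    return datetime(2020, 2, day, hour, minute)


# Constructed telemetry: six executables seen across five workstations.
SIGHTINGS = [
    Sighting("ws-001", "hash-office", "explorer.exe", _t(1, 8, 0)),
    Sighting("ws-002", "hash-office", "explorer.exe", _t(1, 8, 5)),
    Sighting("ws-003", "hash-office", "explorer.exe", _t(1, 8, 10)),
    Sighting("ws-004", "hash-office", "explorer.exe", _t(1, 8, 15)),
    Sighting("ws-001", "hash-widget", "msiexec.exe", _t(1, 9, 0)),
    Sighting("ws-002", "hash-widget", "msiexec.exe", _t(1, 9, 5)),
    Sighting("ws-003", "hash-widget", "msiexec.exe", _t(1, 9, 10)),
    Sighting("ws-001", "hash-stale", "svchost.exe", _t(2, 9, 0)),
    Sighting("ws-002", "hash-stale", "svchost.exe", _t(2, 9, 30)),
    Sighting("ws-003", "hash-stale", "svchost.exe", _t(2, 9, 45)),
    Sighting("ws-001", "hash-admintool", "explorer.exe", _t(2, 14, 0)),
    Sighting("ws-002", "hash-dropper", "winword.exe", _t(3, 10, 15)),
    Sighting("ws-005", "hash-dropper", "outlook.exe", _t(3, 11, 40)),
    Sighting("ws-003", "hash-miner", "powershell.exe", _t(4, 2, 0)),
]

# Constructed stand-in for a vendor's cloud reputation feed.
CLOUD_DISPOSITION = {
    "hash-office": "clean",
    "hash-widget": "unknown",       # unknown but widespread
    "hash-stale": "clean",          # false negative: cloud has not caught up yet
    "hash-admintool": "malicious",  # false positive: an in-house admin tool
    "hash-dropper": "unknown",      # unknown and rare
    "hash-miner": "malicious",
}
LOCAL_BLOCKLIST = {"hash-stale"}      # operator overrides the false negative
LOCAL_ALLOWLIST = {"hash-admintool"}  # operator overrides the false positive


def prevalence(sightings):
    """Map each hash to the number of distinct hosts it was seen on."""
    hosts = defaultdict(set)
    for s in sightings:
        hosts[s.sha256].add(s.host)
    return {sha: len(h) for sha, h in hosts.items()}


def low_prevalence(sightings, max_hosts=2):
    """Hashes seen on at most max_hosts endpoints: candidates for sandboxing."""
    return {sha for sha, n in prevalence(sightings).items() if n <= max_hosts}


def patient_zero(sightings, sha256):
    """Earliest sighting of a hash (host and introducing process), or None."""
    hits = [s for s in sightings if s.sha256 == sha256]
    return min(hits, key=lambda s: s.seen_at) if hits else None


def disposition(sha256, cloud, blocklist, allowlist):
    """Local lists override the cloud verdict; blocklist beats allowlist."""
    if sha256 in blocklist:
        return "malicious"
    if sha256 in allowlist:
        return "clean"
    return cloud.get(sha256, "unknown")


def triage(sightings, cloud, blocklist, allowlist, max_hosts=2):
    """Choose an action per hash from its disposition and its prevalence."""
    rare = low_prevalence(sightings, max_hosts)
    actions = {}
    for sha in prevalence(sightings):
        verdict = disposition(sha, cloud, blocklist, allowlist)
        if verdict == "malicious":
            actions[sha] = "quarantine"
        elif verdict == "clean":
            actions[sha] = "allow"
        elif sha in rare:
            actions[sha] = "submit_for_analysis"  # unknown and rare: detonate
        else:
            actions[sha] = "monitor"              # unknown but widespread
    return actions
```

Running `triage(SIGHTINGS, CLOUD_DISPOSITION, LOCAL_BLOCKLIST, LOCAL_ALLOWLIST)` quarantines the blocklisted `hash-stale` despite its clean cloud verdict, allows the allowlisted `hash-admintool` despite its malicious one, sends the rare unknown `hash-dropper` for analysis, and only monitors the widespread unknown `hash-widget`; `patient_zero(SIGHTINGS, "hash-dropper")` returns the ws-002 sighting introduced by winword.exe. Pick the `max_hosts` threshold from your fleet size: a hash on two hosts out of ten is not rare, but two out of ten thousand is.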

Response

Threat hunting
  Cisco AMP for Endpoints: Orbital Advanced Search helps make security investigation and threat hunting simple by providing hundreds of pre-canned queries. It allows you to quickly run complex queries on endpoints and gain deeper visibility into what happened, whether as part of incident response, threat hunting, IT operations, or vulnerability and compliance work.
  VMware Carbon Black: Limited. Carbon Black uses osquery for querying endpoints but does not offer integration with advanced sandbox solutions for behavioral indicators. It offers a limited number (64) of pre-built queries.
  CrowdStrike Falcon: Limited. CrowdStrike uses Splunk Search for querying endpoints but does not offer integration with advanced sandbox solutions for behavioral indicators. It offers a limited number (11) of pre-built queries.
  Microsoft Defender ATP: Limited. Microsoft uses Kusto Query Language for querying endpoints but does not offer integration with advanced sandbox solutions for behavioral indicators. It offers no threat- or malware-focused pre-built queries.

Malware remediation
  All four products: Malicious files can be automatically quarantined or removed.

Malware gateway determination
  Cisco AMP for Endpoints: Exposes the entry point for malware and other files to help responders quickly assess the root cause and implement proper enforcement against further instances.
  VMware Carbon Black: Only possible with an integration point to a third-party solution.
  CrowdStrike Falcon: Falcon can be used to determine the root cause of the incident.
  Microsoft Defender ATP: Root cause determination is possible.

Custom detection
  Cisco AMP for Endpoints: Helps administrators quickly enforce full protection against questionable files and targeted attacks across both endpoint and network control planes, based on endpoint activity.
  VMware Carbon Black: Custom detection and blocking can be done by adding custom file hashes.
  CrowdStrike Falcon: Custom detection and blocking can be done by adding custom file hashes.
  Microsoft Defender ATP: Custom detection and blocking can be done by adding custom file hashes.

File search and fetch
  Cisco AMP for Endpoints: AMP with Cisco Threat Response lets administrators hunt for any questionable file in an organization, see its dispersion through the installed base, and pull the file off any endpoint for further forensics and analysis.
  VMware Carbon Black: Files can be searched for and fetched from the endpoint.
  CrowdStrike Falcon: Limited. Files can be searched for but not fetched.
  Microsoft Defender ATP: Limited. Files can be searched for but not fetched.

Vulnerable application visibility
  Cisco AMP for Endpoints: AMP dynamically exposes the vulnerable applications in an endpoint environment, aiding administrators and responders in better instructing and informing the patch management process.
  VMware Carbon Black: Limited. Carbon Black needs to integrate with IBM BigFix to provide hosts with vulnerabilities related to CVEs. Audit and Remediation (an add-on) can optionally be used to get vulnerability visibility manually.
  CrowdStrike Falcon: Limited. Requires CrowdStrike Falcon Spotlight. There is no way to specifically search for CVEs related to hosts on the network. Falcon uses IOA to detect exploits on a system. CVEs are located in the research information on the system.
  Microsoft Defender ATP: Shows vulnerable applications and OS entities for Windows 10.

Integrated DNS-level protection
  Cisco AMP for Endpoints: Exposes malicious domains associated with malware, giving users the ability to dynamically block access through Umbrella integration. Prevents command-and-control callbacks for data exfiltration and stops execution of ransomware encryption. Provides up-to-the-minute threat data and historical context about domains, IPs, and file hashes for faster investigation.
  VMware Carbon Black: Limited. Infoblox services are required; they provide domain reputation to Carbon Black for correlation and enforcement.
  CrowdStrike Falcon: Limited. Falcon DNS requires Falcon OverWatch, which is delivered as a managed service in which DNS monitoring and alerting take place.
  Microsoft Defender ATP: Limited. Does not offer integrated DNS-level protection.

Extensive threat information across threat vectors
  Cisco AMP for Endpoints: AMP is directly tied to Talos threat intelligence, so AMP can immediately see anything Talos sees. AMP can instantly defend the endpoint against threats seen by your own or another organization's firewall, web URL, DNS entry, other endpoint, or email gateway. Because AMP is built on the Unity framework, AMP has a global view of threats across all threat vectors.
  VMware Carbon Black: Limited. Lacks information from different threat vectors such as firewalls, endpoints, email gateways, and DNS.
  CrowdStrike Falcon: Limited. Lacks information from different threat vectors such as firewalls, DNS, and email gateways.
  Microsoft Defender ATP: Limited. Lacks information from different threat vectors such as firewalls and DNS.

Architecture

Operating system supportWindows (XP, 7, 10, or later), MacOS, Linux, Android, and iOS. Cisco AMP is the only antimalware software available for iOS, as part of the Apple-Cisco API partnership.LimitedWindows, MacOS, and Linux (no mobile device protection).LimitedWindows, MacOS, and Linux. (Falcon for mobile devices requires additional purchase.)LimitedMicrosoft's primary focus is on Windows 10. Coverage for MacOS (EDR) was introduced and Linux is on the roadmap. The future of existing partnerships for MacOS and Linux (with SentinelOne, Ziften, and Bitdefender) is unknown.
Windows (XP, 7, 10, or later), MacOS, Linux, Android, and iOS. Cisco AMP is the only antimalware software available for iOS, as part of the Apple-Cisco API partnership.Windows, MacOS, and Linux (no mobile device protection).Windows, MacOS, and Linux. (Falcon for mobile devices requires additional purchase.)Microsoft's primary focus is on Windows 10. Coverage for MacOS (EDR) was introduced and Linux is on the roadmap. The future of existing partnerships for MacOS and Linux (with SentinelOne, Ziften, and Bitdefender) is unknown.
Deployment model
Cisco AMP for Endpoints (Both cloud and on-premises): AMP is 100% managed in the cloud, reducing TCO. It is also offered as an on-premises solution for organizations with cloud restrictions, such as the U.S. government.
VMware Carbon Black Endpoint Security (Limited/cloud only): Depending on the product, it is on-premises or in the cloud. VMware Carbon Black Cloud Endpoint Standard (next-generation AV and behavioral EDR) is cloud-based only. App Control and Carbon Black EDR (threat hunting and IR for hybrid deployments) are available for on-premises deployments.
CrowdStrike Falcon (Limited/cloud only): Deploys only in the cloud; no on-premises installations for the private sector or air-gapped networks. (Only Falcon Sandbox is available for on-premises deployment.)
Microsoft Defender ATP (Limited/cloud only): Deploys only in the cloud; no on-premises installations for the private sector or air-gapped networks.
Offline support
Cisco AMP for Endpoints: Offline protection is constant with Exploit Prevention, AV, and the AMP engine.
VMware Carbon Black Endpoint Security: Carbon Black provides offline support with VMware Carbon Black Cloud Endpoint Standard.
CrowdStrike Falcon: Falcon continues to run when the host is not connected to a network; however, the efficacy of this function has never been publicly proven.
Microsoft Defender ATP: Defender ATP offers offline protection using attack surface reduction/AV.
Closed-loop detection; integration with other platforms
Cisco AMP for Endpoints: Integrates with Cisco Firepower NGFW, Firepower NGIPS, ISE, and other AMP platforms, such as AMP for Email and Web Security. This integration is relevant when organizations own several platforms, but owning several platforms is not required to fulfill any of the functionality of AMP for Endpoints referenced in this comparison.
VMware Carbon Black Endpoint Security (Limited): Open API. Can ingest common scripting languages. Integrates with solutions from Palo Alto Networks, Check Point, Blue Coat, Cyphort, Fidelis, Damballa, Splunk, Red Canary, and others.
CrowdStrike Falcon: Falcon API and Falcon Streaming API for third parties.
Microsoft Defender ATP (Limited): Integrates with certain third-party SIEM solutions and orchestration/automation platforms, and managed service providers. Integrates with Bitdefender, SentinelOne, and Ziften for MacOS and Linux, as well as Palo Alto Networks, ThreatConnect for threat intelligence, and Morphisec for MTTD. Integrates with Microsoft's own services such as Skype for Business, Azure ATP, the Office 365 Threat Intelligence connection, Microsoft Cloud App Security, Azure Information Protection, and Microsoft Intune.

Integration

Integrations
Cisco AMP for Endpoints: REST API.
VMware Carbon Black Endpoint Security: Open API. Can ingest common scripting languages. Integrates with solutions from Palo Alto Networks, Check Point, Blue Coat, Cyphort, Fidelis, Damballa, Splunk, Red Canary, and others.
CrowdStrike Falcon: Falcon API and Falcon Streaming API for third parties.
Microsoft Defender ATP: Defender ATP integrates with certain third-party SIEM solutions and orchestration/automation platforms, and managed service providers. Integrates with Bitdefender, SentinelOne, and Ziften for MacOS and Linux, as well as Palo Alto Networks, ThreatConnect for threat intelligence, and Morphisec for MTTD. It has integration with Microsoft's own services such as Skype for Business, Azure ATP, the Office 365 Threat Intelligence connection, Microsoft Cloud App Security, Azure Information Protection, and Microsoft Intune.

Third-party validation

AV Comparatives Test Report Dec 2019
Cisco AMP for Endpoints: AV Comparatives Testing: 99.5% efficacy in Malware Protection Tests with zero false alarms. High Protection Rate of 97.2% with only one false alarm in the Real-World Protection Test.
VMware Carbon Black Endpoint Security: Did not participate in AV Comparatives Testing.
CrowdStrike Falcon (Limited): AV Comparatives Testing: 96% efficacy in Malware Protection Tests. Protection Rate of 96.4% with only six false alarms in the Real-World Protection Test.
Microsoft Defender ATP (Limited): AV Comparatives Testing: Protection Rate of 99.6% but with the highest number of false alarms (45) amongst 17 vendors in the Real-World Protection Test. (Points to aggressive blocking thresholds that could lead to more work for the security analysts.)

Other services

Cybersecurity insurance
Cisco AMP for Endpoints: The Cisco, Apple, Allianz, and Aon collaboration for cyber insurance is an industry first. Collectively, we provide a holistic framework to decisively act on cyber risk, giving organizations streamlined access to the right tools and cyber insurance to strengthen security, reduce risk, and cover the complete cost of a breach if needed.
VMware Carbon Black Endpoint Security: None offered.
CrowdStrike Falcon (Limited): Up to $1 million breach prevention warranty with Falcon EPP "in the event that a customer using EPP Complete experiences a breach within their protected environment that EPP Complete should have prevented." Thus, if you experience a breach and Falcon cannot detect it, there is no coverage.
Microsoft Defender ATP: None offered.
Managed security services
Cisco AMP for Endpoints: Cisco Managed Detection and Response (MDR) provides 24/7 threat analysis and incident monitoring, Cisco Collective Security Intelligence Enrichment (including Talos), log and telemetry collection, metadata extraction, rules-based analytics, full packet capture, high-touch incident support, a customer portal, and proactive threat hunting.
VMware Carbon Black Endpoint Security (Limited): VMware Carbon Black Cloud Managed Detection offers alert validation by analyzing and prioritizing alerts; trend monitoring; and context for alerts for root-cause analysis.
CrowdStrike Falcon: Falcon Overwatch provides 24/7 operations and alert prioritization.
Microsoft Defender ATP (Limited): Managed threat hunting via the Microsoft Threat Experts service in Microsoft Defender ATP.