
Compare Next-Generation Endpoint Security

Data valid as of March 2021.

Products compared: Cisco Secure Endpoint, VMware Carbon Black, CrowdStrike Falcon, Microsoft Defender ATP.

Detection

Layers of integrated detection techniques
Cisco Secure Endpoint (16): Cisco Secure Endpoint leverages multiple techniques for comprehensive protection: File reputation provides fast file disposition; antivirus for both Mac OS and Windows with custom signature-based detection allows online and offline protection; polymorphic malware detection with loose fingerprinting; System Process Protection engine protects critical Windows system processes from memory injection attacks by other processes; machine learning-based analysis with data sets from Talos; script protection; exploit prevention uses deception techniques to protect applications in memory and provides script and memory control; behavioral protection continuously monitors user/endpoint behaviors to protect against attacks such as living-off-the-land tools; malicious activity protection for ransomware protection; cloud-based indicators of compromise (IoCs) from Talos; host-based IoCs in OpenIOC format; CLI capture; Secure Malware Analytics advanced threat protection; and Orbital, which allows fast live and scheduled endpoint/app queries and detailed forensic snapshots.
VMware Carbon Black (8): Carbon Black employs watchlists; next-generation antivirus; banned lists; reputation assignment; CB Analytics/Custom; USB device blocking; cloud analysis via third-party Avira; live queries; and behavioral models.
CrowdStrike Falcon (11): CrowdStrike Falcon employs cloud-based next-generation antivirus; indicators of attack (IoA); suspicious entity blocking (including IoCs based on intelligence); exploit mitigation; behavior-based models; lateral movement/credential-based access; ML/AI; allow lists; real-time responses; endpoint query; and file sandboxing.
Microsoft Defender ATP (13): Microsoft Defender for Endpoint is a prevention, post-breach detection, investigation, and response tool. It includes threat and vulnerability management; next-generation protection (fileless, behavioral blocking, and UEFI scanner); attack surface reduction (hardware-based isolation, app control, exploit protection, network protection, controlled folder access, Azure Site Recovery (ASR), network firewall, and antivirus); deep file analysis; web protection; threat intelligence; antivirus scan engine; app execution restrictions; network file quarantine; and collecting an investigation package.
Endpoint agents required
Cisco Secure Endpoint (1): A single lightweight Cisco Secure Endpoint agent provides all the capabilities listed in this chart, including SecureX threat response. Unless otherwise noted, no other Cisco product is required to meet the listed functionality.
VMware Carbon Black (1): One endpoint agent is required to achieve all the functionality described here.
CrowdStrike Falcon (1): One endpoint agent is required to achieve all the functionality described here.
Microsoft Defender ATP (1): One endpoint agent is required to achieve all the functionality described here.
Continuous analysis and retrospective detection
Cisco Secure Endpoint: Cisco Secure Endpoint employs continuous analysis beyond the event horizon (point in time). It can retrospectively detect, alert, track, analyze, and remediate advanced malware that may at first appear clean or that evades initial defenses and is later identified as malicious.
VMware Carbon Black (Limited): VMware Carbon Black employs continuous analysis using Carbon Black Cloud Endpoint Standard. Retrospective detection is manual and part of threat hunting.
CrowdStrike Falcon (Limited): CrowdStrike Falcon offers DVR capability down to a 5-second visibility of the endpoint. Retrospective detection is manual and part of threat hunting.
Microsoft Defender ATP (Limited): Defender for Endpoint employs continuous analysis. It does not perform retrospective detection (part of threat hunting).
Device trajectory
Cisco Secure Endpoint: Device trajectory is continuous. Cisco Secure Endpoint and SecureX threat response map how hosts interact with files—including malware—across your endpoint environment. It can see if a file transfer was blocked or if the file was quarantined. It can scope the threat, provide outbreak controls, and identify patient zero.
VMware Carbon Black: Carbon Black has a very rich process tree for investigations and makes the investigation process visually appealing.
CrowdStrike Falcon: CrowdStrike provides device trajectory on a per-host basis.
Microsoft Defender ATP: Microsoft uses Investigation Graph to show details on a per-host basis.
Threat visualization, investigation and containment
Cisco Secure Endpoint: SecureX threat response builds Relations Graph to show clear and concise visualization of host interactions with malware, files, domains, and network addresses—which is key for incident investigations and rapid threat containment. It automatically enriches investigations with local/global file prevalence and, more importantly, with data from Talos threat intelligence, Umbrella (for DNS), Secure Endpoint (for global intelligence), Secure Malware Analytics (for file analysis), and more to highlight the systems under attack. Response and remediation actions are available from within investigations.
VMware Carbon Black (Limited): While Carbon Black does show per-host data, it does not show a visual representation of how hosts interact with malware, files, network addresses, and domains.
CrowdStrike Falcon (Limited): CrowdStrike Falcon, via Indicator Graph, offers visualization of incidents—but with limited enrichment capabilities, response, and remediation actions.
Microsoft Defender ATP (Limited): Graph (beta) shows the relations graph for entities (files, hosts) but with limited details and does not offer enrichment, response or remediation actions.
Multiple detection measures
Cisco Secure Endpoint: Cisco Secure Endpoint uses multiple techniques for detection: File reputation; antivirus engine with custom signatures; polymorphic malware detection with loose fingerprinting; System Process Protection engine; machine-learning engine; script protection; and exploit prevention. Behavioral protection defends against attacks such as living-off-the-land tools. It also provides malicious activity protection; cloud-based IoCs from Talos; host-based IoCs; low prevalence; CLI capture; Secure Malware Analytics advanced threat protection (ATP); and Orbital, which allows fast live and scheduled endpoint/app queries as well as detailed forensic snapshots.
VMware Carbon Black: Carbon Black employs watchlists; next-generation antivirus; banned lists; reputation assignment; CB Analytics/Custom; USB device blocking; cloud analysis via third-party Avira; live query; and behavioral models.
CrowdStrike Falcon: Falcon can detect 120 local event types streamed in real time and uses hash and behavioral blocking, credential theft and privilege escalation, boot sector, process, stack, and other techniques.
Microsoft Defender ATP: Microsoft Defender for Endpoint is a prevention, post-breach detection, investigation and response tool. It includes threat and vulnerability management; next-generation protection (fileless, behavioral blocking, UEFI scanner); attack surface reduction (hardware-based isolation, app control, exploit protection, network protection, controlled folder access, ASR, network firewall, antivirus); deep file analysis; web protection; threat intelligence; antivirus scan engine; app execution restriction; network file quarantine; and collecting an investigation package.
Dynamic file analysis
Cisco Secure Endpoint: Secure Malware Analytics is now fully integrated into Secure Endpoint. This automated detonation engine observes, deconstructs, and analyzes using several methods. It is effectively impervious to sandbox-aware malware.
VMware Carbon Black: Cloud-based only. Cloud analysis via Avira (third-party) as well as integrations with partners like Lastline and Palo Alto Networks for sandboxing.
CrowdStrike Falcon (Limited): Falcon Sandbox offers cloud and on-premises deployments but does not integrate with supporting systems such as NGIPS, breach detection (BDS), or breach prevention (BPS).
Microsoft Defender ATP (Limited): Microsoft offers cloud-based sandbox protection but does not support on-premises deployments. It does not integrate with supporting systems such as NGIPS, BDS, or BPS.
File analysis deployment model
Cisco Secure Endpoint: Both on-premises and cloud. Secure Malware Analytics detonation technology is fully integrated in Secure Endpoint. File analysis can also be separated into an on-premises solution for customers who have cloud restrictions. Because Secure Malware Analytics uses a proprietary analysis mechanism and 100 other anti-evasion techniques, it is completely undetectable by malware trying to avoid analysis and sandboxing. Secure Malware Analytics uses the widest set of analysis techniques, including but not limited to host, network, static, and dynamic analysis, as well as pre- and post-execution analysis of the master boot record.
VMware Carbon Black (Limited): Cloud-based only. Cloud analysis via Avira (third-party) as well as integrations with partners like Lastline and Palo Alto Networks for sandboxing.
CrowdStrike Falcon (Limited): Falcon Sandbox offers cloud and on-premises deployments but does not integrate with supporting systems such as NGIPS, BDS, or BPS.
Microsoft Defender ATP (Limited): Microsoft offers cloud-based sandbox protection but does not support on-premises deployments. It does not integrate with supporting systems such as NGIPS, BDS, or BPS.
API support
Cisco Secure Endpoint: Use REST API access to pull events, indicators of compromise (IoCs), and device data. You can script and customize the API to fit the environment.
VMware Carbon Black: Open API.
CrowdStrike Falcon: Open API.
Microsoft Defender ATP: API access with OAuth 2.0 authentication.
Low prevalence
Cisco Secure Endpoint: Secure Endpoint will automatically identify executables that exist in low numbers across the endpoints and analyze those samples in the cloud-based sandbox to uncover new threats. Targeted malware or advanced persistent threats often start on only a few endpoints and therefore have low prevalence.
VMware Carbon Black (Limited): Requires app control: A list of low-prevalence files can be manually extracted.
CrowdStrike Falcon (Limited): Requires Falcon Discover. A list of low-prevalence apps and executables can be manually extracted and sent for analysis.
Microsoft Defender ATP (Limited): A list of low-prevalence apps and executables can be manually extracted and sent for analysis.
File trajectory
Cisco Secure Endpoint: Secure Endpoint and SecureX threat response help gain visibility into the scope of a breach (how many endpoints are affected by subject malware). Discover patient zero: when the malware was first seen, on which computer in your environment, what its parentage is, how it moves between hosts, and the connections to IP addresses/domains it establishes. No additional Cisco product is required.
VMware Carbon Black (Limited): Carbon Black's scope focuses on local host processes and does not track from the aspect of the file and where it has traveled.
CrowdStrike Falcon (Limited): CrowdStrike shows data related to movement between hosts (first seen), network connections, etc.
Microsoft Defender ATP (Limited): Defender for Endpoint does not show the initial point of malware infection/patient zero data and its movement inside the network.
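The retrospective detection, low prevalence and file trajectory rows above rest on one underlying idea: keep every file sighting, and re-evaluate the record when a reputation verdict arrives or when a hash turns out to be rare. The following Python is an added illustration of that idea, not code from Cisco or from any vendor on this page; the telemetry, hosts and hash values are constructed placeholders, and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Sighting:
    """One endpoint telemetry record for a file hash (constructed, not real)."""
    ts: datetime
    host: str
    sha256: str
    parent: str            # process that dropped or launched the file
    remote: Optional[str]  # IP address/domain the file connected to, if any


# Constructed sample telemetry; hashes and hosts are placeholders.
SIGHTINGS: List[Sighting] = [
    Sighting(datetime(2021, 3, 1, 9, 0), "fin-laptop-07", "hash-A", "outlook.exe", None),
    Sighting(datetime(2021, 3, 1, 9, 5), "fin-laptop-07", "hash-A", "explorer.exe", "203.0.113.10"),
    Sighting(datetime(2021, 3, 1, 11, 30), "fin-laptop-12", "hash-A", "services.exe", None),
    Sighting(datetime(2021, 3, 2, 8, 15), "hr-desktop-03", "hash-A", "explorer.exe", "203.0.113.10"),
    Sighting(datetime(2021, 3, 1, 10, 0), "eng-ws-01", "hash-B", "msiexec.exe", None),
    Sighting(datetime(2021, 3, 1, 10, 0), "eng-ws-02", "hash-B", "msiexec.exe", None),
    Sighting(datetime(2021, 3, 1, 10, 0), "eng-ws-03", "hash-B", "msiexec.exe", None),
    Sighting(datetime(2021, 3, 1, 14, 0), "eng-ws-05", "hash-C", "explorer.exe", None),
]

# Constructed reputation feed: (time the verdict was published, hash, disposition).
# hash-A carries no verdict on day one and is re-classified as malicious on day two.
DISPOSITIONS: List[Tuple[datetime, str, str]] = [
    (datetime(2021, 3, 1, 8, 0), "hash-A", "unknown"),
    (datetime(2021, 3, 1, 8, 0), "hash-B", "clean"),
    (datetime(2021, 3, 1, 8, 0), "hash-C", "unknown"),
    (datetime(2021, 3, 2, 12, 0), "hash-A", "malicious"),
]


def disposition_at(updates, sha256: str, ts: datetime) -> str:
    """Verdict a point-in-time engine would have applied to sha256 at ts."""
    current = "unknown"
    for u_ts, u_hash, disp in sorted(updates):
        if u_hash == sha256 and u_ts <= ts:
            current = disp
    return current


def retrospective_alerts(sightings, updates) -> List[Sighting]:
    """Sightings that were not blocked when they happened (the verdict was not
    'malicious' yet) but whose hash is malicious under the latest verdict.
    A point-in-time engine never revisits these; a retrospective one does."""
    hits = [
        s for s in sightings
        if disposition_at(updates, s.sha256, s.ts) != "malicious"
        and disposition_at(updates, s.sha256, datetime.max) == "malicious"
    ]
    return sorted(hits, key=lambda s: s.ts)


def file_trajectory(sightings, sha256: str) -> Dict[str, object]:
    """Reconstruct where one file has been: patient zero, the order in which
    hosts picked it up, what launched it, and where it connected to."""
    events = sorted((s for s in sightings if s.sha256 == sha256), key=lambda s: s.ts)
    hosts: List[str] = []
    for e in events:
        if e.host not in hosts:
            hosts.append(e.host)  # order of first appearance = spread path
    return {
        "patient_zero": events[0].host if events else None,
        "first_seen": events[0].ts if events else None,
        "hosts": hosts,
        "parents": sorted({e.parent for e in events}),
        "remotes": sorted({e.remote for e in events if e.remote}),
    }


def low_prevalence(sightings, as_of: datetime, max_hosts: int = 2) -> List[str]:
    """Hashes seen on at most max_hosts endpoints up to as_of: candidates for
    automatic sandbox submission before any reputation verdict exists."""
    seen: Dict[str, Set[str]] = {}
    for s in sightings:
        if s.ts <= as_of:
            seen.setdefault(s.sha256, set()).add(s.host)
    return sorted(h for h, hosts in seen.items() if len(hosts) <= max_hosts)


if __name__ == "__main__":
    # Day one: hash-A sits on two hosts with no verdict; low prevalence flags it.
    print("low prevalence, end of day one:",
          low_prevalence(SIGHTINGS, datetime(2021, 3, 1, 23, 59)))
    # Day two: the verdict flips; every earlier sighting becomes a retrospective alert.
    for s in retrospective_alerts(SIGHTINGS, DISPOSITIONS):
        print("retrospective alert:", s.ts, s.host, s.sha256)
    print("trajectory of hash-A:", file_trajectory(SIGHTINGS, "hash-A"))
```

Run as a script it prints that hash-A was already rare on day one, lists the four sightings that a point-in-time verdict let through, and names fin-laptop-07 as patient zero with the spread path and the single remote address the file contacted.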

Prevention

Allowlists and denylists
Cisco Secure Endpoint: Cisco Secure Endpoint provides the ability to override dispositions set by Talos.
VMware Carbon Black: Override of dispositions is available.
CrowdStrike Falcon: Override of dispositions is available.
Microsoft Defender ATP: Override of dispositions is available.
Software vulnerabilities
Cisco Secure Endpoint: With Secure Endpoint you can view the number and severity of vulnerable applications, and how many endpoints the application has been seen on within the environment. You can link vulnerabilities for each application to the associated common vulnerabilities and exposures (CVE) entries.
VMware Carbon Black (Limited): Carbon Black needs to integrate with IBM BigFix to provide hosts with vulnerabilities related to CVE. Cb LiveOps (add-on) can optionally be used to get vulnerability visibility (manually).
CrowdStrike Falcon (Limited): Requires CrowdStrike Falcon Spotlight. There's no way to specifically search for CVEs related to hosts on the network. Falcon uses indicators of attack (IoAs) to detect exploits on a system. CVEs are located in the research information on the system.
Microsoft Defender ATP: Defender for Endpoint can show app vulnerabilities on Windows 10 systems.
Integrated advanced threat protection (attack detonation)
Cisco Secure Endpoint: Secure Endpoint employs built-in sandboxing capabilities (via its full integration of Secure Malware Analytics), plus event correlations, more than 2000 IoCs, billions of malware artifacts, and easy-to-understand threat scores. Secure Endpoint is a full antivirus client as well and meets PCI/HIPAA audit requirements as an AV replacement.
VMware Carbon Black (Limited): By itself, Carbon Black does not offer a closed-loop ATP. Carbon Black may integrate with other vendors such as Lastline and Palo Alto Networks with separate licensing, support, and management. Cloud analysis via third-party Avira is available.
CrowdStrike Falcon: CrowdStrike Falcon Sandbox includes 700 generic behavior indicators.
Microsoft Defender ATP: Content analysis submits suspicious files identified by automated investigation to the cloud for additional inspection.
Sandbox-aware malware
Cisco Secure Endpoint: Cisco Secure Endpoint uses a proprietary analysis mechanism and 100 other anti-evasion techniques. It is undetectable by malware trying to avoid analysis and sandboxing.
VMware Carbon Black (Limited): Carbon Black does not employ its own advanced threat protection (ATP) or sandbox. Cloud analysis is offered via (third-party) Avira. It must integrate with Palo Alto Networks, Lastline, or others to provide malware detonation capabilities. None of the third-party integrations can detect ATP or sandbox-aware malware.
CrowdStrike Falcon (Limited): Falcon Sandbox cannot detect sandbox-aware malware. CrowdStrike collects both static file data and behavioral data as the file runs, sends this data to the cloud, and through machine learning gives the file a score that indicates how likely the file is to be malicious. If the file has a known behavioral capability, CrowdStrike will prevent the file from causing harm, but it does not remove it. If the file does not have an indicator (anti-exploit), then the asset may be at risk (action not blocked). If CrowdStrike gets disabled or removed, the asset is at risk, because the previous malware code still resides on the asset.
Microsoft Defender ATP (Limited): Microsoft Deep Analysis cannot detect sandbox-aware malware.

Response

Threat hunting
Cisco Secure Endpoint: Secure Endpoint accelerates incident tracking and rapid threat remediation with automatic data enrichments from multiple sources. It has 200+ pre-built queries, enabling you to run live and scheduled queries to all endpoints using a technology built on osquery. Analysts can quickly pivot from the sandbox to our advanced search interface with relevant pre-populated queries when a sample submitted to our sandbox contains behavioral indicators that map to those queries. Casebooks allow you to gather observables in groups and assign names, take notes, and add observables directly into cases. Other apps can submit observables to Cisco SecureX for reputation lookups without ever leaving the host application's interface. Case notes follow you from one product to another.
VMware Carbon Black (Limited): Carbon Black uses osquery for querying endpoints but does not offer integration with advanced sandbox solutions for behavioral indicators. It offers a limited (64) number of pre-built queries. No casebooks (or ribbon) to gather observables from various solutions to speed up threat hunting.
CrowdStrike Falcon (Limited): CrowdStrike uses Splunk Search for querying endpoints but does not offer integration with advanced sandbox solutions for behavioral indicators. It offers a limited (11) number of pre-built queries. No casebooks (or ribbon) to gather observables from various solutions to speed up threat hunting.
Microsoft Defender ATP (Limited): Microsoft uses Kusto Query Language for querying endpoints but does not offer integration with advanced sandbox solutions for behavioral indicators. No casebooks (or ribbon) to gather observables from various solutions to speed up threat hunting.
Malware remediation
Cisco Secure Endpoint: Malicious file can be automatically quarantined or removed.
VMware Carbon Black: Malicious file can be automatically quarantined or removed.
CrowdStrike Falcon: Malicious file can be automatically quarantined or removed.
Microsoft Defender ATP: Malicious file can be automatically quarantined or removed.
Malware gateway determination
Cisco Secure Endpoint: Exposes the entry point for malware and other files to help responders quickly assess the root cause and implement proper enforcement against further instances.
VMware Carbon Black: Only possible with an integration point to a third-party solution.
CrowdStrike Falcon: Falcon can be used to determine the root cause of the incident.
Microsoft Defender ATP: Root cause determination is possible.
Custom detection
Cisco Secure Endpoint: Helps administrators quickly enforce full protection against questionable files and targeted attacks across both endpoint and network control planes based on endpoint activity.
VMware Carbon Black: Custom detection and blocking can be done by adding custom file hashes.
CrowdStrike Falcon: Custom detection and blocking can be done by adding custom file hashes.
Microsoft Defender ATP: Custom detection and blocking can be done by adding custom file hashes.
File search and fetch
• Cisco Secure Endpoint: Secure Endpoint with SecureX threat response lets administrators hunt for any questionable file in an organization, see its dispersion through the installed base, and pull the file off any endpoint for further forensics and analysis.
• VMware Carbon Black: Files can be searched for and fetched from the endpoint with Enterprise EDR.
• CrowdStrike Falcon: Files can be searched for and fetched.
• Microsoft Defender ATP (Limited): Files can be searched for but not fetched.
Vulnerable application visibility
• Cisco Secure Endpoint: Cisco Secure Endpoint dynamically exposes the vulnerable applications in an endpoint environment, aiding administrators and responders in better instructing and informing the patch management process.
• VMware Carbon Black (Limited): Carbon Black needs to integrate with IBM BigFix to provide hosts with vulnerabilities related to CVEs. Cb Audit and Remediation Live Query (add-on) can optionally be used to get vulnerability visibility (manually).
• CrowdStrike Falcon (Limited): Requires CrowdStrike Falcon Spotlight. There's no way to specifically search for CVEs related to hosts on the network. Falcon uses indicators of attack to detect exploits on a system. CVEs are located in the research information on the system.
• Microsoft Defender ATP: Shows vulnerable applications and OS entities for Windows 10.
Integrated DNS-level protection
• Cisco Secure Endpoint: Exposes malicious domains associated with malware, giving users the ability to dynamically block access through Umbrella integration. Prevents command-and-control callbacks for data exfiltration, and stops execution of ransomware encryption. Provides up-to-the-minute threat data and historical context about domains, IPs, and file hashes for faster investigation.
• VMware Carbon Black (Limited): Infoblox services are required, which provide domain reputation to Carbon Black for correlation and enforcement.
• CrowdStrike Falcon (Limited): Falcon DNS requires Falcon Overwatch, which is delivered as a managed service where DNS monitoring and alerting takes place.
• Microsoft Defender ATP (Limited): Offers web content filtering and web threat protection on Windows 10 OS only.
Extensive threat information across threat vectors
• Cisco Secure Endpoint: Cisco Secure Endpoint is directly tied to Talos threat intelligence, so it can immediately see anything Talos sees. Secure Endpoint can instantly defend the endpoint against threats seen by your own or another organization's firewall, web URL, DNS entry, other endpoint, or email gateway. It has a global view of threats across all threat vectors.
• VMware Carbon Black (Limited): Lacks information from different threat vectors such as firewalls, endpoints, email gateways, and DNS.
• CrowdStrike Falcon (Limited): Lacks information from different threat vectors such as firewalls, DNS, and email gateways.
• Microsoft Defender ATP (Limited): Lacks information from different threat vectors such as firewalls and DNS.

Architecture

Operating system support
• Cisco Secure Endpoint: Windows (XP, 7, 10 or later), MacOS, Linux, Android, and iOS. Cisco Secure Endpoint uniquely enables protection for iOS, as part of the Apple-Cisco API partnership.
• VMware Carbon Black (Limited): Windows, MacOS, and Linux (no mobile device protection).
• CrowdStrike Falcon (Limited): Windows, MacOS, and Linux (Falcon for Mobile requires additional purchase).
• Microsoft Defender ATP (Limited): Microsoft's primary focus is on Windows 10. Coverage for MacOS (EDR) and Linux is included, though many protection features apply to Windows 10 exclusively (including auto investigation and remediation, ASR, web content filtering and web threat protection). The future of existing partnerships for MacOS and Linux (with SentinelOne, Ziften, and Bitdefender) is unknown.
Deployment model
• Cisco Secure Endpoint (Both cloud and on-premises): Cisco Secure Endpoint is 100% managed in the cloud, reducing total cost of ownership. It's also offered as an on-premises solution for organizations with cloud restrictions, such as the U.S. government.
• VMware Carbon Black (Limited/cloud only): Depending on the product, it is on-premises or in the cloud. VMware Carbon Black Cloud Endpoint Standard (next-generation antivirus and behavioral EDR) is cloud-based only. App Control and Carbon Black EDR (threat hunting and incident response for hybrid deployments) are available for on-premises deployments.
• CrowdStrike Falcon (Limited/cloud only): Deploys only in the cloud; no on-premises installations for the private sector/air-gapped networks (only Falcon Sandbox is available for on-premises deployment).
• Microsoft Defender ATP (Limited/cloud only): Deploys only in the cloud; no on-premises installations for the private sector/air-gapped networks.
Offline support
• Cisco Secure Endpoint: Offline protection is constant with exploit prevention, antivirus, and the Secure Endpoint engine.
• VMware Carbon Black: Carbon Black provides offline support with VMware Carbon Black Cloud Endpoint Standard.
• CrowdStrike Falcon: Falcon continues to run when the host is not connected to a network; however, the efficacy of this function has never been publicly proven.
• Microsoft Defender ATP: Defender ATP offers offline protection using attack surface reduction/AV.
Closed-loop detection; integration with other platforms
• Cisco Secure Endpoint: Integrates with Cisco Firepower firewalls, Firepower NGIPS, Cisco Identity Services Engine, and other platforms, such as Cisco Secure Email and Web Security. This integration is relevant when organizations own several platforms, but owning several platforms is not required to fulfill any of the functionality of Cisco Secure Endpoint referenced in this comparison.
• VMware Carbon Black (Limited): Open API. Can ingest common scripting languages. Integrates with solutions from Palo Alto Networks, Check Point, Blue Coat, Cyphort, Fidelis, Damballa, Splunk, Red Canary, and others.
• CrowdStrike Falcon: Falcon API and Falcon Streaming API for third parties.
• Microsoft Defender ATP (Limited): Defender for Endpoint integrates with certain third-party SIEM solutions, orchestration/automation platforms, and managed service providers. Integrates with Bitdefender, SentinelOne, Ziften, etc. for MacOS and Linux, as well as Palo Alto Networks and ThreatConnect for threat intelligence, and Morphisec for MTTD. It has integration with Microsoft's own services like Skype for Business, Azure ATP, Office 365 Threat Intelligence connection, Microsoft Cloud App Security, Azure Information Protection, and Microsoft Intune.

Integration

Integrations
• Cisco Secure Endpoint: REST API.
• VMware Carbon Black: Open API. Can ingest common scripting languages. Integrates with solutions from Palo Alto Networks, Check Point, Blue Coat, Cyphort, Fidelis, Damballa, Splunk, Red Canary, and others.
• CrowdStrike Falcon: Falcon API and Falcon Streaming API for third parties.
• Microsoft Defender ATP: Defender ATP integrates with certain third-party SIEM solutions, orchestration/automation platforms, and managed service providers. Integrates with Bitdefender, SentinelOne, and Ziften for MacOS and Linux, as well as Palo Alto Networks and ThreatConnect for threat intelligence, and Morphisec for MTTD. It has integration with Microsoft's own services like Skype for Business, Azure ATP, Office 365 Threat Intelligence connection, Microsoft Cloud App Security, Azure Information Protection, and Microsoft Intune.

Third-party validation

AV Comparatives Test Report December 2019
• Cisco Secure Endpoint: AV Comparatives Testing (an average of two tests in 2020, March-June and August-November): High protection rate of 97.6% with approximately 1 false alarm in the Real-World Protection Test. 99.9% efficacy in the Malware Protection Test with 0 false positives.
• VMware Carbon Black (Limited): AV Comparatives Testing (an average of two tests in 2020): Protection rate of 98.5% with approximately 3 false alarms in the Real-World Protection Test. 100% efficacy in Malware Protection Tests with 0 false positives.
• CrowdStrike Falcon (Limited): AV Comparatives Testing (an average of two tests in 2020): Protection rate of 97.6% with approximately 20 false alarms in the Real-World Protection Test. 99.7% efficacy in Malware Protection Tests with 0 false positives.
• Microsoft Defender ATP (Limited): AV Comparatives Testing (an average of two tests in 2020): Protection rate of 99.8% with approximately 6 false alarms in the Real-World Protection Test. 100% efficacy in Malware Protection Tests with 0 false positives.
AV Comparatives - Endpoint Prevention and Response (EPR) Comparative Report December 2020
• Cisco Secure Endpoint: Cisco Secure Endpoint was named a Strategic Leader in the Endpoint Prevention and Response (EPR) 2020 Comparative Report. Secure Endpoint had one of the lowest costs per endpoint over a five-year period, with the highest-rated prevention and response capabilities.
• VMware Carbon Black: Did not participate or chose to remain anonymous.
• CrowdStrike Falcon (Limited): CrowdStrike Falcon was named a Strategic Leader in the Endpoint Prevention and Response (EPR) comparative report, but with one of the highest costs per endpoint over a five-year period.
• Microsoft Defender ATP: Did not participate or chose to remain anonymous.
Radicati Endpoint Security Market Quadrant 2020
• Cisco Secure Endpoint: Cisco Secure Endpoint received the highest rating and was named an Endpoint Security Top Player. Radicati recognizes endpoint security top players as "current market leaders with products that offer both breadth and depth of functionality, as well as possess a solid vision for the future. Top Players shape the market with their technology and strategic vision."
• VMware Carbon Black (Limited): VMware Carbon Black was named an Endpoint Specialist.
• CrowdStrike Falcon (Limited): CrowdStrike was named an Endpoint Specialist.
• Microsoft Defender ATP (Limited): Microsoft was named an Endpoint Specialist.

Other services

Cybersecurity insurance
• Cisco Secure Endpoint: The Cisco, Apple, Allianz, and Aon collaboration for cyber insurance is an industry first. Collectively, we provide a holistic framework to decisively act on cyber risk, giving organizations streamlined access to the right tools and cyber insurance to strengthen security, reduce risk, and cover the complete cost of a breach if needed.
• VMware Carbon Black: None offered.
• CrowdStrike Falcon (Limited): Falcon Complete is required for a warranty. Requires a minimum spend of $250,000 to get a $1 million warranty. Requires strict controls and adherence to Measured Security Posture.
• Microsoft Defender ATP: None offered.
Managed security services
• Cisco Secure Endpoint: Cisco Managed Detection and Response (MDR) spans beyond the endpoint and covers advanced threats, network, and DNS with Secure Cloud Analytics, Cisco Umbrella, and Secure Malware Analytics (advanced threat protection) in addition to Cisco Secure Endpoint.
• VMware Carbon Black (Limited): VMware Cb Cloud Managed Detection offers alert validation by analyzing and prioritizing alerts; trend monitoring; and context for alerts for root-cause analysis.
• CrowdStrike Falcon (Limited): Falcon MDR offers detection and response capabilities. It is, however, limited to using endpoint data only.
• Microsoft Defender ATP (Limited): MDR is offered via partners like BlueVoyant and Red Canary.
Managed threat hunting
• Cisco Secure Endpoint: Cisco SecureX threat hunting is an analyst-centric process that helps organizations uncover hidden advanced threats. Once threats are detected, customers are notified within their Cisco Secure Endpoint console, so they can begin remediation. The purpose is to discover and thwart attacks before they cause any damage. Customers can leverage SecureX threat response to expand the scope beyond endpoints to network, DNS, email, and other solutions.
• VMware Carbon Black (Limited): Threat validation but no proactive threat hunting.
• CrowdStrike Falcon (Limited): Falcon Overwatch provides 24/7 operations and alert prioritization. It is, however, limited to using endpoint data only.
• Microsoft Defender ATP (Limited): Managed threat hunting via the Microsoft Threat Experts service provides targeted attack notifications and experts on demand for engagement.