We just raised a $30M Series A: Read our story

CrowdStrike Falcon Competitors and Alternatives

Get our free report covering Microsoft, SentinelOne, Palo Alto Networks, and other competitors of CrowdStrike Falcon. Updated: November 2021.
554,873 professionals have used our research since 2012.

Read reviews of CrowdStrike Falcon competitors and alternatives

DS
Enterprise Security Architect at a recruiting/HR firm with 10,001+ employees
Real User
Top 20
Single pane of glass allows us to run a lean team while protecting tens of thousands of endpoints around the world

Pros and Cons

  • "SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's... There are cost savings not only on licensing but because I don't have to have different people managing different consoles."
  • "If it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit."

What is our primary use case?

We use it for endpoint protection. It's an active EDR endpoint protection tool. Think of it as an antivirus and endpoint protection solution with machine learning, like McAfee on steroids.

In our company it is deployed in 83 countries and on over 40,000 workstations and servers.

How has it helped my organization?

It provides incredible visibility in a single pane of glass. The dashboard gives me visibility over all the endpoints, which are broken down by country, and then broken down within each country by brand and machine type. It provides a very simple way for me to understand if

  • we're being targeted globally
  • my endpoints are actively being attacked
  • we have outstanding issues in any one region
  • we have malicious activity.

In addition, it logs to my SIEM tool, cloud-natively, which makes it a very effective weapon to help diagnose and remediate any potential bad actors in my environment.

The Behavioral AI feature for ransomware and anti-malware protection does an outstanding job of identifying abnormal behavior patterns in my environment. Once we allowed it to sit in learning mode for about 30 days, we switched all our endpoints into what is called Protect mode, instead of Detect mode. With Protect mode, we have different functions available to us, such as kill, quarantine, identify, and rollback. Using those features, we are really able to protect our endpoints much better. We take advantage of the fact that we have a machine, or an automated process, governing our endpoint protection. That reduces the total headcount needed to babysit my environment.

Furthermore, Behavioral AI recognizes novel and fileless attacks and responds in real-time. It improves my security, reduces my total cost of ownership and management, and provides enhanced protection for what is now a highly mobile population. Due to COVID-19, we have had to take most of our workforce, and that's over 40,000 people around the world, and give them access to work remotely through a series of different mechanisms. In doing so, we felt much more comfortable because we have this endpoint protection tool deployed. It provides us not only the visibility into what the tool is doing and how it's protecting us, but it allows us to look at what applications are installed, what IP range is coming on, and what network it's sourced from.

And with Ranger we're able to help identify additional networks. Using SentinelOne with Ranger, allowed us to take a look at some of our smaller offices in Asia Pacific where we didn't have exceptional visibility.

We also use the solution’s automatic remediation and rollback in Protect mode, without human intervention. I want to protect mode for both malicious and suspicious, and that is in Protect mode. Having turned that on, we saw no negative impact, across the board, which has been an outstanding feature for us. It does save time on having to go in and identify things, because we allowed it to run in learning mode for so long. It learned our business processes. It learned what's normal. It learned file types. It learned everything that we do enough that, when I did turn that feature on, there were no helpdesk calls, no madness ensued, no people complaining that files were being removed that they needed. It worked out very well for us. 

We also use the solution’s ActiveEDR technology. Its automatic monitoring of every OS process, at all times, improves our security operations greatly. There is a learning time involved. It has to learn what processes are normal. But the fact that it's actively engaged with every process—every file that moves across it, every DLL that's launched, whether or not it's automated or process-driven—everything is viewed, inspected, and categorized. And it allows us to have enhanced visibility that ties directly into the Deep Visibility. I can look at and help identify behavior patterns. 

For example, yesterday I wrote a series of queries for Deep Visibility that are based on MITRE ATT&CK parameters. Those give me reports, on a daily basis, of how effective this tool really is because I can use MITRE ATT&CK engine parameters to help define what's going on. Even if something is not considered malicious behavior by the tool itself, if I take that information and couple it with information I can pull from Tanium and information I pull from other tool sets, and aggregate that into my SIEM tool, my use case is provided. I get more positive and actionable intelligence on how my endpoints are behaving. If I have somebody out there who is doing testing of software, I can pick that out of a crowd in a second.

We have application control and containers available. Since we have AWS, Azure, and a myriad of cloud platforms, it's been hugely beneficial to us. Considering that we are endeavoring, as an organization, to move into cloud-based solutions, this has been a huge benefit.

Overall, SentinelOne has absolutely reduced incident response time. It's instantaneous. It has reduced it by at least 95 percent.

I use the tool to help me determine how well my other tools are working. For example, we have a role called a RISO, a regional information security officer. Those people are responsible for regions of the globe, whether it be Latin America, Asia Pacific, or AMEA. The RISOs now use the tool because it can help them identify other tools we have rolled out, like Zscaler. They can go into the SentinelOne console and query for Zscaler and look at all the machines in their environment and determine what the delta is. It allows people with different levels of knowledge and different roles in an organization to have visibility. It's been outstanding. That, in and of itself, makes it a better tool than its counterparts and it makes it usable for non-technical and non-security people.

We get the long-term strategic benefits of having enhanced visibility and the more short-term tactical benefits of knowing that our endpoints are protected, the visibility is there, and that no matter what lands on top of it, it's going to get taken care of.

What is most valuable?

The most valuable feature of the solution is its ability to learn, the fact that once you tune it correctly, it knows how to capture and defeat malicious activity on the endpoints. It's not set-it-and-forget-it, but it does give me a much more comfortable feeling that my endpoints are secure and protected from malicious behavior.

SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's. The latest Mac OS X that's coming out is already supported and in test for our organization. The complete coverage of every OS that we have in our environment has been a huge benefit because I don't have to have different tools to support them. There are cost savings not only on licensing but because I don't have to have different people managing different consoles. For me, having single pane of glass visibility is incredibly important because we run a very lean team here. We are a skeleton crew governing all 83 countries. In doing so, it provides us the ability to do a lot more with a lot less.

I use the Deep Visibility feature every single day. It is outstanding because I just create hunting cases and then I can load them. I can figure out what queries I want to run and I can go digging. And with the queries that I have built for the MITRE ATT&CKs, it makes it very simple to identify something. And now that I have reporting set up based on those queries, I get emails every day.

Using Deep Visibility I have identified a threat and figured out information about it. I've also used Deep Visibility to be proactive versus reactive as far as my alerting goes. I know that SentinelOne will protect my endpoints, but there's also a case where there isn't specific malicious behavior but the patterns look malicious. And that's really what I'm writing these queries for in Deep Visibility.

Here's an example. You can do a lateral movement in an organization. You can RDP to one server and RDP to another server, depending on how your software defined perimeter is configured. Unless you do something malicious, SentinelOne will look at it, but it won't necessarily stop it, because there is no malicious activity. But I can write a query in Deep Visibility to show me things. Let's say somebody breached my secure remote access solution. With the Deep Visibility queries that are being run, I can see that that one machine may have RDPed to a server and RDPed to another server and been jumping around because they may have gotten compromised credentials. That can be reported on. It might not have been malicious behavior, but it's an activity that the reporting from Deep Visibility allows me to pursue and then do a deeper dive into it.

What needs improvement?

If they would stop changing the dashboard so much I'd be a happy man. 

Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit.

The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.

For how long have I used the solution?

I have been using SentinelOne for about 14 months now.

What do I think about the stability of the solution?

It's incredibly stable. We really haven't had any significant issues. There have been a couple of things here and there where certain versions of the product weren't disabling Windows Defender effectively. I think that was predicated on a GPO that we identified that had been accidentally linked and that kept turning Defender back on again. The issues were very trivial things.

How are customer service and technical support?

I talk to my TAM once a week, minimum. I think I have the best customer support in the business.

I had an issue that I raised a couple of weeks ago and within minutes I had an army of engineers working on it. By the end of the week, I had senior management calling me asking me what else I want, what else I need, and how else they could help me. 

They go all-in. I have never had to wonder or concern myself with whether I will be getting adequate support? Will the support be on time? Will the support be effective and accurate? Not once, not ever.

I have such a close relationship with the team, not only the team that sold it to me but the team that supports me. We call each other on a first-name basis and we talk about how we're doing. It's that kind professional relationship. That's how good it is.

Which solution did I use previously and why did I switch?

Before, we had a mix of dozens of different solutions across the enterprise. We didn't have any one, ubiquitous solution. We had a mix of McAfee and Panda and Kaspersky. You name it, we owned a copy of it, and that didn't provide a unified field of view. It also didn't provide the best protection that money can buy and, in my opinion as a professional in this industry for 25 years, this is the best protection money can buy.

How was the initial setup?

The initial setup of SentinelOne was very simple. I packaged the executables into MSIs, including the token ID, I created a package in Tanium, and I dropped it on all the workstations. I was able to deploy it to over 40,000 endpoints in 35 days.

When you govern as much real estate as I do, meaning the number of endpoints and the number of different business units that those endpoints comprise, there had to be a deployment strategy for it. I broke it down into countries, and in each of those countries I broke into brands and I broke it into asset types, whether they be servers or workstations, whether they're mobile or localized. It's not difficult to push out there, as long as you create exclusions. I used my legacy tools in parallel with this for a month and still never faced any issues.

For any organization, if you have any kind of deployment mechanism in place, you could put your entire workforce on this and it wouldn't matter how many endpoints. If they're online and available and you have a deployment solution, you could do it in a month, easily, if not less. I could've done it much faster, but I needed to do a pilot country first. I did all the testing and validations and then, once we went into production mode, it was very fast.

What's my experience with pricing, setup cost, and licensing?

I got a really good deal so I'm very happy with the pricing.

Which other solutions did I evaluate?

I looked at everything. I looked at CrowdStrike, Cylance, Carbon Black, and I had McAfee as the largest of the incumbents. I tested them all and I validated them all and I pushed every malware virus—everything in my collection—at them. I built a series of VMs to test and validate the platform. I tested against multiple operating systems. I tested against downloads, I tested against uploads. I tested visibility. I did this entire series of tests and listed out 34 or 35 different criteria. And at the end of the day, SentinelOne came out on top.

One of the huge benefits of SentinelOne is the Full Remote Shell. That has been an incredibly useful tool for me.

Cylance came in second. It has very similar functionalities, very similar builds, but not a full remote shell. It had the single pane of glass dashboard, but the visibility I get out of SentinelOne, as well as the protection and the capability to run the Full Remote Shell pushed it over the top.

Carbon Black was nice, but I had to run two different dashboards, one cloud and one local. I couldn't get single pane of glass visibility from that.

When I tested SentinelOne against all the engines, they all pretty much found everything. Mimikatz was the deciding factor. A couple of the solutions flagged it but didn't remediate it. SentinelOne just rolled everything back as it started to discover it. It actually pulled the installer out, so that was nice. 

A lot of new technologies that are out there are very similar. They are pulling from public threat feeds and other learning engines. But if you compare and contrast all the features available, SentinelOne is just going to edge everybody else out. And they're constantly evolving the product to make it more efficient and to have a smaller footprint too. When they came out with Ranger, we were still doing some network discoveries around our environment to try to figure out exactly what was still out there. That came to be a very useful tool.

It really just shines. If you compare it to everybody else there are a lot that come close, but nobody else can really quite get to the top. SentinelOne really gives you the best overall picture.

What other advice do I have?

Do your homework. I would encourage everybody, if you have the capabilities, to do what I did and test it against everything out there. If you don't have those capabilities and you want to save yourself a lot of time, just go straight to SentinelOne. I cannot imagine any organization regretting that decision. With the news stories you read about, such as hospitals under attack from malware and crypto viruses—with all the bad actors that exist, especially since the pandemic took over—if you want to protect your environment and sleep soundly at night, and if you're in the security industry, I highly encourage you to deploy SentinelOne and just watch what it's capable of.

I don't use the Storyline technology that much simply because I'm really turning this into a more automated process for my organization. An example of where we may use Storyline is when we download an encrypted malicious file. Let's say that email was sent to 500 people. If it gets through our email gateway, which is unlikely, I can not only identify those users quickly, but I can also use the Storyline to determine where it came from, how it got there, and what it was doing along the way. And while it killed it, it will tell me what processes were there. It helps us create and identify things like the hash, which we then summarily blacklist. Overall, Storyline is better for identifying what had happened along the way, but after the fact. For me, the fact that it has actually taken care of it without me having to go hunt it down all the time is the real benefit.

The only thing we don't take advantage of is their management service. We do have a TAM, but we don't have Vigilance.

For top-down administration, there's only about six of us who work with the solution. For country level administration, we have one or two in every country in those 83 countries.

We run a myriad of different front office and back office environments. SentinelOne had to learn different environments in different countries. It had to understand the business processes that are surrounding those. We did a substantial amount of tuning along the way, during the deployment. And then, of course, there are agent updates and there are considerations when you get a new EA version and are creating test groups. But, as an organization, we have reduced our total cost of ownership for our EPP platform, we have improved our visibility a hundred-fold, and we have maintained our data integrity. It really is the one end-all and be-all solution that we needed.

It's a home run. I've been doing this a long time and I've done this in over 48 countries around the world. Given what we do with this product and the visibility it has given us and the protection it has given us, I feel very comfortable with my security right now.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SG
Owner at a security firm with 1-10 employees
Reseller
Very customizable but slow in the cloud environment

Pros and Cons

  • "The features that I have found most valuable are the ability to customize it and to reduce its size. It lets you run in a very small window in terms of memory and resources on legacy cash registers."
  • "Everything with Fortinet having to do with their cloud services. They need to invest more in their internal infrastructure that they are running in the cloud. One of the things I find with their cloud environment compared to others' is that they go cheap on the equipment. So it causes some performance degradation."

What is our primary use case?

Our primary use cases for Fortinet FortiEDR are cash registers and endpoint, and point of sales.

The reason we originally started with FortiClient with one of our clients in the first place was that they were able to have legacy cash registers, a really old technology, which we had to get to run in a small resource space, and FortiClient, which was the predecessor, allowed us to literally pick and choose what features we wanted in the client and reduce its size, which you couldn't do with any other types of clients that were out there. That's how we started with that.

It is mostly on premise and any cloud services that we use are directly from Fortinet themselves. I would call that public cloud. We do run some of the customer's environment in private cloud, basically co-location. This has provided the services back to their dataset. I am talking about Fortinet's cloud for the public. For the private stuff it was basically out at Q9, which is the co-location provider.

How has it helped my organization?

Fortinet FortiEDR has the ability to customize the footprint of the client or the agents on the device and on the endpoint.

What is most valuable?

The features that I have found most valuable are the ability to customize it and to reduce its size. It lets you run in a very small window in terms of memory and resources on legacy cash registers. The customer has literally about 800 cash registers. That was the use case for Fortinet FortiEDR - to get that down into a tiny space. The only way to do that was to use this product because it had that ability to unbundle services that were a surplus.

What needs improvement?

In terms of what could be improved, I would say everything with Fortinet having to do with their cloud services. They need to invest more in their internal infrastructure that they are running in the cloud. One of the things I find with their cloud environment compared to others' is that they go cheap on the equipment. So it causes some performance degradation.

A classic example of that would be products like FortiMail where you're basically acting as a mail relay. So say you're on a support call and I'm sending you a mail with document that you expect to come to you immediately, or within 30 - 60 seconds, could take up to 45 minutes because of the load on the cloud services. This can result in trouble tickets and other customer side issue.

In the next release I would like to see more investment in their cloud services. Additionally, they definitely need better integration into their FortiSIEM and FortiSOAR solutions.

They should continue to improve that and possibly include a managed threat hunting feature, an MDR solution.

For how long have I used the solution?

I'm a Fortinet Gold Reseller but primarily we're a consulting company, not a product company. We tend to be agnostic with the one caveat being Fortinet, and only because I was the first guy in Canada to get certified in that, and also the first guy to sell it. There is a personal preference there. But I'm looking deeper into more enterprise security solutions that are SASE and endpoints and EDR, XDR, MDR, all that kind of stuff.

We've done work primarily with FortiGate deployments, but we've also done multiple SD-WAN projects and we've worked with FortiEDR, which is similar to their version of EDR. We've worked with FortiClient before that. As far as FortiCloud goes, we've worked with FortiMail in the cloud, we've worked with FortiManager in the cloud, but we haven't gone into CASB stuff yet.

We also do some Fortinet managed services in our customer base. So I have worked with Fortinet since 2004, 2005.

Fortinet FortiEDR has only been out for a couple of years. We've been working with it for a couple of months, primarily migrating a customer from FortiClient to FortiEDR.

We haven't done full scale deployments of FortiEDR yet, it's still fairly new.

What do I think about the stability of the solution?

In terms of stability, EDR is a pretty decent solution, but it's not best of breed. One of the challenges with Fortinet, and all of these vendors, is that they are doing acquisitions and doing things to retrofit into their environment, but there's a dependency on legacy or other features that Fortinet has, and Prisma from Palo Alto has. They have their own products, which are how their system is designed. It's really a suite of products. Fortinet is now FortiFabric, with Palo Alto it's Prisma, Prisma Cloud and XSOAR and all that stuff.

All these types of companies are not as flexible. I think in the future, people are not going to be interested in having these huge complex suites of products in order to take advantage of integration.

If you look at a true SASE solution, for example Zscaler, it's a product on its own. And it typically integrates with industry best of breed products first. So Zscaler would work with CrowdStrike or Microsoft Defender before it's going to work with an integrated solution like Palo Alto or Fortinet.

I'm finding more and more that these companies, Palo Alto, Fortinet, Check Point, Juniper, are all doing well right now. But I think in the next year to two, you're going to see a transition away from that type of technology.

It is actually one of Fortinet's big selling points that they're not maintenance heavy and they've got their gang leveraging all the other components. It actually updates itself automatically if you choose. And it has the ability, using FortiManager and other products, where you can push out policies very easily across multiple appliances, although that requires proper design and architecture from the beginning to make sure that you've got cookie cutter configurations across your enterprise.

What do I think about the scalability of the solution?

Scalability is Fortinet's sweet spot, even though they're heavily focused trying to sell into enterprise, their sweet spot is still mid-size, SMB, customers.

Those products work well in an environment which is below 3000 users. It also works well in in terms of large enterprises, like a bank.

I don't see EDR really expanding. Fortinet Firewalls is another story. Firewalls can scale up to very large enterprises, including Telcos, but I don't see the EDR product deployed in those environments.

How are customer service and support?

Their support is getting better.

Right now it is not that good. Fortinet was never big on technical support. I think they went by the theory that if it was hard to write, it should be hard to understand. Their technical support is getting better, but if you compare it to Cisco, it's not as good and it never was. It is one of their weak points. Its response time is not bad, but the attitude of the people on the phone is. It's the amount of information they ask for to do an RMA, for example. They can be very challenging to work for. That's an opportunity for managed security providers, because if you confront them, and take it away from the customer, it makes the customer's experience much better. So a bad support center is good for an MSSP.

How was the initial setup?

The initial setup is complex compared to stuff like CrowdStrike or other products where you can just sign up and download and it, and it works.

It's a little bit more complex with FortiEDR because you're dealing with the setup and management of it, whereas in products like CrowdStrike, it's pretty automatic and it's just a question of a radio button to turn on or turn off additional features that you may want.

For example, going EDR to XDR or going EDR to MDR in CrowdStrike, you can do that in Fortinet but you have to implement FortiSOAR and all this other stuff.

Initially the setup took us a while, simply because we had to mess around with the client. We are talking weeks because we had to test and make sure that there were no performance issues and no interruptions in the flow of data, etc...

That took us probably five, six weeks to get up in a POC type environment. Once we got that, it's cookie cutter. You have an image that you deploy that already has that compiled in it, and it works pretty easily.

What's my experience with pricing, setup cost, and licensing?

Fortinet FortiEDR is priced pretty competitively if you compare it to other companies that are in the same boat, like Palo Alto, who have similar product suites. It is reasonable. In the industry, they call Fortinet the Chevy of Perimeter Security and Palo Alto the Cadillac. I think that's undeserved. I think Fortinet is actually, in the long run, a better product, but it has that reputation because of their pricing. Palo Alto, right off the bat, charged a much higher premium, which created the illusion that you're getting a better product. Palo Alto products are brutally expensive.

But that's the way Palo Alto works and it works for them. Although, I've heard rumors that they're changing their channel model where they're going after enterprise customers directly, rather than forcing it through the channel. Fortinet is a 100% channel, Palo Alto is not. And that's affecting them. If you look at stock prices and earnings, Fortinet is actually doing better.

What other advice do I have?

With any of these products, you need to step back and look at where the wave of technology is going in the security posture. I think that you need to step back and say, "Here's my current situation, what's the best solution two to three years from now?" If you look at that, I don't see Fortinet or Palo Alto or any of those traditional product vendors being the future state.

These companies are like system integrators. A lot of system integrators went out of business mostly because they couldn't make the paradigm shift from a product led business to a service led business. I see the same type of thing happening in the traditional Perimeter Security companies, that are not designed from the ground up. They make an acquisition of a product and they try to integrate it into their business model, and to leverage all their other products in a suite. That's not the way the industry is going.

On a scale of one to ten, I would rate Fortinet FortiEDR somewhere around a six.

It goes back to what I said that I don't think it's got a huge future. If you compare it to CrowdStrike or those type of products, it is very similar to Palo Alto's Cortex, they didn't even come out with an an EDR solution, they went directly to an XDR solution. What is XDR penetration? About 2% of the market right now. It's just not a fit to the future. That's why I give it a six.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
Norman Kromberg
VP of Info Security at SouthernCarlson, Inc.
Real User
Top 20
Does a good job of reporting when it detects anomalous behavior

Pros and Cons

  • "Morphisec makes it very easy for IT teams of any size to prevent breaches of critical systems because of the design of their tool. When we evaluated Morphisec, the CIO and I sat and listened. What attracted us to them is the fact that it stops activity at the point of detection. That saves a lot of time because now we are not investigating and trying to trace down what to turn off. We have already prevented it, which makes it very much safer and more secure."
  • "Morphisec is a venture startup. They are still early in their growth stage. They need to get mature on their customer support and on how they interface with system tools. For example, they need to get multifactor in place and an API for the major multi-factor systems, e.g., Okta, Duo, Ping, and Microsoft. They don't have them built in yet. They are working on them. It is just not there yet. Also, their stability, customer support, and processes need improvement, which is just part of maturity."

What is our primary use case?

We purchased Morphisec to protect our endpoints from anomalous behavior. The biggest use case would be to prevent ransomware, but also to detect other unnecessary programs running on devices. So, the use case has been endpoint protection, both for servers and endpoints, e.g., laptops and desktops.

We do a multi-layered defense in-depth. They are our primary prevention at the endpoints for anomalous behavior. I would classify it as a preventative tool, since Morphisec blocks and prevents execution. So, I would put it at the preventative layer.

We have agents on all of our endpoints and servers pointing to their cloud instance.

How has it helped my organization?

Morphisec makes it very easy for IT teams of any size to prevent breaches of critical systems because of the design of their tool. When we evaluated Morphisec, the CIO and I sat and listened. What attracted us to them is the fact that it stops activity at the point of detection. That saves a lot of time because now we are not investigating and trying to trace down what to turn off. We have already prevented it, which makes it very much safer and more secure.

What is most valuable?

The biggest feature is its ability to prevent. Here is the interesting thing with a tool like Morphisec. You implement it almost as an insurance policy. If it works, nothing happens. If it fails, you have bad things occurring. So far, nothing terrible has happened. It does a good job of reporting when it detects anomalous behavior so we can research it. However, the key is that we can research in a much calmer fashion, since we do not need to uninstall because it blocks the activity.

What needs improvement?

Morphisec is a venture startup. They are still early in their growth stage. They need to get mature on their customer support and on how they interface with system tools. For example, they need to get multifactor in place and an API for the major multi-factor systems, e.g., Okta, Duo, Ping, and Microsoft. They don't have them built in yet. They are working on them. It is just not there yet. Also, their stability, customer support, and processes need improvement, which is just part of maturity.

For how long have I used the solution?

My company has been using Morphisec since mid-December of 2020.

I have been aware of Morphisec since I worked for Optiv and met one of the key sales people back in 2015 or 2016. When I was at that company, I was a consultant helping companies with their roadmaps. So, we connected there and got Morphisec introduced to Optiv, the company I was working with then, who is also a VAR. Therefore, it was getting the product in via another sales route or sales channel.

What do I think about the stability of the solution?

It takes less than one person to deploy and maintain the solution. So far, we have not had to do maintenance. The biggest thing that we are working with Morphisec right now on is the multi-factor interface enhancement.

What do I think about the scalability of the solution?

We have had no issues with scalability. It's worked fine.

We have probably 10 people between our help desk, Tier 2, and executives accessing the system and using the dashboards, which has been pretty straightforward and easy to do.

In the system, our IT people research alerts. We get a daily report of all the events from the prior day. If there was a critical alert, the help desk will go out and research to see if they need to do anything with the endpoint. They have to go into the system to monitor and look at it. If we are running into an issue on a particular server and endpoint, we may go out there to see if there was any indication of an issue or if the actual agent is causing a problem. We have yet to find that the agent is causing a problem, but that is why they potentially would go out there.

It is on every endpoint, e.g., laptops, desktops, and servers, which is pretty extensive. We may expand into their incident response process and a number of other things that we can use them for, but that will be evaluated as we go into our budget cycle at the end of the year.

How are customer service and technical support?

I would rate Morphisec technical support as eight out of 10. They have just been very responsive. They are very strong at follow-up. They won't close tickets until we tell them to. They are very much a customer service focused group. They have been very good at tech support, providing knowledge, information, etc.

Which solution did I use previously and why did I switch?

Morphisec makes use of deterministic attack prevention that doesn’t require investigation of security alerts. We didn't have a protection layer prior to Morphisec, so we added it. The key is the amount of work by the team is minimal. So, it did not increase our workload. We did not have to add staff. It has been a positive benefit that way.

This solution was an additive layer that we didn't have before. So far, it has been successful in the sense that it has not caused us to add resources. So, we have been able to get layer protection without additional expense, in terms of staff. That is a good thing.

How was the initial setup?

The initial setup was very straightforward. It was simple to install the agent. They provided good support. It was just a push, then it just took minutes to get the process rolling. We could monitor how well it rolled out, and they were there to support us. This was one of the easiest that we have ever done.

The deployment took a day or two in total actual work time, so we could confirm it reporting in on the dashboard. 

It probably took us a week or two to get it rolled out to all the devices because of our change control windows. 

We put it in the most conservative setting that we could for prevention. We did roll through certain applications for the logic of what not to include, but they had a pretty good baseline for what we should reference. We then just pushed the agents with some logic on the change windows. So, we did all the desktops and laptops first, then the servers. It was a pretty straightforward implementation.

What was our ROI?

Morphisec helps us save money on our security stack. We probably would have spent $100,000 more on a different solution. So, it did save us on that expense.

What's my experience with pricing, setup cost, and licensing?

It is an annual subscription basis per device. For the devices that we have in scope right now, it is about $25,000 a year.

Which other solutions did I evaluate?

We also evaluated CrowdStrike, Cylance, and SentinelOne. CrowdStrike and Cylance were way too expensive. You could also throw in Sophos and Symantec in there. All those were too expensive and burdensome. SentinelOne was interesting. We were able to get better pricing and better access to the top people at Morphisec, and that is why we went with Morphisec.

We do not use Morphisec for antivirus at this time. We are using another tool for antivirus, but we will look at Morphisec Guard when that license is up.

What other advice do I have?

Don't overthink it. Just do it. Follow the directions of Morphisec and go for it, but make sure you understand what your application stack is before you go full bore, so you don't create false positives. However, they are easy to work with in those terms.

The reality is nobody ever gets to a single pane of glass or a single dashboard. Those claims are made by vendors, even Morphisec will make it. The problem is you have so many layers in your security stack that you will never get to a single pane of glass. So, I never have that as a requirement because I know it is not attainable.

We do not have Microsoft Defender in place, but so far it is providing visibility for what it is installed on.

While I have known of the company since 2016, they are still a startup. They are still equity-backed. I don't know where they are going to end up, but right now I am confident that they have good backing and financial resources. They got a new round of funding just after the first of the year. That is always a good sign.

Biggest lesson is the amount of discipline required in our company to stay current. Morphisec highlights breakdowns that we have in process and procedure, which is a good thing, but it's highlighted to us that we need to be a little bit more disciplined.

I would rate Morphisec as nine out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
SB
Computer Systems Administrator at a university with 10,001+ employees
Real User
Top 10
Lacks next-generation behaviour-based detection, offers terrible technical support, and not as robust as competitors

Pros and Cons

  • "The solution detects malware very well."
  • "The stability was not the best. There were times when antivirus updates broke it. It wasn't necessarily self-updating - at least, not in terms of the virus signatures. It updated in terms of the executable files. Therefore, when Windows updates would come out, they often couldn't be installed, or the computer would hang due to the fact that the updates weren't compatible with the antivirus."

What is our primary use case?

The use case for the solution was basically this: any computer or anything used for any sort of official business needed to have endpoint protection and needed to have some sort of antivirus protection. The thing was somewhat more than just an antivirus, it also included a firewall that operated in addition to the Windows or Mac firewall.

The university policy basically required that all endpoint devices used for official business have to meet certain requirements and one of them was to have an antivirus.

How has it helped my organization?

The solution probably caught some malware a certain percentage of the time and that helped the organization. By the time we abandoned it, it was actually less effective, at least on Windows 10 machines, than the built-in antivirus that you get with the Windows 10 Defender Antivirus. It became, in the end, sort-of a liability.

It also became a liability when the company was sold to Broadcom. The name is actually different now. I don't think it's called Symantec Endpoint Protection. It's called Broadcom Endpoint Protection. We had a very difficult time even getting in touch with the technical support from that company, especially after Symantec was sold. It wasn't a very robust solution.

What is most valuable?

The solution detects malware very well.

What needs improvement?

It wasn't a very good solution overall, which is why we ended up replacing it.

Most organizations are choosing a next-gen antivirus, one that's based on artificial intelligence. Symantec Endpoint Protection was one of those legacy products that have been around forever. Symantec was a spinoff from Norton. Norton Antivirus was one of the very first antiviruses to come out in the 1980s. Symantec was very highly rated at one point in its life. It never really caught on to the new trends and antivirus protection. And so it still relied on things like a database of virus signatures that would need to get downloaded and then files would be checked for those signatures.

Modern antiviruses don't do that. They're based on behavior. They're based on intelligence algorithms. They're honed by artificial intelligence and machine learning from data collected all over the world. And so for that reason, the next-gen antiviruses are much more efficient at detecting viruses. They also take up a lighter load on the computer.

Next-generation is behavior-based detection rather than signature-based detection. Symantec tried to be a hybrid between the two. It had a behavior-based component called SONAR, however, it was still mostly a signature-based software antivirus application. For that reason, you can never keep up with all the mutations and viruses, and you can't keep up with malicious behavior that isn't based on viruses. Things like downloaded PowerShell scripts, things that computers can do with the components that they already have without needing to put any virus on the computer. A lot of malicious attacks, government-backed attacks, don't use any kind of foreign software. They take advantage of vulnerabilities within existing operating systems like Microsoft Windows or the various versions of Linux or the Mac operating system. They don't need to put additional software on the computer to compromise them.

That, in a nutshell, is why we switched to a next-gen antivirus. Next-gen antiviruses have probably been around for about five or six years. Some of the old companies made the transition to them seamlessly. Symantec didn't. It remained wedded to the old technology and that made it, you could say, a has-been.

For how long have I used the solution?

I've been using the solution for many years. It's probably been about ten years at this point, at least a decade.

What do I think about the stability of the solution?

The stability was not the best. There were times when antivirus updates broke it. It wasn't necessarily self-updating - at least, not in terms of the virus signatures. It updated in terms of the executable files. Therefore, when Windows updates would come out, they often couldn't be installed, or the computer would hang due to the fact that the updates weren't compatible with the antivirus. I give it pretty poor score for robustness.

What do I think about the scalability of the solution?

It was scalable just due to the fact that had to be installed individually on individual computers. For the unmanaged workstations, it was as scalable as you wanted it to be. There was a new download and a new install on a new computer. There are no limits on that. I'm not sure, however, how true that is, as it wasn't within my area of responsibility. I'm not sure if the managed work points overloaded the servers that were meant to monitor them. I don't think that was the case. The scalability was probably pretty good there too. I never heard any complaints about it not being scalable.

We likely had between 10,000 and 20,000 users on it. The roles would include, since it's a university, students, faculty, staff, and researchers. That pretty much covered the type of people that work at a university.

We don't plan to increase usage as we've completely phased out the solution.

How are customer service and technical support?

Once Symantec was sold to Broadcom, it became very difficult to reach out to technical support, and they just stopped being responsive. By the end, we were very unhappy with their level of support.

Which solution did I use previously and why did I switch?

I've been at the organization for 21, 22 years. Originally, before we had Symantec, it was McAfee antivirus. We had that up until maybe about 2010 or so. Now, we are using CrowdStrike Falcon.

How was the initial setup?

The initial setup was not complex. It was simple.

The deployment was always ongoing due to the fact that, as a university with something like 16,000 employees, computers were getting bought and repurposed all the time. The initial rollout was in fact not a managed version of the antivirus. It was just a standalone version that users could download from a website when they provided their credentials. After that, they would just double click on a downloaded file and run the installer and they'd have the antivirus.

However, it was completely unmonitored. The antivirus program on their computer was not sending its data anywhere. It couldn't be helped by anyone remotely to do its job of protecting the computer.

Therefore, almost all organizations now want to have a managed antivirus solution where there's software installed on the computer, but it communicates with the cloud, and IT administrators at the organization can control this behavior and learn from it.

In terms of the staff required to handle the deployment and maintenance, there was probably the equivalent of maybe two to three full-time staff that were dedicated to antivirus endpoint protection issues. 

What about the implementation team?

We handled everything ourselves in-house. We didn't need the help of a consultant or integrator.

What's my experience with pricing, setup cost, and licensing?

We pay on a yearly basis. However, I'm unsure of the exact amount.

Which other solutions did I evaluate?

We did evaluate a number of other vendors. We entertained some RFPs and we did testing on four other competing products. There was one other competitor that was close. The main factor that tilted us toward CrowdStrike is that they did make a last-minute significant cut in price to their offer. I think they reduced it by something like 30% or 40%.

CrowdStrike has been in the business longer and is a bigger company than the runner up as well. To us, that mattered. If there is winnowing out of competitors, if the market actually shrinks and there are a few big players in five years, we want to be sure that we're with one of the big players that are going to make it.

What other advice do I have?

The solution is a kind of a mix between an on-premise managed server that managing some machines, and other machines just had an unmanaged client that was distributed to students. It's not actually a cloud, it's a server. It's an on-premises server. It's not a cloud-based server that is being used. The antiviruses report to the server and policies can be set on the server.

I'd advise users to be aware that there are better solutions out there than this. I've learned that technology can change and your solution may be great now, but in a few years, it may drop to the bottom of the barrel. That's what happened here.

I'd rate the solution one out of ten. In order to get any sort of higher rating, they would need to start it over again from scratch. Instead of trying to make a legacy product better, they should abandon it and invent a new product.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Imad Taha
Group CIO at a construction company with 10,001+ employees
Real User
Top 20
Centralization via the cloud allows us to protect and control people working from home

Pros and Cons

  • "You can deploy it through the cloud so that even if your stuff is outside of your controlled environment, you are still under control, based on the policies you create. The policies are controlled through the cloud. For example, if I don't allow anyone to do a certain activity or to install a particular app, and a consultant or a partner who is not part of our environment is doing so, it will stop them as well."
  • "As far as I know, Carbon Defense has nothing that can be installed on mobile devices. It lacks a defense solution for mobile devices, especially mobile tablets. I would like to see support for mobile devices and the pricing should be less than the pricing for a normal workstation."

What is our primary use case?

We started using it to protect our environment from ransomware specifically.

What is most valuable?

Carbon Black works completely differently from other products. We tested different products and Carbon Black was selected because it does not remove a virus but it kills any suspect operations and it's up to the admin to check the scenario. It kills the "effect," if you will. If you receive ransomware or anything suspicious, it will kill the process unless you allow it, after receiving warnings.

I cannot say it's pure AI, but the way it works is that it stops any suspicious activity, not based on signature-based attacks. It works in a way that it detects that a given effect is unusual.

Also, you can deploy it through the cloud so that even if your stuff is outside of your controlled environment, you are still under control, based on the policies you create. The policies are controlled through the cloud. For example, if I don't allow anyone to do a certain activity or to install a particular app, and a consultant or a partner who is not part of our environment is doing so, it will stop them as well. Because of COVID-19, we are all working from home. Imagine if the centralization and control provided by the product were not on the cloud. We would lose control of the people working from home. So the centralized cloud control is one of its more effective aspects.

What needs improvement?

As far as I know, Carbon Defense has nothing that can be installed on mobile devices. It lacks a defense solution for mobile devices, especially mobile tablets. I would like to see support for mobile devices and the pricing should be less than the pricing for a normal workstation.

Also, there is not much education for customers about Defense versus its other products. They promote Defense as enough, but then they say if you need more protection you can go for CB Response. I don't know whether it's a technology issue or a marketing issue, but they should teach the customer more. They tell you you are secure with Carbon Defense but then they recommend Carbon Protect. There is not a lot of education on this.

I don't want to have an incident in the future and their answer will be, "Sorry, you did not buy Protect." Security is a continuous process. I can accept that it has more features, but don't tell me, "You are not protected because you did not buy the more expensive product."

In addition, these other products should be add-ons, not separate products. And the cost for them should be much less for adding on because you are already a customer.

Finally, we receive a lot of high alerts. There is no priority system, from one to 10, where 10 is very dangerous and one is something easy. There is no way for us to tell why this alert is similar to that one.

For how long have I used the solution?

I have been using Carbon Black CB Defense for two years.

What do I think about the stability of the solution?

It is stable. It does not use a lot of CPU or RAM. This is one of its good points.

What do I think about the scalability of the solution?

We have about 1,000 users. Scaling is always possible because it's a cloud solution.

How are customer service and technical support?

They have good local support, here in Dubai.

How was the initial setup?

Deployment takes too much time because it has a lot of options. The implementation was not an easy process. I wish the implementation was easier. But it has a positive effect in the end. The complexity pays for itself ultimately. You do not spend time on the complexity and then get nothing as a result. So the complexity is something that is necessary.

We were new to this product. If the deployment took, say, two weeks, it took us a very long time, maybe a couple of months, until we knew this product was solid. The education services given by the partner are not enough. It was a completely new product for us, so we needed a lot of education. While the implementation took two weeks, it really took two months to go through all the options.

What about the implementation team?

We had a consultant at the beginning.

What's my experience with pricing, setup cost, and licensing?

We have branches, we have different companies, but we cannot buy less than 100 licenses. This does not make sense to me. We do have some big companies within our group. But if I have a small office with 20 users and all my licenses are in use, the next buy cannot be less than 100 licenses. We have to do a lot of implementation and communication to add that many. But we only need 20. They are not flexible in the licensing part. It should be more flexible. 

I can understand their saying, "Okay, to be a customer you need 100," but to add on to that number it should be something very straightforward. If I need to add five, for example, I shouldn't need to add 100.

I'm not happy with the way they are treating existing customers for adding licenses. I sent an angry communication to them, to the management, and said to them: "With 1,000 users, I need only another 50 licenses. Why do you want me to go for 100? It's a stupid policy." Then I got approval from them for fewer. I don't need to buy subscriptions for users I don't have.

Also, licenses should not be per endpoint but rather per user. If I am the same user on a mobile device or on a workstation it should be one license for me.

Which other solutions did I evaluate?

To compare apples to apples, before going for Carbon Black I was thinking about CrowdStrike. CrowdStrike has a lot of very beautiful features that Carbon Black does not have, like IT asset management. But I am not buying this type of software for IT asset management. I'm buying it to protect my infrastructure from big threats. While CrowdStrike has many good features that Carbon Black does not have, that's not the case when it comes to security. CrowdStrike is a very good product but it's more expensive. If you buy all the components of CrowdStrike I can assure you it will be much better than Carbon Black, but cost is a factor.

Our previous product, Kaspersky, was fine but it's not on the level of Carbon Black. Carbon Black is called a next-generation antivirus because it does not only work based on signatures. With Kaspersky we had an incident, and one of the servers affected was the Kapsersky control server.

What other advice do I have?

My advice is to get enough information about the differences in Carbon Black products from day one. In other words, if Carbon Black is claiming that Carbon Black CB Defense is enough, why are they always promoting the more expensive product, which is Carbon Black Protect? So, you need to be educated well about the differences between the products.

Also, look at the roadmap of the product regarding whether there will be good mobile protection for mobile users or not. And be aware of the minimum license purchasing policy.

The number of people for maintenance of the solution depends on how your environment is structured, but in our company I need five people.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Get our free report covering Microsoft, SentinelOne, Palo Alto Networks, and other competitors of CrowdStrike Falcon. Updated: November 2021.
554,873 professionals have used our research since 2012.