According to the Hiscox Cyber Readiness Report, attacks on small businesses continue to increase, with 47% of companies reporting security events in 2019 compared to 33% in 2018. The mean cost of all incidents is $14,000, which is no small figure for companies struggling to maintain profitability in today's economy.
Standard antivirus or internet security software simply can't protect companies from the types of malicious attacks that start on one device and quickly spread through an entire network. And with more employees working from home, it's harder to track what's happening throughout the system. However, endpoint detection and response (EDR) software not only stops malware but remediates the problem so you can isolate problem devices and continue working.
We evaluated more than 30 EDR solutions to find the best services based on ease of deployment, functionality, and supported operating systems. Plus, we looked at pricing models, independent studies, and features to select winners in each category.
The 7 Best Endpoint Detection and Response of 2020
Best Overall: Bitdefender GravityZone
Bitdefender predicts, detects, and prevents attacks anywhere in less than three seconds, making it the most dynamic solution available.
Pros:
- 30-day free trial
- No advanced IT knowledge needed
- 24/7 phone and email support
Cons:
- May slow computers down somewhat
- All admins have separate consoles that must be customized
- No instant notifications
Since 2001, Bitdefender has consistently received high scores from independent third parties while continually updating its products for comprehensive cybersecurity. With no advanced IT knowledge required and affordable yearly plans, Bitdefender GravityZone is the best overall EDR provider.
Bitdefender protects desktops, laptops, and mobile devices with its web-based software. It works on:
- Microsoft Windows
This all-in-one service provides real-time control and monitoring of on- and off-site devices through a unified management web console. Bitdefender GravityZone provides:
- Antivirus software
- Antimalware software
- Firewall with intrusion detection and prevention
Implementation is simple: you log into your account and download the installer from the link provided. You don't need any tech skills to manage your account, and the web console is available to start protecting your business as soon as the download completes.
With Bitdefender, you pay annually, but a two-year or three-year plan is less expensive per year. The GravityZone packages cover a minimum of three devices and a maximum of 100. The website provides a tool to calculate your yearly cost. For example, if you have three endpoints and one server, you'll pay:
- One year: $110.99 plus tax
- Two years: $177.99 plus tax
- Three years: $221.99 plus tax
Top features include machine learning (ML) antimalware, anti-phishing and web security filtering, and endpoint control and hardening. Third parties, like AV-Test, Mitre, and AV-Comparatives, review the software regularly.
Best for Small Businesses: Kaspersky
Kaspersky protects every device in your small business while providing a cloud console for device and user management that is easy for the small business owner to understand.
Pros:
- 30-day free trial
- Protects mobile and desktop devices
- Offers online and offline protection
Cons:
- Resource intensive while scanning devices
- False positives for specialty apps
- 24/7 premium support is an add-on
Founded in 1997, Kaspersky uses machine learning and real-time analysis to stop attacks. With its easy-to-use cloud console and low cost, Kaspersky is our pick as best for small businesses.
Whether you need on-site or off-site security, Kaspersky covers operating systems such as:
- Microsoft Windows
Kaspersky offers several solutions for small businesses, along with add-on services like managed EDR. Kaspersky software includes:
- Ransomware detection
- Antivirus software
- Antimalware software
- Network firewall
Installation and setup for Kaspersky are pretty straightforward. Use the online quick start guide to download the security center, then install software for your specific operating system.
You can purchase Kaspersky through its website or through its authorized reseller partners. With a Kaspersky EDR plan, you pay annually, and the following prices are based on a minimum of 10 devices:
- Kaspersky Select: $404.20 for an EDR agent, ransomware detection, and cloud-assisted intelligence
- Kaspersky Advanced: $746.20 for role-based access control, encryption, and vulnerability and patch management
- Kaspersky Total: If you need advanced security for web gateways and email servers, you must go through an authorized partner for a custom solution
With Kaspersky, you get endpoint hardening, automatic updates, mobile threat defense, and automatic rollbacks after attacks. The company's products have been tested by third parties Mitre and ICSA Labs, giving it additional credibility.
Best for Cloud Hosting: Cybereason
Protect your remote assets, on-premise devices, and cloud network with Cybereason.
Pros:
- Instant remediation tools
- Collects 100% of event data in real time
- Top ranking by Forrester
Cons:
- No free trial
- Takes 24 to 48 hours to start detecting attacks
- May be buggy immediately after OS updates
Cybereason is a newcomer to the market, as it was founded in 2012. However, it quickly made its presence known with automatic processes that eliminate threats and prevent data loss. With several deployment options, including cloud-first deployment, Cybereason is best for cloud hosting in our review.
You can use Cybereason on operating systems such as:
- Microsoft Windows
Cybereason offers several different service options:
- Root cause analysis
- Whitelisting and blacklisting
- Malware detection
- Antivirus software
- Host-level firewall management
Although installation is fairly simple and the software is easy to use, it does take 24 to 48 hours to set up and start monitoring your systems.
Cybereason offers four Cybereason Defense Platform plans, along with many add-on solutions such as threat hunting and incident response services. Once you choose your desired features, Cybereason gives volume-based discounts. For instance, you may pay an estimated $50 per endpoint per year for a few devices versus paying $25 per endpoint if you have more than 10,000 devices. Plans include:
- Professional: Includes threat intelligence and next-generation antivirus (NGAV)
- Enterprise: Adds on EDR and deep response services
- Ultimate: Provides managed detection and response and cyber posture assessment
- Managed: Fully managed solution with endpoint and mobile threat defenses
With Cybereason, you get real-time, multi-stage attack details, automatic or one-click remediation, and anomaly and malware detection. Both Mitre and SC Labs independently review Cybereason, along with industry validation from Gartner.
Best Premium Option: CrowdStrike Falcon
Replace your existing security systems with one unified and feature-rich platform that gives companies more bang for their buck.
Pros:
- Consumes 1% or less of CPU
- 15-day free trial
Cons:
- Admin UI accessible only through the Google Chrome browser
- No included firewall
- No on-premises management console
Since 2011, CrowdStrike has been an industry leader for its unified set of cloud-delivered technologies. Although the company offers various solutions, CrowdStrike Falcon delivers premium features in a tidy, all-in-one system, making CrowdStrike Falcon the clear winner for our best premium option.
CrowdStrike Falcon supports Microsoft Windows, Linux, and Mac operating systems. To get services for Android or iOS, you'll need to add Falcon for mobile.
With CrowdStrike Falcon, you get a centralized software solution with available features like:
- Falcon Prevent: Next-generation antivirus software
- Falcon Discover: Security hygiene
- Falcon Insight: EDR
- Falcon Search: Threat intelligence
- Falcon OverWatch: Threat hunting
You don't need any on-premise equipment, so you can download and deploy CrowdStrike Falcon within minutes, not days.
Choose from à la carte features, add-on services, or bundled plans. CrowdStrike's packages require an annual payment and cover five to 250 endpoints. Plans include:
- Professional: $8.99 per endpoint per month for Falcon Prevent
- Enterprise: $15.99 per endpoint per month for Falcon Prevent and Falcon Insight
- Premium: $18.99 per endpoint per month for Falcon Prevent, Falcon Insight, and Falcon Discover
- Complete: For fully managed and custom services, you can contact the company to set up your personalized package
CrowdStrike Falcon provides machine learning and indicators of attack (IOA) detection for both online and offline endpoints. Plus, you get real-time and historical visibility into managed and unmanaged assets. The services have been validated by independent third-party testers like Mitre, SE Labs, AV-Comparatives, and AV-Test.
Best Value: Infocyte
Infocyte is the only company providing a guaranteed first-hour response while offering affordable plans.
Pros:
- Free trial of Enlist plan
- 60 minutes or less incident response
- Offers an agentless option
Cons:
- Does not quarantine malware
- Capabilities may differ by operating system
- Limited support for IoT and mobile
Founded in 2014, Infocyte is a newer company focusing on helping companies with high-value assets. Its low cost per node or device and premium features make it the winner of our best value category.
You can use Infocyte as a standalone system or an add-on to your existing security system, and it works on Mac, Microsoft Windows, and Linux.
With Infocyte, you get software focused on detection and response. It offers:
- Behavioral antivirus software
- Real-time monitoring
- Malware prevention and detection
Setting up the software and integrating it with your existing security system takes a bit longer than with other solutions. However, Infocyte's agentless option means you can deploy its services from the cloud without installing anything on the endpoints.
Infocyte pricing is billed annually and priced per node. You can choose from three solutions:
- Enlist: For $2 per node per month, you get continuous monitoring, asset and application discovery, and incident response and automation actions
- Patrol: For $3 per node per month, Infocyte adds application programming interface (API) access and integrations, along with reporting options about vulnerabilities
- Command: This plan goes through authorized partners and provides managed detection and response services
With Infocyte, you can click to respond to threats, meaning you can terminate processes or isolate hosts from your cloud console. It also offers AI-driven analysis, AI and ML threat detection, and real-time monitoring. Although Infocyte received a mention in a recent Gartner report, it doesn't yet have the number of licenses required to receive a full review.
Best for Remote Workforces: ESET
Quickly transfer or add new devices while remotely managing access via your web browser.
Pros:
- Low system CPU impact
- Console comes in 21 languages
Cons:
- No whitelisting capability
- Limited remediation options
Founded in 1987, ESET is a trusted name in the industry. With its cloud-based or on-premise options, an administrator can easily oversee all devices, making ESET the winner in our best for remote workforces category.
ESET supports virtual workplaces by working on operating systems like:
- Microsoft Windows
- Email servers
All ESET plans include software solutions such as:
- Malware protection
- Host-based intrusion prevention
- Ransomware prevention
With no hardware or software required, it only takes minutes to deploy ESET EDR software, giving you a single point of network security management.
ESET offers solutions for small businesses with up to 250 seats, midsize companies needing 251 to 999 seats, and enterprise solutions for 1,000 plus seats. You'll pay yearly, with the small business plans below covering five devices:
- Endpoint Protection: $190 for multi-platform endpoint security, including data passing through servers like OneDrive and anti-theft features
- Remote Workforce Security: $334.50 for cloud-based sandbox testing and analysis, encryption for disks, partitions, and drives
- Two-Factor Authentication: $349.50 with user identity validation via cell phone for on-premise software and Office 365, Google Apps, and Dropbox
You get interactive charts and tables with real-time updates, alerts when suspicious activity is detected, and flexible management from your administrative console. Third-party testing has been completed by AV-Test, AV-Comparatives, VB Spam Test, and SE Labs.
Best for Enterprise Capabilities: Sophos Intercept X
Sophos Intercept X delivers enterprise-grade features for a comprehensive view of your network.
Pros:
- 30-day free trial
- Visually appealing UI
- You can roll back changes after an attack
Cons:
- Low-bandwidth locations may run slower
- Linux may include fewer admin features
- Only basic workflows supported
Since 1985, Sophos has repeatedly received high ratings in tests while continuously improving its threat detection services. With advanced software and access to 90 days of historical data, Sophos is our review's best choice for enterprise capabilities.
Deploy Sophos to your Microsoft Windows, Mac, or Linux machines, and you'll get a complete EDR solution including:
- Forensic-level analysis
- Virus cleanup
- Malware detection
You can install and deploy your Sophos software within minutes regardless of the option chosen. The company offers three bundled packages available for purchase through one of its authorized partners. Pricing is based on the annual manufacturer's suggested retail price (MSRP) for 500 to 999 users with a 36-month contract. Plans include:
- Intercept X Advanced: $28 per user per year for ransomware protection, deep learning malware detection, anti-exploit, and fileless attack prevention
- Intercept X Advanced with EDR: $44 per user per year, adds EDR, malware analysis, forensic data export, and endpoint isolation
- Sophos Managed Threat Response: $75 per user per year for 24/7 expert threat hunting and remediation
Sophos features CryptoGuard, which prevents malicious and spontaneous encryption and reverts files to safe states, along with artificial intelligence (AI) and machine learning (ML) malware detection, and false-positive suppression. The company has been tested by AV-Comparatives, AV-Test, MRG Effitas, and SE Labs.
What Is Endpoint Detection and Response Software?
Endpoint detection and response software detects suspicious activity, stops it, and alerts administrators when an event occurs. While antivirus software blocks known threats, EDR solutions find threats already hidden on devices. Furthermore, EDR systems use artificial intelligence and machine learning to analyze endpoint behavior for anomalies, giving administrators time to respond and isolate a possible threat before it results in a data breach or spreads across your network.
Many systems go beyond prevention and detection by providing remedial options to quarantine the problem device from the network quickly, then wipe it clean so your employees can get back to work.
What Is an Endpoint Attack?
Endpoint attacks threaten devices attached to your networks, like computers, laptops, and smartphones. An attack may affect hardware such as server systems or cloud environments, including shared folders and storage.
Small and midsize businesses (SMBs) and enterprises face increased and highly sophisticated attacks stemming from macro viruses, user logins, email, or employees clicking on links. The most common types of endpoint attacks consist of:
- Ransomware: Malicious software locks your systems by encrypting data and demanding a ransom in return for restoration.
- Eavesdropping attack: With an eavesdropping attack, hackers intercept network traffic to get passwords, confidential data, or banking or credit card numbers.
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks: These flood your systems and overwhelm resources, so you can't use your services.
- Phishing and spear-phishing attacks: Also called spoofing, these attacks involve hackers pretending to be a trusted source, such as an email from your bank; upon opening the email, malware enters the device, leading to financial scams or other threats.
- Man-in-the-middle (MitM) attack: In this type of attack, a hacker gets into a session and pretends to be the server to overwhelm resources and launch a DDoS attack.
- Drive-by attack: Also called zero-day attacks, these occur when hackers exploit an unsecured app, web browser, or website. People who view the site may be redirected to a hacker's link or have malicious scripts installed on their device.
- Structured query language (SQL) injection attack: Hackers add SQL commands to database-driven websites to extract or modify data.
- Password attack: Brute force or dictionary attacks attempt to gain access to passwords to gain entry into restricted content.
- Cross-site scripting (XSS) attack: Attackers use a malicious script to access and control devices, capture screenshots, or get network information.
What Does Endpoint Detection and Response Software Cost?
EDR pricing differs by volume, features, and add-on services. Furthermore, many EDR providers work with authorized partners so you can select a local service to purchase your product from.
You get managed services at the high end, including teams that hunt for threats and handle remediation for you. At the lower end, you get fewer remediation options. Prices start as low as $24 per user per year and go up to $228 per user per year.
Is It Worth Paying for Endpoint Detection and Response Software?
Having work computers or your entire network locked from use can threaten not only your business data and productivity but shut down your company. Recovering from advanced cyberattacks is expensive and time-consuming.
With the range of solutions offered for EDR, you can get antivirus software, antimalware, and anti-ransomware bundled into one program for just a few more dollars than what you're paying for antivirus software. However, lower-end products rely on you or your IT team to respond to alerts, so someone in your organization will need to oversee the software.
Fortunately, most solutions work in the background, and you won't notice they're there unless you're attacked. You'll be able to see where the attack is coming from and take action to prevent it from worming its way into your entire system.
How We Chose the Best Endpoint Detection and Response
After looking at more than 30 EDR systems and reading through analyses by Gartner and Forrester, we narrowed our list down to seven fantastic solutions. To make this list, all software had to work across multiple operating systems, provide a range of detection, prevention, and response features, and offer a simple interface. We further considered cost as well as how easily administrators can monitor results.
Hiscox. "Hiscox Cyber Readiness Report 2019." Accessed October 26, 2020.
Gartner. "Gartner Magic Quadrant for Endpoint Protection Platforms August 2019." Accessed October 26, 2020.