The top endpoint detection and response tools in 2025

Endpoint detection and response (EDR) tools are solutions designed to help organizations monitor, detect, and respond to threats on endpoints in real time.

What are EDR tools?

The rise of the hybrid workforce has afforded today’s workers greater flexibility but has also exposed organizations to a wider attack surface. Endpoint detection and response (EDR) tools can help security teams secure their environments by monitoring and detecting threats across endpoints like laptops, servers, and end user devices in real time.

EDR tools rely heavily on sensors: lightweight software agents deployed on endpoints. Once installed, these sensors continuously gather data, including which programs are running, which processes those programs interact with, registry changes, system calls, and so on. By analyzing the data these sensors collect and the alerts generated from it, defenders can prioritize the most critical threats first and focus their remediation efforts.

EDR tools commonly use behavioral analysis to establish a baseline of normal activity. From there, they combine that baseline with threat intelligence to flag suspicious and anomalous behavior, which helps identify emerging threats and lets security teams carry out proactive defense.

Why EDR tools are important

Having a quality EDR product in place is essential for organizations looking for better visibility, intelligence, and response capabilities to defend against today’s evolving threats.

By correlating events and patterns of activity, EDR can help detect a wide range of threats, including activity indicative of malware, ransomware and other sophisticated threats.

To help buyers better understand what the market looks like, in this article we’ll walk through some of the top-rated EDR tools organizations can use in 2025. We’ll also look at what’s important in an EDR product and how businesses can choose the best EDR tool for their enterprise.

Looking for more guidance when it comes to evaluating endpoint detection and response (EDR) products? Our EDR evaluation guide breaks down criteria to consider as well as questions to ask vendors about EDR products.

Top EDR tools in 2025

VMware Carbon Black EDR and Cloud

VMware Carbon Black EDR is a scalable incident response (IR) and threat hunting solution designed for security operations center (SOC) and IR teams. It continuously records and stores comprehensive endpoint activity data, allowing threat hunters to look for threats in real time and visualize the complete attack kill chain.

VMware Carbon Black Cloud is a cloud-native platform that lets administrators manage endpoints with the VMware Carbon Black Cloud Endpoint sensor.

Carbon Black’s EDR integrates with network security providers, existing security technologies, and security information and event management systems (SIEMs). The EDR console, accessible through a browser-based user interface, allows defenders to monitor threats on their network, categorized by feed, score, and severity.

Top tool features

  • Continuous and centralized recording: Provides easy access to continuously recorded endpoint data for real-time threat hunting and in-depth investigations
  • Attack chain visualization and search: Offers a visual representation of attack progression and root cause analysis, providing a better understanding of attacker behavior
  • Customizable behavioral detection: Allows for the creation of tailored detection rules based on observed behaviors
  • Threat intelligence integration: Incorporates multiple threat intelligence feeds, both out-of-the-box and customizable, to enhance detection capabilities
  • Watchlists dashboard: Provides details on watchlists, including the number of watchlists, top watchlists, trends, and comparisons over time. It also automatically captures queries and flags suspicious activities based on defined criteria
  • Process and binary search: Allows security teams to search through centralized data for specific processes and binaries

Pricing

Like many EDR tools, pricing for VMware Carbon Black EDR varies with the needs and size of an organization. Cost is usually on a subscription basis, typically per endpoint per year, but can also fluctuate based on contract length.

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight, part of the broader Falcon platform, is an EDR solution designed to give organizations complete visibility across their endpoints. CrowdStrike claims it leverages indicators of attack (IOA), indicators that reveal the intent behind a cyber attack, together with behavioral analytics and machine learning to identify malicious activity, including malware, ransomware, and other advanced attacks. Security teams can use the tool to capture the details needed to investigate incidents, respond to alerts, and hunt for new threats.

Top tool features

  • Real-time visibility: Insight provides comprehensive visibility into endpoint activity, including process creation, network connections, file modifications, and more
  • MITRE ATT&CK framework mapping: Insight maps alerts and detections to the MITRE ATT&CK framework, helping to better understand attacker tactics and techniques, and in turn aiding triage, prioritization, and remediation
  • Indicators of attack (IOA): Focus on detecting malicious behavior and techniques rather than just known signatures
  • Threat intelligence integration: Incorporates CrowdStrike’s threat intelligence to identify and contextualize threats

Pricing

Pricing for Falcon Insight isn’t fixed. The company offers different tiers for its Falcon platform, including Falcon Go, Falcon Pro, and Falcon Enterprise, each with varying features and, in turn, different pricing.

Red Canary Linux EDR

Red Canary Linux EDR is specifically designed to provide enhanced visibility and protection for Linux environments, extending managed detection and response (MDR) to organizations’ on-prem and cloud Linux infrastructure. It focuses on detecting runtime threats with a lightweight agent and offers deeper insight into endpoint activity, user behavior, and system changes.

Top tool features

  • Linux-first design: Built from the ground up to address the unique threats and characteristics of Linux systems
  • Lightweight agent: Minimizes performance impact on Linux systems
  • File modification (filemod) telemetry: Tracks file creation, deletion, renaming, and editing to gain crucial insights into potential malicious activities. Sensors also collect Scriptload telemetry, allowing the tool to identify and analyze potentially malicious scripts and detect script-based attacks
  • Comprehensive visibility: Monitors processes, network connections, DNS queries, and user activity across various Linux distributions and containerized applications
  • MDR integration: Often offered as part of a managed service for expert analysis and response

Pricing

Pricing around Red Canary Linux EDR and MDR varies depending on the number of Linux servers and workstations organizations need coverage for.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an enterprise endpoint security solution that’s designed to help organizations prevent, detect, investigate, and respond to advanced threats. It integrates with other Microsoft security services, including Microsoft Defender Antivirus and Microsoft Defender for Business, and covers a wide range of devices, including Windows, macOS, Linux, Android, and iOS.

Top tool features

  • Antimalware and antivirus: Powered by behavior-based, heuristic, and real-time analysis
  • Automated investigation and response (AIR): Automatically investigates alerts and takes remediation actions, like isolating devices, quarantining files, or blocking malicious IPs, to reduce the workload on security teams
  • Advanced hunting: Enables security analysts to proactively search for threats using a powerful query language over a rich dataset
  • Vulnerability management: Helps identify, prioritize, and remediate endpoint vulnerabilities

Pricing

Microsoft Defender for Endpoint comes in two plans; for both, the cost generally depends on the plan, the licensing model, and whether it is purchased as a standalone product or as part of a Microsoft 365 bundle. Plan 1 provides a foundational set of endpoint security capabilities, emphasizing preventative protection and basic response actions. Plan 2 provides more comprehensive EDR capabilities, including automated investigation and incident response.

Cortex XDR

Cortex XDR (EDR) by Palo Alto Networks is an EDR tool that incorporates threat detection, investigation, and response capabilities. It uses artificial intelligence (AI) and machine learning to detect sophisticated attacks, automate investigations, and accelerate response across different security layers.

Top tool features

  • Cross-layer detection and response: Correlates data from endpoints, networks, and the cloud for comprehensive threat detection and response
  • Behavioral analytics: Uses machine learning to profile behavior and detect anomalies indicative of attacks, including insider threats and credential theft
  • Automated root cause analysis: Automatically identifies the root cause and sequence of events for each alert, simplifying investigations
  • Incident management: Provides intelligent alert grouping and incident scoring to help analysts prioritize critical threats
  • Flexible response actions: Enables rapid containment of threats through integration with enforcement points, allowing for blocking, isolation, and script execution
  • Cloud-based architecture: Offers simple, zero-touch deployment and scalability

Pricing

Pricing for Cortex XDR isn’t fixed and often depends on variables such as the modules your organization needs (Forensics, Identity Threat Detection and Response, etc.), the number of endpoints to be protected, and any required data retention policies.

SentinelOne EDR

SentinelOne EDR, part of the company’s broader Singularity security platform, is an EDR tool that uses AI and machine learning to provide autonomous endpoint security. It focuses on detecting and responding to threats in real-time, offering features like behavioral analysis, automated response, and rollback capabilities to assist in recovery from ransomware attacks.

Top tool features

  • Behavioral AI: Employs static and dynamic behavioral analysis to detect known and unknown threats, including fileless malware and exploits
  • Real-time monitoring and visibility: Provides continuous monitoring of all endpoint activities with detailed forensic data for post-attack analysis
  • Automated response and remediation: Automatically initiates incident response workflows, like isolating infected endpoints and terminating malicious processes
  • Endpoint data collection and correlation: Continuously collects and analyzes endpoint data, network traffic, and user behavior to identify anomalies
  • Granular visibility: Offers insight into each endpoint to pinpoint the origin and progression of threats

Pricing

SentinelOne’s EDR is part of the company’s broader Singularity platform. It’s available in different packages with varying features, including a basic endpoint protection (Core) subscription for $69.99 per endpoint, an advanced endpoint protection (Control) subscription for $79.99 per endpoint, and a version including EDR and XDR (Complete) for $179.99 per endpoint. Commercial ($229.99 per endpoint) and Enterprise (requires contacting SentinelOne for a quote) subscriptions are also available.

Key features to look for in EDR tools

EDR tools today provide several key features needed by organizations to quickly identify, isolate, and remediate threats, including:

Comprehensive visibility: The best EDR tools provide deep and broad visibility across an organization’s endpoint workstations, collecting data from operating systems and data sources (as outlined by frameworks like MITRE ATT&CK®). This includes telemetry on processes, commands, files, network traffic, logon sessions, registry changes, and more.

Effective alerting: An EDR tool should generate alerts with sufficient context, explaining the logic behind the alert and the specific telemetry that triggered it. Look for features like alert severity classification—again mapping to frameworks like MITRE ATT&CK—and the ability to aggregate related alerts into incidents.

Robust response capabilities: An EDR tool should enable security teams to actively respond to incidents—including isolating machines and blocking hashes or IP addresses as needed in real time—directly from the platform. Key response abilities should include the ability to ban/unban binaries, kill processes, isolate/de-isolate endpoints, quarantine/delete/capture files, block network communications (IPs, domains, ports), and potentially block users/accounts. Automation of these actions based on alerts and API access are also important.

Prevention capabilities: Modern EDR tools should incorporate preventive controls. Look for tools with the ability to block known malicious malware, dual-use tools, potentially unwanted programs (PUPs), suspicious behavior, and more. Understanding what the tool blocks by default, the criteria for blocking, and how to tune preventive controls is essential.

Data access and search functionality: An EDR tool should offer a user-friendly interface with robust search capabilities and a query language (or ideally, plain language search powered by GenAI). The ability to export data and strong API support for integration with other security tools like SIEM and Security Orchestration, Automation, and Response (SOAR) solutions are also important considerations for accessing and utilizing the collected data effectively.
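The pipeline the article describes, sensor telemetry feeding a behavioral baseline, alerts that carry their own context and a MITRE ATT&CK mapping, and aggregation of related alerts into per-host incidents with a response action, as an added Python example. This is not Red Canary's code nor any listed vendor's; the hosts, users, process events, rule names, severity scale and the "isolate on high severity" policy are all constructed assumptions. The technique IDs T1059.001 (PowerShell) and T1059.003 (Windows Command Shell) are the real ATT&CK sub-technique identifiers; the example goes a little beyond the text by combining a learned baseline with a fixed behavioral rule so that the same event can produce both an anomaly alert and a technique-mapped alert.

```python
"""Toy alerting pipeline over constructed endpoint process telemetry.

Added example, not code from Red Canary or any vendor in the article. It
shows in miniature what the text describes: sensor telemetry, a baseline of
normal activity, alerts that carry context (the triggering event, the logic
that fired, an ATT&CK technique and a severity) and aggregation of related
alerts into per-host incidents with a suggested response action.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as a sensor might report it."""
    host: str
    user: str
    parent: str    # image name of the parent process
    image: str     # image name of the new process
    cmdline: str


# Constructed baseline window: what "normal" looked like on these hosts.
BASELINE_EVENTS = [
    ProcessEvent("ws01", "alice", "explorer.exe", "winword.exe", "winword.exe /n"),
    ProcessEvent("ws01", "alice", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("ws01", "alice", "winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent("srv01", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Constructed live telemetry to evaluate against that baseline.
LIVE_EVENTS = [
    ProcessEvent("ws01", "alice", "explorer.exe", "winword.exe", "winword.exe /n"),
    ProcessEvent("ws01", "alice", "winword.exe", "powershell.exe", "powershell.exe -File update.ps1"),
    ProcessEvent("srv01", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("srv01", "bob", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# Script hosts mapped to the ATT&CK sub-technique for that interpreter.
SCRIPT_HOST_TECHNIQUE = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}   # assumed severity scale


def build_baseline(events):
    """Baseline = set of (parent, child) image pairs seen in the quiet window."""
    return {(e.parent.lower(), e.image.lower()) for e in events}


def rule_office_spawns_script_host(event):
    """Behavioral rule: an office application launching a script interpreter."""
    technique = SCRIPT_HOST_TECHNIQUE.get(event.image.lower())
    if event.parent.lower() in OFFICE_APPS and technique:
        return {"rule": "office_app_spawned_script_host",
                "reason": f"{event.parent} launched {event.image}",
                "technique": technique, "severity": "high"}
    return None


def rule_unseen_parent_child(event, baseline):
    """Anomaly rule: a parent/child pair never observed during baselining."""
    if (event.parent.lower(), event.image.lower()) not in baseline:
        return {"rule": "unseen_parent_child_pair",
                "reason": f"{event.parent} -> {event.image} not in baseline",
                "technique": None, "severity": "low"}
    return None


def evaluate(event, baseline):
    """Run every rule over one event; each alert embeds its triggering event."""
    hits = [rule_office_spawns_script_host(event), rule_unseen_parent_child(event, baseline)]
    return [dict(hit, host=event.host, event=asdict(event)) for hit in hits if hit]


def detect(events, baseline):
    """Evaluate a stream of events and return the flat list of alerts."""
    return [alert for event in events for alert in evaluate(event, baseline)]


def group_into_incidents(alerts):
    """Aggregate alerts per host. Incident severity is the highest alert severity;
    a high-severity incident gets an isolate-host suggestion (assumed policy)."""
    incidents = {}
    for alert in alerts:
        inc = incidents.setdefault(alert["host"], {"host": alert["host"], "alerts": [],
                                                   "techniques": set(), "severity": "low"})
        inc["alerts"].append(alert)
        if alert["technique"]:
            inc["techniques"].add(alert["technique"])
        if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = alert["severity"]
    for inc in incidents.values():
        inc["suggested_response"] = "isolate_host" if inc["severity"] == "high" else "review"
    return incidents


def run():
    """End-to-end: baseline -> detect -> incidents, on the constructed telemetry."""
    return group_into_incidents(detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)))


if __name__ == "__main__":
    for host, inc in run().items():
        print(host, inc["severity"], inc["suggested_response"], sorted(inc["techniques"]))
        for a in inc["alerts"]:
            print("  ", a["rule"], "-", a["reason"])
```

Two points worth noting in the design. Every alert carries the full event that triggered it and a plain-language reason, which is the "sufficient context" the article asks for; and the baseline rule alone would have rated the Word-to-PowerShell launch as a low-severity oddity, so it is the technique-mapped behavioral rule that drives the incident to high severity and to a response suggestion.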

Evaluating endpoint detection and response tools?

EDR tools continue to be important for organizations, not only because they address a gap in security by providing comprehensive visibility into endpoints but because they can help defenders effectively investigate security incidents, perform root cause analysis on alerts, and follow through on the necessary response actions.

While early EDR tools lacked the context, fidelity, and response capabilities needed to properly defend, today’s solutions can allow security teams to respond to threats in real time, improving an organization’s ability to prevent intrusions.

 
Want to learn more about EDR?

Looking to learn more about how Red Canary can help your organization leverage EDR tools? Red Canary has over a decade of experience evaluating and operationalizing EDR platforms. Learn more about the features we believe are important.
