Endpoint Protection Platforms

Second Wave of Players Push Progression in Evolving Endpoint Security Market

Based on data collected October 2023

31-minute read

There is an evolutionary arc in endpoint security that frames the present moment of this Observatory report. One with humble beginnings of singular-purpose endpoint agents detecting viruses. Since those early days (when many vendors in this report were active), this realm of information security has rapidly transformed as the volume of endpoints expanded to firewalls, servers, virtual machines, mobile, embedded devices, and IoT. Simultaneously, the functionality of the increasingly lighter-weight agents widened, fostering inter-device communication across vast networks and facilitating a boundless permutation of information flow.

Traditional endpoint agents that identify malware are no longer enough. The market moved on long ago to the Endpoint Detection and Response (EDR) world, offering advanced threat protection, proactive hunting, and automated responses configurable to a CISO’s playbook. However, since technology in motion tends to stay in motion (sorry, Newton), the industry is redefining the “E” in endpoint into an extended “X.” While the definition of XDR varies by vendor, the promise of the technology is providing extended data telemetry beyond traditional endpoint agents. The full hope of an open and unified XDR pulls third-party data into the XDR purview in a vendor-and environment-agnostic manner, creating a full spectrum view on a singular screen, a.k.a. the holy grail of security. Layer in the promise of AI, and XDR markets itself with limitless potential.

Now fold in other aspects of endpoint agent usage, like asset and vulnerability management, SIEM agents, digital forensics, and data loss prevention (DLP), plus buzzy new acronyms that many of the vendors listed in this report market themselves as, such as Cloud-Native Application Protection Platform (CNAPP), which encompasses aspects of Cloud Security Posture Management (CSPM), Cloud Infrastructure Entitlement Management (CIEM), and Cloud Workload Protection Platform (CWPP), and it becomes dizzyingly obvious how evolving and amorphous endpoint security technology is. In fact, one CISO stated, “If you want to get technical, we have maybe five agents on every endpoint device that we have today, and I bet I'm forgetting one.”

Largely due to the complexity of these dynamics, security remains a top priority for organizations. In fact, since the initial launch of ETR’s quarterly Macro Views Survey in March of 2020, information security has consistently been the number one priority among all IT decision makers (ITDMs) surveyed. There is no reasonable expectation for that to wane given the escalating threat landscape with increasingly more nation-state-sponsored actors and monetarily motivated operations targeting an ever-expanding proliferation of endpoints and attack surfaces as hybrid and remote work has become the new normal. Needless to say, despite its long history, the endpoint protection marketplace is more relevant than ever, and its rapid progression shows no signs of slowing.

Don't have time to read now?

DOWNLOAD THE REPORT

Introduction

With that backdrop, allow us a small caveat that no single report could encompass all factors at play with endpoint protection platforms. However, this Observatory features the most comprehensive and current end-user data and feedback about the marketplace. In addition to relying upon ETR’s industry-leading evaluation and spending intentions data, this report also leverages a new syndicated data set: the ETR Market Array. This debut ETR Market Array for Endpoint Protection Platforms (EPP) study was designed specifically for the endpoint market, targeting security professionals and capturing spending and usage metrics, as well as product feature rankings, ROI, Net Promoter Scores (NPS), and more for the endpoint players encompassed in this Observatory. This report utilizes some of that market intelligence data; in addition, the full Market Array study on Endpoint Protection Platforms is available separately.

While structuring a grouping of vendors that appeases all definitions is futile, this Observatory for EPP vendors categorizes the vendor group in two ways. First, we break down the data-driven plotting of each vendor into our four Observatory Scope vectors. Second, we sort the vendors by their historical entry into the endpoint protection marketplace, beginning with the first generation of vendors with a pre-existing history in antivirus that are still serving the market today. Next, we identify the interesting subgroup of vendors that were originally utilized for their networking acumen before developing endpoint security functionality, including Cisco, Palo Alto Networks, Fortinet, and Check Point. Then, we focus on the next generation of endpoint players robustly driving the ongoing evolution of the market, including CrowdStrike, SentinelOne, Tanium, and others. Lastly, we touch upon mobile-native players like Lookout and Zimperium.

Figure 1. Positioning for the ETR Observatory on process automation was determined by ETR’s two core, syndicated surveys. Full methodology and graphic explanation are available on our About the ETR Observatory page.

This Observatory report examines endpoint protection vendors by triangulating data from ETR’s Technology Spending Intentions Survey (TSIS), Emerging Technology Survey (ETS), commentary from ETR Insights Interviews with IT decision makers (ITDM) from the ETR Community, and proprietary industry analysis by our research staff.

TSIS data measures spending velocity on a vendor or product based on ETR’s proprietary measures of Net Score and Pervasion. ETR Insights interviews provide qualitative context and vendor evaluation to complement quantitative data. This is also the first Observatory report featuring ETR Market Array data, tracking competitive intelligence metrics specific to a peer grouping within a defined product marketplace.

The Observatory Scope

The plotting of vendors across the Observatory Scope is supported wholly by ETR’s exclusive market intelligence and spending intentions data sets (see Figure 1). The Leading vector in this period consisted of CrowdStrike, Microsoft Defender, Palo Alto Networks, and Fortinet. CrowdStrike led in Momentum, while Microsoft Defender dominated in Presence. Palo Alto Networks was solidly positioned in the middle of this group in both measures, while Fortinet, who has been called a “Swiss army knife of tech vendors” due to its broad product offerings, captured enough Momentum and Presence to take the fourth and final spot within the Leading vector.

The Advancing and Trailing vectors were less populated. SentinelOne broke into the Advancing category due to elevated Momentum, which was the second highest, but failed to reach the Leading category because of lower overall Presence. Tanium joins SentinelOne in the Advancing vector based on the fifth-highest Momentum but still trails many peers in Presence. Occupying the Tracking vector is the well-established Cisco, where the vendor was ranked in the top three in Presence but was shy of the Leading vector due to lower Momentum.

In this ETR Observatory, numerous vendors fell within the Trailing vector. While Tanium, Trellix, Carbon Black, Trend Micro, and Sophos all held positive Market Array Net Scores, their relative position was much lower than peers. Malwarebytes had a Net Score of zero, whereas Check Point exhibited negative spending intention levels

Spending Intentions

Figure 2. ETR’s Market Array Net Score for Endpoint Protection Platform vendors was derived from a survey of 336 security-expert ITDMs.

In Figure 2, we exhibit the Market Array Net Score for each vendor within the EPP marketplace. This tracks the forward-looking spending trajectory for each vendor’s endpoint security offerings and differs from ETR’s TSIS, which tracks overall spending projections at the company and sector-wide levels. The data visualized in this figure will be referenced throughout this Observatory report.

CrowdStrike leads with a 61.4% Net Score, driven by the highest level of Increase spend (58% of the vendor’s unique respondents). SentinelOne’s Net Score comes in second and stands out with the highest expected Adoption percentage at 13%. Meanwhile, the ubiquitous Microsoft Defender rounds out the top three with a Net Score slightly below 50%, highlighted by the lowest level of Negative spend (Decrease + Replace).

The peloton of vendors resting in the middle has spending scores ranging from 37% to 16% and consists of (in order) Tanium, Palo Alto Networks, Fortinet, Trellix, and Cisco. Palo Alto Networks, Fortinet, and Cisco all stand on solid footing, with 88%, 89%, and 84% (respectively) of their unique respondents citing either stable or increased spending intent on their vendor’s endpoint products. That is a remarkable feat for all three vendors within an EPP-specific study, considering their origins in the networking sector before branching into security.

On the other end of the spectrum, Symantec (Broadcom), Check Point, and Trellix (formerly McAfee and FireEye) captured the highest anticipated Replacement rates among their respective respondents, ranging from 13% to 12% to 11%, respectively. Trellix is a curious case since its 11% Replacement rate is offset by an equal 11% of its respondents showing intent to Adopt the product. Lastly, given the recent acquisition of Carbon Black (VMware) by Broadcom, that vendor’s relatively high Replacement rate of 8% is of interest, as anecdotal commentary from ETR Insights guests highlights concern regarding the private equity owner’s intentions with the long-tenured endpoint player. One CISO for a large consumer enterprise directly stated, “We have Carbon Black, but the acquisition by VMware and now private equity has us really concerned about the long-term health of that product. So, our intention is probably to change it.”

The Vendor Breakdown

With the data-driven positioning of the Observatory Scope explained, here we break down the vendor-specific categorization of the varying endpoint players, with supporting data and ITDM commentary.

I. First-Generation Players: Malwarebytes, Microsoft, Sophos, Symantec, Trellix, TrendMicro

While some might be surprised to see Microsoft in this first grouping, it is historically accurate. Before Microsoft became the omnipresent Goliath it is today, the vendor made its foray into the market by building endpoint encryption into its operating systems on all Windows devices (Apple did the same for its macOS as well, and Jamf has successfully launched itself from that role these days). One CISO recalls the general attitude of that time as “Why would I pay you more money to secure the computer that you’re giving me? It should already be secure." Of course, back then, the idea that Microsoft would become a dominant enterprise security player was unfathomable. One CISO of a large hospitality enterprise remembered, “Ten years ago, I would have laughed if you told me to use Microsoft’s endpoint security tool. But as an industry, we moved way beyond that, and Microsoft has gained a lot of credibility and industry power in having such a big ownership of the market. Looking at this [ETR data] now, it makes sense with all the investment that Microsoft has done and the security ecosystem they built.”

Another ITDM backed up the notion that Microsoft’s security services are seen as significantly improved. “I can remember as recently as 2019, I wouldn’t have trusted Microsoft Defender any further than I could throw it, but it’s become a great product in the last number of years.” Microsoft Defender for Endpoint, formerly Windows Defender Advanced Threat Protection (ATP), is praised for its comprehensive and unified platform. “If I look at Defender, ATP is actually a pretty solid endpoint security product. They’re definitely getting better with time.”

Microsoft’s suite of Defender offerings is extremely broad, boasting solutions and services for basic antivirus, EDR, Identity, IoT, Cloud Security, SIEM, and even unified XDR offerings. As such, enterprise security practitioners are being won over. “I still don’t think I would put all my eggs in the Microsoft basket,” said one CISO. “But I would definitely consider them for this if they could prove that they’re going to be an open platform and still be able to integrate with competitors.” Hidden within that last comment is the final hurdle left for Microsoft to clear because Microsoft’s capacity is often seen as limited to its own suite, forcing clients to consider alternative players for other areas of security, such as networking, for instance. “If you look at Microsoft 365 Defender, maybe it’s really great at protection of your environment, but when it comes to detection of network anomalies and detection of events, they don’t seem to play at nearly as mature a level as Cisco does.” That said, Microsoft Defender tightly integrates with its other O365 services, which can be an advantage for the majority of large enterprise organizations that already use the universal vendor.

ETR Data: According to the OCT23 TSIS data, Microsoft Office has the highest Pervasion rate among all vendors tracked in our survey universe, with 88% Pervasion of more than 1,700 ITDMs. Microsoft also has the highest Pervasion within Information Security sector at 78%. Switching to spending intentions data, Microsoft has the highest Net Score among all Cloud providers and among all Information Security vendors ETR tracks.

The next highest vendor of this first-generation classification in terms of EPP spending intentions is Trellix, a formed entity that combined McAfee with FireEye in 2022 to create what is being marketed as a unified XDR security provider. Trellix captured a 17.6% Net Score within the endpoint market, with 39% of the vendor’s unique respondents indicating intent to either newly adopt or increase spending with the product. The specific spending intent data for Trellix within the Market Array for Endpoint Protection is much higher than the vendor’s aggregate spending levels across all of Information Security that was captured within ETR’s broader OCT23 TSIS.

Two more names in this grouping of early entrants into the endpoint market were also the only two vendors without any Replacement indications in the Market Array for EPP, and they were Trend Micro and Malwarebytes. Unfortunately, neither of these two vendors had any new Adoptions either. Of the two, Trend Micro had the higher EPP-specific Net Score at 6.7% versus Malwarebytes at an even zero, meaning that positive and negative spend intent were equal and offsetting. Malwarebytes is known for being effective, easy to use, and affordable, and is often marketed as a managed service for businesses that don’t have in-house capabilities. This notion is supported by the Market Array Vendor Strengths data, where easy implementation, integration, and offering good value for the money are top strengths attributed to the vendor.

Trend Micro is one of the numerous vendors in this grouping that offers much more than endpoint protection, including a full suite of CSPM, networking security, vulnerability assessment, and even penetration testing. The wide range of offerings does not translate to increased share, however, as ETR data shows flat Pervasion rates for the vendor over the last 12 months, which are stagnant at 14%. That is a data trend supported by ITDM commentary like this: “I know they have their niche as a cheaper alternative, but I think that Trend Micro is one that people are going to be moving away from because they’re not innovating at the same velocity.” Despite that sentiment, in the ETR Market Array for EPP, Trend Micro ranked third highest in the ROI tracker (out of 18 endpoint vendors), trailing only Microsoft Defender and SentinelOne. Such a favorable ROI sentiment from end users is likely attributable to the more affordable pricing that Trend Micro offers.

ETR Data: In the OCT23 TSIS data, Trend Micro exhibited a -2% Net Score within the broader Information Security sector, considerably lower than its EPP-specific score. Malwarebytes, however, captured a higher Net Score in the TSIS data with its 8% level showing a sizeable year-over-year increase from the -10% recorded in OCT22.

The remaining vendors within this grouping include Sophos and the Broadcom-owned Symantec, with Sophos capturing a nominal but positive 6% Net Score within the endpoint market. Meanwhile, Symantec exhibited the lowest EPP spending intention at an astonishing -26%, based on 35% of respondents indicating negative spend intent (Decrease + Replace) versus only 9% increasing their spend. The data from the broader TSIS survey remains consistent, where Symantec has the lowest OCT23 Net Score across all Information Security vendors at -23%.

With the glaring exception of Microsoft, most of the players in this first-generation category have clearly lost ground to the newer competitors due to cloud-native functionality, lightweight architecture, and far superior threat detection and automated response. An IT Security Manager for a large industrial enterprise expressed the juxtaposition thusly, “Because there’s still a lot of older companies that have the traditional internal Symantec, they’ve got their set ways, and then somebody will bring CrowdStrike in, and they find a lot of vulnerabilities.” He continues that you have to pay for what you get, however, adding, “If you look at the Symantec Endpoint Protection, we were paying $30 a year per license. Now we’re paying for SentinelOne, and it’s $15 a month per license. We went from spending $30 a year on Symantec Endpoint to $180 a year on SentinelOne.”

II. Networking Vendors that Evolved into Endpoints – Check Point, Cisco, Fortinet, Palo Alto

In our second grouping of endpoint protection players, we pair four vendors whose roots are deeply embedded in the networking world but have since spread out to cover a wide swath of security functions and services. Unlike the previous group, who began as endpoint-first players, these companies have leveraged their strong networking market share to land and expand into endpoint-driven features. This group includes Check Point, Cisco, Fortinet, and Palo Alto Networks and was described by one CISO in the ETR Community as such, “Several years ago, Fortinet was the go-to for network security if you wanted a better-than-good but also inexpensive solution. They were the cheaper alternative to Palo Alto, but they performed well. They’ve carried that over into that endpoint space, and there’s absolutely a place in the market for that. Not everyone is going to buy a Ferrari, and if they’re a Honda, or maybe even a Mercedes, there is a space for that.” He adds, “I would view them along with Palo Alto, Cisco, and Check Point, in that same class, meaning they started in the network and they’ve expanded into endpoints.”

Based on the Market Array for EPP data, Palo Alto Networks leads this particular group as one of the two companies in our Leading vector along with Fortinet. Palo Alto Networks also captured the fifth highest EPP-specific Net Score at 33.8%, a level that was driven by 42% of its unique respondents citing an intention to Increase spending with the vendor’s endpoint products. Palo Alto Networks, of course, is known for much more than endpoint-related security services. With origins in hardware, much like this entire grouping, Palo Alto Networks already had a large installed base to expand into and has deployed a deft roll-up strategy to catch up to leading competitors when in-house R&D and innovation weren’t fast enough. As one security manager stated, “Palo Alto’s growth by acquisition is well-recognized. We are all familiar with the business model of Palo Alto, to find the best solutions out there that you either aren’t competing with or, if you are, acquire them and then rebrand them as your own.”

Palo Alto Networks is not the only company in this networking grouping willing to use its market cap and cash flow to retain its market-leading presence, with Cisco deploying a similar playbook. However, simply acquiring solutions and rebranding them does not ensure successful integration and customer loyalty. This is why it is critical to point out that Palo Alto Networks also leads in another auspicious metric within this data set, which is the lowest Churn Score of all featured endpoint vendors. This new and proprietary metric is included in ETR’s Market Array study and is based on customer expectations of longevity and stickiness of a product offering.

ETR Data: The Market Array Churn Score depicts how long customers anticipate utilizing a vendor’s products and services. In the EPP data set, Palo Alto Networks leads with a 37.7% Churn Score. See the Market Array data set for details on the rankings and actual timeline of longevity for each vendor’s product.

Fortinet holds the second-highest EPP Net Score within this networking categorization at 27%, which was buoyed by a lack of Replacement indications among its unique respondent base. While Fortinet was most widely recognized for its networking and hardware prowess, especially affordable firewalls, the vendor has evolved into a full-service shop for many budget-minded IT decision makers. Fortinet’s networking, firewall, endpoint, and SIEM capabilities enable it to collect and analyze security logs from across the organization to provide real-time visibility into security threats and incidents. The company also boasts aspects of security orchestration and automation response (SOAR) that, when added all together, sound an awful lot like the modern interpretation of an XDR. As one ITDM noted, “We do work with Fortinet, and they do bring a lot to the table, and I think have really good value. They’re not just a firewall. They can do a lot of other things; they can do endpoints and SIEM for you.” Another price-sensitive Director of Technology for a higher education institution even went as far as switching away from an existing vendor to sign a more palatable contract with Fortinet. “We switched from Palo Alto to Fortinet. Palo Alto is great technology; they’re just terribly priced. Palo Alto has lost a ton to Fortinet in education, and I don’t foresee that changing until Palo changes their pricing model.”

Reinforcing the above viewpoint on Fortinet’s affordable pricing, this was the sole vendor in this networking-first grouping with a high ranking for the “product offers good value for the money” answer option in ETR’s Vendor Strengths analysis, with 70% of the company’s respondents agreeing or strongly agreeing with the statement. The vendor’s endpoint product also captured high rankings for the availability of technical professionals with relevant experience, executing updates to the product suite well, easy implementation, and high remarks for offering the technical support needed for the product. In Figure 3 below, you will see an abridged excerpt of this analysis from ETR’s Market Array.

Individual Vendor Strengths

Figure 3. The above image is an abridged visualization of ETR’s Market Array Individual Vendor Strengths analysis. The full data model ranks 10 answer options and is searchable by all vendors. See the full Market Array data for details.

Moving on to our next networking-to-security vendor, Cisco had the highest Presence positioning of this group (and third highest Presence of the entire endpoint constituents tracked) but fell slightly short in its Momentum ranking to break into the Leading vector during this iteration, instead sitting regally as the lone vendor in the Tracking vector. This high customer presence is not exclusive to the endpoint market, however, because Cisco also holds the second-highest Pervasion ranking in ETR’s broader TSIS survey, trailing only Microsoft in the Information Security sector, and standing ten percentage points higher than Palo Alto Networks.

In the Market Array for EPP, Cisco’s Net Score came in at a healthy 16%, with 84% of respondents planning steady or increasing spend within the vendor’s endpoint products. Similarly, the company saw a 16.4% Churn Score, with 24% of its respondents stating plans to use the endpoint products for “five years or more,” which was the highest in the analysis and good enough for a fourth-place ranking across all featured vendors.

Like Cisco, Palo Alto Networks is also “in a race against time to shift away from traditional hardware and networking revenue as that shrinks and make sure that they can get their security services revenue up to a point where it offsets that,” as one ITDM aptly described. Although Palo Alto Networks’ products and services are often considered best-of-breed, it can be very difficult to unseat an established platform vendor, especially within large enterprises, where Cisco often excels. As one CISO from a large financial services enterprise told ETR, “[Cisco’s] newer products come very close from a security perspective to what Palo Alto products do, and they’re much cheaper. It would be hard for a major Fortune 100 institution to say, we’re going to give up Cisco, and we’re going to go all in with Palo Alto.”

Perspective changes based on your positioning, of course, and Cisco’s size and expense frustrate others, especially smaller and even more budget-conscious organizations. “It’s pretty hard to avoid Cisco. For anything more than the smallest companies, you’re going to encounter Cisco hardware at the very least.” This ubiquity can be restricting, and the urge to avoid Cisco vendor lock-in and complexity could leave an opening for vendors like Fortinet, who offer products at a more competitive rate, as well as new market entrants. This was the sentiment expressed by one smaller enterprise ITDM who said, “Cisco has become so big and so expensive that it is actually time to do something different. It’s time for us to work with a smaller vendor who is putting out a great product at a more competitive rate.”

That said, Cisco’s recent acquisition of Splunk gives the combined company a clear runway into even more expanded offerings, which could retain customers tempted to switch. Recently, the Executive Director of Information Security and Risk Management from a large healthcare enterprise commented that “Cisco is obviously so pervasive with the networking piece, and such a big part of cybersecurity in your environment is your network, so it’s very smart that they’re moving in that SIEM direction too.” ETR recently conducted a Drill Down survey querying joint Cisco and Splunk customers about their sentiment around the announced acquisition, which was generally well-received. ETR clients can review that report on the ETR Platform.

As we wrap up this grouping, it is remarkable to note how successfully these former networking and hardware companies have adeptly moved into a software-defined security realm with a full suite of offerings ranging from basic endpoint agents to full XDR suites and beyond. As they continue leveraging R&D and M&A dollars to keep pace with the next wave of cloud-native players (highlighted in the next grouping), one would caution them that CISOs have memories like elephants. Only through dedication to their security roadmaps will they earn loyalty. As one CISO warned, “Cisco has been hot and cold on security through the years. Sometimes they’ve had really great products, but they abandoned them and changed their strategy. I’ve been burned before. Yes, it was a while ago, but I still do have a little concern.” Only time can heal old wounds, but the current pace of investment and adherence being shown by these networking-turned-security players should assuage any lingering doubts.

Lastly, if praise is warranted for Palo Alto Networks, Cisco, and Fortinet’s transition to broader endpoint-derived security services, Check Point appears the laggard in this group. Based on the ETR Market Array data, Check Point has an EPP-specific Net Score of -3% and a Churn Score of -7%, both ranking as the worst of this cohort. The story for Check Point stays the same across the entire OCT23 TSIS data set as well, as seen in Figure 4 below, where these four vendors are plotted by Net Score (y-axis) and Pervasion (x-axis) within the broader Information Security sector. Palo Alto Networks and Fortinet lead in Net Score, while Cisco leads in Pervasion, and Check Point is mired in negative Net Score and single-digit Pervasion levels.

Vendor Position

Figure 4. Net Scores (y-axis) and Pervasion (x-axis) for vendors categorized in the networking grouping of the ETR Observatory for EPP show Palo Alto Networks as a leader in spending intentions, followed by Fortinet and Cisco, who also leads the group in Pervasion. Check Point lags far behind in both measures.

III. Second Generation Vendors – Carbon Black, CrowdStrike, SentinelOne, Tanium

One drawback of chronological structure is having to wait for the present, but alas, here is the final grouping of this Observatory report’s featured EPP vendors. This group garners the majority of headlines and analyst attention in the very hot EDR and XDR market, but none of them would exist without the path blazed by the groupings previously analyzed.

First, an admission that based solely on the feature set of Microsoft’s current endpoint-related security offerings, it is worthy of inclusion with this grouping. However, it should be noted that it was only in 2019 that Microsoft took a hodgepodge of different antivirus and ATP offerings and started rebranding them under the Defender moniker, a journey that continued into 2021 with Microsoft 365 Defender. That is not a knock on their product but a defense of the categorization methodology when compared to three other second-wave players in this space that were all founded within a three-year window, including CrowdStrike (2011), Cybereason (2012), and SentinelOne (2013). This is a solid place to start our review of the data for the second-generation endpoint vendors since two of them lead the endpoint market in spending intentions.

Although both CrowdStrike and SentinelOne lead with the top two positions in Momentum, it is the Presence metric that separates the vendors, with CrowdStrike holding a material lead, large enough to break into the Leading vector, while SentinelOne is closely behind in the Advancing vector. By the numbers, CrowdStrike holds the highest Market Array Net Score at an extremely robust 61%, driven by 65% of the vendor’s respondents citing an intention to either Adopt or Increase spend. SentinelOne also holds an elevated EPP Net Score of 54%, strengthened by the highest Adoption rate of the entire endpoint survey at 13%. Churn Scores also favor CrowdStrike, as the vendor ranks third versus SentinelOne at sixth regarding the expected length of use for their respective endpoint solutions. Inversely, ETR’s ROI rankings favor SentinelOne, which holds the second-highest position and is eight spots higher than CrowdStrike in that analysis. Both vendors were also ranked in the top three (behind Microsoft Defender) of the most desired vendors (see Figure 5 below).

Most Desired Endpoint Protection Vendors

Figure 5. The above image is an abridged visualization of ETR’s Market Array Most Desired Vendors analysis. Respondents stated their Most Desired EPP Vendor, with Microsoft Defender, CrowdStrike, and SentinelOne holding the top three positions. See the full Market Array data for details.

Lastly, in yet another debut unveiling of a new ETR data set, the ETR Market Array for EPP also incorporates a Net Promoter Score (NPS) for all vendors listed, and CrowdStrike and SentinelOne are two of only three vendors holding a positive NPS in that analysis. As with all the data cited in this Observatory, the NPS scores and full breakdown for all vendors are available as part of ETR’s Market Array study.

The data supports both vendors as forerunners within the marketplace, and the marketing doesn’t add much distinction as these two rival companies claim to have very similar capabilities and are often locked in somewhat adversarial and head-to-head POCs. Both are also born cloud-native, with AI and machine learning already well-entrenched in their DNA instead of hype phrases being bandied about, and both offer fully comprehensive suite offerings with strong visibility that could potentially displace other security offerings over time. One such security feature in their crosshairs is vulnerability management, an area of security that is being encroached upon in multiple directions. As such, we decided to dedicate a portion of this analysis to hearing directly from ETR’s community of ITDMs and end-users about these two competitive offerings.

Let’s begin with those ITDMs that will only settle for the best and have the budget to support their expensive tastes, such as this CTO who states his strategy as such, “CrowdStrike is the best of the best as far as endpoint protection goes. We start with the Microsoft tools, then we supplement on top of that with the Cisco tools, and then we supplement on top of that with CrowdStrike.” However, other customers are switching from legacy providers to SentinelOne to reduce complexity, improve efficiency, and lower costs. “I belong to a CISO group in Chicago that has about 150 CISOs, and we just had an exchange about EDR players,” said a VP & CISO of a large tech enterprise. “There were a fair number of peers who switched from a more traditional or a legacy antivirus player to SentinelOne instead of CrowdStrike. I’ve seen two different sentiments expressed: one being that it’s fantastic and it’s just as good as CrowdStrike, and the other side is that it’s a little more overhead on the endpoint.” Still others describe SentinelOne as easier to use. “I find the ability to use it is just easier, its deployment is easier. Finding folks that are well trained in SentinelOne has also been easier,” remarked a Director of Managed Services for a large tech services enterprise.

As alluded to earlier, both SentinelOne and CrowdStrike claim they can be used for vulnerability management and patching, though ETR Insights commentary suggests customers are not yet confident enough to fully replace a service like Qualys, Tenable, or Rapid7. “I do know that, at least for SentinelOne, that they’re going to be incorporating a vulnerability management component into their EDR solution, but I don't know if they’re going to be able to fully automate patching systems.” Another ITDM adds that competitors like Tanium may be a better choice for organizations that need visibility into and control over all assets in their environment. “You can sort of do the same thing on CrowdStrike and SentinelOne, but it’s more difficult because it gives admin and access to do certain things, but then you have to build the scripts to do it, while Tanium already has that.”

That quote segues into our next vendor profile in this category. Tanium likely warrants a sub-category of its own, and some may question its inclusion in this Observatory, but despite being widely viewed as an asset management player, Tanium markets itself as a converged endpoint management (XEM) solution with enhanced incident response. The vendor clearly holds weight in the endpoint security market, as our data will demonstrate. Across the ETR Market Array study, Tanium solidly holds the fourth-highest EPP-specific Net Score at 37.5% and fifth-best Churn Score at 13.5%, driven by 48% of its respondents expecting to use the vendor’s products for “at least four years,” which was the highest for that answer option among all vendors.

Tanium is widely used to monitor, create, manage, and deploy patch schedules for all endpoints. “Tanium allows us to update the endpoints. As soon as that machine hits the Internet, the first order of business is going to be that any updates or security patches that need to be pushed down are getting pushed down.” To this end, it fills a particular gap left by other security providers. “It really depends on what technologies and gaps you have today. In the case of other competitors, they don’t have the patching piece, but Tanium does.” Tanium’s lightweight architecture and broad capacity to address asset management, security, risk, and compliance make it attractive, though other competitors may offer more in-depth protection. As one CISO said, “If they were to go toe-to-toe with a Carbon Black or others and had to win the deal solely on their EDR capability, they would be in trouble. But Tanium does so many other awesome things, like discovery of assets on your network.”

Usage vs Spend Projections

Figure 6. In ETR’s Market Array for EPP, respondents offered the overall usage or utilization of each endpoint provider in their stack. Above, we plot increases in overall usage on the y-axis against spend increases on the x-axis to see how the metrics differ.

In Figure 6, we take one last look at a proprietary data visualization from ETR’s Market Array study, which plots how usage of each vendor’s endpoint products might differ from spending intent. Consider this the final exhibit of why Tanium deserves a place at the endpoint security table, as the vendor checks in with the second-highest increasing usage percentage, trailing only CrowdStrike. In this visualization, it is clear how CrowdStrike, SentinelOne, and Microsoft Defender have separated themselves from the rest of the pack in terms of both usage and spend velocity. Palo Alto Networks is also very well positioned in this analysis.

Another name sitting squarely in the center of this analysis is Carbon Black (VMware), a vendor that straddles the first and second generation of endpoint vendor groupings. Having been founded more than 20 years ago in 2002 as Bit9 and then branded as Carbon Black in 2011, the vendor has spanned a long course of endpoint evolution. The vendor was also one of the early players to market itself as an EPP using machine learning and behavioral analytics in its proactive defense and remediation of attacks.

After being acquired by VMware in 2019, it will now be folded into the Broadcom portfolio and join legacy Symantec as part of the private equity firm’s growing security quiver. As mentioned earlier in this report, many ITDMs have expressed concern about private equity ownership marking the end of investment and innovation. That sentiment may already be playing out in the ETR Market Array data, where Carbon Black had an EPP-specific Net Score of -4.3%. That low spending trajectory, along with Presence falling behind its leading peers, plotted the vendor in the Trailing vector of this Observatory report.

IV. Lower Citation Vendors – Cybereason, Cylance, Lookout, Zimperium

The structure of the ETR Market Array study was designed to capture metrics based on the survey respondents’ choice of EPPs being deployed within their enterprise, and as a result, some vendors were cited more often than others. This section quickly touches upon those vendors that did not garner enough citations to merit inclusion in many of the analyses depicted above.

One company in this category is Cylance (Blackberry), another of the second wave of EPPs founded in 2012 and which marketed itself as a pioneer in cybersecurity AI before being acquired by Blackberry in 2019. According to ETR’s TSIS data, Cylance has been stuck in negative Net Score territory for the last year, with the most recent OCT23 survey capturing a -6% spending intent for the vendor.

Finally, we review three endpoint vendors that ETR tracks in its Emerging Technology Survey (ETS), which is designed to track awareness, evaluation, and utilization of private companies across the enterprise technology domain. Cybereason, Lookout, and Zimperium are all tracked in the Endpoint subsector of the ETS. While Cybereason is more aligned with the second-generation EDR and XDR players detailed earlier in this report, Lookout and Zimperium are both security applications specifically designed for mobile devices.

ETR Data: Lookout leads in overall awareness with the highest Mind Share level of the three and is also well positioned in overall Net Sentiment, falling slightly below the leader Zimperium. Although Zimperium leads the three in Net Sentiment, it is the worst-positioned with a Mind Share percentage below 10%. Lastly, Cybereason rests between the two, holding second place in Mind Share but last in Net Sentiment.

Conclusion: Progression Plus Integration Will Fulfill the XDR Promise

The endpoint-related security industry is relentlessly advancing, and in this Observatory report, we see CrowdStrike, SentinelOne, and Tanium driving innovation with the massive gravitational force of Microsoft drafting very closely behind. Meanwhile, the native networking players with entrenched customers, like Palo Alto Networks, Cisco, and Fortinet, have quickly transitioned and kept pace with market demands to join the push toward progression. Although first-wave players with historical significance market themselves with EDR and XDR capabilities, the end user data suggests their message is not resonating.

The true pacemakers of this market are cloud-native and better equipped to roll out expanded features, fostering hope of an open and unified XDR strategy. As we set our gaze to the horizon, the fast-paced adoption of generative AI and large language models will be in focus, although in this endpoint-related security market, AI and ML have long been a part of the leading vendors’ feature sets. Almost all of the vendors categorized in the second wave have long lauded this technology as an underlying foundation of their efficacy, and some are now re-branding aspects of these offerings simply to better monetize the trend.

Amidst global tensions, further deterioration in the threat landscape is likely, and with bad actors leveraging AI, enterprises and public institutions alike must follow suit in scaling security vigilance. In just one small reflection of the environment, the US Securities and Exchange Commission adopted rules this year requiring public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Regulatory compliance will only increase in tandem with the escalating risks as forces driving this market.

Although endpoint security is only one layer in the depth of defense necessary for effective cybersecurity, the evolutionary arc from antivirus to XDR must press forward. However, a truly open and unified XDR will never be a single-source solution but more an agnostic and communicative pull of telemetry across the holistic environment. As such, the promise of XDR will only manifest once vendors relinquish the selfish goal of customer lock-in and target collaborative integration instead.

Contact the ETR Team to discuss this report or request the source data.

ETR Insights:

Our ETR Insights library contains transcripts and executive summaries from 360+ live and virtual events, totaling 15,000+ minutes of audio interviews. Uncover inflection points, understand what drives the decisions of enterprise technology purchasing leaders, and aggregate end-user sentiment around progressive technology trends.

ETR Insights Team:

Erik Bradley, Chief Strategist epb@etr.ai

Daren Brabham, PhD, Sr. Director Analyst dbrabham@etr.ai

Jake Fabrizio, Associate Analyst jf@etr.ai

Media Contact:

Contact our press team at press@etr.ai

View and download this report

Ask about reprints

See more Observatory reports

This document was prepared by Aptiviti, Inc. (“Aptiviti”), the parent company that operates the Enterprise Technology Research or “ETR” business, and is intended only for the designated recipient(s). It may contain confidential or proprietary information and may be subject to confidentiality protections. Except as expressly stated in the Aptiviti, Inc./ ETR Terms of Use (https://app.etr.ai/terms-of-use), (i) this document is provided “as is”, and Aptiviti makes no warranties, representations, or covenants, expressed or implied, regarding this document and its contents, (ii) Aptiviti expressly disclaims all warranties, representations, and covenants regarding this document and its contents, and (iii) your use of this document is at your own risk. In no event will Aptiviti be liable for any damages or other costs or fees incurred by you arising out of your use of, or your inability to use, this document, even if Aptiviti has been notified of the possibility of such damages or other costs or fees. If you received this document in error, please notify the sender and delete this document. Thank you.