DLP, browser security, AI usage governance, and just‑in‑time hardening… These are all capabilities that endpoint protection platform (EPP) vendors tend to prioritize over core innovation in their offerings.
Gartner highlights this in its latest Magic Quadrant devoted to this market. In this context, it explains, gaps are widening in areas such as:
- Telemetry collection
- Agent footprint
- Administration and detection logic customization
- Functional coverage outside Windows environments
Last year, the firm already noted this tendency to push R&D toward ancillary products, as well as the integration of AI, including generative AI, even though its use remained embryonic. It mainly provided administrative assistance (incident summaries, documentation discovery, text-to-code and vice versa).
Almost a year later, the finding persists. As for generative AI, the associated roadmaps are primarily focused on automating repetitive tasks such as triaging alerts, creating queries and playbooks, and analyzing malware. Extending the scope to third‑party products remains a prospect.
Coupled with SecOps process structuring and stack consolidation, market maturity is fueling upselling: 25% of organizations buy, from their EPP vendor, adjacent TIDR (threat detection and incident response) products.
13 vendors, 6 “leaders”
Last year, 15 vendors appeared in Gartner’s Magic Quadrant for endpoint protection platforms. All remain in the field this year, with Cisco and Cybereason the only exceptions. No change in the Leaders quadrant, still occupied by CrowdStrike, Microsoft, Palo Alto Networks, SentinelOne, Sophos and TrendAI (Trend Micro).
On the axis dubbed “execution,” which translates to the ability to actually meet demand (quality of products/services, customer experience, market track record…), the situation is as follows:
| Rank | Vendor | Year‑over‑year change |
| --- | --- | --- |
| 1 | CrowdStrike | = |
| 2 | Microsoft | = |
| 3 | SentinelOne | = |
| 4 | Sophos | + 2 |
| 5 | TrendAI | = |
| 6 | Palo Alto Networks | – 2 |
| 7 | ESET | = |
| 8 | Bitdefender | + 1 |
| 9 | Check Point | + 2 |
| 10 | Fortinet | = |
| 11 | Trellix | – 3 |
| 12 | WithSecure | = |
| 13 | Broadcom | + 1 |
On the axis “vision,” which reflects strategies (commercial, geographic, sectoral…):
| Rank | Vendor | Year‑over‑year change |
| --- | --- | --- |
| 1 | CrowdStrike | = |
| 2 | Microsoft | = |
| 3 | Palo Alto Networks | + 1 |
| 4 | SentinelOne | – 1 |
| 5 | TrendAI | = |
| 6 | Bitdefender | = |
| 7 | Sophos | = |
| 8 | Check Point | = |
| 9 | Fortinet | = |
| 10 | Trellix | + 3 |
| 11 | ESET | – 1 |
| 12 | WithSecure | + 2 |
| 13 | Broadcom | + 2 |
CrowdStrike advances on data security…
Last year Gartner credited CrowdStrike for the effectiveness of its EDR, its cloud management and its TIDR integrations. It also appreciated the agent’s light footprint, its telemetry collection capabilities, and options for content updates control. All while noting the vendor’s strong brand among buyers and its sizable market share.
This year, Gartner again praises EDR, cloud management, and the agent’s lightness. It also highlights the “growing maturity” of CrowdStrike in data security. Good marks also on the customer experience (account management, technical support, managed services) and on the product strategy (steady investment, a single console).
… but still more expensive than the average
In its 2025 assessment, Gartner found that CrowdStrike’s pricing had become increasingly opaque while remaining among the highest. It had also pointed to the admin console’s minimal language coverage (English and Japanese) and to fewer SaaS points of presence than other Leaders. It noted that the solution was a poor fit for anyone needing on‑premise or hybrid management.
Although Gartner no longer frames pricing as “difficult to understand,” it still characterizes it as premium. The on‑prem or hybrid management issue remains relevant, with a broader note: the offering is not ideal for organizations seeking complete operational and technological sovereignty outside the USA… Outside this region, hosting choices are limited to Germany.
Microsoft, praised for predictive capabilities…
Last year, Microsoft stood out for EDR and cloud management, as well as for its integration with workspace protection solutions. Gartner also liked its roadmap, particularly in reducing the attack surface. It similarly noted the vendor’s visibility and market share, as with CrowdStrike.
This year again, EDR, cloud management, visibility, and market share remain strong points for Microsoft. It also earns praise for its integrations with the Defender suite and for “growing maturity” in data security. The product strategy also hits the mark for Gartner, especially on predictive protection.
… less on support and licensing
In 2025 Gartner had flagged improvements needed in customer experience, from initial deployment to configuration and the relative slowness of support. It also highlighted underutilization of Microsoft bundles, while renewals tended to be less generous on discounts.
This year, customer experience remains variable, particularly in ease of use and the quality of technical support. Licensing proves complex, and Defender for Servers isn’t included in popular bundles like Microsoft 365 E3 and E5. As with many others, there is no on‑prem option, and the prospect of full operational and technological sovereignty outside the USA remains out of reach.
Palo Alto Networks, appreciated from DLP to kernel-driver protection…
Like CrowdStrike, Palo Alto Networks was praised last year for EDR, cloud management and TIDR integrations. Its roadmap also impressed Gartner, which called it “aligned with emerging needs.” Other strengths cited include robust funding, global presence and revenue growth outpacing the market.
In terms of EDR effectiveness, Gartner this year adds functional parity across the covered platforms. It again notes maturity in cloud management and highlights the roadmap, particularly on AI security. It also points to the flexibility of customization and automation, the expansion of DLP, and kernel‑driver behavioral protection.
… but again more expensive than average
Palo Alto Networks’ market share does not reach the level of other Leaders, Gartner had stated last year. It also underlined the high cost of its solutions and, once again, their mismatch for those needing on‑premise or air‑gap management.
The remark on costs remains, especially as they tend to rise at renewal. The same goes for on‑prem management, still absent; and for market share, which remains below that of other Leaders.
SentinelOne stands out for its product strategy…
In 2025, SentinelOne did not deviate from favorable notes on EDR and cloud management (+ hybrid). It also earned praise for the ease of use of its solutions, right down to the console, whose UX “differentiated itself in the market.”
This year Gartner applauds SentinelOne’s market share. It also notes its understanding of the market, evidenced by acquisitions such as Prompt Security (control of GenAI usage). Product strategy is another positive point, including expanded visibility into network telemetry, a DLP roadmap and feature parity across operating systems.
… but appears less often on the shortlists
The administrative dashboard’s language reach for SentinelOne is limited to English and Japanese, Gartner explained in 2025. It also noted a relatively limited presence outside the USA compared with other Leaders, along with premium pricing and a trend to focus R&D on adjacent products like automation and orchestration.
The remark about limited non‑USA penetration remains. Moreover, SentinelOne appears less frequently on the shortlists than in the past. And its latest advances (expanding DNS telemetry, mitigating lateral movement, etc.) do not stand out as market‑leading innovations.
Sophos has extended its reach…
In 2025 Sophos stood out for its historical presence in this market and steady revenue growth. Gartner also praised per‑user licenses, which could be competitive in organizations where employees work across multiple endpoints. It also noted the implications of acquiring Secureworks for TIDR, alongside broader commercial expansion.
The combination of market presence and steady revenue growth again earns Sophos favorable marks. So do per‑user licenses, and the Secureworks acquisition, which indeed broadened Sophos’ global footprint. Another plus: increased headcount for QA activities.
… but little innovation
Beyond misalignment with on‑prem management, Gartner had pointed out last year a heavy resource load during scans and inefficient workloads in Sophos Central. A further caveat: R&D had shifted away from the core offering toward integrating Taegis XDR.
Recently, R&D has focused less on breakthrough innovation and more on addressing gaps (agent performance, AI‑assisted incident summarization, etc.). Like SentinelOne, Sophos rarely features on the shortlists relative to other Leaders. As with most of them, there is no on‑prem option, and full sovereignty outside the USA remains out of reach.
From Trend Micro to TrendAI, pricing remains competitive…
Last year, prevention and management (cloud + hybrid) counted as strengths for Trend Micro, which has since become TrendAI. Gartner also praised the breadth of OS coverage, the technology for virtual patching, and, more broadly, the well‑differentiated protection capabilities. It highlighted innovations in behavioral protection, content‑update control, and deepfake detection.
The note on OS support remains valid, as does the one on prevention and management. Gartner also adds improvements in data and workspace security, as well as the roadmap for reducing the attack surface and protecting against prompt injections in the browser. It also mentions generally competitive pricing.
… but the credit‑based licensing model still lacks clarity
Customer experience can suffer from the high volume of alerts and resource consumption during scans, Gartner warned last year. It also emphasized the lack of clarity in the credit‑based licensing and noted revenue growth slower than that of other Leaders.
A year later, these three observations still hold. They are accompanied by issues with support quality, according to some customers’ feedback.