Planning, version control, progressive deployments… A year after the CrowdStrike incident, content update control remains scarce on EDRs.
Gartner notes this in its latest Magic Quadrant for Endpoint Protection Platforms (EPP).
Over the past year, major vendors have largely innovated little at the core functional level. Their R&D has pivoted toward adjacent products, third-party solution integrations… and the AI aspect. That includes generative AI, even though its use remains embryonic. At present, it mainly provides administrative assistance (incident summaries, documentation discovery, translation between text and code…). The agent-focused roadmaps hint at task-oriented solutions, such as triaging alerts and resetting credentials.
There remains a long road ahead to integrate AI assistants with third-party products, Gartner notes. Connectivity with security solutions for the workspace appears more advanced.
15 vendors, 6 “leaders”
All the vendors that were ranked last year are ranked again. And the six “leaders” remain: CrowdStrike, Microsoft, Palo Alto Networks, SentinelOne, Sophos, Trend Micro.
On the “execution” axis, reflecting the ability to actually meet demand, the ranking changes little.
| Rank | Vendor | Year-over-year change |
|---|---|---|
| 1 | CrowdStrike | = |
| 2 | Microsoft | = |
| 3 | SentinelOne | = |
| 4 | Palo Alto Networks | = |
| 5 | Trend Micro | = |
| 6 | Sophos | = |
| 7 | ESET | +1 |
| 8 | Trellix | -1 |
| 9 | Bitdefender | +1 |
| 10 | Fortinet | -1 |
| 11 | Check Point | = |
| 12 | WithSecure | +1 |
| 13 | Cisco | -1 |
| 14 | Broadcom | = |
| 15 | Cybereason | = |
They do not move much further on the “vision” axis, reflecting strategies (commercial, geographic, sectoral, R&D…).
| Rank | Vendor | Year-over-year change |
|---|---|---|
| 1 | CrowdStrike | = |
| 2 | Microsoft | = |
| 3 | SentinelOne | = |
| 4 | Palo Alto Networks | = |
| 5 | Trend Micro | = |
| 6 | Bitdefender | +1 |
| 7 | Sophos | +1 |
| 8 | Check Point | -2 |
| 9 | Fortinet | +2 |
| 10 | ESET | +4 |
| 11 | Cisco | -2 |
| 12 | Cybereason | -2 |
| 13 | Trellix | -1 |
| 14 | WithSecure | -1 |
| 15 | Broadcom | = |
CrowdStrike pricing becoming increasingly opaque
Gartner credits CrowdStrike with a strong point for the effectiveness of its EDR, cloud management, and its TDIR (Threat Detection, Investigation & Response) integrations. It also praises the lightweight agent, telemetry collection capabilities… and the content update control options integrated after the Summer 2024 incident. The US vendor also enjoys a large market share and strong brand recognition among buyers.
Despite the availability of a “flexible” licensing model, pricing is increasingly hard to understand, while remaining among the highest. Gartner also points to minimal linguistic localization of the admin console (English and Japanese), as well as a smaller number of SaaS PoPs compared with other vendors. CrowdStrike is also not suited for those who require on-prem or hybrid management.
A trend of underutilized Microsoft bundles
Microsoft also earns praise for several aspects of its product (EDR, cloud management, integrations with workspace security solutions). And for its roadmap, notably autonomous reduction of the attack surface. It also combines brand recognition with market share.
Microsoft has been among the vendors that recently focused on adjacent segments such as security posture management. It has room to improve the customer experience, from initial deployment and configuration to relatively slow support. Moreover, its bundles are often underutilized, alongside a tendency to be less generous with discounts at renewal time.
Pricing remains high for Palo Alto Networks
Palo Alto Networks also stands out for EDR and cloud management, as well as for its TDIR integrations. Its roadmap aligns with emerging needs, Gartner adds. The vendor is generally well funded, has a global presence, and shows revenue growth above the market.
Despite a competitive migration program from competing solutions, the cost of Palo Alto Networks solutions remains high. They are not suited for those seeking on-site or air-gapped management. And despite revenue growth, their market share is not at the level of the other leaders.
SentinelOne, still limited outside the American market
SentinelOne shares the same strengths in EDR and cloud management (plus hybrid). Gartner also notes the ease of use of its solutions, extending to the console, whose UX “differentiates itself” in the market.
The language localization of SentinelOne’s admin dashboard is limited (English, Japanese), as is the vendor’s penetration outside the United States compared with other leaders. Caution is also warranted on pricing, which sits at a premium. As for R&D, the focus recently extended to adjacent products, such as automation and orchestration.
Sophos products, resource-hungry…
In addition to its track record in this market and steady revenue growth, Sophos benefits from user-based licenses, which can be competitive in organizations where each employee has multiple endpoints. Gartner also notes the acquisition of Secureworks, which broadens commercial reach and expertise in adjacent segments, while hinting at stronger TDIR functionality.
Beyond its products’ unsuitability for on-prem or air-gapped management needs, R&D has not recently focused on core functionality: it has rather targeted telemetry gaps and the integration of Taegis XDR. Also beware of high resource consumption during scans, and of workflows deemed “inefficient” in Sophos Central.
… like Trend Micro’s
Beyond Trend Micro’s prevention and management capabilities (cloud + hybrid), Gartner praises the breadth of OS support and its virtual patching technology. The protection capabilities are “well integrated” and “well differentiated,” according to the firm. It also appreciates innovation in behavioral protection, content update control, and deepfake detection.
However, the user experience can be degraded by a large volume of alerts and resource consumption during scans. Also note the lack of clarity in the credit-based licensing model. Gartner adds that revenue growth is slower than that of the other leaders.