EDR Platform Comparison

Take a look at the CDC-ON® response to the rest of the EDR/XDR competition including multiple market leaders.

CDC-ON®'s Response to Market Leaders

Market Leader 1 Market Leader 2
MSSPs', You name it, we will get it for you
Freedom to Choose Vs. One Size Fits All
Customizable without the cost: Multi-site, multi-level architecture tailored to your org structure with no extra charge Flexibility that costs a fortune: Flat, limited tenancy with additional costs for limited customisation Customizable at code-level to suit the MSSP's business goals.
Easy to learn, easy to become an expert: Manage your operations from one intuitive console A laborious learning curve: Requires navigation between Market Leader 2-native & Splunk-powered technology No learning curve
Cloud-native, with options for more: Cloud-first SaaS, hybrid, and on-prem deployment & management available Confined to cloud-only MSSP decides the architecture, implementation, and delivery modes based on their business needs.
Time is Money: Faster, Better, Smarter Than Humans Alone
The simplicity of Storyline™: Automatic correlation of benign and malicious telemetry, events are mapped to MITRE for faster investigation and response Less signal, more noise: “Continuous, comprehensive recording” translates to manual parsing, prioritization, and correlation of telemetry; especially challenging across reboots CDC-ON® SOAR: Automatic correlation of benign and malicious telemetry, events are mapped to MITRE and or to other tactics of the MSSPs' choice for faster investigation and response
Real-time reconstruction: Machine-powered attack reconstruction generates focused, contextualized alerts for faster MTTR Human-powered, human-limited: Delayed, manual analysis introduces greater risk exposure CDC-ON® focuses on the shortest possible dwell time between attacks and the fastest MTTR
Fully automated recovery: Patented automatic and 1-click remediation & rollback Rudimentary remediation: Implemented through API and custom code Single click remediation or map the remediation to the clients' change management process
Confidence and Continuity in the Cloud
Scalable and sustainable: Runtime protection for containers, 10 Linux distributions Limited in Linux: Reduced feature support for 7 Linux distros, containers Containerized architecture, all Linux distributions or can custom build it for the MSSP
Control and confidence: No DevOps / performance impact, scheduling and maintenance window support available Unplanned updates: OS kernel module dependencies may cause forced updates No maintenance window controls No, performance degradation, Quad server architecture and containers allow live updates with minimal maintenance windows
EDR That Over-delivers, Not Overwrites
365 days: Malicious incident details 180 days: Malicious incident details Limitation is determined by the MSSP not the product
14 days: EDR data handles attacks like SUNBURST, upgradable to 365 days 7 days: EDR data misses attacks like SUNBURST, overwrites data every 7 days; high comparative cost to upgrade beyond 7 Limitation is determined by the MSSP not the product
The data you need, on-demand: Cloud data lake streams in real time Delays for data: Data lake streaming takes hours or longer Real-time data availability
Where You’re a Name, Not a Number
No security team left behind: Vigilance Respond & Respond Pro MDR offer accessible options for incident-driven triage, digital forensics, incident response, and threat resolution as needed for your organization Premium prices for standard services: Comparable capabilities require OverWatch Elite or Falcon Complete (Market Leader 2 highest-tier offerings) Fully customizable as per the MSSP needs.
Actionable hunting & intelligence: WatchTower threat hunting service comes standard with Vigilance offerings Overpromised, under-delivered: Falcon Overwatch costs a premium for correlation-based services Under promise and over deliver. Your pie in the sky is what we want to deliver
Fastest MDR on the planet: SOC expertise powered by platform automation MDR at human-speed: Only responds as quickly as its analysts, even with Falcon Complete Humans are still need, fastest automated response and or human-automated hybrid mode.
Ready. Real-time. Record-breaking.
Quick and customizable (STAR, MITRE): Rules and policy updates are active and instantly responsive upon deployment to agents Lags and limitations: Behavioral rule, custom IOA, and policy changes can take up to 40 minutes to take effect, extending an attack’s lifespan and cost Instantaneous, customizable
Richer context, fewer alerts: The most analytic detections in the MITRE ATT&CK Evaluation 3 years running, Singularity automatically consolidated 109 attack steps into just 9 alerts Manual and maintenance-heavy: A third as many analytic detections, despite all of the continuous tuning and manual correlation & analysis Automated and hybrid mode.
Unparalleled Visibility: Works out-of-the-box, achieved record-breaking results in the ATT&CK evaluation with the highest analytic coverage Middle-of-the-road: 86% visibility with 17 missed detections, delays, and configuration changes with analytic detections for only 94 of 109 sub steps Full range of visibility combining the strengths of both Market Leader 1 and Crowd strike
Discovery as Dynamic as Your Attack Surface
Passive and active: Network discovery, fingerprinting, and suspicious device blocking Passive-only: Rudimentary network discovery Combines all the strengths of these competing products and also the only product in the market that slows code level customization to meet the MSSPs' business needs
Full functionality, one price: Unlimited Device Control and Firewall Control, no fine print Multiple modules, multiple costs: Complicated licensing for rudimentary capabilities
Enterprise-ready: Broad OS support for Firewall Control and USB & Bluetooth Device Control, no reboot needed A minimally viable product: Windows-only Device and Firewall Control for USB (no Bluetooth), requires reboot to activate
Market Leader 1 Market Leader 2 *
EDR Partial visibility
Focused on process, file, network and user events.
Full visibility
Continuous, comprehensive recording captures raw events and related information that provides needed context - critical for hunting and investigations.
Full visibility and highly customizable. Can go at the process, file and network level as well.
Deployment Reboot required
Required endpoint downtime and restart for installation.
Immediately Operational
Deploys in minutes and is immediately operational - no reboot required.
Instantaneous deployment, client can choose any deployment strategy
Proactive threat hunting Alert monitoring, triage & investigation
Performs alert monitoring, triage and investigation on detected threats, not proactive threat hunting.
24/7 proactive hunting
Elite team of experts proactively hunt, investigate and advise on threat activity.
24/7 full support available including L1/L2 analysts to augment the MSSP teams during grave yard shifts, holidays and week-ends
Threat intelligence File reputation
Threat intelligence is limited to filehash reputation.
Integrated intel
Alerts are automatically enriched with Market Leader 2 threat intelligence including actor attribution, sandbox analysis and malware search for the threat and all known variants.
Combines the strengths of both Market Leader 1 and Market Leader 2
Managed services Alert monitoring, triage & investigation
Performs alert monitoring, triage and investigation on detected threats, not a full, end-to-end managed service.
Fully managed endpoint protection
Team of experts handles all aspects of endpoint security, from deployment, configuration, maintenance and monitoring, to alert handling, incident response and remediation.
CDC-ON® is built by a Master MSSP for MSSPs.

Unique for CDC-ON®

Build Your Own SIEM-EDR Platform

1 Zero learning curve
2 Advanced Machine Learning
3 Zero Trust
4 Highly Scalable
5 A comprehensive solution
6 Fully customizable, build your own niche custom SOC service with:
Build your own niche custom SOC service with:
Integrates/replaces any SIEM, EDR, XDR, Antivirus, providing a full-service SOC platform custom built for your business.
CDC trained SOC L1/2 analyst FTEs can support client SOC on any industry standard any third-party platform, or on custom built CDC-ON® platform. Can cover all shift options, including holidays and weekends.
Support industry standard process frameworks, regulations: MITRE, NIST, ISO 270001, ISA 62443, IEC 61850, PLC MODBUS, HIPAA, SOX, integrated with CDC-ON® SOC process.
7 Code Level Customisation: Bespoke Platform Build Custom Modules and Features
8 Code / API Level Integration With: Any platform including: Splunk, AlienVault, LogRhythm,Q Radar, Bitdefender, Sentinel One, Carbon Black etc. or can support SOC on custom-built CDC-ON® platform.


Custom build your service: You can add your needs to this list. We will build it for you.

1 Signature-based anti-malware protection
2 Machine learning/algorithmic file analysis on the endpoint
3 Machine learning for process activity analysis
4 Process isolation
5 Memory protection and exploit prevention
6 Protection Against Undetected Malware
7 Application whitelisting
8 Local endpoint sandboxing/endpoint emulation
9 Script, PE, or fileless malware protection
10 Integration with on-premises network/cloud sandbox
11 Real-time IoC search capabilities
12 Retention period for full access to data
13 Endpoint Firewall
14 FW Learning Mode
15 Automatically creates network traffic rules
16 URL Filtering
17 Host Based IPS
18 USB device Control
19 Full Device Control (Device Control based on Device Class product ID, Vendor ID and Device Name)
20 Agent self-protection/remediation or alerting when there is an attempt to disable, bypass, or uninstall it
21 Ransomware protection
22 Protect/block ransomware
23 VDI support
24 Manage, and maintain, an application control database of known trusted applications?
25 Multi-tenant cloud based service
26 EPP management console available as an on-premises virtual or physical server/application
27 Consolidated EPP management console to report on, manage, and alert for Windows macOS clients and mobile
28 Data loss prevention
29 Mobile Device Management
30 Mobile threat Defense
31 Vulnerability and patch management
32 Network/Cloud sandboxing
33 Security Orchestration, Analysis and Response (SOAR) Integration
34 Network discovery tool
35 Remote Access
36 Remote scripting capabilities
37 Default Deny Security with Default Allow Usability
38 Run unknown files with Auto Containment Protection
39 Create Virtual environment for any unknowns
40 Virtualize file system, registry, COM on real endpoints
41 Inter process Memory Access
42 Windows/WinEvent Hook
43 Device Driver Installations
44 File Access/Modification/Deletion
45 Registry Access/Modification/Deletion
46 Network Connection
47 URL Monitoring
48 DNS Monitoring
49 Process Creation
50 Thread Creation
51 Inter-Process Communication (Named Pipes, etc.) up to this
52 Telemetry data itself can be extended in real time
53 Event chaining and enrichment on the endpoints
54 Adaptive Event Modelling
55 Behavioral analysis (e.g. analysis over active memory, OS activity, user behavior, process/application behavior, etc.)
56 Static analysis of files using capabilities such as machine learning (not including signature based malware detection)
57 Time-series analysis
58 Integration with automated malware analysis solutions (sandboxing)
59 Threat Hunting interface or API for searching with YARA/REGEX/ElasticSearch/IOC
60 Support for matching against private IOC
61 Threat Intelligence integration
62 Linking telemetry (observable data) to recreate a sequence of events to aid investigation
63 Process/attack visualization
64 Incident Response Platform or orchestration integration?
65 Vulnerability reporting (ex. reporting on unpatched CVEs)
66 Alert prioritization based on confidence, able to define thresholds for alerting.
67 Alert prioritization factors system criticality
68 Able to monitor risk exposure across environment organized by logical asset groups
69 Reporting interface identifies frequent alerts that may be appropriate for automating response
70 Remote scripting capabilities
71 Quarantine and removal of files
72 Kill processes remotely
73 File retrieval
74 Network isolation
75 Filesystem snapshotting
76 Memory snapshotting
77 Manage customer endpoints and policies
78 Incident Investigation & Response
79 Preemptive containment
80 Application profiling (AI support)
81 Customizable policy creation
82 Central monitoring of all endpoints
83 Live remote inspection
84 Tuning of monitoring rules for reduction of false positives
85 Forensic analysis
86 Cloud-based SIEM and Big Data Analytics
87 Log data collection/correlation
88 Threat intelligence integration
89 Network profiling (AI support)
90 Available as virtual or physical
91 Integrated file analysis (cloud sandbox)
92 Full packet capture
93 Protocol analyzers numerous protocols such as TCP, UDP, DNS, DHCP, HTTP, HTTPS, NTLM, etc. w/full decoding capability
94 Includes ready-to-use cloud application connectors for:
95 Azure
96 Google Cloud Platform
97 Office 365
98 AWS
99 Threat detection for cloud applications
100 Log collection from cloud environments
101 Generating actionable incident response from cloud application
102 InHolistic security approach Combined network, endpoint, cloud
103 Internal security sensor logs (IOCs)
104 Expert Human Analysis
105 ML & Behavioral Analysis
106 Open source threat intelligence feeds
107 Information sharing with industry
108 Clean web (phishing sites, keyloggers, spam)
109 Deep web (C&C servers, TOR browsers, database platform archives—pastebins)
110 Cyber Adversary Characterization
111 Security operations center (SOC) ISO27001 certified
112 Dedicated cybersecurity expert and L1/2/3 resources
113 Security monitoring
114 Incident analysis
115 Incident response (handling)
116 Extensive threat hunting (scenario-based)