Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an enterprise endpoint security platform that combines preventative protection, post-breach detection, automated investigation, and response capabilities. Available in Plan 1 and Plan 2 tiers, it scales from foundational attack surface reduction and next-generation antivirus in Plan 1 to full endpoint detection and response (EDR), advanced threat hunting, and access to Microsoft Threat Experts in Plan 2.

Plan 1 delivers next-generation antivirus powered by cloud intelligence and behavioral analysis, attack surface reduction rules that harden endpoints against common techniques, device-based conditional access that blocks compromised devices from accessing corporate resources, and centralized management through the Microsoft Defender portal. These capabilities provide a strong preventative baseline for organizations focused on blocking threats before they execute.

Plan 2 adds comprehensive EDR that records detailed endpoint telemetry—process creation, network connections, registry changes, file modifications—enabling security analysts to investigate incidents, understand attack scope, and hunt for threats across the entire device fleet. Automated investigation and remediation reduces analyst workload by automatically triaging alerts, determining verdicts, and executing remediation actions such as quarantining files or isolating devices.

Advanced threat hunting in Plan 2 provides a query-based interface over 30 days of raw telemetry data, allowing security teams to proactively search for indicators of compromise or suspicious patterns. Microsoft Threat Experts augments in-house capabilities with targeted attack notifications and on-demand access to Microsoft's threat intelligence analysts. The platform protects Windows, macOS, Linux, iOS, and Android devices and integrates natively with the broader Microsoft 365 Defender suite for cross-domain correlation of endpoint, identity, email, and cloud application signals.