twobee - Fotolia

Comparing EDR tools: Cybereason vs. CrowdStrike vs. Carbon Black

Learn how tools from leading EDR vendors Cybereason, CrowdStrike and Carbon Black compare when it comes to helping security teams fight endpoint threats and respond to incidents.

It's relatively new, but the endpoint detection and response tools market is crowded with vendors vying to protect enterprises from threats and bad actors. While all share a similar goal, they differ in key ways, revolving around detection and response, scalability, depth of visibility, remediation and integration capabilities and pricing.

Let's take a look at three leading options: Cybereason vs. CrowdStrike vs. Carbon Black. Using extensive research into the EDR tools market, TechTarget editors selected these three companies with regard to market share and product capabilities. Research included data from TechTarget surveys and reports from other well-respected research firms, including Gartner and Forrester Research.

Before exploring Cybereason vs. CrowdStrike vs. Carbon Black, let's examine the EDR market. In the past, signature-based antivirus software and personal firewalls were adequate for fighting desktop security threats. Sprinkle in acceptable usage and password policies, and that was the extent of many organizations' information security program. Although criminal hackers and malicious insiders still were a threat, the web wasn't quite as advanced and enterprise networks weren't nearly as complex as they are today.

Endpoint security has come a long way in the past two decades and necessarily so. With today's advanced threats and their often-unexpected attack vectors, organizations must treat endpoint security differently. That's where next-generation EDR tools come into play, as they help security teams fight endpoint threats as well as respond to incidents.

EDR tools package several key endpoint security functions into a single product. These tools offer behavioral analysis and blocking through advanced threat intelligence, application control, whitelisting techniques and network recording, along with incident response capabilities. EDR software can integrate with other tools on an organization's network to help with data collection and visualization, physical and information asset management, and help desk ticketing and incident management. EDR tools can also provide visibility and control -- two core elements often missing from many organization's security plans.

Threat detection and response

Cybereason Inc. The Cyber Defense Platform, which can be deployed in the cloud or on premises, takes an intelligence-based approach to endpoint analytics and security. The product uses real-time information from endpoints to build a picture of malicious operations -- including infection, privilege escalation and ransomware -- across different attack phases within the network environment. This EDR tool can perform both static and dynamic prevention, taking a traditional approach to nefarious behavior as well as a more contextualized analysis-based approach using its AI engine.

Security teams can use Cybereason's threat hunting capabilities to break down attack scenarios into detailed timelines that are built out in a graphical interface. Using a toolbox for forensics analysis and remediation, analysts can immediately investigate threat activity and security events using online resources, internal threat intelligence capabilities and manual analysis. This EDR platform supports whitelisting, reputation filters and ransomware prevention and detection.

CrowdStrike. The Falcon cloud-based endpoint security platform includes Falcon Discover for security hygiene; Falcon Insight, which provides EDR capabilities; Falcon X for cyberthreat intelligence; Falcon OverWatch for managed threat hunting; and Falcon Prevent, which provides next-generation antivirus capabilities.

The Falcon products are designed to detect and prevent known malware and block exploits for unknown malware through behavioral analysis and machine learning. Falcon also automates threat hunting and incident response processes, which can help with investigations and minimize the impact of exploits. Its prevention capabilities come from the CrowdStrike Threat Graph engine that's powered by big data and AI analytics involving security events across the Falcon ecosystem.

Organizations can purchase Falcon endpoint protection products in bundles or separate modules. Falcon Pro incorporates next-generation antivirus and threat intelligence. Falcon Enterprise adds EDR, device control and threat hunting via CrowdStrike's team of security experts. Falcon Premium includes the inventory and monitoring capabilities of Falcon Discover. Falcon Complete is a fully managed endpoint security product that includes a breach prevention warranty.

Carbon Black Inc. CB Predictive Security Cloud is the company's cloud-based big data and analytics platform. It provides data collection, contextual insight, collective intelligence and open APIs for endpoint security. The CB Defense product provides next-generation antivirus and endpoint detection and response. It also helps ensure endpoint security through attack prediction and prevention, capture and analysis, and response to help with remediation efforts. Optional products are available for real-time querying and remediation, threat hunting and incident response, application control and infrastructure protection.

Carbon Black's EDR software works in diverse environments, but is often used in high-risk scenarios such as point-of-sale and industrial control systems that are targets of advanced threats and malware. Carbon Black uses predictive modeling to identify and prevent both known and unknown malware, ransomware and fileless attacks.

Scalability and depth of visibility into the organization

Cybereason. The Cyber Defense Platform supports endpoints running Windows and macOS, as well as Red Hat and CentOS Linux, and can scale to hundreds of thousands of sensors. The tool's endpoint sensor runs in user -- as opposed to kernel -- memory space on workstations, which minimizes its footprint and resource usage.

CrowdStrike. Falcon uses endpoint sensors running Windows workstation and server, macOS and various Linux releases and can scale to more than 100,000 endpoints. Because processing takes place in the cloud, the impact on endpoint performance is minimal.

Carbon Black. CB Defense uses a lightweight endpoint agent that's delivered via the CB Predictive Security Cloud. The product supports Windows workstation and server and macOS.

Remediation capabilities

EDR isn't incident response in and of itself. It's simply a component of the larger program that needs to be well-integrated with the organization's existing incident response plan.

Cybereason. The Cyber Defense Platform offers a remediation workflow that helps security teams respond to specific malicious operations, enabling them to clean or quarantine files or kill processes. Remediation details are shared with other endpoints to prevent this event from occurring across the entire network environment, which helps to speed up and simplify response efforts.

CrowdStrike. Falcon Insight offers security teams real-time response actions to address security events and assist with forensics investigations remotely. These actions include deleting files, listing and killing system processes, and retrieving memory dumps and event logs.

Carbon Black. CB Defense provides workflows across the attack lifecycle with tools for live response, real-time investigations and team collaboration to speed up security event resolution.


Cybereason. The Cyber Defense Platform provides and supports integrations for IBM QRadar and Splunk Inc. Third-party integrations include Axonius, Demisto, DFLabs, LogicHub and Opswat. Additional integrations for Splunk Phantom, IBM Resilient and ServiceNow are on the vendor's roadmap.

CrowdStrike. Falcon offers five unique APIs: streaming, data replicator, threat graph, query and intelligence. Falcon integrates with SIEM systems via the import of API-based indicators of compromise. Custom integrations are also available. The Falcon SIEM Connector supports SIEM platforms, including Micro Focus ArcSight, QRadar and Splunk.

Carbon Black. The company has a large partner and integration program and supports various SIEM, analytics and IT operations tools from vendors, including Aruba Networks, Okta and ServiceNow. In addition, Carbon Black offers open API support for endpoint security functions, including collecting information, taking action on discovered threats and providing threat intelligence feeds.


Cybereason. Pricing for the Cyber Defense Platform starts at $50 per endpoint. Volume discounts apply. 

CrowdStrike. Falcon Enterprise, which includes Falcon Insight functionality, starts at $14.99 per endpoint, per month. Additional pricing options are available.

Carbon Black. Pricing may vary, depending on selected offering and deployment size.


Cybereason. Support and account management are offered in varying levels, including monitoring, threat hunting and incident response services.

CrowdStrike. Three levels of support are offered: Standard, Essential and Elite. The latter includes a dedicated technical account manager and on-site visits.

Carbon Black. Three levels of support are available: Standard, Premium and Platinum. The latter includes a designated support engineer.

Moving ahead

So, what's the best EDR tool? That's an impossible question to answer given all the factors involved. But whether your organization is comparing Cybereason vs. CrowdStrike vs. Carbon Black or is evaluating other EDR software, it's best to take one or more of these tools for a test drive to see how it interacts with the business's systems and processes. It also may be beneficial to see what others are saying on various rating sites such as Gartner Peer Insights or IT Central Station.

These EDR tools can provide massive endpoint security improvements. From traditional antivirus replacement to malicious activity recording to formal forensics investigations, these EDR products offer a lot in terms of endpoint visibility and control. But does your organization need them? Whether or not the organization can benefit from EDR software isn't a quick decision. There are many considerations, including the following:

  • What is the organization's current level of endpoint risk? How is its existing approach to antimalware and incident response working -- or not working?
  • What level of security does the business need to minimize risks as well as meet compliance and contractual obligations?
  • Is there anything the organization can do differently now, using existing resources, in terms of endpoint hardening and network security controls to make improvements?
  • Is the organization maximizing its vulnerability and penetration testing efforts, including authenticated vulnerability scans and phishing of users? What more can the organization do to find endpoint vulnerabilities that advanced threats are exploiting?
  • Knowing what you now know, what steps are required to get to the level of endpoint security and resilience that the organization needs? How will on-premises or cloud-based EDR tools help the company reach its goals?

With many of today's security exploits taking place at the endpoint, it's important to ensure workstation and server risks are minimized. But a well-run information security program must consist of various levels of security protecting physical and logical assets at the network level and in the cloud, as well as via mobile computing.

The organization's security team must also ensure other basics have been addressed, such as data backups and disaster recovery and security awareness training. The security committee and incident response team should also integrate the policies and workflows of the EDR tool chosen into the organization's overall incident response function.

EDR isn't incident response in and of itself. It's simply a component of the larger program that needs to be well-integrated with the organization's existing incident response plan.

Next Steps

Incident response tools: How, when and why to use them

Top incident response tools to boost network protection

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing