Microsoft Defender ATP

Gartner named Microsoft a Leader in its Magic Quadrant for Endpoint Protection Platforms in 2019, and Microsoft Defender Advanced Threat Protection (ATP) has evolved further since then. Most people recognize the name Microsoft Defender but not the ATP suffix, because Microsoft Defender ATP targets the business market while Microsoft Defender targets consumers. This article explains the differences between the two and takes a closer look at Microsoft Defender ATP.

Microsoft Defender vs Microsoft Defender ATP

Two Microsoft products protect a device from malware: Microsoft Defender and Microsoft Defender ATP. Microsoft Defender is an antivirus solution, whereas Microsoft Defender ATP is a paid Endpoint Detection and Response (EDR) solution. An antivirus solution protects the device against known malware, typically by matching files against signatures. An EDR solution does that too, but it also records what happens on the endpoint (process creation, command lines, network connections, file and registry changes) and analyzes that behavior. That is how an EDR solution can detect and stop an attack whose payload has not yet been classified as malicious.
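To make that distinction concrete, here is a toy model in Python. It is added here and is not code from this page or from Microsoft: a constructed signature engine (a set of known-bad SHA-256 hashes) and a constructed behavioral engine (process-chain and command-line rules with made-up weights and a made-up threshold) are run over three constructed process events, a known sample, a never-seen-before Office-to-PowerShell dropper chain, and a benign launch. The hashes, rule weights, threshold and events are all assumptions for illustration; a real EDR uses far richer telemetry and models.

```python
"""Toy model of antivirus (signature) detection versus EDR (behavioral) detection.

Constructed example, not Microsoft code. A signature engine only flags files whose
hash is already on a known-bad list; a behavioral engine scores the process chain
and command line, so a never-seen-before payload can still be caught.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed "signature database": the SHA-256 of one known malware sample.
KNOWN_MALWARE_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00known-bad-sample").hexdigest(),
}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    """One process-creation record, as an EDR sensor would report it."""
    parent_image: str
    image: str
    command_line: str
    file_content: bytes  # content of the launched image, used only for hashing


def signature_verdict(ev: ProcessEvent) -> bool:
    """Antivirus-style check: malicious only if the file hash is already known bad."""
    return hashlib.sha256(ev.file_content).hexdigest() in KNOWN_MALWARE_SHA256


def behavior_score(ev: ProcessEvent) -> int:
    """EDR-style check: score suspicious behavior regardless of file hash.

    The rules and weights are assumptions chosen for this illustration.
    """
    score = 0
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    cmd = ev.command_line

    # An Office application spawning a script host is a classic macro-dropper chain.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        score += 50
    if image in {"powershell.exe", "pwsh.exe"}:
        # Encoded commands hide the script body from casual inspection.
        if re.search(r"-(?:e|enc|encodedcommand)\b", cmd, re.IGNORECASE):
            score += 30
        # A hidden window is rarely legitimate in an interactive session.
        if re.search(r"-(?:w|windowstyle)\s+hidden", cmd, re.IGNORECASE):
            score += 10
        # Download-and-execute cradles.
        if re.search(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b", cmd, re.IGNORECASE):
            score += 20
    return score


def behavior_verdict(ev: ProcessEvent, threshold: int = 50) -> bool:
    """Assumed threshold: anything scoring 50 or more is treated as malicious."""
    return behavior_score(ev) >= threshold


def evaluate(events):
    """Return (image, signature_verdict, behavior_verdict) for each event."""
    return [(ev.image, signature_verdict(ev), behavior_verdict(ev)) for ev in events]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # 1. Known sample: caught by the signature engine, shows no suspicious behavior.
    ProcessEvent("explorer.exe", "invoice.exe", "invoice.exe",
                 b"MZ\x90\x00known-bad-sample"),
    # 2. Never-seen dropper: the binary is the legitimate PowerShell host, so the
    #    hash is unknown, but the chain and command line give the attack away.
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 b"MZ\x90\x00signed-microsoft-powershell"),
    # 3. Benign: the user opens an editor.
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe readme.txt",
                 b"MZ\x90\x00notepad"),
]

if __name__ == "__main__":
    for image, sig, beh in evaluate(SAMPLE_EVENTS):
        print(f"{image:16} signature={sig!s:5} behavior={beh}")
```

The second event is the point of the exercise: a signature engine has nothing to match, because the executable is Microsoft's own PowerShell host, while the behavioral engine flags the Word-to-PowerShell chain with an encoded, hidden command.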

Microsoft recently renamed Windows Defender ATP to Microsoft Defender ATP to reflect the range of platforms it now supports: Windows, macOS, Linux, Android (private preview at the time of writing), and iOS (public preview).

Microsoft Defender is an antivirus solution for consumers with no central management, whereas Microsoft Defender ATP is an endpoint protection platform for organizations. Microsoft Defender ATP is cloud-based and provides a dashboard that gives a clear overview of the security state of the devices in your organization.

Figure 1: Microsoft Defender ATP Dashboard

Even though Microsoft Defender and Microsoft Defender ATP are two different products, they complement each other. You can pair Microsoft Defender ATP with a non-Microsoft antivirus solution, but running Microsoft Defender and Microsoft Defender ATP together has clear advantages, because the antivirus engine's detections and the EDR sensor's telemetry land in the same portal. Microsoft Defender ATP has many benefits; the most important ones are highlighted below.

Microsoft Defender ATP

Microsoft Defender ATP integrates with other Microsoft security products such as Microsoft Cloud App Security (MCAS), Microsoft Intune, Azure Information Protection, Azure ATP, Office 365 ATP, and Microsoft Threat Protection (MTP). The integration correlates data across these products so that an event can be evaluated faster and more accurately. With the full Microsoft stack deployed and configured correctly, only a well-resourced attacker, such as a nation-state group, has a realistic chance of going unnoticed.

Microsoft Defender ATP is one of the best EDR solutions available, and third-party sources, such as your own threat-intelligence indicators, can be fed in as additional input for data correlation, which improves the evaluation of whether something is malicious.

Threat & Vulnerability Management

Threat & Vulnerability Management (TVM) is a built-in capability of Microsoft Defender ATP that uses a risk-based approach to discover, prioritize, and remediate endpoint vulnerabilities and misconfigurations. Microsoft Defender ATP maintains a software inventory per device and evaluates whether the installed software is out of support or contains known vulnerabilities. Microsoft also recommends security mitigations based on what it detects on the endpoint; legacy protocols that are still enabled on a device, for example, surface as security recommendations.

Incident Response

When an incident occurs, you can start an antivirus scan from the portal, restrict app execution so that only Microsoft-signed binaries can run, or isolate the device from the network entirely. While a device is isolated, the only communication allowed is between the device and the Microsoft Defender ATP cloud service, so you can still investigate the incident and take mitigation steps. Automated investigation and remediation takes this a step further and applies the mitigation steps Microsoft recommends. Remediation actions can be approved manually or applied automatically to stop an attack as early as possible.
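The response actions described above can also be driven from the Microsoft Defender ATP REST API, which is how an incident-response runbook would script them. The following Python is an added example, not Microsoft's own tooling. It assumes the public machine-action endpoints isolate, unisolate, restrictCodeExecution, unrestrictCodeExecution and runAntiVirusScan under https://api.securitycenter.microsoft.com/api/machines/{id}, as documented for the Defender ATP API, and an OAuth2 bearer token obtained separately; the token, machine ID and comment values are placeholders, and the `send` hook exists so the sequence can be exercised offline. Check the endpoint names and body fields against the current API reference before using it.

```python
"""Scripting Defender ATP response actions (isolate, restrict code execution,
run antivirus scan) against the machine-actions REST API.

Added example, not Microsoft's own tooling. Endpoint paths and body fields are
assumed from the public Defender ATP API reference; verify before use.
"""
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"  # assumed base URL

ALLOWED_ACTIONS = {
    "isolate", "unisolate",
    "restrictCodeExecution", "unrestrictCodeExecution",
    "runAntiVirusScan",
}


def build_action_request(token, machine_id, action, comment, **extra):
    """Return a urllib Request for one machine action.

    `extra` carries action-specific body fields: IsolationType ("Full" or
    "Selective") for isolate, ScanType ("Quick" or "Full") for runAntiVirusScan.
    Every action requires a Comment, which the portal records with the action.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    if action == "isolate" and extra.get("IsolationType") not in {"Full", "Selective"}:
        raise ValueError("isolate requires IsolationType Full or Selective")
    if action == "runAntiVirusScan" and extra.get("ScanType") not in {"Quick", "Full"}:
        raise ValueError("runAntiVirusScan requires ScanType Quick or Full")
    body = {"Comment": comment, **extra}
    return urllib.request.Request(
        f"{API_BASE}/machines/{machine_id}/{action}",
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def post_json(req):
    """Default sender: perform the request and parse the JSON machine-action record."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def contain_device(token, machine_id, comment, send=post_json):
    """Containment sequence for a compromised device.

    Order matters: cut the network first (full isolation keeps only the Defender
    ATP channel open), then stop further unsigned code from running, then scan.
    Returns a list of (action, response) pairs; each response is the machine
    action record, which starts in status "Pending" and is polled separately.
    """
    steps = [
        ("isolate", {"IsolationType": "Full"}),
        ("restrictCodeExecution", {}),
        ("runAntiVirusScan", {"ScanType": "Full"}),
    ]
    results = []
    for action, extra in steps:
        req = build_action_request(token, machine_id, action, comment, **extra)
        results.append((action, send(req)))
    return results


def release_device(token, machine_id, comment, send=post_json):
    """Reverse containment once the investigation is closed."""
    results = []
    for action in ("unrestrictCodeExecution", "unisolate"):
        req = build_action_request(token, machine_id, action, comment)
        results.append((action, send(req)))
    return results


if __name__ == "__main__":
    # Placeholders: obtain a real token via OAuth2 client credentials and take the
    # machine ID from the portal or the /api/machines endpoint.
    TOKEN, MACHINE_ID = "<bearer-token>", "<machine-id>"
    for action, record in contain_device(TOKEN, MACHINE_ID, "IR-42: suspected macro dropper"):
        print(action, record.get("status"))
```

Each call returns a machine-action record rather than the finished result; a runbook should poll the action until its status leaves Pending, and it must keep the comment meaningful, since that is the audit trail an analyst sees in the portal.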

Incident Graph

My favorite feature of Microsoft Defender ATP is the incident graph. It is an interactive view that tells the story of an attack, linking the devices, users, files and processes involved, in a single overview.

Figure 2: Microsoft Defender ATP Incident Graph

Threat Experts

If you need help, you can call on a Microsoft Threat Expert. Threat Experts assist when your organization faces an urgent threat that needs to be analyzed; the expert helps investigate the root cause and the scope of the incident. Once enabled in the advanced features settings, a 30-day trial starts. If your organization wants permanent Threat Experts support, it needs at least 10,000 seats.


Microsoft Defender ATP is available as a separate license and is also included in the following license plans: Windows 10 E5, Microsoft 365 E5, and Microsoft 365 E5 Security.

Figure 3: Microsoft Defender ATP Licenses


Microsoft Defender ATP is one of the best, if not the best, Endpoint Detection and Response (EDR) solutions available, and it is more than an EDR solution: it detects outdated and vulnerable software, responds to threats automatically, and integrates with other Microsoft products, where data correlation further improves detection.

For more information about Microsoft Defender ATP, check this link.