Great core product

  • By Insurance
  • on 06/04/2025

What do you like best about the product?
Red Canary excels at ingesting and correlating telemetry and alerts from our Microsoft Defender suite, combining and deconflicting that data into a single, cohesive threat narrative for a given machine or activity. This correlation capability provides a clearer picture of threats than we get from our other tools and can reduce the time our analysts spend on manual investigation. The platform itself is intuitive and well-designed, making it easy to navigate and use. Additionally, the customer support has been excellent—particularly Annalise and Matthew, who have been responsive and helpful, with Matthew providing deep technical assistance on integrations and automation. Overall, Red Canary adds meaningful value to our security operations.
What do you dislike about the product?
While Red Canary offers strong automation capabilities, there are some limitations that impact our ability to fully leverage the platform. One of the main issues is the inconsistency between the GUI, automation platform, and API. For example, when closing out threats, the options available in the automation platform differ from those in the GUI and API—such as missing specific closure reasons like "Internal testing." Additionally, the automation platform only supports "AND" logic in trigger conditions, which makes it difficult to build flexible workflows that share common traits but differ in just one condition. These limitations force us to rely on custom scripts and direct API calls to achieve the functionality we need, rather than managing everything within Red Canary itself.
What problems is the product solving and how is that benefiting you?
As the lead of our Breach and Attack Simulation (BAS) Team, my use of Red Canary differs from that of our SOC analysts. I simulate attacks against our network and assets using AttackIQ, and Red Canary plays a critical role in helping me identify and track this activity across our environment. It excels at correlating AttackIQ-generated telemetry with the correct target assets and associated alerts in Microsoft Defender, which is something we struggle to do effectively with other tools. This correlation allows us to validate detection coverage and response workflows more accurately. Additionally, we leverage Red Canary’s automation capabilities to ensure that our simulations don’t overwhelm the SOC or disrupt normal security operations, helping us maintain operational efficiency while testing our defenses.