Its main purpose is orchestration where I have full visibility into all the different Trend Micro products I use, and it is all centralized in a single dashboard. There is ease of use with this centralized dashboard. With this centralized management, I can dive into technicalities, and I am able to do all my workbench investigations. It is quite clear, and I do not have to sift through different logs. It makes our work so easy when we need to respond to or remediate a particular issue.

The main problem that we wanted to solve by implementing Trend Vision One was the blindspots. We tend to focus on endpoints, but we forget IoT devices such as printers and CCTV cameras. This is where we had serious blind spots simply because these devices do not have an operating system. For us, it was just about eliminating these blind spots. That was our number one focus.

It has been exceptional. If you look at the evolution of the Trend Micro products up until Vision One, you can see that they do what they say they do. It has worked for me so well. That is why I have had it all these years.

We have protection against zero-day threats. One of the things that pushed me towards Trend Micro was the fact that they have the R&D for the zero-day initiative. They are a pioneer in terms of classifying CVEs. It gives me comfort. When you go and check the workbench or the report, you can see the type of exploits that it was able to detect, which have even been classified as CVEs.

Apart from the things that I do in IT, my responsibility is to protect my company's assets. I am able to safeguard my data against ransomware. The company does not have to worry that they can be held at ransom. The assurance that they do not have to pay just to get their data back makes it easy to sleep at night.

We have a single console for cross-layer detection, threat hunting, and investigation. We have what we call the executive dashboard. This is what I share with the C-suite. It is quite easy for me to break down cybersecurity in a business way, and then, of course, we have the operational dashboard and the security dashboard where I centralize all the products into one single pane. From an orchestration point of view, I love Trend Vision One. We are able to orchestrate all of our different products from one single dashboard.

Trend Vision One provides visibility into different products. I have a 360-degree view of my entire IT infrastructure, which helps me understand my threat landscape and the way it looks. The beauty of it is that it has metrics. I can see how I am performing as compared to 30 days or 7 days ago in terms of the risk indicator. Is it going up or is it going down? This is important for me because I am able to forecast and anticipate behaviors or patterns from the people perspective and the process perspective. I know what I need to do and train people on, and in terms of processes, I know what I need to do to clean up my policies. In terms of technology, I can assess if there is any other thing of Trend Micro that I need to supplement to make sure I am fully protected.

Our response is instantaneous. I do not have an exact percentile in mind when it comes to the reduction in the response time, but our response is instantaneous.

I have integrated it with my NUC, my firewall, and my database monitoring tool. Trend Micro has a feature for virtual patching through Trend Micro TippingPoint. It instantaneously does the patching and cascades them across. Apart from what we call scheduled patching, on-demand patching is a part of their product features.

Trend Vision One is very easy to learn. This is the second organization where I am using this Trend Micro solution. When I introduced it, my team did not know about Trend Vision One, but within a month, simply with the help of the business portal where we have the e-learning, they were fully skilled and even certified at the entry-level of Trend Micro. Their feedback was that it was quite easy for them to adopt.

Trend Vision One is not at all difficult to administer.

We have seen a reduction in viruses and malware since implementing this solution. They provide you with the metrics for risk posture. You can see the reduction in your threat landscape. It goes granular to the point of telling you which type of malware or threat you are exposed to and the reduction. It is very definitive from a percentile marking. In my previous organization, we saw about a 75% reduction when we rolled it out. We were previously using something else there.

It reduces administrative overhead. I stopped adding additional headcounts from a security analyst and a security officer's point of view. It helps me reduce the overhead. On average, considering the annual wage of a security analyst, there is a reduction of about 7,000 dollars per annum.

I use Trend Micro's managed XDR services in conjunction with Vision One Endpoint Security. It reduces overhead. It is a fully-fledged managed service, so I do not need to have the business invest in an in-house SOC. It is a whole lot cheaper.

From an automation point of view, I find the ability to curate and deploy playbooks very helpful. I find that very convenient for us. It gives away the manual process. There is the ease of use.

I love what they have done with their Trend Companion AI, where it becomes so easy to have it do something for you instead of sifting through different tabs. So, the automation element and their new AI feature are top-notch for me.

I find the virtual patching that they offer superb.

There should be a bit more dynamism when it comes to their playbooks in terms of the action triggers. That is the only thing that I would want to see a bit more. There should be a bit more dynamism, especially when you are creating your own playbook. This is something I have also discussed with Trend Micro.

I have been using Trend Vision One since 2020 when it was rolled out. I have been using Trend Micro products since 2015.

It is stable. I would rate it a ten out of ten for stability.

It is scalable. I would rate it a ten out of ten for scalability.

I would rate their support a ten out of ten.

I have used a plethora of other solutions. I moved to Trend Vision One for multiple reasons:

• The ability to do what the solution says it does
• The ability to orchestrate all different solutions into one single pane
• The ability to have automation when it comes to detecting and responding to threats

It is deployed on the cloud. For me, the deployment was easy. For the endpoints, we just did a GPO push through Active Directory. For the cloud, we used just simple tenancy APIs and we were good to go.

It took us a week simply by virtue of how big the organization was.

In the IT team, there are 10 people working with this solution. We also have other departments such as risk and audit that use it. Overall, there are about 20 people directly working with it. The remaining are users for whom it just works silently in the background.

The maintenance is not done in-house. It is handled 100% by the OEM. They do share notifications, but we as users do not feel it, so whatever maintenance is required is handled 100% by the OEM. That is the beauty of a cloud service. You are not overly bothered by it.

In my previous company, over the four years, I believe we had seen about 81% ROI.

There are cost reductions because of the simple fact that I have automation. It means that I do not need to spend a whole lot on headcount for security analysts. From a commercial point of view, it has helped me reduce my operational costs, and then there are also security cost reductions because of the fact that it is automated and it responds in real time.

When I compare it to its peers that can do the same, it is cost-effective.

The evolution has been great. When I started using Trend Micro Vision One, the product feature was what they used to call business worry-free. It has evolved from an EDR to a fully-fledged XDR. You can see that the R&D is putting in work, and there is evolution. In terms of product coverage, they do not look at only endpoint protection. Right now, we have bespoke server protection. We have cloud asset protection and email security. You can see the growth of Trend Micro when it comes to its cybersecurity offering.

Based on my experience, I would recommend this solution. The ease of use, elimination of overhead, and return on investment are the reasons why you should have this solution.

I would rate Trend Vision One a ten out of ten.

We use Vision One to detect to detect and respond to malware incidents. With endpoints (Apex One/Cloud One Workload Security), network (Deep Discovery Inspector) and Office365 (Cloud Email and Collaboration Security).

The environment is complex, distributed in more than +100 locations. Some locations are just offices, some others are industrial facilities with ICS and SCADA. Besides Windows, we deal with a lot of operating systems, including Solaris on SPARC. And our users are diverse, with lots of employees roaming around the country.

With CREM, we tackle important use cases around identity protection and risk management in general. Identification, prioritization, and remediation.

The full stack of Vision One has delivered what "SIEM 2.0" couldn't deliver. The capability to monitor threats and discover attack vectors before they are exploited and across all our workspace (on-prem, IaaS, PaaS and SaaS). We have invested well over a million into SIEM during the last decade. A full ArcSight upgrade and then a Splunk migration assisted with a large MSSP. Vision One is still ahead at a fraction of the cost.

Going through a capable, single-vendor solution was necessary, given our small team. Choosing the best solutions for every task and building all the integrations was not an option.

Vision One is much more than just EDR for us; it is a threat intelligence platform and a SOAR too. And even with the limited capabilities in this area, we find ways to tackle challenges our MSSP and SOC haven't been able to accomplish on a very large budget.

I like everything. The most valuable feature is how the stack fully integrates all components of a solution. Then, integrations with third parties will be provided.

As an example, I am capable of sending a suspicious file directly to my Deep Discovery Analyzer appliance (a sandbox) while investigating a suspicious download/file interaction, and I can then quickly push the IOCs in the suspicious object lists to protect both managed endpoints, and the rest of the network too! Yes, you can push domains and IP addresses to Palo Alto through a Trend Micro Service Gateway, ensuring you can protect even what cannot receive an endpoint. And all this without writing a single line of code. The ease of use and ease of deployment for use cases like this are my favourite features.

The SOAR features (Security Playbooks) are quite limited. At the moment, it is impossible to execute a simple piece of Python code that would pull or push something to an API, for example. While you can tackle some use cases, a SOAR from another vendor is still a must-have.

To assist with complex use case integrations, having all the data from the SIEM inside XDR would be great, too. That's where the market is moving with solutions like Falcon Logscale and Cortex XSIAM. Pivoting from XDR to Splunk or vice-versa can be time-consuming during incidents.

I was actually an early beta tester of the Apex One Endpoint Sensor before Vision One appeared in 2021. That would be three solid years of using it.

Quite reliable. In the last three years, only one incident created memory leaks on Windows Servers. We didn't see too much impact (fortunately) as a workaround could be quickly provided.

Support is quite responsive when something does work well. However, we do pay for Premium support.

The scalability is really good.

My experience is generally good, but I have had the chance to deal with premium support. I'd say I get the support I expect for the price that I pay.

Although we have been dealing with other security vendors (McAfee, Symantec, Proofpoint, and more), Vision One was really our first EDR.

The initial setup was a breeze. It is realistically one of the strong points of the solution.

We implemented the solution in-house. Although with premium support, you do get a lot of help from Trend Micro if you ask for it. You'll be able to talk to actual experts.

It is very hard to quantify an ROI on a security product. It doesn't generate revenues, and you can't quantify the cost of incidents that didn't happen.

Product names are changing all the time. Lots of changes in the last three years. They introduced the concept of credits, too, which did not make anything easier.

It's also easy to underestimate the credits required with Cloud Email and Collaboration Security: people invited from third-party tenants will count.

The credit usage and allocation tool has been improving, at least.

We had a look at Carbon Black and CrowdStrike Falcon.

It's probably the best solution for a small team that cannot absorb the complexity of a multivendor solution. The ability to execute VS the cost is surprisingly good.

Vision One is the primary endpoint security product we use to protect our Macs and PCs. We also use the server product version, so it runs on my servers as well. We exclusively purchase Trend Micro's endpoint products. They have network and firewall products. We were using their email product until last month, and I ended up selecting a different provider. We stayed with them for the endpoint, but I moved off of them for the email product.

Vision One was a big deal to us immediately because we did not have context-aware before. We saw everything we had no idea was happening. It was a big deal three years ago.

It certainly reduces time to detect because a lot of the time, I didn't have it before. I didn't have that information until it gave it to me. The speed of response helps me know much more about what's happening quicker. They have some improvement to do in terms of automated remediation. It probably makes investigations 30 percent faster because of what it puts together.

When we purchased Vision One, what set it apart was that it wasn't a traditional signature-based antivirus. It's a process-aware solution that provides real-time protection. That was a big differentiator three years ago, but now it's a given that every AV provider should be doing that. It combines signature-based telemetry with behavioral awareness and a detection-based solution, making it a good solution for us.

When we bought it three years ago, it was separate. Apex One handled cloud and web app security, and Vision One handled cloud and server workload protection. Now, they call it Vision One. The server stuff is still separate, but it is the same now. When we purchased it, they told us we'd have a single console, but that took about two and a half years. Finally, there is a single pane of glass.

One of the things that made me the craziest was that we had too many tools or one tool that I had to log into five different ways. One of the frustrations is you have both legacy and newer detection methods. Not being able to fully investigate it in a single portal was a huge pain.

They need to stop changing Vision One once a week. They're in a hurry to change things so badly and so fast that I can't find where stuff is half the time, which is a challenge sometimes.

I've given one piece of feedback to their product guys. One thing that they're trying to make is a SIEM. It's a product where you input all the logs from your tools, and it creates additional insights into how things look. They've been kind of playing the "me too" game on that, even though that's not what I bought the product for.

They have a new gateway where I can take my firewall of email logs and send it over there. In theory, it's supposed to do a more comprehensive evaluation of all my stuff to improve that risk index score. I'm not impressed with it, and I've told them as much. I feel if you're good at something, you should keep working on that and not try to be all the things to all the people.

I bought a different email solution even though it would have been 10 times easier to just stay with their email solution because they aren't great at it. They are great at other things, but they're playing the "me too" game with some of their products. Their competitors do this, so they should be doing this, too. They need to pick a product and keep being good at that. If they're going to roll new things out, they should do it but do it right.

They have a button to isolate an endpoint because it looks bad, but it doesn't usually work. I've had no chance to argue with the product guys to show them examples of how their button doesn't work. You think it does, but it doesn't work in a real environment. That can be a challenge sometimes.

I can see in the data showing what is a false positive. But it doesn't save me time helping them figure out how to fix the problem in their engine. It can help me identify it as a false positive, but it doesn't apply that consistently. It will ignore the false positive for that device, but if they start detecting a false positive on Apple devices, I have eight thousand Apple devices and get 8,000 alerts. I can tell that specific false positive, but it doesn't learn from that particularly well.

We use the executive dashboards, but I don't find them particularly useful. One is the ability to customize. That has gotten a little better, and it'll be better in the future. Most of what they have on there are data points that are generic and not particularly actionable. That's why it's called an executive dashboard. Executives want to see if we are secure, but it's hard for me to find out why our attack surface risk went down by x percentage. I don't know. It says that on the dashboard, but it doesn't give me specific details about why.

I find it confuses my executives, and it's not useful for me because it doesn't give me things to work on. It will give me generic things on the executive dashboard like you have a thousand accounts with an old password. Those are big generic things, but I also can't tell it that our password policy is different from what your automatic detection model means, and I don't have a problem with that, so quit lowering my risk score.

The risk score is useless. In theory, it's based on the random intelligence they're getting from their various customers. I'm in K-12 education, so they have a decent amount of K-12 customers, but it's a subset, and the baseline of what's common in K-12 education is not the same. There's not enough data to make that particularly clean or useful. Vision One is not custom, and that's part of my beef. That index score is based on whatever random report they're looking at from their data sources at any given moment in time. It's nice, but I'd rather have one that's based on your particular circumstances. Instead, it's saying that the number one attack threat surface for school districts is email phishing. It's too generic.

I have used Trend Vision One for three and a half years.

Vision One has been less impactful toward my endpoints when scanning than the previous solution.

Vision One's resource usage is starting to creep up compared to three years ago. They used to focus on making their agent lightweight. I don't necessarily think all of this is their fault, but their agents are starting to suck more resources than they used to. Part of it is that the threat landscape has changed, and you need to look at it in additional ways, and it is a strain on the servers. They've gotten really bad about that on the servers.

I rate Trend Micro support three out of 10. Their technical support is challenging. The support's good once you get to the second layer, but they don't read what you write. They auto-respond by telling us to give them the logs.

Every time, I need to send them a written statement with my product license ID and that I'm the contact authorized to do a support ticket. About 75 percent of the time when I open a support ticket, I immediately email my customer service satisfaction manager person with the ticket number so they can help move it along.

I was using Sophos three years ago. I've looked at many of the feature sets out there, and they might be 80 percent of what Vision One has, and some might be better, but Vision One is price-competitive.

Deploying Vision One was a pain because of the automated removal tool. In the antivirus world, they try to make it difficult to uninstall people's defenses because that's what an attacker would do. However, all the competitors are making tools to uninstall their competitors' tools when they win business. That's directly counterintuitive to the whole point of the antivirus.

We went through a process of trying to do this in an automated fashion to replace the old product, and Trend didn't quite do it right. Trend had a real struggle toget their own tool to fix it.

We use it as a SaaS, so we have a gateway integrator on the server on-site, but the product sits on all my endpoints. In that aspect, it's on-prem, but all the processing, reporting, and everything else happens in the cloud. We had it 75 percent deployed in 45 days. That last 25 percent took us another four months.

I work at an underfunded public school district. I need a whole team, but there is only me. I used to have a security analyst until that position moved around, and
my ability to use the product has been drastically reduced. I miss much of the value of what I'm paying for because I don't have enough staff to use it. I wouldn't need more than one if that was their whole job.

It's not a totally elegant solution that always feeds and cares for itself. We have to check if it's doing its updates properly. It doesn't tell us, for example, that 2,000 devices haven't been updated or checked in. I have to go proactively looking at it.

Vision One's pricing is extremely competitive. They're probably the lowest-cost provider that has this feature set.

I rate Vision One seven out of 10. Make sure you learn the 90 percent of stuff in there that you didn't know you bought and preestablish an escalation contact for support tickets.

Trend Vision One functions as our XDR solution. I spend considerable time within it conducting reconnaissance on any security incidents requiring investigation. This tool allows me to quickly search for information that might be difficult to locate using our other tools.

We implemented Trend Vision One to improve our security posture by creating multiple layers of protection. This tool addresses security gaps our existing solutions, like Defender, may miss, providing deeper insights into potential threats.

We have implemented the product on both our cloud environment and endpoints. While we utilize a different Trend product for email, we also leverage Trend for this purpose. Trend's complete coverage is invaluable, as it centralizes data that would otherwise be difficult to locate, and its robust search function has been instrumental in our decision to continue using the platform. Although our organization is always exploring alternatives, the all-in-one nature of this solution has proven highly effective for our needs.

Vision One offers centralized oversight and control across our protective layers. It provides valuable insights into our various Trend applications, though its visibility into other layers is understandably limited. This limitation isn't a concern at this time.

Vision One has significantly improved our efficiency. For example, we recently faced a critical situation where a rule change on a client-server posed a potential security breach. Using Vision One, we quickly identified the employee responsible for the shift and resolved the incident without an extensive investigation. This would have been highly challenging without the tool, as determining the culprit would have been much more difficult.

We've been using the risk index feature to try to chip away at the risks within the environment and identify the vulnerabilities that need to be prioritized because that's been one area that has been more invisible to us with the other tools.

Vision One offers a valuable new perspective on our risk profile. While we receive reports from other tools like Nexus IQ, Vision One's unique risk classification and ranking system allows us to prioritize issues differently. This enables more informed decision-making as we can identify risks that other tools might underestimate. We've fully leveraged Vision One's benefits since our team's formation over two years ago. Though the tool existed previously, its impact was limited due to the absence of a dedicated team focused on its utilization.

It's able to detect things that other tools don't detect. We use a layered approach, so those tools have found stuff it hasn't detected. But that's to be expected. That's the goal of using the layered approach to it. But it's helpful because it catches things we might have been unaware of. Additionally, it might rank things differently than the other tools, and that's the same for this piece. And that can be very helpful for us to catch things we might have otherwise missed because it gives us that extra detail.

Trend Micro XDR has significantly reduced the time needed to detect and respond to threats. It offers capabilities that other security solutions lack, enabling us to address challenges innovatively. Additionally, built-in features such as insights and endpoint protection provide valuable tools that enhance our security posture compared to other systems.

Despite having a fifteen-year career in cybersecurity, I joined this role with limited hands-on experience. However, I quickly became proficient with Trend Vision One through self-directed learning, and my team soon recognized my expertise in the tool, making it a positive experience overall.

The Workbench feature is fantastic. It is so helpful to have something that pulls all the data into one visual representation of the events.

Vision One generates numerous false positives, forcing unnecessary investigations and highlighting a need for improved filtering options. A recurring false positive in our environment cannot be safely filtered, preventing us from ignoring it without risking overlooking genuine threats. This issue arises from a script that renames computers, which behaves suspiciously like malware but lacks a unique identifier within Trend for precise filtering. We cannot exclude the entire script due to potential exploitation by attackers who could embed malicious code within it, bypassing our security measures. While this scenario requires a targeted attack, the sensitive nature of our client's data, including threats from nation-state actors, necessitates a cautious approach to avoid compromising our security posture.

We want the ability to download and inspect emails from clients' mailboxes. Microsoft's platform supports this functionality, and we possess the necessary license. However, some clients lack the required license, prompting us to recommend Trend. If we could directly access and inspect client emails, it would eliminate the need to sell additional licenses to those clients, streamlining the process.

I have been using Trend Vision One for over two years.

Trend Vision One is stable.

As we've added employees and removed employees and added servers and removed servers, I haven't had to think about the scalability of Vision One. It has been very smooth.

We had a script that was not right and kept triggering false positives. I had reached out for help with that. The help I got took a lot of time to get responses. And in the end, they closed out the ticket I had opened without resolving it. I also found the communication experience to be rather frustrating. My biggest complaint about my experience with Trend has been the support. There's a lot of good to be said, but there's room for improvement in the support. The people were very polite, so I'm not giving them a five because that goes a long way for me. Having support that is snippy makes the experience significantly worse. So, I am grateful for that part.

We used a Microsoft XDR in conjunction with Trend Vision One. The main pros for Vision One are that the interface is typically a lot easier and a lot less confusing.

The overall experience of the interface is a lot more positive. The details I can pull out of Trend are much better than I can typically pull out from Microsoft. I'm able to get results that Microsoft doesn't seem to gather. The cons are that it's in such flux right now because they're moving all their other products into the Vision One console, which can sometimes make it a bit confusing.

It can also mean that we're unable to access the tools we previously did as rapidly. For example, many of the Apex One stuff is now within Vision One. So we had to relearn how to do that, which cost us time during security incidents. And Microsoft does change things, but they typically change things by adding extra bloat. So that ends up being a con for Trend compared to Microsoft.

While I cannot confirm the specific return on investment for Vision One without firsthand data, I expect it to be positive, given our organization's tendency to quickly discontinue partnerships that fail to deliver value.

I would rate Trend Vision One eight out of ten. There is room for improvement, but with the tools I've used, Vision One is one of the better.

I don't do much regarding the maintenance of Trend Vision One, but I also know that because I get emails about stuff that goes down, it's relatively low maintenance compared to other tools.

We have Trend Vision One deployed across multiple locations internationally. Because the number fluctuates, we have roughly 1,500 to 2,000 users at any given time. Three people on our network team use Vision One. We have also used Trend products, other than Vision One, for a couple of our clients, which would expand those numbers significantly.

My experience with Trend Vision One has taught me many valuable details, and I strongly recommend that new users carefully review the provided documentation.

I primarily use the solution to prevent attacks.

It's good for detecting malware and anomalies. We use it on our endpoints.

The user interface is very good. Everything is all on one single platform.

With this product, we get centralized visibility and management across all of our protection layers. With a central platform, we don't have to look around across different websites or platforms. We can go right on the portal and manage things. It also helps us reduce the learning curve. We can manage and monitor products from the same place instead of learning different platforms. It's also helped us increase efficiency.

We have made use of the executive dashboard. It greatly increased visibility. We get a risk management view and metrics that help us narrow down and find issues. It helps us reduce risks. The risk index feature gives us a score to help us in our security goals. With it, we know what's the baseline or standard, so now we know what we need to do in order to meet the standards out there in the industry. We can see everything we need to in one glance.

It's kept up to date and is consistently improving. This helps us protect our environment.

The patch management has been very useful. They help recommend what needs to be installed.

We leverage the attack surface risk management capabilities. It shows the entire incident, including how it happened. We can use the information when we're doing forensics.

We've been able to reduce our mean time to detect and mean time to respond. What would previously take us two to three hours to fix, we can do in one hour or even half an hour. We've also been able to reduce the amount of time we spend investigating false positives.

We'd like to see more use of AI around analytics and controls.

I've been using the solution for five years.

The stability is good; I'd rate it eight out of ten.

We're a small-to-medium-sized company. We have it deployed to less than 5,000 users.

I'm not sure of the scalability. It works for us and our company size.

Support is okay. They could be more responsive and could provide more communication channels.

We did not previously use a different solution.

I'm more of an end-user. I do not handle the installation aspect. The deployment was done a long time ago.

The tool does not require much maintenance.

I'm not familiar with the exact pricing of the solution. My understanding is the licensing is reasonable.

I'm an end-user and customer.

I'd rate the solution eight out of ten. It has very good management and monitoring benefits.

We rely on Trend Micro Vision One as our Extended Detection and Response platform, leveraging its capabilities for endpoint detection and response across our entire IT environment.

Trend Micro Vision One boasts a good detection rate thanks to its data lake analysis and frameworks like MITRE. This helps minimize false positives, ensuring alerts are truly security threats. While no platform is flawless and occasional false positives can occur, Vision One's detection is effective for our use cases.

Trend Micro Vision One doesn't have a separate module for advanced threat protection. Instead, its standard endpoint protection, formerly Apex One, includes features like real-time scanning with advanced telemetry collection to identify and prevent unknown threats. These features go beyond basic signature-based detection and offer advanced actions like specific file quarantine or cleanup thanks to machine learning capabilities.

Trend Micro Vision One uses real-time machine learning to detect ransomware, a critical tool since cybercrime is increasingly focused on extortion. While ransomware isn't new, its prominence in news reports makes it a major concern. However, even though it's widely reported, it may not be the biggest threat. For healthcare organizations especially, protecting patient data from being leaked and sold on the dark web is paramount. This is why using tools like Trend Micro Vision One is crucial.

Trend Micro's Vision One simplifies security management by offering a unified console for threat detection, investigation, and hunting across all security layers. This replaces their previous approach of separate consoles for different products like cloud app security and Cloud One, eliminating the need to switch between consoles for a complete security picture.

While telemetry data offers valuable insights into identity access, endpoint detection, and threat intelligence, doesn't provide complete visibility. There's no access to firewall logs or built-in network access control. However, the platform's strength lies in its advanced features like intrusion detection and integration capabilities, allowing for threat hunting and sharing data with other security solutions.

Vision One uses two methods for endpoint detection. The first is "active update," where devices connect securely using port 443 to the cloud to download the latest signature data every 12 hours, ensuring they have up-to-date protection. This eliminates the need for on-premise signature updates.

Vision One is user-friendly with clear navigation, but its wealth of data can be overwhelming for new users. For example, telemetry can be complex, and some alerts might go unnoticed by inexperienced users who lack the necessary skills to interpret the data effectively. This isn't a flaw of the product itself; it's simply a matter of needing the right training and experience to get the most out of it.

Vision One, while easy to manage, requires significant upfront investment when building a platform from scratch. Configuring agent deployment, servers, and third-party integrations, takes many hours and there's no perfect out-of-the-box solution.

While initially considering Trend Vision One as just a replacement antivirus solution, we realized its extended detection and response capabilities offered more than just basic endpoint protection. XDR allows for collecting telemetry data beyond signatures, enabling us to identify threats like suspicious file activity, lateral movement, and potential command-and-control communications. This provides a more comprehensive security posture compared to traditional antivirus solutions and helps reduce our workloads.

Our organization utilizes the full range of Trend Vision One features, excluding tipping points. This includes attack surface risk management, XDR threat investigation, endpoint, cloud, network security, and email protection. This full security posture positions us well for our future security roadmap.

Trend Micro Vision One requires significant customization to fit our specific needs, which increases the administrative burden. While the wider data collection offers a broader security net, we don't utilize all its services (e.g., Okta integration). This necessitates manual log ingestion from Azure (e.g., anonymous logins, suspicious tokens) and additional verification using separate tools like Azure for risky sign-in detection and IP vetting, making it a more hands-on security solution.

Trend Vision One has some usability issues. For example, extracting browser history for forensic analysis is cumbersome. The platform parses the history file but then doesn't allow exporting the data, making it difficult to share findings with managers. Additionally, the lack of a Network Security Installer for endpoint agents is surprising, especially considering servers have them. The feature request process, relying on a community voting system within a product portal, seems inefficient. Overall, improvements in data consistency and user-friendliness would be beneficial.

I have been using Trend Vision One for two years.

Despite having several open support tickets with Trend Micro, I'm impressed by their exceptional customer service. Unlike Microsoft, they proactively reach out by phone to resolve issues quickly. This personalized approach makes me confident we'll get everything sorted out.

Whenever I encounter an issue, technical support is fantastic at providing a root cause analysis, which helps me understand the underlying problem and document it accurately for leadership.

I wasn't involved in the initial Trend Vision One deployment, but I heard about performance problems. While my team deployed the product itself through SCCM after enterprise approval, the agent caused high CPU usage due to configuration issues. Now, from my new perspective, it's clear these problems stemmed from deployment configuration, not the product itself.

Trend Micro recently switched from a license-based pricing model to a credit system, which caused some initial frustration during my renewal. While I've spoken with their leadership about the credit system's functionality and potential improvements, it still feels unconventional even though I'm now more comfortable with it.

I would rate Trend Vision One eight out of ten.

In our organization, the IT department has a collective decision-making process for product procurement. During the proof of concept calls, a group of 30 IT professionals evaluate vendor presentations, like, Microsoft partners showcasing Windows Defender. They consider features, budget fit, and individual preferences before voting on the best option. Leadership then finalizes the purchase. While I, the senior security team member, have no direct influence on product selection like Trend Vision One, I significantly impact its functionality. I work directly with Trend Micro, providing daily suggestions for product improvement within the platform.

Upon taking control of Trend Vision One, I identified several areas for improvement, including integrating custom data feeds like taxi data, deploying agents in different ways, and collecting telemetry data specific to our environment e.g., Office 365 data. Since Trend Vision One doesn't natively collect everything, and tailoring it to our needs involved significant effort e.g., setting up DLP rules for email and collaboration, I'm unsure about its initial impact without customization.

While a patch exists for the vulnerability through Tipping Point, we don't have it, our existing intrusion prevention/detection rules within our server and workload protection system offer some mitigation. A specific module in this system is being configured to address the CVE and potentially protect our assets even if a patch isn't applied.

Trend Vision One is a great cybersecurity platform that requires upfront effort to set up but offers comprehensive protection for your organization. While it has room for improvement, the developers are actively adding new features like cloud scanning and AI-powered detections, demonstrating their commitment to innovation. This ongoing development ensures Trend Vision One stays relevant and effective in the ever-evolving security landscape.

We use Vision One together with the other products in the Trend Micro security stack, such as XDR, Site Management, and Apex One.

Vision One has made our detection and response time much faster. We have 30-plus integrations, helping us to identify the most critical threats. The more connections, the better. We can also identify and resolve false positives faster.

I like Vision One's workbench. It provides helpful logs that I can search, and the telemetry is excellent because I can see what's happening during an attack or potential attack.

Another one of my favorite features is attack surface risk management. It shows me faults and blind spots in my security. I also like the attack phase management. The model shows the risks in the corporation and provides considerable information about what is happening on the platform and the network, offering more visibility. There's also a risk index that shows me where I can improve my security.

Vision One provides centralized visibility and management across multiple layers. This is critical because I need to see what's happening. It also allows me to set separate rules and policies for some security areas.

Vision One's search could be improved. While the platform is very user-friendly, the search feature uses terms that aren't as intuitive. The automation is excellent, but I wish there were more templates to help me optimize more things.

I have used Vision One for nearly a year.

I rate Vision One nine out of 10 for stability. It has only crashed once.

I rate Trend Micro support six out of 10. They respond quickly but the answers aren't clear sometimes. They don't always understand the issue, so I need to explain a lot.

I previously used the Microsoft 365 security stack, but I found Microsoft's XDR lacking. We also used Microsoft CASB and Defender for Endpoint. Vision One's threat intelligence and modeling are better. It has all the features like attack surface and risk management as well as the workbench. I also find Vision One easier to navigate.

Vision One is easy to deploy. It's mostly automatic, but we needed to deploy some of the agents manually. If you can deploy all of the agents to the endpoints automatically, it takes only about five minutes.

Vision One is expensive, but I think it's a typical market price.

I rate Visione One nine out of 10. I recommend fully exploring Vision One's features. It has many features that you don't need to pay extra for. There are so many things to explore. For example, they have free playbooks for third-party integration.

We use Trend Vision One for real-time analysis and monitoring to identify the root cause of security incidents. This includes finding details like how the attack unfolded, user names involved, IP addresses associated with the attack, and the affected systems and devices. By analyzing this information, we can map out the entire attack flow chart.

The network coverage provided by Trend Vision One is important.

Trend Vision One is an XDR tool so it is important for us that it provides centralized visibility and management across protection layers.

Centralized visibility and management across protection layers enable real-time monitoring, which improves our efficiency.

While the Trend Micro Vision One executive dashboard provides a valuable overview, the ability to drill down from that level into the XDR detections is crucial. During a real-time attack, this drill-down functionality is essential for identifying the root cause, prioritizing the threat type, and ultimately finding an effective solution.

Trend Micro Vision One's greatest strength lies in its real-time monitoring and analysis capabilities. This allows for the seamless blocking of malicious URLs and attacks.

The managed XDR has saved us time allowing us to focus on other tasks.

The managed XDR helps us detect and respond to threats in under five minutes. It will display all the details in a single, unified view, including any alerts, trends, usernames, and everything else relevant. By simply looking at the tag data, we can get a complete analysis. This eliminates the need to switch between different screens and saves us significant time. For example, if we see a flag, we can immediately understand its meaning and the associated location without having to search for it elsewhere. Having all this information on a single page is a huge time saver.

Trend Vision One helps reduce the time we spend investigating false positives. The more we familiarize ourselves with the tool the easier it becomes identifying false positives. The time saved by identifying false positives depends on the type of alert. In some cases, we only deal with simple attacks, such as brute-force password attempts, followed by alerts for unusual login failures. These are common attack methods. We can then determine if the user was trying a different password, mistyped their password, or there's a mismatch. In such cases, identifying a false positive can be relatively quick, taking only one to two minutes.

I appreciate the value of real-time activity monitoring. It provides accurate data, giving us a clear picture of what's happening, including who attempted an attack, their location, and any other details we need to mitigate the threat.

While blocking an IP address restricts access for 30 days, it eventually becomes accessible again. For true permanence, blocked IPs need to be transferred to a dedicated storage solution. However, this storage has limited capacity. To accommodate new blocked IPs, we must remove existing ones, creating a disadvantage that has room for improvement.

I have been using Trend Vision One for over 1 year.

Trend Vision One is stable.

Trend Vision One is scalable.

We previously used Palo Alto's Cortex XDR. However, we switched to Trend Micro Vision One because it's more user-friendly. Trend Micro's interface allows us to better understand the features and processes, enabling us to achieve the desired results more easily. Cortex XDR, on the other hand, was more complex to navigate.

The solution has delivered a return on investment through time savings.

I would rate Trend Vision One 9 out of 10.

Maintenance is required but it is easy to do.

I would recommend Trend Vision One to others. I suggest completing training before using the solution.

Our biggest security challenge was the number of alerts. It has helped with the reduction in alerts. We had too many alerts in the past that were false positives. The reduction in alerts was definitely a big benefit to us.

With Vision One, we have a platform view and all alerts go to one place. It gives us a much better understanding.

We definitely have better visibility. We can now detect things that we could never detect in the past using traditional AV platforms. That is definitely the biggest benefit. The second one is the risk score where we can see where the risk is in the business, and we can actively call and address it.

We use it on all of our endpoints. We use it on our cloud, on our email, M365, SharePoint, and OneDrive. We have been using it pretty much everywhere.

Vision One provides us with centralized visibility and management across protection layers. It is critical to us. Without it, our staff has to work harder because we are in multiple dashboards, and we do not have a giant picture between the systems and the security layers. Vision One connects it all together for you, and it can show us an attack from start to finish. It allows us to defend that much better.

Vision One has definitely increased our efficiency by reducing the number of alerts and correlating them. It is almost impossible to put a real number on it, but we definitely see things that we could not detect without it. There is probably 50% efficiency.

We use the Executive Dashboards. It is important to us that we can drill down from the Executive Dashboards into XDR detections.

We use the Risk Index feature. We look at the highest risks to the business, and we actively address those risks. There is a little bit of gamification with it. We have engineers looking to reduce the overall score of the business. They are targeting the biggest risks that Vision One has given us and that are most likely to be exploited. By addressing that, we reduced our risk score, and, as a side effect of that, we improved our business' security posture.

We use the Attack Surface Risk Management capabilities. We can see what is being actively exploited in the wild, and if we see some of that in our perimeter, we are going to do that straight away. We have full visibility of what is vulnerable, which allows us to prioritize.

Trend Micro XDR has helped to decrease our time to detect and respond to threats. With the combined visibility of Vision One, we get a lot of better-quality reports. In the past, with products like SIEM, we used to get a lot of noise. We would get thousands of alerts that were never risks to us, whereas XDR is all joined together. It gives you a much more confident data set, and from our data set, we can then start addressing the real risks to the business, which we have never been able to do in the past. It is the primary driver for business change. We get great visibility and high-quality alerts. We never measured the time to detect in the past, but I know that we are now detecting things within an hour or so, whereas in the past, it might be in hours if not days. We would have never detected some of the things in the past because we did not have a tool to do it.

Vision One has helped to reduce the amount of time we spend investigating false positive alerts. It has saved a lot of time. Traditional tools give you completely out-of-context alerts, which take time. We had thousands of alerts to look at, but 99% of them were just false positives. People sat on those alerts all day long that were never going to be an issue for us. When you get an XDR and Vision One in place, you start getting good-quality alerts. It just frees up countless amounts of time, but I cannot give a number.

We use its automation capabilities. Some of the playbooks have saved us days. They have taken action without the security being involved.

It is definitely the center of our detection and response these days. We are seeing things that we have not seen before or never detected with other tools. It has made us far more aware of what is on our estate. It provides better visibility and allows the threat detection team to stop anything that might even be a suspect well in advance. It has definitely improved our response times.

I like the workbench. It is a view of all the alerts or problems in your estate. The visibility that it provides to engineers is very useful. It is one thing having lots of alerts. It is another thing to have something to correlate all your alerts into a workbench for you so that you can see what is going on.

Integration is very good. There are lots of integrations. There are third-party products that we use, so the integrations are beneficial.

Within five minutes, even a new engineer can understand how to use it. It is very intuitive. You can easily learn how to use the platform and get the most from it.

It is very good. It is very simplistic to learn. It is very intuitive to learn. We do not spend a lot of time training the staff on how to use it. They can just pick it up and use it themselves quite well.

On the reporting side, we use quite a lot of reports and dashboards. This visibility is very beneficial.

Playbooks are very good, but on the automation side, they could always improve. Having more variables within the playbook would be useful. It would allow us to have more refined playbooks for the business. It would allow us to take stronger action through a playbook. It will give us confidence to target a particular area of business where our risk tolerance might be higher or lower. We would like to have more granular playbooks.

Further integrations with other products are always beneficial.

I have been using it for four years.

It has never been down for us, so it is very stable. I would rate it a ten out of ten in terms of stability.

We have never had any scale issues. It has been absolutely fine. I would rate it a ten out of ten for scalability.

Their support is great. Whenever I have called them, the support teams have always been fast to respond. They are always helpful and willing to talk by email, phone, or WebEx. The escalations are always good as well. If we need further support, they are always there to promote that.

I would rate their support a ten out of ten. I do not think it can be improved. It is excellent.

We had a SIEM from LogRhythm. We almost replaced that entirely. We went for Trend Micro for a lot of reasons. The product was definitely the number one reason. It went through some rigorous testing with us, and we proved it to be very good and helpful to the business. Trend Micro's support model from their sales and delivery and their pricing model just worked for us. They were a good fit with our business.

Deployment on the cloud is always easy. Deploying the agents to the endpoints can take time due to the size of your estate, but it is not a Trend Micro issue. It is purely down to the size of your environment. If you have 1,000 endpoints, it is not going to take as long if you have 100,000 endpoints. It is just a bit of a scale thing. You have got to deploy it out. It is not the worst deployment we have ever seen.

It is fairly straightforward. Cloud-to-cloud gets done in minutes. With all such tools, it is always about how long it is going to take the IT team to deploy the agents to all of their endpoints. It was not a massive issue for us.

We spent a few months getting it working.

We had about four people for implementation and maintenance. We had about 11,000 endpoints. We have offices around the world. We have the UK, India, Canada, Australia, and many others. We have a full global team there.

In terms of maintenance, the cloud does not require maintenance. The rest of it is about looking at the agents in terms of how the agents work, how they are deployed, and whether they are doing what we are expecting.

We do not calculate return on investment as such, but we have detected things that we may never have detected in the past. Those things could have turned into an actual real attack. We have probably saved far more than the cost of the system by not having an attack. The cost of being attacked, being exploited, having downtime, and reputation damage would be huge. It easily pays for the product.

It is definitely not cheap. I do believe you get what you pay for to some degree. It is cost-effective. The money we spend on it is justifiable. It is not the most expensive product in the market. It is definitely not the cheapest product in the market. You have got to weigh that off as part of your business risk and understand what the risk to the business is if you do not spend and invest in modern tools like Vision One.

I would definitely recommend this product. We would not be without it. I would definitely recommend doing a proof of concept in your environment. Once you have done that, you will realize the value of it, and once you realize the value of the tool, there is no going back. You would have to purchase it.

I would rate Trend Vision One an eight out of ten. They have room for improvement, but that is not at all unusual. It is still very good, and we would not want to get rid of it any time soon.

We were using Symantec before, and with the coming of EDRs in the market, we were looking for a solution. We wanted a defense system so that if there is an attack on the system, such as an endpoint is infected or the attacker or a known technique for ransomware is moving laterally, I do not need to go to the firewall team. I do not need to go to other teams to find out. I should have enough intel at that very stage to contain it if possible.

We were looking for a system with a single pane of glass. The journey started with deploying the EDR client on the servers, which is called Deep Security, and Apex One on the endpoints, such as desktops and laptops. We then connected them to a single pane of glass, which was called XDR, now known as Vision One. It has helped us to correctly hunt and fix. We could see the communication between the endpoints and the servers and anything else they were talking to. We could then further expand it and connect it to all of the systems through APIs. That was the initial requirement we had, and it worked very well in that sense.

When you buy extensive or expensive SIEM solutions, such as Splunk or something else, what happens is that you need analytics. You can write meaningful queries to query the data. At the end of the day, all the data going in needs to be correlated. Vision One provides visibility in that sense.

We connected it to the cloud, so we could see the telemetry from Azure and cloud. We then installed the network detection response. It could see and detect a little movement from the network layer. We then connected it to Active Directory, so we could have attribution happening. We currently have a lot of data coming. With a small team, the issue that arises is how to deal with so much information and how to prioritize. It helps with the prioritization. The system is smart enough to proactively go and scan the logs and trigger workflow alerts. It prioritizes them based on the criticality, such as high, medium, low, or informational. When you have a small team, your analysts can go and start looking into those and see what is happening and what they need to prioritize at a stage.

We came very close to a Russian threat actor and Vision One helped tremendously. It helped us to control the attack in the initial stages. They got into the environment and they got the reverse shell out. I saw the alert. Vision One Protection showed me in detail what they ran, what they queried, what information was captured, and where the connections were going out. It was an initial access broker that had done the attack. If this information was not picked up on the late Friday afternoon, you can imagine what could have happened by Monday. Within hours, that information would have gone on to the dark net and would have been sold to a ransomware gang. The mean time to respond was reduced significantly. It is very rare for most organizations to detect such attacks in their own environment within the first four hours. It reduced the mean time to respond by 70% to 80%.

Its real-time monitoring capabilities help a lot in our overall security posture. We have everything configured to our central SOC email system, so the minute an alert is fired and depending on what criticality it is, we can work on it. When you work in the health industry, you often work with vendors who are still not very cybersecurity conscious. They are still learning. One of them plugged in a USB drive, and we found an early indicator of compromise. The device was plugged into one of the technical systems. It not only detected and blocked that, but we also got the alert pointing to the machine. If it was not detected and picked up at that very stage within a matter of minutes, it could have had a pretty big impact eventually.

The beauty is that I do not need to go and log in to the separate console of Apex One or Deep Security. I have got all the visibility and telemetry feeding in real-time into the Vision One console. The Vision One console straightaway alerts you. It just flashes a critical alert. It blocks, but then it provides mitigation recommendations. We need to take the machine off the network, scan the USB, educate the user, and escalate to the right people. Having all that information at hand is very crucial. We can influence the user behavior as well so that they do not do that again.

We are using it on endpoints. We are using it on our servers. We have a network detection response, which is called NDR. We are monitoring all the internal traffic coming from the firewalls. We have Citrix NetScalers, so we are monitoring the network side as well. We also have another product called Conformity that does a cloud assessment and compliance check for all externally exposed cloud assets. It tells you if they are not in compliance. For example, with the project that went in, something might get exposed accidentally, such as an Azure storage account, to the Internet. It all feeds into Vision One, and we have a single pane of glass.

It is helpful for multiple teams. It is not only limited to SOC. We have teams from the cloud side and sometimes from the endpoint and the server side who can get in, and they can see the alerts. It makes it easier to work because we all are seeing the same thing with more information. So, we are using it for our endpoint servers and network. We are using it for monitoring our Azure cloud. We also have something called Trend Micro Cloud App licenses as part of our licensing. We have policies that do advanced threat protection monitoring and DLP monitoring on the SaaS channels, such as Exchange Online, Teams, OneDrive, and SharePoint sites. These are other channels from where the data can be shared, the data can enter our environment, or the data can go out of our environment. It has policies to monitor DLP. It has policies to monitor any malicious files or any indicators of an ATP attack. We get those alerts as well.

There are two dashboards. The Executive Dashboards give an overall view of the entire system and what is happening on our system at any point in time. We can see how many outstanding vulnerabilities we have, what we need to report to the management, and how we will be progressing for things like that. Then we have the Operational dashboard with real-time alerts or pending alerts. It shows us that we have some account that is a match from a .Net data lake. A problem, for example, is that most users keep the same password, so you could have the same account password for your work account and for your personal account. They can get compromised at home and work as well. So, we use Executive Dashboards for reporting and overall understanding of what is happening in the environment and what we need to report and prioritize. The Operational dashboard is for day-to-day work.

It is very important that we are able to drill down from the Executive Dashboards into XDR detections. We are in the health industry. We are a hospital. The board is not only worried about ransomware because that can happen to anyone. You can never be safe enough. They are also concerned about the damage to our reputation and the operational cost of recovering, so they are very keen to have visibility. The Executive Dashboards give us good enough information to filter that. For example, our desktop support team has a limited set of people. For cybersecurity, we want to prioritize patching for a zero-day threat, but sometimes, it cannot happen because the teams have other priorities. The issue is not that they do not want to help, but they do not have resources. With Executive Dashboards and reporting, we can escalate things to the board saying that we need some attention. We can ask them to fund us with more resources to get this across the line. It helps us dictate the impact and prioritize a critical cybersecurity vulnerability so that we can get the management's buy-in to prioritize it and address it before it goes out of hand.

We use the Risk Index feature to map against other organizations in the same geographic region to see how we are doing in terms of risks as compared to other organizations. Are we better or worse than others? If we have some areas where we are worse than others, they help us to understand the reason and how to improve.

If we want to go through every single event, then with our current licensing, XDR can hold up to six months of data, which could be millions or thousands of alerts. A smart thing that they have done is to provide the Workbench, which automatically prioritizes. It does the hard work for you by pulling that intel and saying that these are the highly critical ones that you need to address as soon as possible. I am not discounting the fact that sometimes, attackers do not even go for highly critical ones. They go for a medium one, but it helps us to get them out of the way. Our team is small, and I had a good experience training a few people, taking them through, and showing them how to do it. Once people start working, they understand the workflow. It just becomes a second habit. It is very intuitive. You can get into the console, add new indicators of compromise, add new threat-hunting queries, add new CTI feeds, and check for new vulnerabilities. There is so much you can get out of it. You just have to prioritize what you think is important for that day.

We do use Managed XDR as a second service. The way that comes in handy is that we do have people on call. I, for sure, keep checking my emails, but if we have a critical alert that no one has attended from our side, they triage it. They triage it very well and then rate it. For example, they might say, "It seems to be benign or negative, but an alert came in, and no one was available. If you want to add an extra layer of security or caution, here is the mitigation." They are very responsive. I was able to see the big attack that we had two years ago within the first four hours, and by the time it got to the XDR, it was all correlated. Within half an hour, their response team came to the same conclusion. They reached out to us when I was about to reach out to them, so we were on the same page. They are definitely a good backup or a second solution for us. Also, some of the alerts can come up from workflows. They may seem malicious but they are not. The Managed XDR service people come back to us just to reconfirm that. We tell them that it is a known file. They do not need to worry about it. Sometimes, we might miss something or have no idea about the next step. They then come up with a recommendation about what we need to do. It is a very good service to have.

We are using Attack Surface Discovery to monitor the devices we have and the internet-facing assets, accounts, and applications. API is something we are still looking into, but with a few clicks, we get an overview. We can see how many are patched and how many are exposed externally or internet-facing assets. We have a lot of subdomains linked to the primary hospital site for different projects and workflows. We can see how they are doing, which ports are open, and which known vulnerabilities are there because some of them are not managed by us. They are managed by externally hosted vendors, so we can keep them in check. The same is applicable to our accounts. If we have accounts that are on the dark net, or we have accounts with excessive privileges that can potentially be exploited, we can address that.

For applications, the feature that I like the most is called the Cloud App List. It basically looks at all the SaaS applications and benchmarks them. It profiles them based on the rest and gives us a report. It tells us that certain apps that people are using may not be officially sanctioned by us. For an unsanctioned app, they do a risk profiling through Vision One, which shows us which security compliance standard it has gone through from the vendor. They give us a quick understanding of how bad or good it is to continue using an application.

During the COVID time, I was setting up Vision One, and I got an informational alert. The husband of a nurse gave her a USB, and she plugged it in. She was in an off-site environment, but the Trend client was still running. The clients were connected to the SaaS console or the Internet, so all telemetry was still being fed. They must have thought that it was not the case, but detections were still coming. When she plugged it in, it downloaded a power shell exploitation framework, which they were able to map to an ATP group from China that commonly uses this technique for intellectual property exfiltration. I quite like how much visibility it provides. For a couple of applications here, sometimes an alert comes in, and it can even drill down to the last command that was executed. It can create an attack graph and show you the full execution profile. It helps you troubleshoot and filter out whether something is a false positive or an issue at hand. This whole interconnectivity of different systems into Vision One, and its ability to help individualize an attack, is the thing I like the most. It is very good because reading logs and seeing an attack visualized are two different perspectives for a threat hunter. It really helps you understand what is going on.

With every such technology in an enterprise environment, as well as with most of the production systems, the reduction in the amount of time we spend investigating false positive alerts depends on how fast you finetune the system. You need to tell it which are the exceptions and not to alert you on it, and which ones it should alert you on. It is a balancing act in cybersecurity. For example, logins are used by attackers but also by your admin staff. If you totally put them in exemption, you can have a malicious login executing in your environment. You would be completely blind there because nothing would get alerted. In terms of false positives, the system is capturing a lot of data, and it is not the system's fault because it is seeing a lot of data. Sometimes, we have not classified the data. We are getting better at it. We are labeling and tagging the systems. We are fine-tuning it, and it has reduced a fair bit, but we still have a lot of work to do. It happens, but it is something we do behind the scenes. In terms of the day-to-day threat hunting and visibility, it categorizes them in Workbench, and that is what we look at first thing in the morning. We get to know what is happening and what we need to focus on. Once we see that there is a pattern repeating for some false positives and Workbench alerts are high and not true positive, we then figure out how to whitelist those systems. We now know that this is a known execution process. We know it is a known traffic or a known vendor that runs this application, and when it opens, it connects to these ports, for example. It is a bit of a balancing act. It changes dynamically.

For our day-to-day use cases, the correlation and attribution of different alerts are valuable. It is sort of an SIEM, but it is intelligent enough to run the queries and intentionally detect and prioritize attacks for you. At the end of the day, it is different data that you see. It correlates data for you and makes it meaningful. You can see that someone got an email and clicked a link. That link downloaded, for example, malware into the memory of the machine. From there, you can see that they started moving laterally to your environment. I quite like it because it gives visibility, so Workbench is what we use every day.

They also have something called virtual patching. If you have end-of-life systems or systems that are out of support, you cannot upgrade the agent, but you can still do the update if you get the signature. This is the feature I like. For example, today, if a new zero-day threat is out with a link vulnerability where attackers send you a link, and that link, even if opened in the preview mode, can basically execute a malicious code, we just cannot patch within four or five hours. We are a midsized organization. We are fairly big, and sometimes, it takes two days or even a week. With virtual patches being there and XDR with all that information connected, we can see that the virtual patch is working. It is there. We have all the mitigation in place, but then it is also detecting the environment for that threat. We can further write the hunting queries and enhance detections. So, Workbench detections and virtual patching are very helpful.

It also gives us an executive dashboard where we are monitoring our external sites. We can see what ports are open and what known vulnerabilities are being scanned on them. We get visibility and better mean time to respond and act.

The user interface is pretty easy to use. Sometimes, you learn it while you play around with it and you set it up. One thing I do like, which is very good, is that you can pivot from within the console to different sections if you know how to go about it, but if you have not used it, it could take a bit of learning. A good thing that Trend Micro has been doing for the last two years is organizing some sort of CDFs, which are scenarios based on real threat actors. They get you to come to those events. It is gamified so they can attract people. If you want to learn, they would show the event ID that came in and where to go and see that event ID. They show you how to hunt based on that event and how to extract the indicators of compromise from that ID. There is a feature called Suspicious Object. They show you how to block one. If you have a suspicious object linked to a threat intel feed that goes to Palo Alto, you can not only block it in XDR or Vision One, but straightaway, it also gets pushed to your firewall, so your firewall is also blocking it now. There are some cool functionalities, but you need to spend time to understand how you would pivot between different subsections. If someone is new and starting, it is still pretty straightforward. The UI interface is very self-explanatory. There are a lot of details. There is a lot of telemetry added to it for you to see and understand. It is not that complicated. If you have a bit of a cybersecurity background, you should be able to pick it up pretty straight.

They are constantly updating it, which is a good as well as not-so-good thing. There is an update every few weeks. They are very good updates. I quite like it that they have such an agile development. They listen to their customer's feedback, and they are constantly investing in the product. They do not give you an off-the-shelf product. The world is changing, and the attacks are changing. It is kept up to date.

Reporting could be a little bit better. They are working on it, and it is getting better. They have different development teams working on this product. Like any bigger organization, they have so many people working and fixing the product, and they have their own development routines and cycles and understanding of the code. It has gotten a lot better, but it has a long way to go. Recently, there were a couple of more reports. What I like is that they listen to the feedback. If we tell them that we need this reporting, they go back and do something about it. It does not get lost in emails or meetings.

We have been using Trend Vision One for almost three years.

I have not seen any downtime as such. I have not seen the console going down, not even once in three years.

It is set in firm defense. It is a very interconnected system now. I spend most of my time fine-tuning and working in Vision One. It has been 100% stable for me most of the time. I have had no issues. It is very stable. I would rate it a ten out of ten for stability.

We are based in Southwestern. It is a fairly big site. After COVID, we have remote workplaces. It is a part of our standard operating environment. Any new server or any new desktop or laptop has to have the client installed, but we are also multi-site. We have sites in Central Queensland and North Queensland. Those sites came along as well. It is a through-and-through solution. It is being used on all three sites.

Vision One is currently being used by multiple teams. There are 15 to 20 people at the moment. We have the Network and Security team, and then we have the core cyber team. We have people who look after the Apex One and desktops, and we also have people who look after servers and the cloud. They all know what to look for, and they know where the alert is coming from and what they need to do. I have given training internally a few times for people.

The customer support experience has been fantastic. They are fairly technical. What I like is that they are very responsive. You log a job, and within two hours, someone is on the call with you or contacts you through email. We have a relationship manager or a technical account manager from them who does biweekly calls with us. He addresses any issues and provides escalation channels as well. Their engagement as a vendor and as support has been amazing.

We were using Symantec. When we did the research three and a half years ago, the world was moving to EDRs. An EDR solution compensates for different technologies. It is not static signature-based detection because that can be bypassed easily.

The main considerations were the costs and virtual patching. We were looking for a solution that could help us with virtual patching. When you have a zero-day at hand, regardless of how big is your team, patching sometimes is just not possible. When you are a hospital, you cannot take the systems down. You have to go through a couple of processes, but during that time, you are in a vulnerable state. We were looking for a system that could provide virtual patching, has detection and virtual patching signatures, and gives you the breathing space where you can go and patch a system. It satisfies that need.

The EDR/full-stack functionality was also a welcome change. We do not have just an antivirus or EDR. It can do a lot more. It can do file integrity checks. It can do a baseline of your known system file caches. It can do all these things.

Our model is hybrid. Vision One console is on SaaS. It is on the cloud, but we have relays that get the updates, so agents have to be local. The EDR clients on servers and endpoints, such as laptops and desktops, have to be on-prem. The cloud posture management and PC bot are also SaaS-based. It is just through an API. Other than the EDR clients, most of the other integrations are pretty much SaaS-based.

The initial deployment was a bit tricky because even though Symantec was a very outdated product, there was still something on the machine. We had to work extra to get rid of that and put this on. Overall, the deployment was pretty good. The biggest challenge in the deployment of an EDR is understanding what your network traffic, day-to-day workflow, or applications look like. Most EDRs have something called real-time scans, so if something is trying to access the memory where the credentials are stored or write to a system-protected file, and if an EDR does not know about them, it will straightaway block it. They helped us to create those amazing baselines where we could whitelist the known applications and the known traffic. It was good. It took a while to get it right. As the environment changes, you keep fine-tuning it. I did not hear of any major issues or any dramas with it, but I did not do the deployment.

It does not require any maintenance as such. The only major change that I have recently seen is that they have gone from version 1 to version 2, and version 3 is coming. That is all happening behind the scenes. We had some agents in a different geographic region. We had to migrate them across, which is on-prem, but the backend team did the rest.

We had a dedicated project team that worked with Trend Micro project managers for implementation.

I do not have much visibility to it. It is definitely not a cheap product, but to my knowledge, it is out there with the big wigs in the industry, such as CrowdStrike, SentinelOne, and other EDR/XDR vendors. I had heard, and found out eventually, that their sales teams are very flexible, as more sales teams are.

The problem with any XDR is that you need to buy into their whole ecosystem so that it can provide more visibility and more data points. It can understand your system environment a bit more.

We started with the endpoint and server detection, and then XDR was given to us for free at that time to try it out. Once we got into it, we added NDR, which is the network detection response, the cloud side, and all the other things to it. They were pretty good in terms of pricing and understanding of our needs.

Their team is also very good, which is something I have not seen with other vendors. They are proactive. They reach out to you with new things happening in the cybersecurity world, such as any new attacks or detections, any new events, or new training. They reach out to you every few weeks and sit with you to understand what they can do better. This constant engagement and service is good. I do not base it only on the cost. Nothing is cheap, but it is about what you get from a vendor on the service. It is not like sell and forget, where they sold you the product, and they have nothing to do with you. It is a constant engagement because XDR is ever-evolving. They take you on that journey. They show you what new capabilities are coming. They ask about the use cases and how they can help us. They ask about what we are seeing or what challenges or gaps we still have in the environment so that they can help that. This has been my personal experience. It has been absolutely fantastic.

We had another vendor. We tested both EDR clients, and at that time, XDR was just a big buzzword in the market. We did not know what XDR was and whether we would get it. It was given to us as a complimentary to try for a few months. I did EDR testing of this solution and another very well-known vendor in the market. We did an attack simulation. We performed a couple of attacks with malicious code and ransomware. It was really good at picking up most of the attacks, whereas the other one was 50/50. We then created a report based on the facts we had in front of us.

Back then, we were told that Palo Alto was coming up with something called Cortex XDR. They bought another company, which had an EDR client that they slapped into their solution. Their methodology was a bit different. Firewalls were still the first line of defense. For example, the malware sitting on a machine is trying to connect to a command and control server or a malicious domain outside the environment on some ports. Once Cortex XDR sees it, and it hits the threshold, you will start seeing the alerts. I did not want to wait for it to get 25 machines infected before Cortex XDR started doing something. That was too late. I have heard that they have come a long way. They might have gotten similar feedback from others and made some changes internally. They are a brilliant company, but it did not meet our requirements at that time. The detections during the EDR testing were not that great. Most importantly, it did not meet one of the key requirements we were looking for back then. We wanted virtual patching and virtual patching signatures for end-of-support operating systems. That is what was the deciding factor for us.

To those who are evaluating this solution, I would advise doing a PoC and understanding their workflow and traffic. They should have the right expectations going into the product. It is a system with which you need to invest in other components as well, but once you get it up and running and it's working and tuned, you will start seeing the value of it.

They are now acting as a support partner for us. We can rely on them and work with them because we invested a fair amount of money with them. The product has proven to be very valuable for our defense arsenal. I personally follow them. It is not just me. It is all over the Internet that Trend Micro's zero-day initiative still picks up around 60% of vulnerabilities. It is more than any vendor out there. They have got a very good team.

I would rate Trend Vision One a nine out of ten. Reporting could use a bit of work, but it is improving. Just the other day, I heard that they are starting to provide automated threat hunt queries and an AI bot on Vision One. These features are still in preview, but it is changing rapidly. They also have something called forensic, so you can create forensic cases and log calls directly from the Vision One portal. There are some very good changes that they have made. It is evolving and dynamic.