
Smarter Endpoint Platforms Fight for Better Trust and Resilience

Written by Doug Bruehl | Nov 4, 2025 2:53:03 PM

This report summary focuses on Endpoint Security, with data on the following vendors:

Bitdefender | Carbon Black (Broadcom) | Check Point Software | Cisco | CrowdStrike | Fortinet | MalwareBytes | Microsoft Defender | Palo Alto Networks | SentinelOne | Sophos | Symantec | Tanium | Trellix | Trend Micro


ETR’s 2025 Observatory for Endpoint Security delivers a comprehensive, survey-based view of vendor momentum and market presence, grounded in insights from 303 IT decision makers directly responsible for endpoint security strategies. The respondent base spans large enterprises, 55% with more than 1,200 employees, 16% from the Fortune 500, and 21% from Global 2000 firms, with a strong North American majority (77%) and concentration in Services, IT/TelCo, and Financial sectors. The research highlights a cybersecurity segment in rapid transformation. Endpoint security now sits at the center of enterprise resilience, evolving from traditional protection to an intelligent, AI-driven layer that connects identity, data protection, and operational assurance. Leading vendors increasingly integrate these functions with cloud analytics and machine learning to detect and contain emerging threats in real time. As endpoint security absorbs more responsibilities, including AI governance, the demand for secure-by-design architecture and resilient systems also grows.

Despite budget pressures and lengthening sales cycles, organizations continue to prioritize endpoint security as foundational to their IT strategy. Microsoft Defender remains the top enterprise choice for integration and ease of deployment, while CrowdStrike sustains leadership through innovation and deployment agility. Palo Alto Networks further strengthens its position, achieving the highest Net Score and top marks in customer retention. Collectively, these leaders define the category’s future, driven by automation, convergence on platforms, and constant improvement for greater protection at scale.

 

Introduction

Endpoint security remains a cornerstone of modern cybersecurity, safeguarding a vast range of devices that connect to corporate networks, including laptops, desktops, mobile devices, servers, and an expanding array of Internet of Things (IoT) assets. Growth in connected devices has been explosive in recent years, and as digital footprints widen within enterprises, the risks associated with unmanaged endpoints grow in tandem. The security category continues to benefit from durable tailwinds, including normalized remote and hybrid work, ongoing cloud migration, and the proliferation of networked consumer and industrial technologies.

Over the past year, the sector has endured a marathon stress test. On the threat actor side, the ransomware landscape has evolved into an increasingly professionalized endeavor, with affiliate programs, access brokers, and exploit markets accelerating attack cycles. In response, endpoint platforms have leaned on automation to reduce attacker dwell time and strengthen remote management controls. At the same time, new ‘AI on the endpoint’ features have grown in both capability and complexity, offering localized intelligence but layering more data privacy and governance problems. Regulators and governments have also intensified the push for ‘secure-by-default’ principles, prompting vendors to design hardened configurations and resilient update pipelines that reduce user burden and limit exploit exposure.

Endpoint security operates directly on the devices it protects, making it a distinct, core area of modern cybersecurity. These systems must be able to handle a wide array of threats, from malware and ransomware to zero-day exploits, while maintaining performance and usability for end users. As many organizations incorporate remote connectivity and virtual environments, endpoints have become an obvious surface of IT risk exposure. Modern endpoint protection has advanced far beyond the antivirus tools of its early years. Today’s solutions integrate Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), and increasingly, Extended Detection and Response (XDR) capabilities.

Leading platform vendors now integrate these functions with cloud analytics and AI-driven modules to detect and contain emerging threats. Endpoint software continues to absorb more security responsibilities, from identity and data protection to local AI governance, and with it, the importance of resiliency and secure-by-design architectures only grows. Even amid budget scrutiny and longer sales cycles, enterprises continue to prioritize endpoint security spending as an essential, core component of holistic IT strategies in a deteriorating threat environment.

 

The Observatory Report

This Observatory features comprehensive and current data about the information security marketplace. The ETR Observatory for Endpoint Security was specifically designed to capture usage and evaluation metrics across a wide swath of professionals representing the end user and evaluator buying demographic. The study offers data and analysis around spending trends, usage, return on investment (ROI), churn, product feature rankings, Net Promoter Scores (NPS), and more for the plethora of players encompassed in this Observatory Scope. This report utilizes a small portion of that market intelligence data, but the full Endpoint Security study is available separately.

While structuring a grouping of disparate vendors with varying functionalities is subjective, the ETR Observatory for Endpoint Security categorizes the vendor group primarily by breaking down the data-driven plotting of each vendor into our four Observatory Scope vectors and by analyzing proprietary user and evaluation metrics, including Momentum, Presence, and Net Score. Since the full Observatory data study asks respondents about both spending intention and evaluation perspectives, a larger swath of vendors is covered in the Observatory data. However, only vendors with sufficient spending-intention citations are included in the Observatory Scope graphic. ETR’s Observatory reports are based solely on end-user data and feedback from our qualified IT decision-maker community, without vendor involvement.

 

Conclusion – Rewriting the Future of Endpoint Resilience

Reflecting on the market and threat dynamics over the past year, endpoint security still stands at a critical juncture, maturing from traditional protection toward an intelligent, adaptive, and integrated function of enterprise IT resilience. The findings of this report underscore that while technical innovation continues to accelerate, differentiation also stems from how well vendors can balance capability with operational reliability.

Market leadership is now concentrated among a small group of vendors, namely CrowdStrike, Microsoft Defender, Palo Alto Networks, Fortinet, and Cisco. Each demonstrates a combination of capabilities with innovation, enhanced by qualities like ease of deployment and ecosystem alignment that can make all the difference in strategic sale outcomes. These firms currently define the security category’s trajectory, shaping user expectations for automation, integration, and ‘secure-by-default’ design. Meanwhile, Advancing vendors such as SentinelOne and Tanium continue to demonstrate technical ambition, signaling competitive dynamism outside of the leading cohort.

Across the broader field, the ETR Observatory data implies a competitive market with high customer expectations, amid the convergence of EPP, EDR, and XDR capabilities, combined with emerging AI workloads. As organizations push toward zero trust and AI-assisted security architectures, endpoint platforms will serve as anchors between users, devices, and data. The strategic imperative is complex, as vendors must deliver not only stronger product capabilities, but also autonomous systems that instill confidence throughout the gamut of IT operations.

Contact Us:

Press: If you need a quote, image, or additional information for an article, reach out to our press team at press@etr.ai

Reprints: If you would like permission to reprint this report or our ETR Observatory Scope graphic, please send your request to reprints@etr.ai

ETR Insights Team: Contact a member of our ETR Insights team to discuss all the details from this analysis or request custom research.