@OmarDweik wrote: The other EDR vendor has behavior and legacy with sandbox verdict, so it is more protection.
Sandboxing is different from Cortex XDR's in-line capabilities. Sandboxing, while important, can be identified by advanced malware that sends WMI queries, performs other environment checks, or checks which processes are running to see if it is operating within a sandbox.
On the other hand, Cortex XDR intercepts processes and prevents exploits by implementing roadblocks at each stage of the process, thus preventing behavioral threats by observing patterns throughout the entire process cycle. Malware can't evade this check the way it can evade sandboxing (by remaining dormant), making Cortex XDR's protection more complete than traditional antivirus and sandboxing techniques. Case in point: the SolarStorm compromise performed a sandboxing check and went dormant for two weeks following the initial access and execution phase. This process successfully bypassed sandboxing attempts in traditional EDR platforms.
Sandboxing also adds unnecessary performance impact and user operation disruption when compared to the in-line protection provided by Cortex XDR. Competitors that have bet on sandboxing technology have had that problem since the beginning when compared to Cortex XDR.
Finally, XDR leverages sandbox technology by way of WildFire. While not native in XDR agents, this once more improves performance impact while providing better protection. This usage of WildFire sandboxing allows XDR to both prevent the activity locally and detonate the sample in a sandbox in the cloud to identify what the malware would have done on the endpoint, effectively giving Cortex XDR the best of both worlds.
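The sandbox checks the reply describes (looking at host sizing, enumerating running processes, and detecting a sandbox that fast-forwards sleeps to defeat dormancy) look like the following. This is an added illustration, not code from the poster, from Cortex XDR, or from WildFire. The process-name list `SANDBOX_PROCESS_HINTS`, the CPU threshold, and the sleep-tolerance factor are assumptions chosen for the example; real malware frequently issues WMI queries for the same information on Windows, whereas this script uses only the standard library so it runs on Windows or Linux.

```python
"""Sandbox-evasion checks: hardware sizing, process inspection, sleep acceleration.

Added example; thresholds and the process-name list are assumptions, not
values taken from any vendor's product.
"""
import os
import platform
import subprocess
import time

# Process names commonly seen in analysis VMs (assumed list for illustration).
SANDBOX_PROCESS_HINTS = {
    "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "procmon.exe",
    "wireshark.exe", "vmtoolsd", "vboxservice",
}


def evasion_verdict(cpu_count, process_names, requested_sleep, observed_elapsed,
                    min_cpus=2, tolerance=0.8):
    """Decide from already-collected observations whether the host looks like a sandbox.

    Kept as a pure function (no host access) so the decision logic is testable.
    Returns (is_sandbox, reasons).
    """
    reasons = []
    # Analysis VMs are often provisioned with a single vCPU (assumed threshold).
    if cpu_count is not None and cpu_count < min_cpus:
        reasons.append(f"only {cpu_count} cpu(s)")
    hits = sorted(SANDBOX_PROCESS_HINTS & {p.lower() for p in process_names})
    if hits:
        reasons.append("analysis processes running: " + ", ".join(hits))
    # A sandbox that shortens Sleep() to defeat dormancy, without also adjusting
    # the clock source we read, makes less time appear to pass than was requested.
    if observed_elapsed < requested_sleep * tolerance:
        reasons.append(
            f"sleep accelerated: asked {requested_sleep}s, got {observed_elapsed:.2f}s")
    return (bool(reasons), reasons)


def list_processes():
    """Best-effort list of running process names using only the standard library."""
    names = []
    if platform.system() == "Windows":
        # tasklist CSV output: "Image Name","PID",... one process per line.
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
        for line in out.splitlines():
            if line.startswith('"'):
                names.append(line.split('","')[0].strip('"'))
    else:
        proc_dir = "/proc"
        if os.path.isdir(proc_dir):
            for pid in os.listdir(proc_dir):
                if pid.isdigit():
                    try:
                        with open(os.path.join(proc_dir, pid, "comm")) as fh:
                            names.append(fh.read().strip())
                    except OSError:
                        pass  # process exited between listing and read
    return names


def measure_sleep(seconds):
    """Request a sleep and report how much monotonic time actually elapsed."""
    start = time.monotonic()
    time.sleep(seconds)
    return time.monotonic() - start


def probe_host(sleep_seconds=1.0):
    """Collect live observations from this host and run the verdict on them."""
    elapsed = measure_sleep(sleep_seconds)
    return evasion_verdict(os.cpu_count(), list_processes(), sleep_seconds, elapsed)


if __name__ == "__main__":
    flagged, why = probe_host()
    print("sandbox suspected" if flagged else "looks like a real host", why)
```

The point of splitting `evasion_verdict` from `probe_host` is that the same decision logic can be exercised against constructed observations (a one-vCPU host running `VBoxService.exe` whose two-second sleep returned in a tenth of a second) without needing an actual analysis VM, which is also how a detection engineer would unit-test the inverse logic on the defender's side.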