We Tested Microsoft Defender, CrowdStrike Falcon, and SentinelOne Against the Same Attack. Here's What Actually Stopped It.
CISOs spend enormous political capital selecting between Microsoft Defender for Endpoint, CrowdStrike Falcon, and SentinelOne. Vendors spend enormous sales budgets on comparison matrices, third-party test results, and analyst reports that each show their platform winning. What vendors do not show you is what Cloudskope sees consistently across mid-market deployments: the detection gap between these platforms, in real-world enterprise configurations, is narrower than the marketing suggests — and the gap between a tuned deployment and an untuned one is wider than any platform comparison.
The Real Test: AiTM Session Token Theft
Adversary-in-the-Middle phishing is now the primary credential theft mechanism for financially motivated threat actors targeting mid-market enterprises. It is also the most important test case for endpoint detection platforms, because it exposes a fundamental architectural limitation that all three platforms share.
In an AiTM attack, the attacker intercepts traffic between the victim and a legitimate authentication service. The victim completes MFA. The attacker captures the authenticated session token — the cryptographic proof that MFA was completed — before it reaches its intended destination. The attacker then replays that token to authenticate as the legitimate user, with valid authentication credentials that look identical to a normal login.
Here is what all three platforms see during this sequence: nothing on the endpoint. The victim opened a browser. The victim typed their credentials into what appeared to be a legitimate login page. The victim approved an MFA prompt. From the endpoint's perspective, this is indistinguishable from normal user behavior. There is no malware execution, no process injection, no suspicious API call, no file write. The endpoint detection platform has no signal to act on.
CrowdStrike Falcon does not detect AiTM token theft at the endpoint. SentinelOne does not detect AiTM token theft at the endpoint. Microsoft Defender for Endpoint does not detect AiTM token theft at the endpoint. This is not a platform failure — it is an architectural reality. Endpoint detection operates on endpoint signals. AiTM attacks generate no endpoint signals.
What Actually Catches AiTM: Identity and Network Signals
Detection of AiTM token theft requires correlation across identity logs, network traffic analysis, and behavioral baselines — not endpoint telemetry. Microsoft Sentinel, when properly configured with Entra ID sign-in logs, can detect impossible travel patterns (a token used from London immediately after MFA completion in Dallas) and authentication from an unfamiliar device fingerprint. CrowdStrike Falcon Identity Protection and SentinelOne Singularity Identity provide similar signal when deployed — but these are separate products, separately licensed, from the core endpoint agents most organizations have.
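A minimal version of the identity-side correlation described above, as an added example that is not Cloudskope's or Microsoft's code: it walks constructed sign-in records (a simplified stand-in for Entra ID sign-in log fields) and flags a session that satisfied MFA on one device and is then presented from a device the user has never used, or from a location that implies impossible travel. The field names, thresholds, coordinates, device IDs and sample events are all assumptions made for this illustration.

```python
"""Identity-log correlation for AiTM session-token replay.

Added example (not Cloudskope's or Microsoft's code). SignIn is a simplified,
constructed stand-in for Entra ID sign-in log columns; the sample events,
coordinates, device IDs and thresholds are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    city: str
    lat: float
    lon: float
    device_id: str   # device fingerprint / device ID presented at sign-in
    session_id: str  # ties later requests to the session the MFA established
    mfa_satisfied: bool


MAX_PLAUSIBLE_KMH = 900.0       # faster than airline travel => impossible travel
LOOKBACK = timedelta(hours=24)  # how far back to compare a user's locations


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_aitm(events, known_devices):
    """Return one finding per suspicious sign-in: {"user", "event", "reasons"}.

    Two signals, neither of which an endpoint agent can see:
      impossible_travel  - location change implies speed above MAX_PLAUSIBLE_KMH
      unfamiliar_device  - a session that satisfied MFA on one device is
                           presented from a device this user has never used
    """
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.time):
        by_user.setdefault(e.user, []).append(e)

    for user, evs in by_user.items():
        seen_devices = set(known_devices.get(user, ()))
        for i, cur in enumerate(evs):
            reasons = []
            prior = [p for p in evs[:i] if cur.time - p.time <= LOOKBACK]
            if prior:
                last = prior[-1]
                # floor at one minute so back-to-back events do not divide by zero
                hours = max((cur.time - last.time).total_seconds() / 3600, 1 / 60)
                km = haversine_km(last.lat, last.lon, cur.lat, cur.lon)
                if km / hours > MAX_PLAUSIBLE_KMH:
                    reasons.append("impossible_travel")
            mfa_elsewhere = any(
                p.session_id == cur.session_id and p.mfa_satisfied
                and p.device_id != cur.device_id for p in prior)
            if mfa_elsewhere and cur.device_id not in seen_devices:
                reasons.append("unfamiliar_device")
            if reasons:
                findings.append({"user": user, "event": cur, "reasons": reasons})
            seen_devices.add(cur.device_id)
    return findings


# Constructed sample: alice completes MFA in Dallas; seven minutes later her
# session ID is presented from London on a device she has never used.
# bob's Dallas -> Austin move four hours later is ordinary travel.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    SignIn("alice", T0, "Dallas", 32.7767, -96.7970, "laptop-alice", "S1", True),
    SignIn("alice", T0 + timedelta(minutes=7), "London", 51.5074, -0.1278, "vps-unknown", "S1", False),
    SignIn("bob", T0 + timedelta(hours=1), "Dallas", 32.7767, -96.7970, "laptop-bob", "S2", True),
    SignIn("bob", T0 + timedelta(hours=5), "Austin", 30.2672, -97.7431, "laptop-bob", "S3", True),
]
KNOWN_DEVICES = {"alice": {"laptop-alice"}, "bob": {"laptop-bob"}}

if __name__ == "__main__":
    for f in detect_aitm(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f["user"], f["event"].city, f["reasons"])
```

The replayed London sign-in shows no MFA challenge at all, which is exactly why an MFA-completed flag on its own is not a detection: the signal is the session being presented from a second place and a second device shortly after the MFA that established it.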
Lateral Movement: Where Platform Differences Matter
Kerberoasting, NTLM relay, pass-the-hash, and LSASS credential dumping are where meaningful platform differentiation exists. SentinelOne's behavioral detection engine identifies LSASS access patterns associated with Mimikatz-style credential dumping with high fidelity, generating fewer false positives than CrowdStrike on LSASS access while maintaining comparable detection rates. CrowdStrike Falcon's OverWatch threat hunting service adds human analyst review that raw SentinelOne alerting does not include in base licensing. Microsoft Defender for Endpoint detects many of these techniques — but its effectiveness is heavily dependent on attack surface reduction rules being enabled and properly configured. Out-of-box Defender deployments, which represent the majority of what we assess in mid-market environments, consistently miss lateral movement techniques that a properly tuned Defender deployment would catch.
The detection gap between CrowdStrike, SentinelOne, and a properly tuned Defender is smaller than vendors want you to believe. The gap between a tuned deployment and a default deployment is larger than most organizations realize — regardless of which platform they chose.
Ransomware Pre-Execution: The Real Battleground
Modern ransomware campaigns use legitimate system tools (living-off-the-land techniques), disable Volume Shadow Copy Service before encryption begins, and use legitimate remote management software for persistence. The pre-execution phase — before any encryption happens — is where detection must occur, because post-execution recovery is catastrophically expensive.
All three platforms detect known ransomware families with high accuracy. The differentiation is in detecting pre-execution indicators: VSS deletion commands, LSASS credential dumping, lateral movement to backup systems, and staging of large data volumes for exfiltration before encryption begins. CrowdStrike Falcon's behavioral indicators consistently detect VSS deletion and suspicious LSASS access. SentinelOne's autonomous response capability — which can isolate an endpoint, kill a process tree, and roll back changes without a human analyst in the loop — provides a time-to-respond advantage that matters when ransomware is staging at 3 AM. Microsoft Defender with automated investigation and response enabled provides comparable autonomous response, but requires Defender Plan 2 licensing, which many Microsoft 365 Business Premium customers do not have.
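Two of the pre-execution indicators named above, shadow-copy tampering and the LSASS memory reads from the lateral movement section, as detection logic, added here as an illustration rather than any vendor's or Cloudskope's rule set: it runs two rules over constructed process-creation and process-access events shaped loosely after Sysmon records. The allowlist, access-right mask, host names and sample events are assumptions; in a real deployment the allowlist and severities are precisely the tuning that default deployments lack.

```python
"""Pre-execution ransomware and credential-dumping indicators over process telemetry.

Added example, not code from Cloudskope or any EDR vendor. Events are
constructed dicts shaped loosely like Sysmon process-creation (ID 1) and
process-access (ID 10) records; the allowlist is an illustrative starting
point that must be tuned per environment.
"""
import re
from pathlib import PureWindowsPath

# Shadow-copy tampering commonly precedes encryption.
VSS_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# Processes with a legitimate reason to read LSASS memory in this constructed
# environment (assumption; tune to what actually runs on your endpoints).
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def _basename(path):
    return PureWindowsPath(path).name.lower()


def check_vss_tampering(event):
    """Alert on process creations whose command line tampers with shadow copies."""
    if event.get("type") != "process_create":
        return None
    cmd = event.get("cmdline", "")
    if any(p.search(cmd) for p in VSS_PATTERNS):
        return {"rule": "vss_tampering", "severity": "high",
                "host": event["host"], "detail": cmd}
    return None


def check_lsass_access(event):
    """Alert on non-allowlisted processes opening lsass.exe with memory-read rights."""
    if event.get("type") != "process_access":
        return None
    if _basename(event.get("target_image", "")) != "lsass.exe":
        return None
    source = _basename(event.get("source_image", ""))
    granted = int(event.get("granted_access", "0x0"), 16)
    if source in LSASS_READER_ALLOWLIST or not granted & PROCESS_VM_READ:
        return None
    return {"rule": "lsass_memory_read", "severity": "high", "host": event["host"],
            "detail": f"{event['source_image']} -> lsass.exe ({hex(granted)})"}


RULES = (check_vss_tampering, check_lsass_access)


def evaluate(events):
    """Run every rule over every event; return the list of alerts raised, in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry from two hosts.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                                   # benign inventory
    {"type": "process_create", "host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},                     # pre-encryption staging
    {"type": "process_access", "host": "WS22", "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},  # allowlisted AV
    {"type": "process_access", "host": "WS22", "source_image": r"C:\Users\Public\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},  # credential dumping
    {"type": "process_access", "host": "WS22", "source_image": r"C:\Users\Public\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x0400"},  # query info only
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["rule"], a["detail"])
```

The benign `vssadmin list shadows`, the allowlisted antivirus engine and the query-only handle all pass silently; the two remaining events are the ones an analyst needs paged on, and both fire before any file is encrypted.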
The Cost Question for Mid-Market Organizations
For organizations between 100 and 500 seats — the sweet spot of PE portfolio companies — the platform selection calculus looks different than it does for large enterprises. CrowdStrike Falcon at full capability runs approximately $25-35 per endpoint per month at mid-market volumes. SentinelOne Singularity Complete runs in a similar range. Microsoft Defender for Endpoint Plan 2 is included in Microsoft 365 E3 and E5 licensing, making it effectively zero marginal cost for organizations already paying Microsoft's enterprise licensing fees.
This cost differential creates a common mid-market trap: choosing Defender not because it is the best fit, but because it is already paid for. Defender is a capable platform when properly configured. But proper configuration requires security engineering expertise that most mid-market organizations do not have in-house. The real cost of Defender is not the license — it is the configuration labor and ongoing tuning that most organizations are not investing in.
The Conclusion the Vendors Won't Give You
No platform protects you without 24/7 monitoring by analysts who understand your environment. CrowdStrike on autopilot generates unreviewed alerts. SentinelOne autonomous response without analyst review misses contextual decisions that matter. Defender without tuning has detection gaps that a sophisticated attacker will find. The organizations that are not breached are not the ones who selected the right platform. They are the ones whose platforms are monitored by humans who review every high-severity alert within minutes — not hours — regardless of the time of day.
What PE Operating Partners Should Ask About Portco Endpoint Security
During due diligence and the first 90 days post-acquisition, the platform name is the least important question. These are the questions that actually predict breach exposure.
First: What is the endpoint coverage rate? Every unmanaged endpoint is a potential entry point. Organizations commonly believe they have 95% coverage when the actual measured rate is 70-80% — particularly across contractor devices, manufacturing floor workstations, and BYOD endpoints that were never enrolled.

Second: Is the platform configured or default? Ask the IT team to demonstrate their attack surface reduction rules and automated response policies. A default Defender deployment looks like security. It is not the same as configured security.

Third: Who reviews alerts? A platform without continuous human review is an alarm system with no monitoring service. Ask who gets paged at 3 AM when a high-severity alert fires. If the answer is unclear, the organization's incident detection depends on an attacker making noise during business hours.

Fourth: Is identity protection in scope? An endpoint detection platform that does not include identity signal correlation is monitoring the perimeter while the front door is open.
The Defender vs. CrowdStrike vs. SentinelOne debate is the wrong conversation. The right conversation is whether your deployed platform is configured, monitored, and capable of detecting the attacks that are actually being used against organizations at your size and sector. Platform selection matters. Deployment and monitoring matter more.
Cloudskope's 24/7 Managed Detection and Response service operates across all three platforms — we work with what your organization already has deployed rather than requiring a platform migration. Our MDR engagement includes a platform configuration audit, coverage rate assessment, and detection engineering to close the gaps that default deployments leave open.