Defend
The One Defend is an endpoint detection and response (EDR) platform purpose-built for MSPs. It detects threats across Windows, macOS, and Linux endpoints using a combination of signature-based rules, behavioral AI, and cross-MSP intelligence — then gives your team the tools to investigate and respond in seconds.
What Defend Does
Defend runs as a module of the unified RMM agent — no separate binary to install. When activated, it begins collecting telemetry from every enrolled device and feeding it through 157+ detection rules mapped to the MITRE ATT&CK framework.
| Capability | Description |
|---|---|
| Agent Telemetry | Collects process, network, file, registry, and DLL-load events via Event Tracing for Windows (ETW), the Endpoint Security framework (ESF) on macOS, and eBPF on Linux |
| Detection Rules | 157+ rules across 12 MITRE ATT&CK tactics — signature, behavioral, and anomaly-based |
| Behavioral AI | 7-day learning period per device builds a baseline of normal activity; deviations trigger anomaly alerts scored 0–100. Because whatever runs during the learning window is treated as normal, enroll devices only after they are known to be clean |
| Threat Investigation | Process tree, device timeline, lateral movement graph, and AI-generated attack narratives |
| Response Actions | 10 response types including isolate, kill process, quarantine file, collect forensics, and run script |
| Rewind Recovery | Automated ransomware rollback via Backups integration — reverts file system changes to pre-attack state |
| Compliance Reports | On-demand SOC 2, HIPAA, NIST CSF, and cyber insurance reports exported as PDF |
| IOC Feeds | Ingests from abuse.ch, AlienVault OTX, and VirusTotal every 6 hours |
| Cross-MSP Intelligence | Confirmed threats are anonymized and shared across the Defend customer base to improve detection |
| MITRE ATT&CK Coverage | 73% technique coverage across 12 of the 14 Enterprise ATT&CK tactics, with a visual heatmap in the console |
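To make the two detection styles in the table concrete, here is an added example that is not Defend's rule engine, telemetry schema, or scoring formula. It runs one signature rule (encoded PowerShell, tagged T1059.001) and one per-device behavioral baseline over constructed process events. The event shape, the rule format, the novelty tiers (0, 60, 100), the 50-point alert threshold, and the sample events are all assumptions chosen for illustration; only the 7-day learning window and the 0–100 score range come from the page.

```python
"""Illustrative detection pass over constructed process telemetry.

Added example, not Defend's rule engine, telemetry schema or scoring:
the event shape, rule format, novelty tiers and alert threshold are all
assumptions. It shows how a signature rule and a per-device 7-day
baseline can both raise ATT&CK-tagged alerts from the same events.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

LEARNING_WINDOW = timedelta(days=7)  # the 7-day learning period from the table
ALERT_THRESHOLD = 50                 # assumed: anomaly scores at/above this alert
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-ec"}  # PowerShell encoded-command switches


@dataclass(frozen=True)
class ProcessEvent:  # assumed telemetry shape (constructed for this example)
    device: str
    ts: datetime
    parent: str
    image: str
    cmdline: str


def rule_encoded_powershell(ev: ProcessEvent):
    """Signature rule, T1059.001: PowerShell launched with an encoded command."""
    tokens = set(ev.cmdline.lower().split())
    if ev.image.lower().endswith("powershell.exe") and tokens & ENCODED_FLAGS:
        return {"rule": "encoded_powershell", "technique": "T1059.001",
                "tactic": "Execution", "score": 85, "ts": ev.ts}
    return None


class DeviceBaseline:
    """Parent->child pairs observed on one device during its learning window."""

    def __init__(self, device: str, enrolled_at: datetime):
        self.device = device
        self.enrolled_at = enrolled_at
        self.pairs = Counter()   # (parent, image) -> times seen while learning
        self.images = set()      # every image seen while learning

    def learning(self, ts: datetime) -> bool:
        return ts < self.enrolled_at + LEARNING_WINDOW

    def observe(self, ev: ProcessEvent) -> None:
        self.pairs[(ev.parent.lower(), ev.image.lower())] += 1
        self.images.add(ev.image.lower())

    def anomaly_score(self, ev: ProcessEvent) -> int:
        """0-100 novelty score (assumed tiers, not Defend's formula)."""
        parent, image = ev.parent.lower(), ev.image.lower()
        if (parent, image) in self.pairs:
            return 0      # seen in baseline: normal for this device
        if image in self.images:
            return 60     # known binary, never launched by this parent before
        return 100        # binary never seen on this device at all


def run_detections(events, enrolled_at):
    """Return alerts in time order; each device's baseline is learned from its first 7 days."""
    alerts, baselines = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        hit = rule_encoded_powershell(ev)   # signature rules apply from day one
        if hit:
            alerts.append(dict(hit, device=ev.device))
        bl = baselines.setdefault(ev.device, DeviceBaseline(ev.device, enrolled_at[ev.device]))
        if bl.learning(ev.ts):
            bl.observe(ev)   # caveat: anything running now becomes "normal"
            continue
        score = bl.anomaly_score(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"rule": "novel_process_lineage", "technique": None,
                           "tactic": None, "score": score, "ts": ev.ts,
                           "device": ev.device, "detail": f"{ev.parent} -> {ev.image}"})
    return alerts


T0 = datetime(2024, 1, 1)
ENROLLED = {"WS-01": T0}
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcessEvent("WS-01", T0 + timedelta(days=1), "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcessEvent("WS-01", T0 + timedelta(days=2), "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("WS-01", T0 + timedelta(days=3), "outlook.exe", "winword.exe", "winword.exe /n"),
    ProcessEvent("WS-01", T0 + timedelta(days=4), "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    # after the learning window closes
    ProcessEvent("WS-01", T0 + timedelta(days=9), "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("WS-01", T0 + timedelta(days=9, hours=1), "explorer.exe", "winword.exe", "winword.exe"),
    ProcessEvent("WS-01", T0 + timedelta(days=9, hours=2), "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA"),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS, ENROLLED):
        print(a["ts"].isoformat(), a["rule"], a["score"], a.get("technique"), a.get("detail", ""))
```

Running it produces three alerts: a score-60 lineage alert for winword.exe launched directly from explorer.exe (known binary, new parent), an 85-point signature hit for the encoded PowerShell command, and a score-100 lineage alert for the same launch because powershell.exe was never seen on the device during learning. The chrome.exe launch on day 9 scores 0 because the explorer.exe to chrome.exe pair was baselined. Note that the signature rule fires even inside the learning window, while a compromised device enrolled mid-incident would baseline the attacker's tooling.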
Pricing
| Tier | Price (per endpoint, per month) |
|---|---|
| Workstation (standalone) | $5 per workstation |
| Server (standalone) | $8 per server |
| Endpoint Defend bundle (RMM + EDR) | $7 per workstation |
| Endpoint Complete (RMM + EDR + Backups) | $10 per workstation, $18 per server |
How Defend Fits in the Stack
Defend shares the unified agent with RMM — when you enable the Defend module, existing enrolled devices activate EDR telemetry without a reinstall. Threats detected by Defend flow into your other products:
- PSA — Critical detections auto-create security incident tickets
- On-Call — High-severity alerts page the on-call technician
- CMDB — Device criticality and PHI tagging enriches alert severity
- People — Insider threat signals flag anomalous behavior for departing employees
- Backups — Ransomware recovery triggers automated rewind to pre-attack state
- AI Platform — Jarvis generates investigation summaries and attack narratives
Next Steps
- Getting Started — Enable Defend and run your first investigation
- Agent Installation — How the unified agent delivers EDR
- Detection Rules — Rule types, severity levels, and custom rules
- Threat Investigation — Process trees, timelines, and lateral movement
- Response Actions — Isolate, quarantine, kill, and more