MDI Sensor vs Standalone Sensor - Updated Guidance

Occasional Visitor

It appears that guidance on MDI Sensor vs Standalone Sensor has shifted towards discouraging Standalone sensors altogether. Standalone is now lacking functionality, while all the older materials highlighting its benefits had been removed. (E.g. higher stability/throughput; better security and separation of duties, especially when deployed as a member of a Workgroup etc.)


This begs the question - is Standalone on its way out? And what are the use cases you still believe it is best suited for?


Thank you!

1 Reply

Integrated is clearly superior to standalone because it has many more data sources we can use to do detection and add additional security.

Using a Workgroup standalone is better security wise only in theory, assuming that it will be maintained and patched in the same level of a domain joined machine. In most cases it is not...
There is no throughput change compared to integrated, but there is a possible scale issue if your DC is limited to scaling up, and your current spec will not allow the additional resources needed for the sensor (old physical machine for example).

As of today, only 3.19% of sensors we have are standalone. the number keeps dropping monthly.
For now there is no planned decision to remove this option, but in theory this can happen some time in the future once this umber will go down to a ridiculous number...

The Advice is clear - use Integrated whenever possible, use standalone as last option.