
Trend Vision One

AI-driven platform unifying XDR, ASRM and cyber risk management in a single console.

Quick answer

Trend Vision One is a SaaS XDR platform that ingests endpoint, email, network, identity and cloud-workload telemetry into a single data lake. The Companion AI assistant, ASRM (Attack Surface Risk Management) risk score and automated response playbooks accelerate detection and response for SOC teams.

Trend Vision One is the SaaS security platform that combines XDR + ASRM + SOAR. It correlates Apex One endpoint, Cloud One server, Email Security and Network Security telemetry inside a single data lake.

The Companion generative AI assistant auto-summarizes incoming alerts, maps them to MITRE ATT&CK techniques and proposes response actions. Tier 1 and Tier 2 analysts cut time-per-alert from minutes to seconds.

The Attack Surface Risk Management (ASRM) module fuses CMDB, EASM and VM data to score the corporate attack surface continuously. High-risk assets (unpatched servers, open ports, weak-password users) are surfaced automatically.

The Companion + ASRM + XDR combination earned one of the highest visibility scores in both the 2024 and 2025 MITRE ATT&CK Evaluations. Vision One is also available as Trend Service One — a managed XDR (MDR) service.

Multi-vector telemetry coverage: most XDR platforms in the market cover only endpoint + network telemetry. Vision One brings in five additional vectors — email, identity, cloud workload, mobile, IoT/OT. Identity signals from Microsoft Entra ID, Active Directory and Okta plus email signals from Microsoft 365 and Google Workspace enable detection of business email compromise (BEC) and account-takeover (ATO) attacks that pure-endpoint XDRs cannot see.

Companion AI maturity is Vision One's distinguishing edge. Powered by a private LLM trained on Trend Micro threat intelligence, the assistant handles queries in Turkish as well as English. Analysts can ask questions like "summarize incidents from the last 24 hours", "what's the top MITRE technique used this week" or "prepare an incident report" and Companion produces actionable output. It is KVKK-compliant: data does not leave the customer's region.

Sora Yazılım MDR option: for organizations that prefer to skip building an in-house SOC, we deliver 24/7 monitoring on Vision One. The service includes a 15-minute first-response SLA, a monthly security report and threat hunting hours, delivered by Sora's NSE-certified analysts in Türkiye working in shifts.

Key features

What it offers

  • XDR — endpoint, email, network, cloud and identity correlation
  • Attack Surface Risk Management (ASRM) continuous risk score
  • Companion (AI assistant) alert summarization and response guidance
  • Threat intelligence and playbook-based SOAR
  • Multi-tenant (MSSP) management
  • MITRE ATT&CK Evaluations Leader
  • Sentinel, Splunk, QRadar integration
  • Credit-based (pay-as-you-use) licensing model
  • Apex One endpoint sensor included
  • Companion AI assistant in Turkish and English

Tech Summary

Important technical data

  • Licensing: Credit-based (per-user/per-asset)
  • Data retention: 30 days (extendable to 90/365 days)
  • API & integrations: REST API + 50+ ready-made connectors
  • Data regions: EU (Frankfurt), US, JP, AU, SG, IN
  • Response actions: Auto isolate, kill, quarantine
  • MITRE ATT&CK: Visibility Leader (2024 Eval)
  • AI engine: Companion (private LLM)
  • Telemetry vectors: Endpoint, Email, Network, Cloud, Identity, Mobile, IoT/OT

Use Cases

When would you choose this product?

Finance

Correlated threat hunting in a bank SOC

A bank's SOC combines Vision One endpoint + email + Active Directory telemetry and detects lateral-movement attacks within 5 minutes.

Manufacturing

Ransomware prevention in OT/IT networks

A manufacturer monitors SCADA servers on the factory network with Vision One and blocks, in real time, ransomware attempts capable of stopping the line.

Retail

Central security for a multi-branch chain

A retail chain with 200 branches monitors all POS and back-office devices from a single Vision One console — no per-branch SOC personnel required.

Government

KVKK-compliant event logging

A government organization uses Vision One log retention to keep KVKK-mandated event logs for a year, with audit-ready reports.

Healthcare

Hospital chain identity protection

A private hospital chain correlates Microsoft Entra ID signals with endpoint events in Vision One to detect insider threats and ATO attempts targeting physician accounts.

Who is it for?

Mid-to-large enterprises with mature SOC teams or those purchasing a managed XDR (MDR) service — typically 250+ users.

Frequently Asked Questions


Can Vision One be deployed on-prem?
No. Vision One runs as a SaaS service only. For organizations with data-residency constraints the recommended hybrid is Apex One on-prem + Vision One cloud correlation; endpoint data stays local while only event/alert metadata reaches the cloud.
How does it compare with Microsoft Defender XDR?
Defender XDR is deeply integrated into the Microsoft 365 ecosystem but third-party integration is limited. Vision One pulls data from Microsoft, Google Workspace, AWS, Azure, GCP, Fortinet, Palo Alto, Cisco and many other third-party sources. For mixed-stack organizations Vision One is typically the more flexible choice.
Does the Companion AI assistant really improve productivity?
According to Trend Micro's published customer data, Companion reduces Tier 1 and Tier 2 analyst time per alert by 30–50% on average. Turkish queries are supported; technical reports are produced in English.
How does Vision One licensing work?
It is credit-based. Each user/asset/GB of logs consumes a defined amount of credit. You purchase an annual credit bundle and distribute it across modules through the year, adapting as needs change.
Is there an MSSP / multi-tenant mode?
Yes. Vision One MSSP mode supports multi-customer management, isolation and per-customer billing. Managed security partners like Sora Yazılım can manage dozens of customers from a single console.
What is the data retention period?
Default 30 days; extendable to 90 days or 1 year with additional credits. KVKK and PCI-DSS-style compliance use cases typically opt for the 1-year retention package.
How is SIEM/SOAR integrated?
Vision One forwards event data to Splunk, Sentinel, QRadar, Elastic SIEM and other tools via syslog/CEF or REST API. For SOAR, ready-made playbooks exist for XSOAR, Splunk SOAR and Microsoft Sentinel Automation. Sora Yazılım handles the integration setup.
Can I do threat hunting?
Yes. Vision One Search lets you run TQL (Trend Query Language) queries over raw telemetry — searching historically for lateral movement, persistence and exfiltration techniques across the retention window.
I am a Worry-Free or Apex One customer. How do I move to Vision One?
Apex One customers upgrade by connecting the sensor to Vision One in a few steps — no reinstall needed. Worry-Free customers must move to Apex One or a Vision One bundle. Sora Yazılım prepares the migration plan.
What is the time to value?
Vision One goes live in a pilot group (50–200 devices) within a week and produces its first correlated alerts. A full enterprise rollout completes in 4–8 weeks. Sora Yazılım runs the pilot and rollout with certified engineers.

Related Services

Services we deliver alongside this product

Trend Vision One licensing + deployment + support

Sora Yazılım handles licensing, deployment, training and ongoing management — all from a single team.