Our business primarily uses macOS but we use Microsoft Defender ATP because we’re an Azure and Microsoft 365 house. The performance hit is absolutely insane but I’ve simply not had enough time to debug it and see if it can be tuned to something more reasonable.
Installing Homebrew is probably the biggest example, without Defender ATP, probably ~3 minutes. With Defender ATP, upwards of 15.
I’d love to convince the powers that be that XProtect is enough, but I’d need some way of measuring and auditing it. Any suggestions?
Defender ATP isn't really comparable to XProtect because it's providing your company with detailed logs of what's going on with the device - file operations, network connections, data about every program executed and the command line, and so on. That's why it slows down Homebrew so much, it's creating a ton of files every time you run it. Setting up exclusions for Homebrew's directories might help with performance, but I'd understand if they say no. Bad guys use Homebrew too.
It's extremely hard because you're essentially trying to use absence of proof as proof of absence. ("There is no malware, therefore the anti-malware worked")
Even 'known' detections and preventions won't do it because you'd have to extrapolate, if it wasn't detected, whether prevention of anything was actually needed. Take a detection of an Excel v4 macro loader: that's great to detect and prevent with ATP, but doesn't do anything on a Mac, and doesn't do anything on most PCs either.
This is similar to comparing Sophos vs. Trend Micro for example. The products do similar things, have similar goals and similar methods.
Ultimately the true protection doesn't lie in what AV you have or what EDR vendor you select, but how you deal with inevitable infections and loss of service. If you can treat the loss of a laptop (be it theft, fire or ransomware) the same way, regardless of the reason of loss, you're good. That also means encryption at rest and DLP at runtime. Neither are going to be in the AV vendor's product.
The same applies to malware ingress. If you have good controls on mail (even if just for attachment and BEC scams), that already saves you a ton of issues. And if you don't use filesystem shares like it's the '90s, that helps a ton as well, because now there is no OS-native spreading method using existing mounts.
The list goes on and on, and ultimately the whole AV vendor thing is just a tiny speck in the grand scheme. The biggest gap would be your audit capabilities, and having any controls vs. having no controls at all.
Something as simple as bare minimum hardening (FDE, MFA, autolock), osquery or Kolide for health/security posture checks, non-SMB/NFS file access, and Proofpoint or Mimecast in your mail flow will have a bigger impact on most corporate setups than any anti-malware vendor can do.
Depending on the skill and education level of your users, you might even consider self-selection controls. Personally I use the Objective-See tools, XProtect and on-demand Sophos. The type of work I do doesn't fare well with traditional AV, but because I don't mind binary allowlisting, persistence lockout popups etc. and periodically confirming that I didn't miss anything using Sophos, I can get my work done and be secure enough at the same time. When I work at a regulated company I'll just use their supplied workstations and bill them extra by the hour.
Homebrew is abysmally slow as is. It is a shame it has the most packages as it is the worst package manager out of Windows, Linux and Mac now that winget is GA.
I've extensively used: apt/dpkg (Debian and Ubuntu), rpm (Mandrake, Red Hat, Fedora), portage (Gentoo), and MacPorts. I also have some experience with package management on Void, Arch, and FreeBSD. I wanna say I used some unofficial package manager on BeOS back in the day, too, and I'm pretty sure QNX had one though I don't remember much about those.
Homebrew is my favorite of them, overall. Though Portage is pretty damn great, for what it is.
My current company is using Microsoft Defender ATP as a security measure too. Honestly by far the slowest MacBook I've ever used even though it's a 2018 model.
We collectively complained about it as it slows down our development process but it fell on deaf ears.
There are many ways to tune ATP, you should not be having 15 mins+ of lag to install homebrew. I erroneously see some orgs run full ATP + RegEx (DLP) and more on the same scan which can kill things tremendously alongside auto labeling.
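As a concrete version of the tuning suggested in the comment above and the Homebrew-directory exclusions suggested earlier, here is an added example (not posted by any commenter) that builds the exclusion list and applies it with Defender for Endpoint's `mdatp` CLI. It assumes Homebrew's default prefixes (`/opt/homebrew` on Apple silicon, `/usr/local` on Intel) and default download cache under `~/Library/Caches/Homebrew`; `mdatp exclusion folder add --path` and `mdatp exclusion list` are Microsoft's documented commands. The list is deliberately narrow on Intel, where `/usr/local` is shared with other software.

```shell
#!/bin/sh
# Added example: Defender for Endpoint on macOS folder exclusions for Homebrew.
# mdatp is Microsoft's CLI (installed with Defender); paths are Homebrew defaults (assumed).

# Homebrew's default prefix per CPU architecture.
homebrew_prefix_for_arch() {
  case "$1" in
    arm64)  echo /opt/homebrew ;;
    x86_64) echo /usr/local ;;
    *)      echo "unsupported arch: $1" >&2; return 1 ;;
  esac
}

# Directories Homebrew rewrites on every install: the git checkout, Cellar/Caskroom
# and the download cache. On Apple silicon the prefix *is* the checkout, so one
# exclusion covers it; on Intel only Homebrew's own subdirectories are listed so
# /usr/local/bin and friends stay scanned.
homebrew_exclusion_paths() {
  prefix=$(homebrew_prefix_for_arch "$1") || return 1
  case "$1" in
    arm64)  echo "$prefix" ;;
    x86_64) printf '%s\n' "$prefix/Homebrew" "$prefix/Cellar" "$prefix/Caskroom" ;;
  esac
  echo "${HOME:-/var/root}/Library/Caches/Homebrew"
}

# $1 = arch; $2 = 'apply' to call mdatp, anything else prints the commands
# so the change can be reviewed (or pasted into an MDM script) first.
apply_exclusions() {
  homebrew_exclusion_paths "$1" | while IFS= read -r dir; do
    if [ "${2:-print}" = apply ]; then
      mdatp exclusion folder add --path "$dir"
    else
      echo "mdatp exclusion folder add --path \"$dir\""
    fi
  done
}

main() {
  arch=$(uname -m)
  case "$arch" in
    arm64|x86_64) ;;
    *) echo "$arch is not a macOS architecture; showing the arm64 plan"; arch=arm64 ;;
  esac
  apply_exclusions "$arch" "${1:-print}"
  if [ "${1:-print}" = apply ]; then
    mdatp exclusion list   # confirm what the agent actually recorded
  fi
}

main "$@"
```

Run without arguments to see the plan, with `apply` (as root) to enact it, then re-time the Homebrew install. Every excluded directory is also a blind spot for the file telemetry Defender is there to collect, which is the trade-off the earlier comment flags; process and command-line events are not affected by folder exclusions, so keep those flowing and decide per directory whether the speed-up is worth the gap.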