The endpoint protection was running.
But did it actually defend?

From installed to configured to defend

A European institution in a tightly sealed, high-confidentiality environment. The endpoint protection was there, but its configuration had quietly drifted from best practice. We exposed it, prioritised it, and delivered a hardened design, fully on-premise.

[Figure: Findings by severity × effort, high severity versus medium / low. Source: configuration review. On-premise, privacy by design.]

  • Sector: European institution
  • Environment: Tightly sealed, on-premise
  • Lead time: Review in about 8 weeks
  • Frameworks: On-premise, privacy by design
  • Findings: about 28, grouped by severity and the effort to resolve them.
  • Settings: Locked, protective features no one can switch off anymore.
  • Constraint: On-premise, all within the sealed, privacy-by-design environment.

The challenge

An installed agent is not yet protection.

The endpoint protection was running, but no one could prove the configuration still met best practice. In an environment where that is exactly what matters, that certainty was missing.

[Figure: Configuration state, on best practice versus quietly drifted from best practice.]

  • 01

    Protective settings were unlocked. Users could switch them off; protection was optional instead of enforced.

  • 02

    The management platform was outdated and vulnerable. The place that steers everything was itself a risk.

  • 03

    Users could add their own exceptions. Every hole someone opened themselves stayed invisible.

  • 04

    Behavioural detection did not block the right things. Tampering with DNS and system files passed through unhindered.

An installed agent is not protection. The question was not whether it was running, but whether it was configured to defend you.

The approach

Do not assume it is set right. Check it.

A structured review against best practice, and from it a design that closes the gaps, within the strict constraints.

  • Benchmark: Against best practice
  • Prioritisation: By severity and effort
  • Constraint: On-premise, privacy by design

01

Data gathering and interview

The full configuration of the management platform, the policy and the clients was collected and the goal sharpened, all inside the sealed environment.

02

Analysis against best practice

Every setting tested against best practice and against what an attacker could do with it: where protection is on, where it can be switched off, where the gaps are.

03

Findings by severity × effort

About 28 findings, grouped by severity and the effort to resolve them. Not a list to drown in, but an order to start with.

04

A hardened design

A low-level design and DMZ architecture for the target state, plus reporting to keep it configured right, fully on-premise.

The solution

No longer optional. Enforced.

What stands now: protection that no longer depends on who can reach which switch. Locked, patched and designed to keep it that way.

  • Auto-Protect: locked
  • Exploit & behaviour: on
  • DNS & hosts: blocked
  • Exceptions: central
  • Management platform: patched

Configured to defend

The protective features locked and sharp, no longer switchable by anyone.

Prioritised findings report

About 28 findings by severity and effort, an order to start with.

A hardened design

A low-level design and DMZ architecture for the target state, not loose fixes but a foundation.

On-premise and privacy-compliant

All within the sealed environment, no data leaving the door.

“We knew it was running. Now we know it actually defends us.”

Security Officer · European institution

The result

From assuming to demonstrably defended.

Before
  • Protective settings unlocked, switchable off
  • Management platform outdated and vulnerable
  • Users added their own exceptions
  • No certainty the protection actually defended
Now
  • Protection locked and enforced, no longer optional.
  • The management platform patched and hardened.
  • About 28 findings prioritised, an order to start with.
  • A hardened design and reporting, to keep it configured right, fully on-premise.
