We use ThreatLocker Protect along with ringfencing and elevation.
We include it as part of our managed service for our clients. Our clients are aware of the tool, but they are not buying it. We package it as a part of a service.
When we look at security on the endpoint, there are two parts to it. One is blocking known bad things and then setting an allowlist for the things that you want to run. Defining allowlisting reduces the attack surface just to the known good applications. It also reduces the number of false positives that we need to chase when it comes to things that hit our endpoint detection or response, which is more of our known bad or behavioral-based security endpoint. So, we pair the two together.
Allowlisting helps to keep the environment clean. More and more applications do not require admin rights to install. Even if you limit the ability for a user to install applications, they can still run some things on their own such as browser plugins. We know that browser plugins can be potentially very dangerous because they sit in a browser, and that is where most people do their work. They can become a problem. Allowlisting helps to put guardrails around what is allowed to run. By keeping the environment clean, the programs perform better. They are more secure, and there is less noise for us to chase when it comes to actual security events.
It is easy for administrators to approve or deny requests using allowlisting. They have two ways for administrators to approve or deny requests. They can do it in a managed way, where they do it for you using Cyber Hero. We do not do it that way. We are an old customer of ThreatLocker. We have been using it since before they had Cyber Hero in place. Originally, we thought it was going to be problematic because allowlisting tends to be very hard to implement. Most of the other allowlisting systems, such as Microsoft's AppLocker, are very difficult to implement and maintain, but ThreatLocker does two things. When it comes to very common applications, they work with vendors. They are always looking at the new installations and making sure they are constantly up to date, so you do not have to always approve those things. But, of course, things happen, and sometimes they happen in the middle of the night when somebody is doing something and needs help. The nice thing about it is that it is fairly easy to approve. We can approve even with a mobile app. I have had the ThreatLocker mobile app since they introduced it a year or two years ago. If one of our clients in Australia or somewhere else is doing something, I can easily approve it without having to get up from my chair. I can approve it after doing a quick review of what they are installing. If I want to do a little bit deeper check, I can do that, but most of the time, there are just basic things, and we can approve them on the fly. The portal gives us a lot of granularity in terms of not only approvals but also how to approve them. We can choose to approve something for a person, the entire company, or all of our clients. We can choose to approve only the hash or a particular version of a particular executable or any application that is signed by a company. We can define how loose or tight we want to be when it comes to certain applications. They have recently also introduced time-based approval.
We can give approval for only a period of time, and then the approval goes away. If somebody needs to run something, but we do not want it to be allowed to run for a long period of time, we can implement that.
In terms of access requests, we control what is allowed and what is not allowed. They have curated things on our behalf for Windows, Office, Chrome, Firefox, and a whole slew of other applications, but you do not have to add those. You can curate your own list. For example, we have an engineering company, and the applications that they use are not used by anybody else. They are very bespoke for their specific industry. We get new requests from them all the time. We check if it is something that looks nefarious. Is it on VirusTotal? Are there any other scans that show that it could be potentially malicious? If we are still not sure, ThreatLocker now has a sandboxing feature where we can watch the application execute in a secure environment and see if it is doing anything potentially bad and if it is touching files that it should not be touching. By doing that, we have some more comfort. We know that the program we are allowing is safe.
We were able to see some of its benefits immediately and some were over time. We were using an EDR tool before ThreatLocker about six years ago. It was very noisy. A lot of alerts came up on that EDR. We were chasing a lot of ghosts, trying to figure out whether it was malicious or not. A lot of it was not malicious, but we still had to do all that checking. When we put ThreatLocker in place, one of the things that we immediately noticed was that it was blocking everything by default and only allowing things that we approved. It reduced the ticket noise. We mostly had things that needed investigation and more likely were malicious and needed to be reviewed. That was an immediate change. Over time, we got other benefits. We got a better grasp of what is being run on our clients' desktops. In the rare cases where, because of the nature of their work, we allow them to have admin rights, we can still control what applications are being installed. Could they bypass it? Potentially and theoretically, yes, but that would be very difficult and require some technical skill. We at least have some verification of what applications are run and what applications are allowed. So, its long-term benefit was much more control over the clients' environments, and the short-term or immediate benefit was a reduction in the ticket noise that we were having to deal with chasing a lot of false positive alerts.
Allowlisting helped us reduce our organization’s help desk tickets. We were able to reduce our security alerts by 75% to 85% after its implementation, and now, it is practically down to zero. We have very few alerts that we need to chase at this point.
Allowlisting has technically helped us to free up help desk staff for other projects, but we have not quantified the savings. Because we are not having to do these other things, we are able to work on helping clients and get their work done better rather than just chasing security events.
Allowlisting has not helped us consolidate applications and tools because our usage is quite narrow. We are just using allowlisting, ringfencing, and a little bit of elevation. They have other products in their mix, but we already have other products that do some of those things. I do not see us necessarily replacing all of that with other parts of ThreatLocker, so there is no tool reduction. However, it fits nicely into our workflows. In other words, it integrates into our PSA. Tickets come in there, and from there, we can go directly to ThreatLocker and do approvals. We also have the pop-ups on the mobile device.
Allowlisting, in general, is valuable because it allows us to have a lot more granular control over what is executed on a desktop. We are also able to ringfence known vectors of attack through Office applications, email, browsers, etc. By doing that, we can also limit the exposure of those applications for the company. This encapsulates how we are trying to protect the clients. We can tell them the applications that they need to run and what they are allowed to do, and that is it.
It would be beneficial to have a tighter integration into PSA systems so that approvals can be done directly without having to leave the PSA.
Additionally, having their Cyber Hero support available during non-working hours could improve service for clients. They have a managed version of allowlisting with Cyber Hero so that their Cyber Heroes can approve things. It would be nice if I could implement that during the hours we are not working so that clients who work during our night would have a better experience and do not have to wait till morning to get their applications approved.
I started Triada Networks in 2008, which makes it 16 years. However, we started using ThreatLocker about six years ago.
We have had very few stability issues. Occasionally, the portal has become unresponsive, but the product itself continues to function without interruption. I do not remember the last time that happened. It was maybe about two years ago. They have fairly solidly developed this product.
We have not encountered any scalability issues. I know colleagues with thousands of endpoints on ThreatLocker with no reported problems. I do not anticipate having scalability problems at all.
To contact ThreatLocker, we go through their chat service. They have a live chat where they typically get somebody on in a minute or two. They always have somebody who is available and starts to work with us on any issues. We had to contact them more frequently when we were learning ThreatLocker Protect and ran into weird issues, but we do not contact them too often now just because we are managing it ourselves. Once in a while, we do get their support. They are very fast and helpful regardless of what time it is.
Their support is a ten out of ten. They are one of the best support teams that we run into product-wise. I do not give that rating lightly. Most of our vendors are in the six or seven range. ThreatLocker does an exceptional job when it comes to support.
Positive
The management console is in the cloud, and the endpoint agent is on the device.
Its deployment was very easy. They provided installation scripts for Windows. We were easily able to put it into our RMM tool and deploy it to the devices of our clients. In fact, we do that today when we onboard a new client. As soon as our RMM agent is installed, one of the first things that gets installed in that stack is ThreatLocker, so we have it automated so that as soon as a client is onboarded or we install a new PC, ThreatLocker gets installed.
We deployed it client by client. We were onboarded very early. We would do one client a month and ramp that up until we got to month three, and then we deployed everything else. That was the process. In about three months, we were comfortable enough with the platform that we were able to manage it going forward on our own. After 90 days, we went to town and deployed the rest of our fleet. It was en masse at that point.
The implementation was done in-house with support from ThreatLocker during onboarding. We had a couple of weekly or biweekly sessions to learn troubleshooting and approvals.
Of course, things have changed since then, so you learn those along the way. One good thing they do is that once a quarter, they do a check-in with their technical account manager. We go over any issues or things that we would like to bring up. They do a nice job of taking that information back to their development team or their product teams to make adjustments in the solution over time.
Its price is fair. They have added some additional things to it beyond allowlisting. They are up-charging for them, but in terms of the value we get and the way it impacts us, we get more bang for our buck with ThreatLocker than with a lot of our other security tools. We have a few tools that would fit into that category, but then there are some that are more expensive than they need to be. ThreatLocker is definitely not one of them.
It is one of the reasons why we have eliminated other tools, but ThreatLocker has not necessarily replaced them. It was because ThreatLocker and some of our other things were doing so much that we did not necessarily need them. We were able to remove that redundancy. So, its price is fair. Hopefully, they do not take this to raise their prices.
We looked at Microsoft AppLocker but found it difficult to manage and maintain. We also considered Airlock Digital and other security tools but found that they lacked the ability to manage at scale. That is what ThreatLocker does very well. We are a small team. We are managing 400 or so computers with a small staff, and we are still able to do that because the tools do a lot of the heavy lifting for us. If we had to do that with AppLocker, Airlock Digital, or any other security tools, it would have been a lot more time-consuming. We probably would have needed more staff to do that.
When we went with ThreatLocker, there were not a lot of allowlisting companies out there. Some of them were more enterprise and mid-market. The concept of ringfencing was not the one that the others were even talking about.
When we are at a conference or business meeting, a lot of times we do a hacker demo. Usually, the demo involves a Word document that downloads something malicious or runs something malicious that gives you backdoor access. Ringfencing is designed to prevent that from happening. When you have a Word document, Word does not need to execute other programs. Chrome does not need to execute other programs. Excel does not need to execute other programs. Excel does not need to beacon out and connect to the Internet. Locking these little avenues greatly diminishes your chances of getting compromised. Nothing is 100%, but controlling what each application can do can make everything work better.
I would rate ThreatLocker Protect a ten out of ten. It is a great product. At times, it might block something, and we are not aware that it is being blocked while we are trying to troubleshoot something. It is one of those things that we always have to remember. We bring up ThreatLocker and see if something is going on. In the past, we had to go to the portal, and there was a delay by the time that the agent would report to the portal for that information, but now, we have the ability to, at least on the device, see in real time what is happening so that we can troubleshoot it and more. We just need to check this, but it is solid. It would probably be one of the last tools that we would remove if we ever remove anything.
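The reviewer above describes approval granularity (by hash, by a publisher's specific version, or by anything a company signs), approval scope (one person, one company, all clients) and time-based approval on a default-deny allowlist. The following is an added example, not code from the review or from ThreatLocker, that models those decision rules so the interaction between scope, match type and expiry can be seen on concrete input; every user, company, publisher and hash in it is constructed.

```python
"""Constructed model of default-deny allowlisting with hash, version and publisher
approvals, per-user / per-company / global scope, and time-bound approvals.
Example code, not ThreatLocker's own; all identifiers are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExecRequest:
    """One attempt to run a file, as an endpoint agent would report it (constructed)."""
    user: str
    company: str
    path: str
    sha256: str
    publisher: Optional[str]   # signing certificate subject, None when unsigned
    version: Optional[str]
    at: datetime


@dataclass(frozen=True)
class Approval:
    kind: str                  # "hash" | "version" | "publisher"
    scope: str                 # "all" | "company:<name>" | "user:<name>"
    sha256: Optional[str] = None
    publisher: Optional[str] = None
    version: Optional[str] = None
    expires: Optional[datetime] = None   # None means the approval is permanent

    def in_scope(self, req: ExecRequest) -> bool:
        if self.scope == "all":
            return True
        level, _, name = self.scope.partition(":")
        return (level == "company" and name == req.company) or \
               (level == "user" and name == req.user)

    def matches_file(self, req: ExecRequest) -> bool:
        if self.kind == "hash":
            return self.sha256 == req.sha256
        if req.publisher is None:          # unsigned files never satisfy signature-based rules
            return False
        if self.kind == "version":
            return self.publisher == req.publisher and self.version == req.version
        if self.kind == "publisher":
            return self.publisher == req.publisher
        raise ValueError(f"unknown approval kind {self.kind!r}")

    def allows(self, req: ExecRequest) -> bool:
        expired = self.expires is not None and req.at >= self.expires
        return not expired and self.in_scope(req) and self.matches_file(req)


def decide(policy: List[Approval], req: ExecRequest) -> Tuple[str, str]:
    """Default deny: the first approval that covers the request allows it."""
    for rule in policy:
        if rule.allows(req):
            return "allow", f"{rule.kind} approval, scope {rule.scope}"
    return "deny", "no matching approval (default deny)"


# Constructed policy and clock used by the demo and its checks.
NOW = datetime(2024, 6, 1, 12, 0)
POLICY = [
    # anything signed by this (constructed) vendor may run for every client
    Approval(kind="publisher", scope="all", publisher="Example Corp"),
    # one engineering client gets exactly one version of its bespoke tool
    Approval(kind="version", scope="company:acme-eng",
             publisher="Bespoke CAD Ltd", version="3.2.0"),
    # a single file hash, for one user, for four hours (time-based approval)
    Approval(kind="hash", scope="user:alice@acme-eng", sha256="ab" * 32,
             expires=NOW + timedelta(hours=4)),
]


def request(user: str, company: str, sha256: str, publisher: Optional[str],
            version: Optional[str], hours_from_now: float = 0.0) -> ExecRequest:
    """Build a constructed request relative to NOW (path is a placeholder)."""
    return ExecRequest(user, company, "C:/constructed/app.exe", sha256,
                       publisher, version, NOW + timedelta(hours=hours_from_now))


if __name__ == "__main__":
    for req in (request("bob@other", "other", "00" * 32, "Example Corp", "1.0"),
                request("alice@acme-eng", "acme-eng", "ab" * 32, None, None, 1),
                request("alice@acme-eng", "acme-eng", "ab" * 32, None, None, 5),
                request("bob@acme-eng", "acme-eng", "ff" * 32, None, None)):
        print(req.user, req.at.time(), decide(POLICY, req))
```

The rule order in `POLICY` does not change the outcome, since any matching approval allows; what matters is that an expired or out-of-scope approval falls through to the default deny rather than to a looser rule.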
We use the application for whitelisting, elevation, and ringfencing purposes.
The coolest part is that we do not need local admins anymore. It was a great switch to take away the local admin rights.
The benefits include a little bit more relaxation and peace of mind because we have control over what is going on.
ThreatLocker Zero Trust Endpoint Protection Platform has helped our organization save on operational costs, but I do not have the metrics.
ThreatLocker Zero Trust Endpoint Protection Platform is good at blocking access to unauthorized applications. It only allows running applications that are allowed. If there is anything new to the environment, it is not going to run.
ThreatLocker Zero Trust Endpoint Protection Platform has helped reduce help desk tickets.
ThreatLocker Zero Trust Endpoint Protection Platform has helped free up our IT team’s time for other projects or tasks.
The solution has made knowing and managing what is running on our clients' devices much easier for us. We know they cannot run what they are not supposed to run. We have peace of mind because we are aware of what is happening if anything new tries to come into the workstation.
It is pretty easy to use. The UI is pretty straightforward, especially after the upgrade. I like it more than what it was previously. There is also a phone app. When a user sends a request, we can see it on our phones. It makes our work a bit easier.
From my point of view, logging could be improved. Logging should be easier. Sometimes, we have noticed that there is too much logging that can apply to different types of software.
We have been using the solution since the end of 2021.
The customer service is amazing. I would rate it a ten out of ten.
Positive
We did not use a solution of this type before.
The platform is great. I would rate it an eight out of ten.
We provide IT security or cybersecurity services to our customers. ThreatLocker is a key component of our security stack, and we roll it out to every one of our customer's endpoints. It's not an optional component, but a must-have because we are strong proponents of zero trust.
We provide remote monitoring and management services, which can be considered remote IT security for our clients. Our clients have minimal interaction with ThreatLocker Protect directly. It is one of the security tools we install on their systems to secure their networks and end devices. More importantly, it allows us to manage and control the specific applications and services running on their endpoints.
For instance, we can maintain a pre-approved list of applications that are allowed to run in the environment, while preventing unauthorized applications from executing. Even for permitted applications, we implement additional security measures.
ThreatLocker's unique capabilities are particularly evident in its handling of Adobe Acrobat, a common PDF reader. PDFs can be exploited by malicious actors, or hackers, to gain access to systems. Typically, a user clicks on a PDF, it opens, and without their knowledge, malicious code executes on the system, interacting with other components to enable hacker access.
With ThreatLocker, we can restrict Adobe Acrobat to only accessing the official Adobe update servers on the internet, preventing it from accessing any other websites. Additionally, we can restrict Adobe's access to other applications and underlying files on the computer, preventing hackers from utilizing the program to compromise the system.
ThreatLocker is a cloud-based endpoint protection platform that utilizes endpoint agents installed on each device. The deployment of these agents can be automated through Microsoft Intune or RMM, depending on the specific scenario. The ThreatLocker portal is also cloud-based, and once the agent is installed, it communicates directly with the ThreatLocker cloud. One of the key advantages of ThreatLocker is the instantaneous implementation of changes made in the cloud to the endpoints. This ensures that devices are always protected with the latest security policies.
Administration of Allowlisting is incredibly simple, and ThreatLocker provides numerous methods for approving applications and ensuring their legitimacy. One of ThreatLocker's strengths is its dedicated team that continuously monitors applications for changes. For instance, Microsoft's infamous "patch Tuesday" releases require thorough vetting of all patches. If not vetted, ThreatLocker will block them. ThreatLocker's team proactively prevents these issues by adding validated applications to the system. Occasionally, an unpopular application may slip through their team's detection. In such cases, the process for blocking is straightforward. Upon receiving an alert, we can examine the application and its characteristics, including its files. Directly from ThreatLocker, we can verify the application against known repositories that track applications based on their hash or unique Digital DNA to determine if it's a registered application with a known location. Additionally, we can check for any malicious characteristics. Based on this assessment, we can take two actions: either approve the application or utilize ThreatLocker's newly introduced virtual sandbox environment. With a simple click, we can isolate the blocked file in a virtual environment. ThreatLocker creates a separate Windows screen, copies the file over, and executes it within the environment for two purposes. The first is for capturing the file's signatures and any missing elements. The second is for observing the file's behavior in a controlled environment.
Software approval requests for end users are simple. The end user will typically see a small box, which can be customized. We can create a custom appearance or use the ThreatLocker standard box that appears and states that the application has been blocked. There is a box where users can justify the application and explain why they need it. They can then request approval. This is their interaction in terms of requesting approval. On the backend, either the Cyber Heroes or our team will review and approve everything. If the application is approved, the users will receive another small box in the lower right-hand corner of the screen stating that the app has been approved and can now be run. The box will have a button that users can click to run the previously blocked application.
The combination of Allowlisting and Ringfencing is a key advantage of ThreatLocker, particularly in preventing applications from accessing unauthorized internet sources or tampering with sensitive system programs. Allowlisting explicitly permits specific applications to run, while Ringfencing imposes additional restrictions on their behavior. This layered approach ensures that applications can only execute authorized actions and cannot escalate privileges or compromise system integrity. Allowlisting simplifies application control by eliminating the need to define granular permissions for each application. Instead, administrators can simply check a few boxes to whitelist trusted applications. However, for more advanced configurations, ThreatLocker provides granular control over application permissions. Ringfencing acts as a safeguard, akin to guardrails along a mountain road. Just as guardrails prevent vehicles from plunging over the edge, Ringfencing prevents applications from engaging in unauthorized or malicious activities. This additional layer of protection provides peace of mind and enhances overall security.
Establishing trust is crucial, and with Allowlisting, we have a thorough vetting process to ensure applications meet the necessary security criteria. We first evaluate whether the application is truly needed in the environment or what its purpose is. Additionally, we can identify who initiated the request. Furthermore, ThreatLocker's portal provides access to historical data on applications, including file hashes, which act as unique digital DNA. This allows us to verify whether the application is in its original form and check for any known threat advisories. This comprehensive information empowers us to make informed decisions about whether to Allowlist or deny an application based on our findings. Additionally, we can sandbox the application to observe its behavior in a controlled environment and detect any malicious activities. This rigorous vetting process ensures that only trustworthy applications are Allowlisted.
ThreatLocker allows us to maintain consistent environments by providing a central repository that tracks which applications are authorized to run. This simplifies application management and ensures that only approved applications are installed. Additionally, ThreatLocker enables us to control bloatware, which can often contain vulnerabilities. We can prevent bloatware from executing within our environment, further enhancing security. ThreatLocker's zero-trust architecture, including application control, ringfencing, and other features, strengthens our overall security posture. With ThreatLocker, we no longer need to worry excessively about end users clicking on malicious emails, as the embedded code cannot execute due to the restrictions we have implemented. Overall, ThreatLocker's zero-trust architecture is mandatory across all clients in our environment. It is not an optional security measure; it is essential for doing business with us. ThreatLocker empowers us to control our environment and ensure comprehensive security.
ThreatLocker has helped us reduce our helpdesk tickets by preventing rogue applications from running in our environment. This significantly reduces the overhead associated with managing tickets. With ThreatLocker, we have complete control over which applications are allowed to run, so we don't have to worry about users clicking on something they shouldn't. Occasionally, we do receive requests from end users who are trying to run blocked applications, such as games. These requests are denied and do not become tickets. Overall, ThreatLocker has significantly improved the standardization of our environments and reduced the overhead associated with managing user-related tickets. It has given us complete control over which applications can run in our environment, and we rarely have any end-user-related tickets as a result.
Many tickets are created due to an inconsistent or non-standardized user environment. Users encounter differences in software configurations between systems, leading to curiosity and clicking on unfamiliar items. In the current era where 96 percent of security incidents originate from phishing email clicks, we have clear evidence, supported by metrics, of the impact and consequences of such actions within client environments. By standardizing the environment and utilizing a common system like ThreatLocker, which enables whitelisting, blacklisting, or implementing guardrails, the number of tickets and user-generated noise can be significantly reduced.
Our current security stack is very lean and well-integrated. Whenever I attend a trade show or conference with vendor halls, I'm always approached by vendors trying to sell me something. ThreatLocker already does what they're offering, so there's no need for additional purchases. From a cost perspective, ThreatLocker has allowed us to consolidate and save significantly. Additionally, without ThreatLocker, we would likely need six or seven different tools to achieve the same level of security, further reducing costs.
We use ThreatLocker's Allowlisting to whitelist specific applications and prevent unauthorized software from running.
We utilize Ringfencing to establish guardrails around implementations, ensuring that applications operate within defined boundaries.
We leverage network access control to granularly control interactions between computer systems and servers. This enables us to restrict communication between specific applications, even within a locked-down environment.
We employ storage control to impose additional security measures on data storage. This includes controlling access to network shares, network files, and folders, as well as USB storage devices. We can whitelist specific devices based on their serial numbers or allow access based on predefined conditions.
We rely on ThreatLocker's Cyber Hero support, which provides exceptional assistance and responsiveness. At any time, we can initiate a chat session and receive immediate support. If the issue requires escalation, it is promptly handled.
Cyber Hero support also plays a crucial role in vetting application updates. When a user attempts to install or update an application, and the update has not been approved from a security standpoint, it is blocked by ThreatLocker. A notification is presented to the user, informing them of the block and providing an option to justify the application's need. These requests are then reviewed by ThreatLocker's Cyber Hero support team, who evaluate them against our security criteria and make an informed decision to allow or deny the application.
We utilize ThreatLocker's elevated control feature for applications that require administrator-level access. We avoid granting full administrative privileges to end users, as this elevates the risk of compromise if the device is infiltrated. Instead, elevated control allows us to precisely define the execution conditions for specific applications, such as QuickBooks updates. By verifying the application's signature and certificate, we can enable the update to run with administrative privileges while restricting the user's overall administrative access.
Integrating ThreatLocker with other products is simple and only requires a few clicks. ThreatLocker's deployment is also very straightforward. The company provides extensive and well-written online documentation, which is continuously being improved. They also offer a variety of training resources, including university courses, training videos, webinars, and conferences. I have no complaints about the level of support and knowledge transfer provided by the company. ThreatLocker is also developing a new reporting tool, which I had the opportunity to beta test. The company has also been showcasing the new reporting tool at conferences. The new reporting tool provides a level of detail that is unmatched by any other product on the market.
From a reporting perspective, enhancing the ability to customize reports would be beneficial. This could include the option to export reports to a Word document for further tailoring, allowing users to add their own executive summaries and additional content.
I have been using ThreatLocker Protect for five and a half years.
ThreatLocker's development team is capable of releasing beta versions of upcoming releases. Our organization has a policy against deploying beta code due to potential stability and security issues. We don't want to inconvenience our customers or use them as guinea pigs. Overall, ThreatLocker has been a stable platform. However, the threat landscape changes rapidly, and even vetted releases can have minor glitches, such as applications being categorized differently. This can sometimes have adverse effects. However, ThreatLocker's team is very responsive and quickly addresses any issues we bring to their attention.
I haven't identified any inherent limitations or restrictions, or let's say, a ceiling. I'm aware that ThreatLocker is deployed in large corporations around the world. So, they can accommodate organizations of all sizes, from single-person entities to Fortune 500 companies. It's undoubtedly scalable. When I evaluate scalability, I consider not only the number of endpoints and various supported components but also the ability to adapt to the evolving threat landscape. ThreatLocker has certainly been doing that with the introduction of new products and services, as well as the continuous evolution of the platform as a whole.
ThreatLocker is the only company where, regardless of the time of day or whether it's a holiday, I can get immediate support by just jumping into the portal, clicking on the chat, and having someone respond. And it's not just a bot; it's a real Cyber Hero who is ready to assist. They even offer the option to request a Zoom link so that we can have a face-to-face meeting to explain our scenarios and share our screens. If the Cyber Hero is unable to resolve the issue, there are two additional levels of support available online 24/7. We've dealt with many vendors, but we've never experienced this level of support.
Positive
The implementation process was relatively straightforward. ThreatLocker provides us with granular control over almost every aspect of the system, which is one of its key advantages. Upon initial installation, ThreatLocker enters a learning mode where it identifies and catalogs all applications within the environment. We can then determine when to transition ThreatLocker from learning mode to full secure mode, with options ranging from one day to 30 days. In our case, the transition to full secure mode was relatively seamless. We completed the learning phase and had ThreatLocker fully operational within 30 days.
We utilize Microsoft Azure and Intune to manage the majority of our services. In this instance, we employed a PowerShell script provided by ThreatLocker, tailored to our specific environment, and deployed it via Intune. Intune ensures that every device is enrolled. Upon defining and adding the PowerShell script, Intune automatically distributes it to the endpoints, completing the installation process. The deployment process is simple.
We don't require many people for the deployment of ThreatLocker.
ThreatLocker has been instrumental in our ability to standardize and secure our environments, enabling us to replicate them consistently. This standardization has significantly reduced overhead, as we no longer need to rebuild the infrastructure for each new client or prospect. Furthermore, the controlled environment that ThreatLocker has facilitated resembles a well-policed community, where crime rates are low, residents are content, and property values are rising. In contrast, an uncontrolled environment akin to one with inadequate law enforcement would result in chaos. Consequently, ThreatLocker has allowed us to operate efficiently and effectively, minimizing support tickets, eliminating security concerns, and ultimately contributing to our profitability.
Today, the term "zero-trust bubble" is used to describe the growing number of vendors offering zero-trust security solutions. However, I've observed that the IT security industry, as a whole, tends to over-hype new technologies with acronyms and buzzwords without fully understanding their implications. When I examine the current zero-trust landscape and compare it to other security bubbles like endpoint detection and response, secure access service edge, and so on, I find ThreatLocker's pricing to be reasonable for the services it provides.
Previously, we had not implemented any solutions for zero trust because it was a relatively new concept at the time. We were exploring various options to gain more granular control over applications running on separate networks within our environment. Our goal was to standardize and normalize these applications while preventing the execution of unauthorized applications or scripts. However, we were unable to find any solutions that met our specific requirements. When we were introduced to ThreatLocker, we evaluated other available solutions and found that ThreatLocker offered the most comprehensive feature set.
There was nothing else in the market at the time that was doing what ThreatLocker was doing or even attempting to do anything with Zero Trust. The CEO and co-founder visited my office and provided me with an in-depth explanation of the product, its vision, and its future plans. This was sufficient for me because, first and foremost, what matters most to me, especially in the security industry, is having personal connections with my vendors. I don't want to be just another customer. I specifically want to know that I have people I can call on my speed dial when something goes wrong. And that's the kind of relationship I have with ThreatLocker.
I would rate ThreatLocker Protect nine out of ten. There are many security products available today that companies like mine utilize, and some of these products could be replaced with ThreatLocker. However, ThreatLocker is one of those tools that I consider indispensable to our security stack. We have such a strong conviction about this because we understand its capabilities and have seen its effectiveness firsthand. While a significant portion of our work is proactive security, we have also been called upon by companies who have experienced ransomware attacks. In these situations, we have been able to assist them in their recovery efforts. If these companies had ThreatLocker in place, they would not have been vulnerable to these attacks. This reinforces our unwavering belief in the value of ThreatLocker.
We implemented ThreatLocker from the outset within our environments. Therefore, it's difficult for me to compare it to previous solutions as it has become an integral part of our security framework. When I interact with colleagues who don't use ThreatLocker, I hear a lot of complaints, particularly regarding ticketing and the time wasted on text-based communications. I would say that the vast majority of these issues could be avoided if they had ThreatLocker in place.
The company as a whole has experienced and addressed all the concerns that have been raised. Firstly, they are continuously developing and enhancing their product offerings, which include not only the product itself but also the accompanying knowledge base and support structure. Most recently, we have been beta testing their latest portal upgrade, which is remarkably impressive. Ultimately, if I were forced to reduce my security stack to just one or two tools, ThreatLocker would undoubtedly be among them.
Occasionally, a less popular application pushed by a publisher may be flagged by ThreatLocker. In such instances, customers may inquire about the issue. However, once the reasoning behind the flag and the importance of our application vetting process to safeguard their environment are explained, the concerns typically subside.
ThreatLocker's user interface has undergone a significant transformation since its inception. The new beta portal, which we now have access to, is a vast improvement over the original portal. It is both aesthetically pleasing and functional, fulfilling all of its intended purposes. In terms of UI customization, I see little room for improvement. One area where I always seek enhancements is integration with third-party products, particularly PSA platforms. We utilize ConnectWise Manage, now known as ConnectWise PSA, and it seamlessly integrates with ThreatLocker. During a recent client audit, I compared the actual numbers to the PSA's reports, and everything matched up perfectly. When I consider ThreatLocker as a whole, I am impressed with not only the product itself but also the company's culture and commitment to innovation. They continuously invest in thought leadership initiatives, such as webinars, training programs, the ThreatLocker University, and their annual conference. These efforts demonstrate their dedication to providing their customers with the best possible experience. I have no specific wishlist items for ThreatLocker. I am genuinely satisfied with their product and overall approach.
We began realizing immediate value from ThreatLocker, as it provided us with the ability to view blocked applications, scripts, or files within the environment through its unified audit feature. This allowed us to quickly identify and eliminate unwanted software from our environment. Additionally, we could revisit applications that had been vetted or cataloged and decide to block them if they were no longer deemed necessary. Overall, the time to value for ThreatLocker was within the first 30 to 45 days.
ThreatLocker is used by all of our clients and on all of our endpoints. We currently have over 250 endpoints protected by ThreatLocker.
From a maintenance standpoint, ThreatLocker is relatively straightforward. While application signatures inevitably change, the most frustrating aspect is the lack of consistent code signing by software publishers. Despite the current cybersecurity emphasis and efforts to minimize risk, it's baffling that reputable software developers often fail to sign their code. This necessitates an additional vetting process to verify the code's authenticity and ensure it hasn't been tampered with. One of ThreatLocker's strengths is its audit service. Upon request, their system engineers conduct a thorough audit of our client's environment via a Webex or Zoom session. They examine what's being blocked, what's not, our configurations, best practices adherence, and potential changes. This proactive approach ensures we're on the right track and adhering to best practices.
First and foremost, it is crucial to thoroughly understand the clients' environments and develop a tailored strategy for each one before implementing ThreatLocker. A one-size-fits-all approach is ineffective as every client environment has its unique set of applications and requirements. Thorough education is key. When rolling out ThreatLocker, we spend a considerable amount of time educating our customers about its purpose, functionality, and potential impact. We address their concerns and explain the rationale behind the restrictions. This education process should be ongoing for end customers. In the technology industry, there is a tendency to focus on the latest bells and whistles, neglecting the importance of educating end users about the benefits and implications of new technologies. This oversight can hinder the successful implementation of security solutions like ThreatLocker. It is essential to dedicate sufficient time to educating end users to ensure a smooth and effective rollout.
Know the environment. Before implementing ThreatLocker, thoroughly document and understand the client's environment. Initially, run ThreatLocker in learning mode to capture all applications used in the environment. Fine-tune the policy. Before switching to secure mode, collaborate with a Cyber Hero or solutions engineer to identify and address potential application conflicts or redundant applications. Leverage ThreatLocker University. Encourage the team to participate in ThreatLocker University training to gain in-depth product knowledge. Test in the environment first. Before deploying ThreatLocker to clients, thoroughly test it in your own environment to gain familiarity and expertise. ThreatLocker is not suitable for every organization. It is not intended for those who lack a serious commitment to security or are unwilling to invest the time and effort required to properly vet and configure the product for their specific environment. ThreatLocker is most effective for organizations that are willing to take advantage of its comprehensive features and dedicated support to tailor the solution to their unique needs. Remember, the success of ThreatLocker implementation depends on thorough planning, education, and a commitment to security.
Every single endpoint and everything that we manage has ThreatLocker on it. We saw how valuable it was, and we went to every one of our customers and told them either we install this on your PCs or we have to just part ways as friends.
We use the basic ThreatLocker product for Zero Trust and we have one client where we're using Elevation Control.
The big benefit is that I can sleep better.
The fact that it stops anything that we don't want from running is the biggest thing. It's also very easy for administrators to physically approve or deny requests. The difficulty is in determining whether they should approve or deny.
We use ThreatLocker Allowlisting with Ringfencing and I would give ThreatLocker a 10 out of 10 on pretty much everything. The establishing of trust for every access request, no matter where it comes from, is the way of the future.
Something we have come up against a couple of times is that we have two clients that are software developers. They create software that doesn't have digital signatures and that's not easy to categorize or whitelist with ThreatLocker. We have to go in and make custom rules to allow them to do their work and be protected from malicious threats. We've gotten really good at it.
ThreatLocker's support has been absolutely wonderful; you get somebody there very quickly. The danger is when one of my techs calls in with a question about some rules, and he reaches somebody on the other end that has about the same level of technical ability—and I know it says "cyber hero in training"—my concern would be that if the people on both ends of a call are inexperienced, they could inadvertently create a rule that opens up too much. So if I have a concern about that, I usually just get on the call myself.
There is one other big thing. If I want to install a piece of software, and I want everybody in the organization to be able to install that software subsequently, I put a computer in Learning Mode, which disables ThreatLocker. I then install the software, and Learning Mode tells ThreatLocker everything that the software just did.
Every now and then, ThreatLocker will block something, like a web browser update or a web browser plug-in update, and some of that is just not important so I don't worry about whitelisting it. It keeps trying to run, and ThreatLocker keeps causing it to not run, which is okay.
But when I turn on ThreatLocker Learning Mode to install some other piece of software, if there is something that has been trying to install for weeks and hasn't been able to, and then attempts to install while ThreatLocker is in Learning Mode, it will allow it to happen.
To summarize, when you put ThreatLocker in Learning Mode, if there's something else that is trying to run at the same time as whatever it is that you're trying to install, it will be allowed to run.
I've been using ThreatLocker Allowlisting for two or three years.
It's completely stable, other than every now and then an agent will stop phoning home and somebody will have to intervene, but that's very rare.
Scaling is super easy. The great thing is that you can deploy policies to other computers. That means I can make a policy in the parent company, which is mine, and I can then deploy it to all computers.
We have 380 users of ThreatLocker from our company, but I just merged my company with another company so the total across all of our endpoints is about 1,300.
Their tech support is the best I have ever come across.
Positive
We never used a Zero Trust solution before ThreatLocker. We use a next-gen antivirus product called SentinelOne. We had deployed that on all PCs and servers. When ThreatLocker came up, it was so valuable and thorough, that we replaced SentinelOne with ThreatLocker across the board.
In the initial deployment, which I did completely, it was a little difficult to understand how the policies and the rules interact together, at first. But it's a complicated subject, so it took a while for us to grasp all of it. And it took even longer to grasp the finer points of it. But they have very good training and their support is absolutely unparalleled, just great. I've never waited longer than a minute for somebody to get online.
ThreatLocker is a cloud solution. We install it on the local machines but it reports back to the portal, which is in the cloud. As a deployment model, that's perfectly fine. It's very easy to roll out. We use a little piece of software called PDQ Deploy and we can push it out to all machines at once. We can also use our RMM solution, which is ConnectWise, to push it out. It's very easy.
Once I understood it a little, I brought on two techs and they sat with me while we did deployments. Periodically, if I have figured out a different way to do rules, we do in-house training where I show my guys what I'm doing and why I'm doing it, and we document it and write down the steps. Now, those guys know how to install ThreatLocker and deploy it.
It doesn't really require any maintenance. Every now and then we have an agent that's not phoning home, but not often.
I did it myself but had help from Colin Ellis who works for ThreatLocker. He helped us take everything out of Learning Mode and make sure that there was nothing malicious that we were missing that might be allowed to run. He is one of the smartest guys I have ever met.
We have very much seen a return on our investment. We have been around as a company for a long time, for fourteen years. And it was really only recently that we figured out what we were worth and what we should be charging. But it's very hard to go back to a customer that you've had for many years and say, "Hey, you've been paying $45 a month for a long time and we're now charging $120 a month."
However, if we can come in and say, "Look, this is the best tool on the market for keeping you safe, and we feel so strongly about it that we insist that you install it or we just can't work with you anymore," we were able to charge another $25 to $30 a month for that product. We had to explain exactly what it did and how it worked, but we were able to significantly increase our recurring revenue by adding that product because the pricing is reasonable and, when you present it correctly to the customer, it is so valuable that you can charge another $25 to $30 a month, per machine.
I saw the value in it before we deployed it, from the very first presentation I saw about it. I was intrigued enough that I went to the booth, once we were on break at the trade show, and started talking to people there. It was just obvious what its value was going to be. It really does allow me to sleep, in every sense of the word.
It felt as if we were in a losing battle, and then ThreatLocker came along and it felt like we had a chance. As an industry, we're up against nation-states. All of us as little MSPs are up against people who have endless resources and money and who are either sponsored by their governments or organized crime.
The pricing works fine for me. It's very reasonably priced.
We do have other antivirus products running at the same time. We have Webroot and, in some cases, we have Windows Defender running at the same time. But ThreatLocker just catches everything so we don't have to worry about antivirus signatures being up to date.
We also evaluate other products all the time. Komodo was one as well as something from Trend Micro.
It was obvious, right from the get-go, that ThreatLocker was the most efficient and effective way to stop malware from running. The thing that makes ThreatLocker different and better than all other Zero Trust solutions that I've ever heard of—and I've never tried another one, but I've heard the horror stories—happens in the beginning by turning on Learning Mode and letting that run for three to four weeks. That means that when you turn ThreatLocker on by taking it out of Learning Mode, all of the things that have been running during that time are whitelisted and they're allowed to run.
In the olden days, when you turned on Zero Trust, it blocked everything. And then we had what we used to call the "scream test." We would wait for people to start screaming and then go wherever the screaming was, figure out what was being blocked, and unblock it. But that was horrible because even if you unblocked one file, that one file might be trying to call two or three other files to run and make that software work. And if you don't whitelist those too, you still get problems. So that's the upside of Learning Mode. ThreatLocker takes that initial pain completely out of the equation.
In terms of reducing help desk tickets, at first, it's something of a wash. When you first install ThreatLocker and make it active after a certain time in Learning Mode, the tickets are going to go up because people are going to have software, over the next 60 days or so, that they can't run because it didn't happen to run during the Learning Mode period. So for the first 45 to 60 days, we probably had a small increase in tickets because we had to whitelist things. But since then, it has been significantly better. Once we got all the rules sorted out so that people could do whatever work they need to do, and we still keep them protected, we had very little background noise. There is a ticket increase at first, which is normal and expected. There's no way that you're going to turn this on and have everything be perfect every time. But after that, the tickets go down significantly.
Every now and then, we'll get a call from someone who has gotten a phishing email, and they're suspicious of it. They'll call us and ask us to look at it. But the great thing is that if you get a malicious email and you try to run something, ThreatLocker is not going to let it do anything. It is not going to let anything infect your network.
If somebody takes a look at ThreatLocker and doesn't understand what it can do for them, I don't know if that person should be in the IT business. It sounds like I'm sitting here worshiping at the altar of ThreatLocker, but that's not entirely true. There might be other solutions out there that are similar. I know that there are other Zero Trust solutions, but there's no compelling reason for me to move anywhere else.
They just do a great job across the board. When I merged my company with another company, that company had been playing around with ThreatLocker but had never turned it on. They didn't understand how it worked. They tried turning it on internally and it blew up a bunch of stuff but that was because they didn't follow the instructions.
When we merged the companies, I was very adamant about this: "Guys, you need to put this piece of software on every PC that you manage—every single one." I simply explained to the one guy who was complaining about it, because he was the one who had turned it on before he had figured out how to whitelist things first, that there was a way to get around the issue that you have. And once you get past that issue, it's really great.
One last point: There is a feature, Elevation Control, that we're only using for one of our clients, but it works so well. It's fabulous, just wonderful.
I have an advantage over many other people and that is that I live 20 minutes away from ThreatLocker's corporate office. I'm fortunate enough to know Danny Jenkins (CEO), his brother, and several other people who are high up in the company. I visited them at their old office, and I went over on opening day and visited their new office.
I can walk in there and see how the people are working and I can also see the morale of the people who are working there. To everybody who walks in there, it looks like a fun environment to work in. It's a scary business to be in and yet I see people walking around smiling and saying to me, "Hey. How are you?" You don't see any evidence of people stressed out and working in a job that they didn't like. Probably the best thing that I can say about the leadership at ThreatLocker is that they put their people first.
Their training is very good. They treat their people very well and that makes those people want to help customers and MSPs. It's a very well-run business.
I would rate ThreatLocker at 11 out of 10.
We use ThreatLocker for application allowlisting to enhance security, which is particularly beneficial in school environments, where it prevents students from bypassing security measures by downloading unauthorized applications like VPNs, and for elevation control, enabling specific local users to gain temporary administrator privileges when running designated applications.
ThreatLocker utilizes a cloud-based system where an agent is deployed on a server or workstation, either on-premise or in a cloud environment like Azure. This agent connects to the ThreatLocker cloud for management and security functionalities.
ThreatLocker simplifies the process for administrators to approve or deny requests. Built-in applications streamline approvals as ThreatLocker manages all associated rules. If a built-in application exists, administrators simply select and allow it. However, if a built-in application is not available, administrators can select from various parameters to create a customized rule. Overall, ThreatLocker provides a relatively easy and efficient approval process.
We use ThreatLocker's ringfencing feature to implement the principle of least privilege. This allows us to control applications like Microsoft Word and Chrome by permitting them to run while restricting potentially malicious actions, such as Word executing PowerShell scripts. This granular control enhances the security of our environment by limiting what applications can do.
ThreatLocker enhances security by verifying the trustworthiness of all access requests, regardless of origin. Its built-in checks ensure applications match their claimed identities, such as confirming that "Word" is indeed Microsoft Word. Additionally, ThreatLocker provides a testing environment to execute executables and scripts in a virtual machine, verifying their legitimacy. Finally, integration with VirusTotal allows for hash analysis, providing further validation. These combined checks offer a robust system for confirming the authenticity of user application requests.
We saw the benefits of ThreatLocker quickly, especially during security incidents. For example, we had a customer where ThreatLocker successfully blocked a threat actor's attempts to install malware and exfiltrate data using legitimate tools. This immediate visibility is crucial, particularly in environments like schools where students might use various unapproved Chrome extensions. ThreatLocker allows for swift action, like blocking ten different VPN extensions, preventing further unauthorized activity.
ThreatLocker has allowed us to consolidate applications by deciding which ones we permit, such as choosing between Firefox or Chrome, while not permitting Opera or Brave. This means we only focus on two browsers for patching and security purposes. It helped us to immediately identify and block unnecessary Chrome extensions in schools, like VPN extensions. We have experienced quick visibility into what students are trying to use and gained more control over our applications.
I find the application control valuable. ThreatLocker provides visibility into user activity and application usage, empowering organizations to define acceptable applications and web browsers. Additionally, elevation control eliminates the need for local administrators by streamlining privilege elevation for specific applications and updates, resolving the challenges customers previously faced with managing local admin rights.
A valuable addition to ThreatLocker would be a column in the audit page displaying a VirusTotal score for each file. This would allow for quick identification of potentially malicious files during allowlisting. Currently, ThreatLocker has a risk scoring system, but integrating VirusTotal results would provide more granular insight. This would enable users to efficiently assess the safety of audited files and prioritize those flagged by multiple antivirus engines for further investigation.
I have been using ThreatLocker for about two years.
The system is generally stable, with one exception during a customer demo where the portal froze and some applications failed to load.
ThreatLocker is scalable. We have customers with ten endpoints to thousands of endpoints. It scales well across different customer sizes and requirements.
ThreatLocker's customer support is exceptionally fast, typically connecting me with a representative within a minute of submitting a ticket and enabling a Zoom call within three to five minutes. While the support team demonstrates knowledge about ThreatLocker, they occasionally provide hasty answers without proper verification, leading to subsequent revisions.
Positive
The initial setup was easy and well-supported by ThreatLocker's documentation and training.
Most new onboardings require approximately 21 days of learning mode before transitioning to secure mode. Therefore, it typically takes about 21 days to a month for an environment to reach secure mode.
I am the one responsible for all the ThreatLocker deployments.
The implementation was completed in-house.
I handle the technical aspects, while my manager deals with pricing. Although the pricing seems good, there have been inconsistencies in contract negotiations. What we are told during calls sometimes differs from what is communicated later, causing frustration.
We considered CyberFOX, but it prioritized elevation over allowlisting. ThreatLocker remains the only effective allowlisting tool we've found.
I would rate ThreatLocker nine out of ten.
The agent can be set to update automatically, which is the default setting. ThreatLocker handles the maintenance of the agents. Once in secure mode, the primary maintenance task is approving new application requests from users.
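The review above describes two checks in plain words: an application is allowed only if it really is what its name claims (the signature matches the expected publisher), and even an allowed application such as Word is ringfenced so it cannot spawn PowerShell. The following is an added, self-contained illustration of that policy logic written for this page; it is not ThreatLocker's code and does not use its rule format. The allowlist, the ringfence table, the image names and the process-creation events are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One constructed process-creation event (not a real ThreatLocker audit record)."""
    parent: str   # image name of the launching process
    child: str    # image name of the process being launched
    signer: str   # publisher on the child's code signature; "" when unsigned


# Hypothetical allowlist: image name -> publisher the code signature must carry.
# A file that merely shares a name with an allowed application fails this check.
ALLOWLIST = {
    "explorer.exe": "Microsoft Windows",
    "winword.exe": "Microsoft Corporation",
    "chrome.exe": "Google LLC",
    "powershell.exe": "Microsoft Windows",
    "cmd.exe": "Microsoft Windows",
}

# Hypothetical ringfence policy: an allowed parent may not launch these children,
# even though each child is itself on the allowlist when started some other way.
RINGFENCE = {
    "winword.exe": {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"},
    "chrome.exe": {"powershell.exe", "cmd.exe"},
}


def evaluate(ev: ProcEvent) -> tuple[str, str]:
    """Return (decision, reason): allowlist and identity first, then the parent's ringfence."""
    expected = ALLOWLIST.get(ev.child)
    if expected is None:
        return "deny", f"{ev.child} is not on the allowlist"
    if ev.signer != expected:
        # Name matches an allowed application but the signature does not: identity check fails.
        return "deny", f"{ev.child} signed by {ev.signer or 'nobody'!r}, expected {expected!r}"
    if ev.child in RINGFENCE.get(ev.parent, set()):
        return "deny", f"ringfence: {ev.parent} may not launch {ev.child}"
    return "allow", "allowlisted and within ringfence"


def audit(events):
    """Evaluate a batch of events, returning (parent, child, decision, reason) rows."""
    return [(ev.parent, ev.child, *evaluate(ev)) for ev in events]


# Constructed sample events, in the order a reviewer would expect to see them.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "winword.exe", "Microsoft Corporation"),  # normal launch
    ProcEvent("winword.exe", "powershell.exe", "Microsoft Windows"),    # Word -> PowerShell
    ProcEvent("explorer.exe", "powershell.exe", "Microsoft Windows"),   # same child, allowed parent
    ProcEvent("explorer.exe", "winword.exe", ""),                        # unsigned "winword.exe"
    ProcEvent("chrome.exe", "vpn-helper.exe", "Some Vendor"),           # not allowlisted at all
]

if __name__ == "__main__":
    for parent, child, decision, reason in audit(SAMPLE_EVENTS):
        print(f"{decision:5}  {parent} -> {child}: {reason}")
```

The point of the third event is that ringfencing is about the parent, not the child: PowerShell launched from Explorer is allowed while the identical binary launched from Word is not, which is the difference between plain allowlisting and the least-privilege control the reviewer describes.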
We use ThreatLocker Allowlisting for application whitelisting, and zero trust. We utilize the elevation portion to allow access without us having to grant it on an individual basis. We also utilize the Ringfencing portion of the solution to block and protect things that normally we don't want to occur, or could occur on a normal basis.
We didn't have a solution for this specific security feature or package. So we added ThreatLocker Allowlisting three years ago when we realized that we needed to step up our game with cybersecurity nowadays.
ThreatLocker does something different than our other tools, so we kept our antivirus and other protection. We changed tools over time, but not because of ThreatLocker; it sits on top of all of that and provides the security we're looking for.
With ThreatLocker Allowlisting, training is key. If we properly train our staff and go through product training, knowledge bases, and learning processes, it is relatively easy to approve or deny requests. Without this training, we would be lost, as the product is too powerful to guess at. I have a standing appointment with Cyber Heroes every Tuesday at ten am for an hour, where we go through any issues I see, seek help or advice, and approve or deny requests. This also allows us to take a look at our environment as a whole, and make any necessary fixes, modifications, or improvements for our clients. By doing this, we can get to know the product and ensure we use it properly, leading to successful results.
The visibility into software approval requests is straightforward due to the presence of an approval center. We can view all the necessary approvals for our clients in one place. Additionally, we receive an email that creates a ticket in our ticketing system, allowing us to track and follow up on it. This provides us with two locations to manage the process, making it easy to keep track of.
By default, Allowlisting is built-in with Ringfencing, so we would need to take action to turn it off. Ringfencing is enabled for all the major items we would want it for. We can make systems more secure by taking additional steps if desired. Out of the box, Ringfencing is enabled for all the potentially dangerous items that could cause problems if not monitored.
The combination of Allowlisting and Ringfencing helps us block unknown threats and attacks. For example, we allow this application to run, which is fine, but it may try to do something we don't want it to do. By Ringfencing it, we can stop the application from doing anything other than what we intend. We can also prevent other applications from being spawned by previously approved applications. By doing this, we create a container and compartmentalize the application to prevent it from doing anything outside of our intentions.
I believe that ThreatLocker Allowlisting has distinguished us from other MSPs and has allowed us to provide our clients with genuine security in a time when there is no reliable solution for security due to the constant presence of zero-day threats. This is the way we can anticipate a zero-day attack and have the means to prevent it if it does occur, which is what gives me peace of mind.
Recently (Q2 and Q3 of 2024), we have been implementing Network Access Control (NAC) across all of our environments. NAC has dramatically improved our endpoint firewall control. This has reduced access to endpoints to a zero-trust level.
We still have some work to do, as we need to approve everything. Once things calm down, Allowlisting will help reduce our organization's help desk tickets. We don't want small changes to be made that we don't plan for. Allowlisting is the best way to set our clients up. Allowlisting requires some effort upfront to get it working the way we want it, but once it's set, Allowlisting will do the work for us.
Allowlisting, once it is settled, does not add any additional labor or time for our help desk staff.
Since ThreatLocker combined four solutions into one, we saved a significant amount on implementation costs.
When all of these features are combined, we have a strong product. If any of these features were to be used as a standalone product, it would be largely ineffective. However, ThreatLocker Allowlisting has all of these features integrated into one console, making it effective. Without this combination, I would need to use four different products to achieve the same result. The combination of integrated features is the reason why ThreatLocker Allowlisting is so powerful.
We are an MSP. One of the benefits of this product is that we can monitor our clients' activities beyond just removing the software. Even if they don't have military privileges, we can still keep track of what is happening in their environment, such as file access, application installation, or network access. We can see what they are doing, and we can allow the activities that they are supposed to be doing and prevent them from doing activities that could be harmful to them or us. This enables us to have a lower cost of management for our clients, which would otherwise require more effort.
We identified several areas that we would like to see improved. We submitted these as feature requests and ThreatLocker has acknowledged them. They are in the process of being implemented and many of them have been completed in the past year and a half, which we are delighted about. For example, I had been asking for the ability to copy a policy for a few months, and then it suddenly became available. This saves us a lot of time because if we set something up for one client, we don't have to do all the work again for another client; we can just copy it.
I have been using the solution for three years.
ThreatLocker pushes the boundaries of technology while also integrating well with the core of the operating system. So far, we have not had any problems, so I would say it is quite stable.
ThreatLocker Allowlisting is highly scalable. We currently have thousands of endpoints on it and could easily have ten times more. There is no limit to ThreatLocker Allowlisting scalability.
The technical support is excellent. I appreciate when a solution has great tech support because I don't have time to spend trying to figure out an issue that needs to be fixed quickly. I don't want to have to talk to someone who doesn't know what they're doing when I reach out to them; they usually resolve the issue within minutes. We can contact them by phone, email, or text and submit a ticket, and they will provide an answer promptly. The technical support is truly remarkable.
The initial setup is straightforward. I was fully involved in the initial setup for my company and in getting ThreatLocker running. We then passed it on to our certified and knowledgeable techs, who can now do it. When we initially rolled out and deployed, we wanted to make sure we were monitoring ThreatLocker closely.
ThreatLocker has lots of documentation and explanations on how to deploy it. I strongly recommend using their free concierge service with Cyber Hero to guide you step by step. This eliminates the need for you to figure it out on your own. Their professionals will help you deploy properly and successfully. This is one of the great benefits of this company and product, as they want us to be successful with their product.
The deployment was done primarily by myself with a script, and we deployed two thousand endpoints over a three- to six-month period.
Our deployment covers approximately fifty companies in multiple countries, with multiple sites across those companies. Some of the companies have more than two hundred endpoints.
The implementation was completed in-house.
There is certainly a return on investment due to the increased control we have over our clients' environments and the peace of mind it provides us and them. ThreatLocker is an additional layer of protection that surpasses our standard security measures.
The price is very reasonable, and we have been able to integrate ThreatLocker with all of our clients. We do not offer it as an option for only some of our clients; it is a standard feature for all of our clients. One of the reasons for this is that the pricing is quite reasonable considering all that ThreatLocker offers.
I attended several conferences and viewed numerous demonstrations, and I found ThreatLocker to be particularly impressive. I was very impressed with the features and product design, which showed that a great deal of thought had gone into it. I believe ThreatLocker is quite advanced in comparison to some of the other products on the market, which are more established but have yet to achieve what ThreatLocker can already do.
I give the solution a ten out of ten.
With any product of this type, we should always maintain ThreatLocker Allowlisting. The more we maintain it, the more successful it will be and the more secure our environment will be. Maintenance should become part of our normal routine to manage our environments.
Potential users should take the time to work with Cyber Heroes in deploying ThreatLocker Allowlisting, learning how to use it, and managing it. They will be very pleased with the results. They should not attempt to do this alone; it is not something they should have to do on their own, given the services ThreatLocker provides.
We're an IT service provider that acts as an IT department for companies that don't have one. We take over a company's IT infrastructure, look after, manage, and secure it. ThreatLocker is a part of our security stack.
We've got multiple products and vendors that we use, and ThreatLocker is a tool we provide to clients who need it. We use it to control access, block specific programs or activities, and manage things like USBs and other devices. For example, if no one's allowed to use the USB device on the computer, we can do that with ThreatLocker.
ThreatLocker has freed up help desk staff for other projects by saving us time. We don't need to do workarounds to get things to work. It's effortless to deploy. We send out the software to the machines as we would any other piece of software, and it automatically sets up everything in the portal. It works most of the time without the need to configure anything manually.
Adopting ThreatLocker has helped us consolidate solutions. For example, we previously used another product for USB blocking, local administrator access, and things like that. Now, we have that functionality built into ThreatLocker. We can deploy different policies to machines to do other things. And I think there's a community where people can make policies for all the tools. Those solutions were separate paid products, so eliminating them reduced our operational costs.
The most valuable feature is probably the ability to block programs from running. ThreatLocker has some built-in features that make it super easy. You can also contact their support within the program. If you're having issues, you can click on that button and connect with someone in five to 10 seconds.
It's easy for administrators to manage requests through ThreatLocker. It's set up so we can get notifications in our ticketing system. Every notification ThreatLocker sends contains a link that we can click. We sign in, look at the options, and select the one we need to apply.
The process is straightforward from the end users' perspective. If they try to run something that they're not allowed to run, they get a popup saying that in plain English. There's a little button they can click to cancel it or request access. If they request access, they're asked why they want to run this and then they click send. That's all they need to do. They don't have to call anyone.
ThreatLocker's ring-fencing capabilities are excellent. I haven't seen any other products that do it. It's certainly not built into Windows. It's quite good, but it could be a bit more granular with the options that it gives you. However, the existing options are enough to cover 90 percent of scenarios.
The solution is effective for establishing trust for requests. For every request that comes in, it tells you who sent it and the reason why. It also gives you a breakdown of the application the user wants to run, and it'll tell you things like the company that published it. It also has links that will take you to a virus-scanning website that has scanned the file in the past, so we can see straight away if it's trustworthy or not.
The portal can be a little overwhelming at times from an administration point of view. It displays a lot of information, and it's all useful. However, sometimes there is too much on the screen to sift through, especially if you're trying to diagnose a client's problem with a piece of software. Maybe something has stopped working since they updated it, and we need to see if ThreatLocker is blocking a component of that software.
We must look through the logs, and there's an awful lot of information to go through. It has many options to filter out that information, and it becomes much easier once you've had some training. Still, there is so much information on the screen.
I have used ThreatLocker Protect for around two or three years.
I have never noticed it.
I can imagine it's very scalable. We've got clients ranging from two people up to around fifty. Obviously, you can go much higher.
I rate ThreatLocker support 10 out of 10. They're quick and helpful. Whenever I've had a problem, they've fixed it for me. They have this Cyber Heroes feature, which is a button built into the solution that connects you to support within seconds. I've only used it a few times, but they have been spot-on every time.
The deployment was straightforward, but we had a lot of hand-holding from the ThreatLocker team, and they did regular review meetings with us to ensure we're on track. We would do a Zoom meeting where a guy would go through it and do a lot of the work for us.
It doesn't take long to set ThreatLocker up for a client. It takes around 30 minutes to add the client to the portal, get the software, and deploy it to the machine. After that, we let it run in learning mode. It runs in the background for about a week. That part is automated, so we don't need to do anything. Once that's done, we probably spend an hour or so just looking through what it found and ensuring everything's all settled. After deployment, it doesn't require much maintenance aside from keeping everything up to date.
I can't complain. Cheaper would always be nice, but I think it's reasonable compared to other software in the cybersecurity market.
I don't think there was anything else on the market that does all the same things as ThreatLocker. If there was, I was unaware of it.
I rate ThreatLocker eight out of 10. Before implementing ThreatLocker, you should consult one of the company's support engineers. Don't try to do it by yourself because there's a lot of information there. They've got some excellent documentation, but I personally like to be shown how to do it.
As a Managed Security Service Provider, we have numerous clients. We offer ThreatLocker's application whitelisting as a key component of our security stack, leveraging its capabilities as intended. For client-specific applications, we utilize learning mode to automatically whitelist them. Additionally, we employ global whitelisting for commonly used software such as QuickBooks, Sage, and other applications pre-configured by ThreatLocker. This proactive approach ensures seamless operation of essential enterprise applications.
For administrators, approving or denying requests is a straightforward process. They have three options available. The first is on-site with credentials. When a pop-up notification appears on the computer, an administrator can easily navigate through it, log in with their credentials, and approve the request. The second is a remote administrator. For administrators who work remotely and need to approve requests, an email will be sent to the ticketing queue. This notification allows them to access the tenant and approve the request from anywhere. The third is the mobile app. The top-level administrator and I can use a mobile app to approve requests on the fly, even while traveling. All three options are user-friendly and facilitate a smooth approval process.
The visibility is good. While it doesn't overwhelm users with information, ThreatLocker allows us to tailor the request message when approvals are needed. This means it's not just a generic notification. We can incorporate our branding and write a customized message containing relevant details. For example, in our case, the message would state, "Iowa Solutions is requesting this information." This approach helps avoid appearing malicious or unusual, promotes user comfort due to clear communication, and leverages name recognition to ensure users understand the request and its destination.
We use ringfencing when it's applicable. This can be a bit more challenging, particularly with certain global apps. Nevertheless, we utilize it to ensure that solutions without internet access requirements remain disconnected.
Our initial implementation of whitelisting applications did not seem to reduce the number of support tickets. It may have even generated slightly more. However, this was primarily an issue with the initial setup and the values have since returned to normal levels. The included Elevation module, however, has demonstrably reduced tickets, particularly once properly configured. While we are still experimenting with its optimal configuration, we are confident that it represents an internal process improvement rather than a product issue. The ThreatLocker solutions engineer we work with has guided us through this process. The product's ability to elevate already-approved applications directly addresses a significant source of tickets. We have streamlined operations and reduced support overhead by removing the need for end users to request administrator assistance for installing approved applications.
ThreatLocker has enabled us to effectively eliminate the risk of users introducing unauthorized applications into their environment. Occasionally, clients with on-premises IT teams or trusted individuals with administrative privileges might install software that they deem harmless. However, this software is often not part of the standard deployment or approved image, posing a potential security threat.
ThreatLocker serves as an additional layer of defense, ensuring that only authorized software is installed. For example, we have blocked and consolidated the installation of older Adobe versions, which may be vulnerable due to a lack of security updates. Similarly, when Adobe transitioned to a new licensing model, we prevented users from deploying older versions they might have had on hand, ensuring compliance and mitigating potential compatibility issues with the operating system or modern MSA-related items. One of the most common instances of unauthorized software installation involves printer drivers. Users may attempt to install specific drivers or software packages, which can introduce unwanted bloatware or adware. ThreatLocker effectively prevents this type of installation, ensuring a clean and secure environment. For example, if someone attempts to download Adobe Reader directly, the installer might attempt to bundle McAfee software. ThreatLocker efficiently blocks such bundled installations, preventing the introduction of unwanted adware.
We had already anticipated the benefits of ThreatLocker, and these benefits were subsequently confirmed in real-world scenarios. This prior knowledge solidified our understanding of the value it provides. We have a client who unfortunately fell victim to a compromised campaign that ThreatLocker would have prevented. This specific case serves as a compelling use case demonstrating the product's effectiveness. Notably, we were able to identify this value proposition quickly by reviewing the documentation and implementing ThreatLocker in our test environment. However, having a real-world example—where we can confidently state that ThreatLocker would have stopped the attack—further reinforces the product's potential value.
While it can be frustrating at times, we appreciate the low-level security provided by the application whitelist. Although incorrect implementation can lead to unintended blocking of desired applications, it serves as a crucial layer of defense against unauthorized activity. This whitelist effectively enforces established policies, ensuring minimal potential damage in the event of a malicious incursion.
This is our first time using whitelisting software in a production environment, so I can't speak from experience with other solutions. However, one of the main challenges we've encountered is that whitelisted applications can sometimes result in blocked requests, which disrupts workflows. If there's a way to mitigate these disruptions, it would significantly improve the end-user experience. While I don't have a specific solution in mind, I think ThreatLocker's current implementation is elegant. It allows users to customize what they see, submit a request, or simply exit without creating a ticket. This flexibility avoids forcing users to create tickets unnecessarily. While I think ThreatLocker is doing a good job overall, I believe the biggest pain point is the potential disruption to user workflows.
One area I see for improvement is in the visibility of support tickets within the ThreatLocker ticketing system. While my interactions with individual representatives and my solutions engineer have been excellent, communication through the ticketing system itself lacks transparency. Specifically, when an issue is escalated or marked as "being worked on," I'm not provided with any updates or information about the progress being made. This lack of visibility is frustrating, especially when dealing with complex issues that may take longer to resolve. While I understand that not every problem can be fixed in five seconds, I would like to see improved visibility in the ticketing system. This could be achieved by providing regular updates on the progress of tickets, particularly those that are older than three weeks. I appreciate the responsiveness and expertise of the individual support personnel I've interacted with, but enhanced visibility within the ticketing system would be a welcome improvement.
I have been using ThreatLocker Protect for two years.
One of the recent tickets we opened resulted in stability issues for a very small population of deployed agents, less than 0.1 percent. While the scale of the issue is minor and it only emerged recently, with a previously perfect stability record, it does represent a blemish on the otherwise excellent track record. I wouldn't allow this short-term problem to overshadow their previously pristine performance.
I have not encountered any scalability issues.
The technical support team is incredibly fast and efficient. Their live chat feature connects us directly with a support engineer, not an automated system or auto attendant. This direct connection is fantastic and ensures a swift resolution to your issue.
The accuracy of their solutions for common problems is impeccable, consistently exceeding 99 percent. While I've encountered some uncommon issues that required escalation to the development team, this is not a reflection of support's competence. It simply indicates an underlying product issue, not a support-related one.
The team's tier-one support engineers are exceptional, and the solutions engineer assigned to our account is equally impressive. They are both invaluable assets to the support side of the operation.
My only critique concerns the visibility of tickets that aren't resolved immediately. However, every time I've interacted with a support representative, they've been professional and helpful.
We deployed the agents using our cloud-hosted RMM software, Ninja RMM. ThreatLocker provided us with a script to facilitate the deployment, making it incredibly easy. Management is also handled through the cloud portal, making the entire process cloud-exclusive and efficient for large-scale deployments.
I am involved in the initial deployment process for each newly onboarded client. The process is very straightforward, requiring only a few clicks and confirmation of the organization in the portal pop-up. Issues are extremely rare, and any encountered have been on our end during deployment, not with the product itself.
Deployment is typically a one-person job, especially for new clients. When we first launched the program, we had two people in the testing environment to ensure smooth execution. However, this included ThreatLocker integration, which required two additional key players: our account manager and solutions engineers. Therefore, the initial onboarding process involved two individuals, while subsequent client deployments required only one. This has proven sufficient to manage deployments without issues.
We used an integrator who is the solution engineer assigned to our account and has been very helpful to this day. His involvement extended far beyond the initial 90-day onboarding period, and he remains heavily involved in our ongoing integration efforts. His contributions have been a true boon to our project's success.
I believe ThreatLocker's pricing model is fair and flexible, allowing account managers to offer customized deals based on our specific needs. As a small company internally, we also appreciate the ability to scale our subscription easily to accommodate rapid growth periods, which are common for MSPs like ourselves. The tiered pricing structure based on devices is helpful, and the option to commit to specific modules in exchange for discounts is a valuable feature. Overall, I find their pricing fair and transparent, and I am impressed with their willingness to collaborate with us to achieve our goals.
I would rate ThreatLocker Protect a nine out of ten.
Building trust in ThreatLocker's protection relies on the visibility of application requests, demonstrating that the product is actively working. However, this approach may not always achieve the desired outcome. Unfortunately, end users can perceive the constant prompts as a burden, hindering their workflow. While it's crucial to ensure that unauthorized applications are not running, these interruptions can erode trust unless users fully understand the security rationale. Instead of fostering confidence, the prompts can feel like roadblocks, obstructing users' ability to perform their tasks.
Our workflow has generally stayed the same with ThreatLocker. We were not looking for a solution that would save us time. We were looking for a robust whitelisting application software.
End users may not always consider the potential consequences of their actions. As security advisors, it's our responsibility to educate them on safe online practices. Downloading files from unknown sources, clicking links in suspicious emails, and entering passwords carelessly are all risky behaviors. Our "Know Before" training program specifically addresses these vulnerabilities through interactive phishing simulations and social engineering exercises. While some users might find this mandatory training disruptive, it's crucial for building awareness and mitigating cybersecurity risks. Security professionals can't afford to remain passive. While a silent, background approach might be ideal, the reality is that active intervention is often necessary. The end user is dangerous, and just like a guardian watching over a child crossing the street, ThreatLocker offers an extra layer of protection, preventing users from making critical mistakes.
Users need to be aware that this feature will bring security to the forefront for them. This visibility is not a negative aspect, but rather a positive one, as it increases user awareness. However, it's important to remember that sometimes even tech professionals and security analysts cannot anticipate how users will think or react. So, it's essential to avoid approaching the situation from a purely technical or analytical perspective, and instead strive for a balanced and grounded approach. Be mindful of the increased visibility and leverage ThreatLocker's exceptional support team. They have likely encountered any unique situations we might encounter and can guide us through the implementation process.
