Ian Kirk - PeerSpot reviewer
Director at Forum Computers
Real User
Top 10
Has excellent ring-fencing features and is effective for establishing trust for requests
Pros and Cons
  • "The most valuable feature is probably the ability to block programs from running. ThreatLocker has some built-in features that make it super easy. You can also contact their support within the program. If you're having issues, you can click on that button and connect with someone in five to 10 seconds."
  • "The portal can be a little overwhelming at times from an administration point of view. It displays a lot of information, and it's all useful. However, sometimes there is too much on the screen to sift through, especially if you're trying to diagnose a client's problem with a piece of software. Maybe something has stopped working since they updated it, and we need to see if ThreatLocker is blocking a component of that software."

What is our primary use case?

We're an IT service provider that acts as an IT department for companies that don't have one. We take over a company's IT infrastructure, look after, manage, and secure it. ThreatLocker is a part of our security stack. 

We've got multiple products and vendors that we use, and ThreatLocker is a tool we provide to clients who need it. We use it to control access, block specific programs or activities, and manage things like USBs and other devices. For example, if no one's allowed to use the USB device on the computer, we can do that with ThreatLocker.

How has it helped my organization?

ThreatLocker has freed up help desk staff for other projects by saving us time. We don't need to do workarounds to get things to work. It's effortless to deploy. We send out the software to the machines as we would any other piece of software, and it automatically sets up everything in the portal. It works most of the time without the need to configure anything manually.

Adopting ThreatLocker has helped us consolidate solutions. For example, we previously used another product for USB blocking, local administrator access, and things like that. Now, we have that functionality built into ThreatLocker. We can deploy different policies to machines to do other things. And I think there's a community where people can make policies for all the tools. Those solutions were separate paid products, so eliminating them reduced our operational costs. 

What is most valuable?

The most valuable feature is probably the ability to block programs from running. ThreatLocker has some built-in features that make it super easy. You can also contact their support within the program. If you're having issues, you can click on that button and connect with someone in five to 10 seconds. 

It's easy for administrators to manage requests through ThreatLocker. It's set up so we can get notifications in our ticketing system. Every notification ThreatLocker sends contains a link that we can click. We sign in, look at the options, and select the one we need to apply.

The process is straightforward from the end users' perspective. If they try to run something that they're not allowed to run, they get a popup saying that in plain English. There's a little button they can click to cancel it or request access. If they request access, they're asked why they want to run this and then they click send. That's all they need to do. They don't have to call anyone.

ThreatLocker's ring-fencing capabilities are excellent. I haven't seen any other products that do it. It's certainly not built into Windows. It's quite good, but it could be a bit more granular with the options that it gives you. However, the existing options are enough to cover 90 percent of scenarios.

The solution is effective for establishing trust for requests. For every request that comes in, it tells you who sent it and the reason why. It also gives you a breakdown of the application the user wants to run, and it'll tell you things like the company that published it. It also has links that will take you to a virus-scanning website that has scanned the file in the past, so we can see straight away if it's trustworthy or not.

What needs improvement?

The portal can be a little overwhelming at times from an administration point of view. It displays a lot of information, and it's all useful. However, sometimes there is too much on the screen to sift through, especially if you're trying to diagnose a client's problem with a piece of software. Maybe something has stopped working since they updated it, and we need to see if ThreatLocker is blocking a component of that software. 

We must look through the logs, and there's an awful lot of information to go through. It has many options to filter out that information, and it becomes much easier once you've had some training. Still, there is so much information on the screen. 

Buyer's Guide
ThreatLocker Zero Trust Endpoint Protection Platform
December 2024
Learn what your peers think about ThreatLocker Zero Trust Endpoint Protection Platform. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
831,158 professionals have used our research since 2012.

For how long have I used the solution?

I have used ThreatLocker Protect for around two or three years.

What do I think about the stability of the solution?

Yeah. Never noticed it. So, yeah.

What do I think about the scalability of the solution?

I can imagine it's very scalable. Yeah. We've got it, like, clients many two people up to, like, fifty. So, yeah, it seems for it's got I think, obviously, you can go much much higher I

How are customer service and support?

I rate ThreatLocker support 10 out of 10. They're quick and helpful. Whenever I've had a problem, they've fixed it for me. They have this Cyber Heroes feature, which is a button built into the solution that connects you to support within seconds. I've only used it a few times, but they have been spot-on every time. 

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment was straightforward, but we had a lot of hand-holding from the ThreatLocker team, and they did regular review meetings with us to ensure we're on track. We would do a Zoom meeting where a guy would go through it and do a lot of the work for us.

It doesn't take long to set ThreatLocker up for a client. It takes around 30 minutes to add the client to the portal, get the software, and deploy it to the machine. After that, we let it run in learning mode. It runs in the background for about a week. That part is automated, so we don't need to do anything. Once that's done, we probably spend an hour or so just looking through what it found and ensuring everything's all settled. After deployment, it doesn't require much maintenance aside from keeping everything up to date. 

What's my experience with pricing, setup cost, and licensing?

I can't complain. Cheaper would always be nice, but I think it's reasonable compared to other software in the cybersecurity market.

Which other solutions did I evaluate?

I don't think there was anything else on the market that does all the same things as ThreatLocker. If there was, I was unaware of it. 

What other advice do I have?

I rate ThreatLocker eight out of 10. Before implementing ThreatLocker, you should consult one of the company's support engineers. Don't try to do it by yourself because there's a lot of information there. They've got some excellent documentation, but I personally like to be shown how to do it. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
COO at OverDrive IT
MSP
We get good visibility, as well as our helpdesk tickets, and time is reduced
Pros and Cons
  • "The most valuable feature is selective elevation, which allows elevating an individual process to admin privilege without granting admin privilege to that user, which has been by far the most useful feature outside of the overall solution itself."
  • "ThreatLocker Allowlisting needs to improve its user interface and overall workflow."

What is our primary use case?

We use ThreatLocker Allowlisting to control inventory and manage software. We want to make sure that we know which software is being used on our client computers and that we are only allowing approved software to run. This is in line with the principle of least privilege, which ensures that users are only allowed to do the things they need to do and not the things they don't. This is especially important for shared-use computers and different environments where users on the same computer may have different access levels.

How has it helped my organization?

The visibility into software approval requests of end users is easy. We not only have approval requests pushed directly into the platform, but we also have a ticket opened in our ticketing system. As the manager, I can run reports to see what requests are coming in from client organizations and how my technicians are handling them. This makes my life easier from a managerial perspective.

The combination of ThreatLocker and Ringfencing is excellent for blocking unknown threats and attacks. For example, we can ensure that all software stays within its designated sandbox. This means that I can run the PowerShell scripts from our RMM software, but nothing else can run the PowerShell scripts. With Ringfencing, we can say, "Allow this to run, but not that," or "Allow this website to be accessed to download an installer, but don't allow other websites to be accessed." Other use cases for Ringfencing include selective elevation of a process. For example, if a user needs to run QuickBooks and is elevated to an administrator to do so, then all privileged processes will also be elevated. However, with Ringfencing, we can prevent QuickBooks from opening PowerShell or anything else that it is not supposed to open. This helps to keep us safe and prevents unknown threats from exploiting compromised privileged processes.

In line with the textbook definition of a zero-trust model, every request must be approved. This can create some tension with clients, so it is important to get their buy-in on the process. With ThreatLocker's learning mode, we can make the approval process invisible to clients for the most part. We manually select which requests to approve and which to deny. By the time we set ThreatLocker to enforce everything, we have a good baseline of what is allowed and what is not. We have also communicated everything to the clients and found procedural ways to reduce friction.

ThreatLocker Allowlisting can help to reduce helpdesk tickets. On the one hand, we do receive approval requests with some regularity. However, on the other hand, overall tickets are reduced because we no longer have everyone trying to install iTunes or wondering why they're getting pop-ups in their browser because they have three different browser add-ons for coupon clippers that are laced with malware. After all, with ThreatLocker, users are not allowed to install these programs, to begin with, which reduces the tickets we would get after they've been installed because they're unpublished installations that any standard user could complete. The net result is an overall reduction in tickets, although there are some tickets required to manage the approvals.

ThreatLocker Allowlisting has saved our helpdesk around a 15 percent reduction in overall tickets. With the average handle time for a ticket being 14 minutes, if I have 100 tickets in a month, each one will take 14 minutes, for a total of 1,400 minutes per month.

What is most valuable?

The most valuable feature is selective elevation, which allows elevating an individual process to admin privilege without granting admin privilege to that user, which has been by far the most useful feature outside of the overall solution itself.

What needs improvement?

Approving or denying requests using the software can be more difficult to do correctly. Overall, it is easy to use, but it is not the easiest in the world to get right. There are some nuances and things that we need to understand.

ThreatLocker Allowlisting needs to improve its user interface and overall workflow. The UI looks very dated and is challenging to navigate, and we spent more time training technicians on how to interact with ThreatLocker than on what to do with it. The user experience needs a lot of work, but their beta portal is solving a lot of that. If I had to pick any lingering difficulty, it would be the learning curve to grasp how ThreatLocker manages what is allowed and the details around that.

For how long have I used the solution?

I have been using ThreatLocker Allowlisting for almost two years.

What do I think about the stability of the solution?

We experienced some delays with our cloud agent. For example, when we changed a policy, it would take five minutes for the agent to receive the change. Or, we would tell the agent to enter a specific mode, and it would take five minutes for the agent to comply. This caused some delays in our ability to deliver services. However, the cloud provider has eliminated this issue. We now typically wait no more than thirty seconds for the agent to respond to our requests. This was a problem when we first started using the cloud agent, but it hasn't been a problem for about six months now.

What do I think about the scalability of the solution?

We have had no scalability issues whatsoever, even though our largest environment is only about 75 endpoints. We are not working at the same scale as much larger companies, but for our size, ThreatLocker has been perfectly scalable. Whether I am deploying to one person or ten people, the same script is pushed out by the RMM and everything loads up in ThreatLocker within a matter of minutes.

How are customer service and support?

The technical support team at ThreatLocker is incredibly experienced and knowledgeable. I especially value two things about interacting with them. I never have to wait long for a response. As chief operating officer, if a problem reaches my desk, it means that everyone below me has already tried and failed to solve it, or they simply didn't want to get ThreatLocker support involved. Since I have the most experience in-house, I'm usually the one who engages with ThreatLocker support. When I do, I never have to wait long to speak to someone who knows what they're doing. I always get escalated to the right level technician, even if I'm initially connected with more junior tech. ThreatLocker doesn't waste time walking me through scripts, procedures, and processes. Instead, they escalate my issue to the right person immediately so that they can help me solve whatever creative problem we're facing.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had some experience with Microsoft's AppLocker, but managing it required too much manual effort for our small team that required a dedicated full-time employee. ThreatLocker Allowlisting is much easier to manage.

How was the initial setup?

The initial deployment was straightforward. ThreatLocker provided the script to use in our RMM software. To deploy the software, we made some tweaks to accommodate our environment. We were then able to push out the agent in an entirely automated fashion. We had three people involved on our end, but it could have been done by a single person. We divided responsibilities to bring the product to market faster.

What about the implementation team?

The implementation was completed in-house with the support of the ThreatLocker team.

What was our ROI?

In addition to the overall time savings, there are also quantifiable costs associated with the number of malware attacks that have been stopped by ThreatLocker. I can think of at least four or five instances where an executable file was blocked by ThreatLocker before it could be detected by SentinelOne or any of the other security solutions on the machine. It is difficult to say definitively whether SentinelOne would have detected these files after execution, but I do know that ThreatLocker has helped to improve our productivity and our clients' productivity by preventing users from installing unauthorized software, such as iTunes on work computers or Spotify on protected machines. By limiting users to only approved software, ThreatLocker has also made our jobs easier as IT service providers, as we no longer have to spend time hunting down unauthorized software, uninstalling things, or remediating malware, bloatware, adware, etc. As a result, we are dealing with far fewer rogue browser extensions, which has led to a reduction in tickets and overall management overhead.

We realized the benefits of ThreatLocker Allowlisting after six months of use. This was because we needed to become familiar with the product, build our baselines, and understand how it worked. We also needed to establish routines, build workflows, train our technicians, and educate our clients on how to interact with the software. By the six-month mark, we began to see a return on investment, and it was fully realized by the one-year mark.

What's my experience with pricing, setup cost, and licensing?

The price of ThreatLocker Allowlisting is reasonable in the market, but it is not fantastic. It is also much less expensive than some other products we use.

Which other solutions did I evaluate?

We considered Auto Elevate from Cyberfox and Microsoft's AppLocker, but managing Microsoft's AppLocker would have required too much manual effort for our small team which would require a dedicated full-time employee. ThreatLocker Allowlisting is much easier to manage. ThreatLocker Allowlisting is a more comprehensive solution, and we liked the way that ThreatLocker said they would support us better than the other companies. With the other companies, it was more of a traditional support model, but with ThreatLocker, we have an average wait time of 30 seconds on our support chat. In the year and a half, almost two years, that we've been with ThreatLocker, this has always been the case. We've never had to wait more than 30 minutes to get a live human being who is an expert on ThreatLocker. If they can't solve the problem, they'll escalate it to someone who can. Beyond that, they stand behind their product. Because it's such a complicated product, and we're a small company, this was all the difference to us. We knew that if we had problems, we would have their team to lean on for help, and they've stood behind their product.

What other advice do I have?

I would rate ThreatLocker Allowlisting nine out of ten. ThreatLocker Allowlisting is not a perfect product, but they do a fantastic job of continuing to improve it and make it more approachable.

There are management and overhead costs, as well as maintenance costs associated with changing or updating the lists. There is also some limited maintenance required as programs and hashes change. Additionally, we need to make some updates to properly maintain the lists, consolidate policies, and so on.

Try ThreatLocker risk-free and work with their team. They can make their complex product more approachable so that users can see its benefits and capabilities.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner Reseller
PeerSpot user
John Kistler - PeerSpot reviewer
Business Owner at J&B Technologies, Ltd.
Real User
Top 10
Puts out a great product backed up with excellent support and training
Pros and Cons
  • "Using ThreatLocker is effortless because I can access it from an app on my phone, so I can help clients after hours. My client had an issue while I was at dinner, and I didn't have a tech on the problem, but I could deal with it from my phone. I can see what the client is doing and approve or deny it. It helps me deliver better service to my clients when they need it."
  • "ThreatLocker could offer more flexible training, like online or offline classes after hours. The fact that they even provide weekly training makes it seem silly to suggest, but some people can't do it during the day, so they want to train after work. They could also start a podcast about issues they see frequently and what requires attention. A podcast would be helpful to keep us all apprised about what's going on and/or offline training for those people who can't train during the week."

What is our primary use case?

Our clients require a zero-trust solution for their servers. They need to ensure that nothing happens to the server without authorization — nothing comes in, goes out, or gets corrupted. We put ThreatLocker on the server to block anything that attempts to run without permission. We use ThreatLocker across our whole platform. We continue to pound the table on how great it is and tell our customers that they need it. It is currently deployed for multiple MSP and MSSP clients on their servers and workstations. 

How has it helped my organization?

I don't know if ThreatLocker has improved the organization itself, but it has prevented a few clients from doing the dumbest things possible. Our clients are sleeping better at night. I was at dinner with a rep from ThreatLocker when my client accidentally fell for a scam and contacted a fake number for Apple support. She got a message saying that her IP had been stolen. She tried to let them access the system, but ThreatLocker wouldn't allow anything to load. My phone blew up with alerts. 

Meanwhile, my client called, asking me to give "Apple Support" access. I told her to hang up because her IP couldn't be stolen. She was arguing about fake support, and I told her to Google "Stolen IP address scam." She looked it up and realized it was fake, so she hung up with him. She was mad at me for a bit but apologized the next day. If she didn't have ThreatLocker, they would be holding her files for ransom, or she would be leaking data.

It hasn't reduced our help desk tickets so far, and this is something they warn you about. They told us that it was going to be messy in the beginning. They didn't beat around the bush. They said we should expect some dust when we break ground. There will be dust and dirt everywhere, and we'll track it in many places. However, we will clean it up, put some sod down, and make it look beautiful. Until then, the house will be muddy. We expected some pain initially, which is why they do weekly calls with us until we get it to run correctly.

They provide fast access to Cyber Hero support, so they can help you at the drop of a hat. They also put a secure app on your phone to approve things on the fly if the clients are trying to do an update over the weekend. ThreatLocker provides everything you need to get the plane off the ground, and it flies well. Sometimes, clients get annoyed because they can't access something, but I tell them it's a necessary evil. 

I tell them that their network is like flying on a plane. I say, "I know that you want TSA precheck and to be right at the front of the line, but your network doesn't have that. You didn't pay for it with the government." I point out that their security is more important than speed and access. We don't live in a fast-network world anymore. Everything has to be checked and double-checked.

I think it will free up help desk staff after we get past the initial stage, but the clients need to be trained the same way they do with emails. They need to understand that we won't blindly allow anything to work on their network. We will look at it first and ensure everything is how it should be. Finally, we will let it in, but everything will be ring-fenced or limited once it's in. We won't run that program until we figure out how to do that. If my clients are expecting an update, they can't keep that information to themselves. They need to let me know so we can arrange an upgrade time, and I can provide them with a window. We'll run it with some restrictions to ensure they're okay. 

Allowlisting hasn't enabled us to consolidate tools. It's another tool in the toolbox, and everything has its place. After the Colonial Pipeline cyber attack, the president issued an executive order requiring zero trust. ThreatLocker fills that gap. You still have other blind spots, though. We need an email security solution and network monitoring to identify suspicious devices on our network searching for a vulnerability. You can't have ThreatLocker on everything. You can't have it on a printer or a specific firewall, but you can have it on an operating system. There are other blind spots that require attention.

What is most valuable?

Using ThreatLocker is effortless because I can access it from an app on my phone, so I can help clients after hours. My client had an issue while I was at dinner, and I didn't have a tech on the problem, but I could deal with it from my phone. I can see what the client is doing and approve or deny it. It helps me deliver better service to my clients when they need it.  

ThreatLocker also has a service where one of their techs can call you on Zoom and go through anything denied for the last week. They will train you until you feel comfortable enough to do it yourself. I've dealt with one of their techs from the UK, who was knowledgeable, friendly, and an excellent teacher.

I only needed about six or seven sessions before I didn't need him anymore, but the training didn't stop. They continue to train until you can handle each client request, see what was blocked, and determine why. You can understand why something was blocked and how to dive deeply into it. You can also click "Chat With a Cyber Hero," and somebody will help. It has been a wonderful experience overall. 

We typically use ThreatLocker with ring-fencing when requested. You only ring-fence applications. For example, Microsoft Office doesn't ever need to open PowerShell. It will get flagged automatically if that happens. We know what programs should and should not have access to. The printer should never open an FTP port. Allowlisting automatically sets those policies and says this device has printing functions but can't access an FTP port. 

Allowlisting establishes trust for every access request regardless of origin. In light of new regulations about zero trust, compliance issues, and litigation risks, we must be careful about what gets out and what doesn't get out. Ring-fencing and zero-trust strategies are two ways to do that. We have to run applications, but we don't want them to do anything except what we want. We get the best of both worlds. An application doesn't run if we don't know what it does, and necessary applications will only run with specific rules.

What needs improvement?

ThreatLocker could offer more flexible training, like online or offline classes after hours. The fact that they even provide weekly training makes it seem silly to suggest, but some people can't do it during the day, so they want to train after work. They could also start a podcast about issues they see frequently and what requires attention. A podcast would be helpful to keep us all apprised about what's going on and/or offline training for those people who can't train during the week.

For how long have I used the solution?

I have used ThreatLocker since July 2022.

What do I think about the stability of the solution?

ThreatLocker is highly stable.

What do I think about the scalability of the solution?

ThreatLocker has been very scalable so far. 

How are customer service and support?

I rate ThreatLocker support ten out of ten. Everyone else should follow their support model. ThreatLocker has a built-in help desk feature. It's one of the best I've seen. An icon in the bottom right corner says "Chat With a Cyber Hero." When I first clicked on it, someone responded in eight seconds. I was like, "Holy cow, that's fast!" They've solved every issue in under five minutes.

How would you rate customer service and support?

Positive

How was the initial setup?

We rolled out Allowlisting from their portal and then deployed it on servers and critical workstations. It was straightforward and reassuring. We have Kaseya, and we didn't know if we had been affected by the breach. ThreatLocker was there with boots on the ground on a Saturday to help us get secure. They reassured us everything was okay. 

What was our ROI?

Using ThreatLocker has made us look like real players in the security space. That's a huge deal. You have a seat at the table when you look like a real player. You see value in everything they do. You understand the program and can see what they're pre-populating it with. You can get training from a Cyber Hero almost immediately. 

Most importantly, you can get weekly training to teach you along the way. You can stop and pick it up whenever you need. They are that good. I'm going to have some of my other techs go through the training so everybody can be trained to do a ThreatLocker assessment.

What's my experience with pricing, setup cost, and licensing?

Others say ThreatLocker is too expensive, and I tell them they're dreaming. It's well-priced for what it does.

Which other solutions did I evaluate?

Before adopting ThreatLocker, we didn't even know this type of solution existed. We were affected by the Kaseya ransomware attack and forced to shut our server down. We were scared, so we called up ThreatLocker and asked if they could help us. 

They asked to get into our server and see if we were hit. They also looked at the program agent mod to help other people who were impacted. They dropped everything to work with me on a Saturday. Who does that?  

What other advice do I have?

I rate ThreatLocker AllowListing 11.5 out of 10. It's one of the best products on the market, and every MSP needs it because of the zero-trust rules imposed by the executive order. The product does what it says, and the support is fantastic. The training is excellent. They take care of you. You'll know what's happening, and your client will sleep better at night.

In this industry, companies often promise they will help you when you run into trouble. However, they aren't there more often than not. For example, Microsoft tested its software in the beginning and put out a beta version. When they release a new operating system, everyone knows it is the beta version, and we're all beta testers. We have to be the ones to tell Microsoft about our issues through the built-in error reporting, and we don't want to report it to Microsoft because we know they won't do anything with it.

We know that they no longer take it seriously. They let us do their work as testers for their beta product. It's refreshing to deal with a product like ThreatLocker where I get support in eight seconds. As soon as I open the chat, they're there typing away. When I start a chat with AT&T, Spectrum, or any of those, I get a message saying, "Support will be with you momentarily." You see the three little dots don't move, and you need to wait five to twenty minutes to get support. ThreatLocker puts out a great product backed up with excellent support and training. What else do you need?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Hunter Clark - PeerSpot reviewer
Cybersecurity Engineer at a tech services company with 51-200 employees
Real User
Top 10
Improves application visibility and control for schools and organizations
Pros and Cons
  • "ThreatLocker provides visibility into user activity and application usage, empowering organizations to define acceptable applications and web browsers."
  • "A valuable addition to ThreatLocker would be a column in the audit page displaying a VirusTotal score for each file."

What is our primary use case?

We use ThreatLocker for application allowlisting to enhance security. This is particularly beneficial in school environments, where it prevents students from bypassing security measures by downloading unauthorized applications like VPNs and elevation control, enabling specific local users to gain temporary administrator privileges when running designated applications.

ThreatLocker utilizes a cloud-based system where an agent is deployed on a server or workstation, either on-premise or in a cloud environment like Azure. This agent connects to the ThreatLocker cloud for management and security functionalities.

How has it helped my organization?

ThreatLocker simplifies the process for administrators to approve or deny requests. Built-in applications streamline approvals as ThreatLocker manages all associated rules. If a built-in application exists, administrators simply select and allow it. However, if a built-in application is not available, administrators can select from various parameters to create a customized rule. Overall, ThreatLocker provides a relatively easy and efficient approval process.

We use ThreatLocker's ringfencing feature to implement the principle of least privilege. This allows us to control applications like Microsoft Word and Chrome by permitting them to run while restricting potentially malicious actions, such as Word executing PowerShell scripts. This granular control enhances the security of our environment by limiting what applications can do.

ThreatLocker enhances security by verifying the trustworthiness of all access requests, regardless of origin. Its built-in checks ensure applications match their claimed identities, such as confirming that "Word" is indeed Microsoft Word. Additionally, ThreatLocker provides a testing environment to execute executables and scripts in a virtual machine, verifying their legitimacy. Finally, integration with VirusTotal allows for hash analysis, providing further validation. These combined checks offer a robust system for confirming the authenticity of user application requests.

We saw the benefits of ThreatLocker quickly, especially during security incidents. For example, we had a customer where ThreatLocker successfully blocked a threat actor's attempts to install malware and exfiltrate data using legitimate tools. This immediate visibility is crucial, particularly in environments like schools where students might use various unapproved Chrome extensions. ThreatLocker allows for swift action, like blocking ten different VPN extensions, preventing further unauthorized activity.

ThreatLocker has allowed us to consolidate applications by deciding which ones we permit, such as choosing between Firefox or Chrome, while not permitting Opera or Brave. This means we only focus on two browsers for patching and security purposes. It helped us to immediately identify and block unnecessary Chrome extensions in schools, like VPN extensions. We have experienced quick visibility into what students are trying to use and gained more control over our applications.

What is most valuable?

I find the application control valuable. ThreatLocker provides visibility into user activity and application usage, empowering organizations to define acceptable applications and web browsers. Additionally, elevation control eliminates the need for local administrators by streamlining privilege elevation for specific applications and updates, resolving the challenges customers previously faced with managing local admin rights.

What needs improvement?

A valuable addition to ThreatLocker would be a column in the audit page displaying a VirusTotal score for each file. This would allow for quick identification of potentially malicious files during allowlisting. Currently, ThreatLocker has a risk scoring system, but integrating VirusTotal results would provide more granular insight. This would enable users to efficiently assess the safety of audited files and prioritize those flagged by multiple antivirus engines for further investigation.

For how long have I used the solution?

I have been using ThreatLocker for about two years.

What do I think about the stability of the solution?

The system is generally stable, with one exception during a customer demo where the portal froze and some applications failed to load.

What do I think about the scalability of the solution?

ThreatLocker is scalable. We have customers with ten endpoints to thousands of endpoints. It scales well across different customer sizes and requirements.

How are customer service and support?

ThreatLocker's customer support is exceptionally fast, typically connecting me with a representative within a minute of submitting a ticket and enabling a Zoom call within three to five minutes. While the support team demonstrates knowledge about ThreatLocker, they occasionally provide hasty answers without proper verification, leading to subsequent revisions.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup was easy and well-supported by ThreatLocker's documentation and training.

Most new onboardings require approximately 21 days of learning mode before transitioning to secure mode. Therefore, it typically takes about 21 days to a month for an environment to reach secure mode.

I am the one responsible for all the ThreatLocker deployments.

What about the implementation team?

The implementation was completed in-house.

What's my experience with pricing, setup cost, and licensing?

I handle the technical aspects, while my manager deals with pricing. Although the pricing seems good, there have been inconsistencies in contract negotiations. What we are told during calls sometimes differs from what is communicated later, causing frustration.

Which other solutions did I evaluate?

We considered CyberFOX, but it prioritized elevation over allowlisting. ThreatLocker remains the only effective allowlisting tool we've found.

What other advice do I have?

I would rate ThreatLocker nine out of ten.

The agent can be set to update automatically, which is the default setting. ThreatLocker handles the maintenance of the agents. Once in secure mode, the primary maintenance task is approving new application requests from users.

Disclosure: My company has a business relationship with this vendor other than being a customer: MSP
Chad Sizemore - PeerSpot reviewer
Managing Partner at ICS cyber management
Real User
Top 10
Easy to use with great features and helpful support
Pros and Cons
  • "Every single feature has been invaluable."
  • "The reporting could be improved."

What is our primary use case?

We use the solution as a zero-trust application. We put it on all of our customer machines. We're a security operations company that performs security and compliance services for different companies. For all of the companies that we support, we put ThreatLocker on. As a zero-trust application, we know the only applications that we've approved are going to be able to function in those customer environments and be that much more secure.

How has it helped my organization?

The solution has improved the organization by making sure every customer is more secure. It doesn't allow anything we don't know or haven't approved to run on any machine.

What is most valuable?

Every single feature has been invaluable.

It's very easy for administrators to approve or deny requests using the cloud listing. 

You get good visibility with this product - more than anything else on the market. ThreatLocker is amazing for providing that visibility. I know every single thing about a request due to the way they process it and the data they show us. We have the ability to see everything that an application is actually going to do.

We do use ring-fencing for every customer. It's great at blocking known and unknown threats. It's the only thing that I know, without a doubt, will do the job. I know that if I haven't made a policy for something, it still will not let it run.

It's the best, period, for allowing us to assess allowed listings and establishing trust for every request.

Overall, the solution has helped us consolidate applications and tools. It's definitely helped reduce unnecessary software. 

We've been able to reduce operating costs based on tool consolidation. However, it would be a difficult number to calculate. 

What needs improvement?

The reporting could be improved. They're already working on some things with that. That said, as far as its functionality, its stability, and my trust level in it, I honestly don't know how it could get better.

For how long have I used the solution?

We've been using the solution for two years.

What do I think about the stability of the solution?

We have never had a problem with stability. 

What do I think about the scalability of the solution?

We have 2500 machines. There are different customers using it. Some are government entities and some are public. Organizations range from very small to extremely large. 

The solution is 100% scalable. 

How are customer service and support?

Technical support is the best in the business. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

While we have used different solutions, nothing compared to what this solution provides. 

How was the initial setup?

We have different deployment models for each customer. It's an application that I install on every machine in my customer's environment. 

The deployment is very straightforward. In a couple of clicks, you are finished. 

The implementation depends on the customer. For some customers, we install to the machine. Others, we push it out. Some also have scripting so that if you have an RMM tool, it's an easy little script that you push out via the RMM tool or even as a PowerShell script. Their deployment is something else that sets them apart since it's so easy to get it on either one machine or a mass deployment of machines.

You only need one person for deployment. 

The product doesn't require maintenance. Everything is handled on the back end. 

What about the implementation team?

We used a third party to deploy the solution. We don't support the machine it's installed on. We only do security. We use multiple third parties. 

What was our ROI?

We have 100% witnessed an ROI. It sells my service. 

What's my experience with pricing, setup cost, and licensing?

The pricing is correct.

Which other solutions did I evaluate?

We did evaluate other options. We've tested everything from top to bottom. For example, we looked at Fortigate and Palo Alto as well as some options from Cisco and Microsoft. None offered the same level of detail.

What other advice do I have?

We're a partner. 

We have witnessed an immediate time to value using this solution. 

I'd rate the solution ten out of ten. I'd advise others to pull the trigger and get it. They'll love it. The solution provides a level of security that is unmatched. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer:
Director of Technology and Security Compliance at Cyber Solutions
Reseller
Top 20
Provides us with valuable application control, ring-fencing, and storage control
Pros and Cons
  • "Application control, ring-fencing, and storage control are the most important features, followed closely by elevation."
  • "More visibility in the built-ins would be nice."

What is our primary use case?

ThreatLocker is our standard security stack, with very few exceptions. We use it for all of our MSP clients, MSSP clients, and recently for IR response cases. We use ThreatLocker to control application installations and take advantage of its ring-fencing option, which prevents otherwise good applications from interacting maliciously.

How has it helped my organization?

Administrators can easily approve or deny requests using the log listings.

The overall visibility into software approval requests of end users is very good.

ThreatLocker and ring-fencing are two of the main ways to prevent applications from interacting with each other, outside of application control. This means that we can take two otherwise non-malicious applications and prevent them from speaking to each other. A good example is Microsoft Word and Microsoft PowerShell. We wouldn't want Word to interact with PowerShell.

From a visibility standpoint, we like Allowlisting's ability to establish trust from every access request, regardless of its origin. However, there is nothing quite like the application control feature, even in an XDR or EDR solution. We are looking for the process path, CERT, and other information to identify the application.

Allowlisting has helped reduce the number of our help desk tickets. There was an initial spike in configuring trusted applications, but it has definitely cut down on supporting applications that should not be part of an organization anyway, such as PDF readers and browsers outside of the standard. Once we add an acceptable group of applications, we no longer support any deviations from that. Allowlisting has cut down on some of the ticketing there.

Allowlisting has helped us consolidate applications and tools. For example, we have standardized on a list of allowed browsers because those are the browsers that are patched regularly. We have also standardized PDF readers and Office suites, such as LibreOffice and Microsoft Office.

We saw the benefits of Allowlisting quickly. We observed that applications, such as PowerShell, were able to run freely within an environment, and that there was a high likelihood that one of these tools could be used maliciously without any effective deterrents. None of the EDR, XDR, logging, and forwarding SOX solutions were able to stop such an attack from proceeding.

What is most valuable?

Application control, ring-fencing, and storage control are the most important features, followed closely by elevation.

What needs improvement?

More visibility in the built-ins would be nice.

The learning curve is wide because there are a lot of things to learn. 

For how long have I used the solution?

I have been using ThreatLocker Allowlisting for two years.

What do I think about the stability of the solution?

ThreatLocker Allowlisting has had minimal downtime, comparable to, if not exceeding, Microsoft's uptime standards.

What do I think about the scalability of the solution?

ThreatLocker Allowlisting is easily scalable. We doubled our endpoint count in three days, and we know that we can scale.

How are customer service and support?

The support team is the best we've had by far. I don't think I've ever waited more than a minute. They usually answer our call in about 30 seconds.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup was straightforward. We pushed ThreatLocker Allowlisting out from our RMM automation system. We have also pushed it out in other ways, and it is always straightforward.

Two of our people were involved in the deployment.

What about the implementation team?

We used ThreatLocker's onboarding process support for the implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair and there is no hard sell.

What other advice do I have?

I would rate ThreatLocker Allowlisting ten out of ten.

The alert board for maintenance requires monitoring.

Potential users should expect to dedicate resources to ThreatLocker Allowlisting. It is not a set-and-forget solution. There is a learning curve, but Cyber Hero support is available to help users through it. Unlike some other products that onboard users and then leave them to the ticketing system, ThreatLocker provides continued support. It is important to note that ThreatLocker Allowlisting cannot be simply turned on and left alone. It requires in-house resources to properly manage at scale.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
reviewer2594715 - PeerSpot reviewer
IMS ENGINEER at a tech vendor with 1,001-5,000 employees
Real User
Top 20
Comprehensive endpoint security with real-time protection
Pros and Cons
  • "ThreatLocker's most valuable feature is its scanning capability, which executes all types of executable files."
  • "ThreatLocker has significantly improved numerous techniques that mitigate vulnerabilities and viruses initiated on the back end of a network."
  • "ThreatLocker would benefit from incorporating an antivirus feature or comprehensive 24-hour log monitoring, a valuable enhancement for both business and enterprise-level users."
  • "ThreatLocker's technical support process could be streamlined by reducing the number of steps required to reach a human agent."

What is our primary use case?

We are a managed service provider offering comprehensive network and security monitoring for other service providers. We remotely monitor our clients' systems, many of which utilize ThreatLocker. This application allows us to provide end-to-end technical support, including proactive protection against malicious scripts and applications. ThreatLocker prevents unauthorized installations and execution of potentially harmful programs, such as PowerShell or CMD scripts, by blocking them in real-time. Essentially, it's a comprehensive security application that logs events, captures data, and aids in recovery and analysis, enabling us to understand and respond to security incidents effectively.

We have deployed ThreatLocker in the Azure and AWS clouds for some of our customers, while others utilize it in a hybrid model.

How has it helped my organization?

Administrators can easily approve or deny requests using their ThreatLocker allow list. With full access, an administrator can enable learning mode or create exclusions for any user, allowing them to execute specific files or actions within their user space.

The software provides superior visibility into end-user software approval requests compared to other EDR applications I've encountered. Real-time scanning is available when an exclusion occurs, and the software captures comprehensive logs of all activity on the machine.

We use allowlisting once a user access request is submitted. We verify the reason for the request and, once verified, we send an email notification to the requesting user. After approval through the ThreatLocker console, the user can access and execute the requested resources.

ThreatLocker has significantly improved numerous techniques that mitigate vulnerabilities and viruses initiated on the back end of a network. This prevents recurring attacks that utilize script files or various hacking methods by stopping them at the network level.

Previously, users with installation privileges often installed various third-party applications without oversight. ThreatLocker prevents unauthorized application execution, requiring users to submit installation requests. Since most users are reluctant to request third-party applications, this policy significantly reduces the volume of help desk tickets related to software installation and troubleshooting.

ThreatLocker helps consolidate applications and tools.

What is most valuable?

ThreatLocker's most valuable feature is its scanning capability, which executes all types of executable files. Rather than denying specific applications, it denies all applications originating from the back end, providing comprehensive protection.

What needs improvement?

ThreatLocker would benefit from incorporating an antivirus feature or comprehensive 24-hour log monitoring, a valuable enhancement for both business and enterprise-level users.

For how long have I used the solution?

I have been using ThreatLocker Protect for approximately seven to nine months.

What do I think about the stability of the solution?

I haven't experienced any performance or stability issues with ThreatLocker.

What do I think about the scalability of the solution?

ThreatLocker is highly scalable and useful for real-time protection.

How are customer service and support?

ThreatLocker's technical support process could be streamlined by reducing the number of steps required to reach a human agent. Currently, users must navigate through multiple chatbot interactions before being connected, which can be time-consuming and frustrating.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup involves deploying the solution through an agent procedure within cloud platforms. Configuration is done according to system administrator instructions, and policies are set accordingly.

What about the implementation team?

A team of five is involved in deploying and configuring ThreatLocker, as well as monitoring its use.

What was our ROI?

The measurable benefits of using ThreatLocker include ensuring real-time protection of organizational resources and maintaining user authentication and protection levels to reduce risks. It fosters business growth by securing the business module.

What other advice do I have?

I rate ThreatLocker Protect eight out of ten.

There is no maintenance required by the customers.

The endpoint value typically falls within the range of 300 to 450 per MSP, although this can vary depending on the client. Larger enterprise-level clients may have up to 500 endpoints.

I recommend purchasing the exact number of agent subscriptions needed for the environment to avoid unnecessary expenditures.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
Jaden Scatton - PeerSpot reviewer
Advanced IT Specialist at Robinson tech
Real User
Top 10
ThreatLocker Allowlisting
Pros and Cons
  • "The biggest improvement has been knowing that something unauthorized isn't going to get installed on anyone’s machines."
  • "There are some times when applications get submitted, and the hashes don't really line up."

What is our primary use case?

We use it over our 31 clients, and twelve hundred devices. We use it over all of our Windows workstations and Mac workstations to prevent unauthorized installs and downloads of applications.

How has it helped my organization?

Allow Listing is great. The biggest improvement has been knowing that something unauthorized isn't going to get installed on anyone’s machines. Even if somebody did manage to get into their systems, they wouldn't be able to do anything without us knowing about it.

What is most valuable?

Definitely, the allowed listing and the Zero Trust platform are the most useful aspects of the solution.

It is very easy for an administrator to approve and deny requests. So easy, in fact, that I have given it to a majority of our clients' main points of contact, where they are able to approve them, whether it's via their mobile cell phone or logging into the portal on their computers.

The overall visibility into software approval requests of end users is very good. We can see everything that we need to see including the application path, the user that requested it, and the computer host name. When it's approved on the workstation endpoint, it pops up with a text box saying, “Hey, this has been approved. Click here to install your application.”

We allow listing with the ring-fencing. We do implement that when needed. For example, for Word and Excel, there's no need for those to talk out to PowerShell and command prompt, so we do have those ring-fenced where they cannot speak to that.

Their combination for blocking unknown threats on attacks is good. If it's not something we've previously approved, it does get locked every time. Sometimes it even gets in the way of our day-to-day, which is good. It's what we wanted it to do. It does its job a little too well.

It is great for establishing trust for every access request no matter where it comes from. Whether the user is an admin or not, they all still have to get their software approved. Once it has been approved, it makes it easy for everyone as they're able to install it on their own without approval again.

It helped reduce our organization's help desk tickets. We haven't had nearly as many clients submitting tickets, say, for example, McAfee installing when they're trying to install Adobe. We approve Adobe and we don't install the McAfee install. That will get in the way a lot, and we have seen a major reduction in tickets such as those.

Being able to not have to worry about what everyone's installing all the time has definitely improved our ability to focus our attention on other projects.

What needs improvement?

The new portal that they just released took care of a whole lot of improvements. 

There are some times when applications get submitted, and the hashes don't really line up. It would be excellent if there was a way for the hashes to point to a known application. The biggest example I have is probably web browser plug-ins. Those come up and they look very gross and don't give you very much information at all so you have to go to Google and look up what they are.

For how long have I used the solution?

I've used the solution since February of 2022. It's been about a year and eight months. 

What do I think about the stability of the solution?

The stability is very good. I have not seen any outages.

What do I think about the scalability of the solution?

It is deployed to every single endpoint that we currently manage Windows-wise and then a majority that we manage Mac-wise. We currently have 712 computers being monitored.

They continue to grow. They produce Mac releases, Windows updates, and patches. 

How are customer service and support?

Technical support is great, they get to the requests before we can go through them. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The initial setup was pretty straightforward to the point where the documentation was good enough that I could have a level one brand new green tech to handle it and be confident.

Deploying it through DATTO RMM is probably the biggest way we deploy and then we might have a manual agent deployment if necessary.

We utilized two people for the deployment. 

It does require maintenance. We'll do monthly check-ins with ThreatLocker and an account manager to go over just to see what we can improve.

What about the implementation team?

The deployment was handled in-house. 

What was our ROI?

We have seen an ROI via the amount of hours we save not having to worry about looking at different applications getting installed. We also don't have to worry about clients getting ransomware attacks and things like that, so that has helped us a lot.

What's my experience with pricing, setup cost, and licensing?

Pricing is a little high, however, you get what you pay for.

Which other solutions did I evaluate?

We did look at other solutions before choosing this solution. 

What other advice do I have?

We have noted time to value. It's easier than ever to approve very quickly rather than having to talk with clients to see what they are trying to install. The virtual deployment allows you to see what's going on super quick. The onboarding was pretty extensive. It took us a solid six to eight months before seeing time to value. 

I'd rate the solution eight out of ten. 

I'd advise others that if they use the product, they will have lots of peace of mind and sleep better knowing their clients are better protected.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free ThreatLocker Zero Trust Endpoint Protection Platform Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024