Devices
Endpoints, servers, and hardware. The most-tooled and most-contested row in a typical enterprise stack.
Devices is the original Cyber Defense Matrix asset row from Sounil Yu — laptops, desktops, servers, mobile devices, and the hardware under them. In CDM 2.0 it remains the row with the most mature tooling, the most overlap across functions, and the highest share of security spend. For most organizations Devices coverage is the benchmark against which other rows are measured.
What belongs on the Devices row
Devices covers endpoint hardware: corporate laptops, desktops, servers (bare metal and virtual), mobile devices under MDM, and the OS-level controls that run on them. It does not cover OT/IoT assets (those have their own row), cloud-native compute without a discrete device identity (containers, serverless — those sit with Applications and Cloud), or the network fabric the devices connect through (Networks).
The row is wide because the work is layered: inventory, configuration management, patching, endpoint protection, detection, response, and recovery all have distinct tool categories. A typical stack has six to ten products contributing to Devices coverage across the seven function columns.
Coverage by function column
GOVERN × Devices is usually implicit — endpoint policies live in GRC/policy tooling. ANTICIPATE × Devices is thin except for intel feeds that correlate to device-level IOCs. IDENTIFY × Devices is where CMDB/CAASM plus vulnerability management do their heaviest work — this cell is the foundation for everything else in the row.
PROTECT × Devices is usually the most crowded cell in the matrix: EPP, EDR preventive features, application control, USB blocking, disk encryption, patching, configuration baselines, host firewalls. DETECT × Devices is dominated by EDR and XDR; supplemental tools (deception, memory forensics, file-integrity monitoring) add depth. RESPOND × Devices is EDR live response plus remote remediation tooling. RECOVER × Devices is endpoint-backup tooling plus the rebuild-from-gold-image runbook.
Overlap hotspots on this row
Cross-vendor endpoint overlap is the classic rationalization target. Organizations that migrated from Symantec/McAfee/Trend Micro to modern EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Cybereason) often kept the legacy EPP running for a transition period and never removed it. Any endpoint stack with two active vendors covering the same cell for longer than the agreed-upon migration window is pure spend.
Vulnerability management + configuration management is a second overlap cluster. Tenable, Qualys, Rapid7, and the config-assessment features of EDR products all compete for the same scan-and-report-findings work. Most organizations are better off picking one primary source of vulnerability truth and using the others only where they have unique capabilities (Snyk for source code, Wiz for cloud workloads, etc.).
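The "two active vendors in the same cell past the migration window" rule above can be checked mechanically against a tool inventory. The following is an added example, not code from the Cyber Defense Matrix or any vendor; the inventory, the 90-day window and the cut-over date are constructed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

# The seven CDM 2.0 function columns, in matrix order.
FUNCTIONS = ("GOVERN", "ANTICIPATE", "IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER")

@dataclass(frozen=True)
class Tool:
    name: str
    vendor: str
    cells: FrozenSet[str]                 # Devices-row cells this tool claims to cover
    superseded_on: Optional[date] = None  # day a replacement went live; starts the migration window

def overlap_findings(tools, today, migration_window=timedelta(days=90)):
    """Return {cell: sorted vendors} for every Devices cell where two or more
    vendors are still active AND a superseded tool has outlived the agreed
    migration window. Multi-vendor cells with no stale legacy tool are not
    flagged: that is a capability-overlap judgement, not a calendar rule."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    for cell in FUNCTIONS:
        active = [t for t in tools if cell in t.cells]
        vendors = {t.vendor for t in active}
        if len(vendors) < 2:
            continue
        stale = [t for t in active
                 if t.superseded_on is not None and today - t.superseded_on > migration_window]
        if stale:
            findings[cell] = sorted(vendors)
    return findings

# Constructed inventory: legacy EPP left running after the EDR cut-over on 2024-01-15.
INVENTORY = [
    Tool("Symantec Endpoint Protection", "Symantec", frozenset({"PROTECT", "DETECT"}),
         superseded_on=date(2024, 1, 15)),
    Tool("CrowdStrike Falcon", "CrowdStrike", frozenset({"IDENTIFY", "PROTECT", "DETECT", "RESPOND"})),
    Tool("Tenable", "Tenable", frozenset({"IDENTIFY"})),  # overlaps Falcon in IDENTIFY, but nothing is stale
]

if __name__ == "__main__":
    for cell, vendors in overlap_findings(INVENTORY, "2024-09-01").items():
        print(f"{cell} x Devices: {len(vendors)} vendors past migration window -> {vendors}")
```

IDENTIFY is deliberately left unflagged: Falcon and Tenable both cover it, but deciding which is the single source of vulnerability truth is the capability judgement described above, not a calendar check.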
Where 'You Already Own the Fix' usually shows up on Devices
The most frequent finding: EDR deployed and providing only its default telemetry while the platform has substantial additional capability sitting dormant. CrowdStrike Falcon Insight's custom IOAs, Defender for Endpoint's attack-surface-reduction rules, SentinelOne's static AI engine, Cybereason's MalOp prioritization — all are high-value capabilities that require configuration effort beyond 'install the agent.'
A second pattern: MDM products (Intune, Jamf, Kandji, Workspace ONE) with compliance policies enabled but not enforced. The policy dashboard shows green, conditional access in the IdP is not actually keying off it, and non-compliant devices continue to access production. The matrix cell reads Covered; operationally it is not.
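Both patterns above reduce to the same question: is the capability merely enabled, or does it actually change an outcome? The following added example (not the page's or any vendor's code) scores each Devices cell as covered, claimed-only or gap from a constructed control review; the tool names come from the text, the enabled/enforced states are invented for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    tool: str
    cell: str        # Devices-row function column
    capability: str
    enabled: bool    # switched on in the console (what the dashboard shows green)
    enforced: bool   # actually changes an outcome: blocks, denies access, or alerts a watched queue
    note: str = ""

def coverage_status(controls):
    """Return {cell: 'covered' | 'claimed-only' | 'gap'}.
    covered      - at least one control in the cell is enabled AND enforced
    claimed-only - something is enabled but nothing in the cell is enforced
    gap          - nothing in the cell is enabled"""
    status = {}
    for c in controls:
        current = status.get(c.cell, "gap")
        if c.enabled and c.enforced:
            status[c.cell] = "covered"
        elif c.enabled and current != "covered":
            status[c.cell] = "claimed-only"
        else:
            status.setdefault(c.cell, current)
    return status

def dormant_capabilities(controls):
    """Capabilities already licensed but not yet doing anything: the fix you already own."""
    return [f"{c.tool}: {c.capability} ({c.note})"
            for c in controls if not (c.enabled and c.enforced)]

# Constructed review of one Devices row showing both patterns from the text.
REVIEW = [
    Control("CrowdStrike Falcon Insight", "DETECT", "default sensor telemetry", True, True),
    Control("CrowdStrike Falcon Insight", "DETECT", "custom IOAs", False, False, "no rules authored"),
    Control("Defender for Endpoint", "PROTECT", "attack-surface-reduction rules", True, False, "audit mode only"),
    Control("Intune", "PROTECT", "device compliance policy", True, False,
            "no conditional-access grant keyed to compliance state"),
    Control("Intune", "RESPOND", "remote device actions", False, False, "not configured"),
]

if __name__ == "__main__":
    for cell, state in coverage_status(REVIEW).items():
        print(f"{cell} x Devices: {state}")
    for item in dormant_capabilities(REVIEW):
        print("dormant:", item)
```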
Frequently asked
Does 'Devices' include mobile?
Yes. Corporate-managed phones and tablets sit on the Devices row, typically covered by an MDM/UEM (Intune, Jamf, Kandji, Workspace ONE) with optional mobile threat defense (Zimperium, Lookout, Check Point Harmony). Personal (BYOD) devices are in scope only to the extent that access-control policies gate their connection to corporate resources.
Are virtual machines on the Devices row or the Cloud row?
It depends on who operates them. On-prem VMs and IaaS-hosted VMs that your team manages end-to-end sit on Devices. Cloud-native compute (containers, serverless, managed services) sits on Cloud. The line is operational ownership, not deployment location.
Is IoT on the Devices row?
No. IoT has its own row in CDM 2.0 (OT/IoT). The reason is that IoT security requires specialized tooling (network telemetry, device-behavior analytics) and operates under different constraints (limited patchability, vendor-opaque firmware). Putting IoT on the Devices row hides those distinctions.
How do containers and VMs differ from physical servers for CDM purposes?
Containers and managed compute belong on the Cloud row because their security controls are cloud-native (admission controllers, runtime protection, image scanning). Physical servers and traditional VMs — where you care about the OS, the agent, and the patch level — sit on Devices. A Kubernetes node can be simultaneously a Device (the underlying VM) and part of Cloud (the orchestrator layer).