ThreatLocker Unveils Its First Detection Tool To Alert MSPs About Attempted Cyberattacks

For the 4,000 MSPs that use ThreatLocker’s endpoint security platform, the detection capabilities will help them to better secure customers, while their reliance on endpoint detection and response ‘is going to be massively reduced,’ founder and CEO Danny Jenkins tells CRN.


Endpoint security firm ThreatLocker announced Thursday its first-ever capabilities for detection of malicious activity, such as an attempted cyberattack, in a move to help managed services providers do even more to protect their end customers.

In connection with its Zero Trust World 2023 conference, ThreatLocker unveiled Ops, a new threat detection tool that aims to augment the capabilities of the 4,000 MSPs using its platform.

[Related: ThreatLocker CEO: More Access Controls Are Needed To Improve Overall Security]

Sponsored post

Because ThreatLocker’s “application allowlisting” functionality ensures that malware cannot run in customer IT systems, the company hadn’t previously focused on detection of cyberattacks. That’s because detection becomes much less necessary for cyber defense when malicious software is automatically blocked from running, as it is by the ThreatLocker solution, according to co-founder and CEO Danny Jenkins.

However, ThreatLocker has recognized that even if it’s just an attempted cyberattack on an IT system, there is still value in being able to detect that activity, since it can often help an MSP to take other cyber defense measures for the customer that’s been targeted, Jenkins told CRN.

And while ThreatLocker has already significantly displaced the need for using endpoint detection and response (EDR) solutions with application allowlisting and its other capabilities, the new Ops tool could displace even more usage of EDR by MSPs, Jenkins said.

“I think the reliance on EDR is going to be massively reduced by using Ops,” he said.

For 3rd Element Consulting, a Mechanicsburg, Pa.-based MSP and ThreatLocker partner, it’s clear that there will be a number benefits of the new Ops tool, according to CEO Dawn Sizer.

For one thing, being able to detect an attempted attack that was blocked by ThreatLocker’s solution can be helpful in terms of demonstrating the value of the product for protecting customers, Sizer said. “Sometimes it is nice to be able to sit down with a client and say, ‘By the way, this happened, this is what it looked like, and this is why it was stopped.’”

The detection capabilities can also enable an MSP like 3rd Element to then take other defensive actions on behalf of a customer in response, Sizer said. Because hackers often follow a standard playbook during a cyberattack, “chances are we know what the next step is going to be. And this can allow us to anticipate what’s coming,” she said.

For instance, if an attacker was detected attempting to access a server through “brute force” password guessing, their next step might be to deploy phishing emails in an effort to get a password that way, Sizer noted. In response to the information provided by the detection tool that workers’ email inboxes could be targeted next, an MSP could tighten up a customer’s email security policies, she said.

Ultimately, having these sorts of threat detection capabilities to complement ThreatLocker’s functionality is “something that we’d all wanted, and we were hacking it together on our own previously,” Sizer said. “This will just make it so much easier.”

Ops is a “community-based platform” because it will leverage findings and detection rules that are provided by its community of users at MSPs and customers, Jenkins said. Users can then also subscribe to receive information that is most relevant to them, such as findings about the key industries that they serve as an MSP, he said.

Additionally, ThreatLocker announced Wednesday that its Third Wall automated security plug-in, which had previously been available for MSPs that use ConnectWise Automate, will now be available for all MSPs to use. ThreatLocker acquired Third Wall in November.

ThreatLocker made the product announcements Thursday as it continues to see surging growth, with the company’s revenue expected to more than double in 2023 compared to last year, said Jenkins, who was named the No. 1 top IT innovator by CRN for its 2022 Top 100 Executive list.

Orlando, Fla.-based ThreatLocker grew its revenue by 300 percent in 2022, year-over-year, and now employs 240. In April 2022, the company raised $100 million in Series C funding led by private equity firm General Atlantic.

In addition to application allowlisting, ThreatLocker also offers other capabilities including “ringfencing,” which places limitations on what types of actions an allowed application is able to take.

Ringfencing has proven to be a very powerful capability for helping customers to securely use the applications that are needed for running their business, according to Michael Kamen, founder and CEO at Edge Solutions Group, a Santa Monica, Calif.-based MSP and ThreatLocker partner.

For instance, Microsoft Teams might need access to a certain folder in order to send files, but it probably doesn’t need access to PowerShell, a Windows tool that is frequently abused by hackers, Kamen said.

“By establishing these ringfencing policies, ThreatLocker is able to restrict an application’s access to the operating system, which I think is crucial in a Windows system,” he said.