ThreatLocker

Best for: Organizations that want to control exactly what software runs on endpoints through application allowlisting
Pricing: Per-endpoint monthly subscription

What ThreatLocker actually does

ThreatLocker takes the opposite approach to traditional EDR. Instead of detecting and responding to known bad behavior, it blocks everything not explicitly allowed. Application allowlisting means only approved software runs. Period. If ransomware, a zero-day exploit, or a rogue script isn’t on the list, it doesn’t execute.

Ringfencing goes further by controlling what approved applications can do. Even if PowerShell is allowed, you can prevent it from accessing the internet or interacting with specific file paths. Storage control governs access to USB drives, network shares, and cloud storage. Elevation control manages admin privileges on a per-application basis.

The learning mode is critical. ThreatLocker observes your environment first, catalogs what software runs normally, and builds a baseline allowlist. You then refine and lock down. The platform is popular with MSPs because the centralized management console handles policies across multiple client environments.

Who it’s best for

  • MSPs managing endpoint security across multiple client environments
  • Organizations in highly regulated industries that need strict software execution control
  • Companies that want a deny-by-default security model on endpoints
  • IT teams that are tired of chasing the latest threat and want a prevention-first approach
  • Environments with standardized software stacks where allowlisting is operationally feasible

Pricing reality check

ThreatLocker’s per-endpoint monthly pricing is competitive and accessible, especially for MSPs. It’s generally less expensive than enterprise EDR platforms like CrowdStrike or SentinelOne, but the comparison isn’t apples-to-apples — ThreatLocker is a prevention tool, not a detection and investigation platform.

The real cost is operational. Managing allowlisting policies requires ongoing effort. New software deployments, updates, and legitimate tools need to be approved. If you don’t have a process for handling approval requests quickly, users will revolt. Budget for the staff time to maintain policies, not just the license cost.

Alternatives to consider

  • CrowdStrike/SentinelOne — Detection-focused EDR with some application control capabilities. Broader threat visibility but different philosophy.
  • Airlock Digital — Application allowlisting with a similar deny-by-default approach. Strong in government and defense.
  • Carbon Black App Control — VMware’s allowlisting solution. Enterprise-focused with more complex management.
  • Huntress — If you want managed detection rather than strict prevention. Complementary, not competitive.

The Charting Cyber take

ThreatLocker’s philosophy is sound: if unauthorized code can’t run, most attacks fail before they start. The allowlisting approach stops ransomware, fileless malware, and supply chain attacks that detection-based tools might miss. Ringfencing adds a layer that even well-funded attackers struggle to bypass.

The trade-off is operational friction. Allowlisting only works if someone maintains the lists. In dynamic environments with frequent software changes, this becomes a full-time job. ThreatLocker’s learning mode and approval workflows help, but this is not a deploy-and-forget tool. It’s most effective in standardized environments — think dental offices, law firms, and manufacturing floors — where the software stack rarely changes. If your developers are installing new tools daily, allowlisting will create more problems than it solves.