Security Core: Device
Security Core: Device is Anneal Tech's complete endpoint protection and 24/7 SOC monitoring service for your device fleet, delivered as a managed program priced per endpoint. The service covers Endpoint Detection and Response (EDR), patch management, threat hunting, and 24/7 SOC monitoring across Windows, macOS, and Linux. It is designed for organizations that need managed endpoint defense without the identity coverage that comes with Security Core: Complete.
Why dedicated endpoint defense matters
Endpoints are where most attacks land. An unpatched device, a successful phishing click, or a malicious download on an employee's laptop is the most common entry point for ransomware, business email compromise, and data theft. Defending the endpoint well requires continuous monitoring of device telemetry, real-time response to detected threats, ongoing tuning of detection rules, and the threat hunting work that surfaces what automated tools miss. This is full-time work, performed by specialists who do nothing else.
Security Core: Device delivers that capability as a managed program with one accountable team operating across the fleet. The service runs continuously rather than as a periodic engagement, with the 24/7 SOC providing the around-the-clock coverage that endpoints actually need.
What is included
- Endpoint Detection and Response (EDR) - real-time threat detection and response on Windows, macOS, and Linux at the same per-endpoint price.
- 24/7 SOC monitoring - dedicated human analysts triage and respond to security events around the clock.
- Patch management - automated vulnerability scanning and zero-day patching across the fleet, with patch windows that respect business hours.
- Threat hunting - ongoing deep-dive analysis surfacing indicators of compromise that automated detection misses.
- Compliance reporting - audit-ready logs and dashboards for HIPAA, SOC 2, FTC Safeguards, and similar frameworks.
- Incident response support - escalation into incident response when the SOC confirms a real intrusion.
- Threat intelligence feed - continuously updated indicators of compromise tuned into detection rules.
- Configuration baseline - endpoint configuration audited against current best practice.
How the service operates
EDR agents are deployed across every covered endpoint and stream telemetry into the SOC platform. The SOC operates in three tiers: Tier 1 analysts triage every alert within minutes, Tier 2 analysts investigate confirmed events, and Tier 3 senior practitioners handle incident response and threat hunting. Patch management runs on a documented cadence with business-aware patch windows. Detection rules are tuned monthly against your environment so noise drops over time and signal stays high. Monthly reporting translates operational data into security posture conversations.
What you receive
- Continuous device monitoring through the 24/7 SOC.
- Patch orchestration with documented patch cadence and exception handling.
- Incident response support escalating into senior practitioners when needed.
- Monthly security posture report covering alert volume, mean time to detect, and posture trend.
- Quarterly business review with strategic conversation on threats and roadmap.
- Audit trail documenting monitoring, response, and remediation activity.
Who Security Core: Device is for
- Organizations that need managed endpoint defense without identity coverage (where identity is handled internally or by another partner).
- Businesses required to demonstrate continuous monitoring and EDR for cyber insurance underwriting.
- Companies with mixed Windows, macOS, and Linux fleets that want consistent coverage across platforms.
- Regulated industries needing audit-ready evidence of endpoint security.
Frequently asked questions
Can you patch Linux servers?
Yes. Patch automation works on Linux, Windows, and macOS. Custom patch schedules are supported for production servers.
What if some endpoints do not need the full SOC?
All devices on the Device SKU get the same level of monitoring and patch coverage. You cannot granularly opt out, but you can move low-risk devices to a separate licensing tier if needed.
How long does EDR agent installation take?
Typically 30 minutes per device via GPO, Intune, or manual install. Bulk installation across 1,000 devices usually completes within a week.
Does this work with our MDM or UEM?
Yes. EDR and patch management integrate with Intune, Jamf, and most enterprise UEM platforms without conflict.
Are IoT and kiosk devices covered the same way?
Yes. EDR agents run on Windows IoT, Linux kiosks, and embedded systems. The same detection and patch rules apply.
Can contractor personal devices be included?
Only if they install the EDR agent. Personal device management (MDM) is separate.
How do you handle patching for custom or legacy applications?
We support custom patch sources and legacy OS vendors. You define patch schedules per device group.
What happens when a breach is detected?
Our SOC initiates incident response playbooks: containment, forensics, and eradication steps. We escalate to your team within 15 minutes of a confirmed threat.
Engagement model and program integration
Security Core: Device is delivered on a per-device, per-month subscription with the same price for Windows and macOS. Onboarding deploys Microsoft Intune unified endpoint management, Defender for Endpoint EDR, BitLocker or FileVault encryption enforcement, and automated patching for the operating system and common third-party applications. New hire devices ship directly to employees and are provisioned through Autopilot for Windows or Apple Business Manager for Mac so the user signs in and the device is enrolled, configured, and policy compliant without IT touching it.
The service is operated by the same SOC that runs Security Core identity and cloud monitoring, so an endpoint alert is correlated with identity and cloud signals before it is escalated. When a device is lost or stolen, the remote lock and wipe action is executed by an Anneal Tech engineer rather than by your internal staff. When a high-severity patch is published, the rollout is scheduled, tested, and deployed against your patch window without an internal ticket. Compliance evidence is logged continuously and produced on demand for cyber insurance and audit cycles.
Security Core: Device is the device half of the full Security Core program, and it pairs with Security Core: Identity to cover the two surfaces where modern breaches actually originate. Organizations that want both pillars combined typically buy Security Core: Complete or pull both into a Business Pro Complete bundle so devices, identity, and IT support are operated together rather than across separate vendors.
Why Anneal Tech
Security Core: Device is operated by Anneal Tech, with the same SOC and the same operational discipline as Security Core: Complete. The service pairs cleanly with Security Core: Identity, Business Pro, Incident Response, and our broader cybersecurity portfolio.
Contact Anneal Tech or book a Security Core: Device scoping call. Call 512-593-8001.