Tool Review June 3, 2026 · 9 min read ⭐ 5/5, Highly Recommended

ThreatLocker Review (2026): Zero Trust Endpoint Security for MSPs

ThreatLocker has a real learning curve. It will break things if you don't deploy it carefully. It is also one of the most effective endpoint security controls available at any price point. Here's what you actually need to know.

What Is ThreatLocker?

ThreatLocker is a zero-trust endpoint security platform that takes a fundamentally different approach to protection: instead of trying to detect and block known threats, it denies everything by default and only allows what you've explicitly approved.

That sounds simple, but it's a significant philosophical shift from traditional security tools. Rather than asking "is this threat known?", ThreatLocker asks "has this been approved?" If the answer is no, it doesn't run, regardless of whether it's known malware or a brand new zero-day.

Core Modules

Application Allowlisting

The foundation of ThreatLocker. Define exactly which applications are permitted to run on your endpoints. Anything not on the list is blocked. This stops ransomware, malware, and unauthorized software dead, even if it's never been seen before by any security vendor.

The initial setup involves a "learning mode" where ThreatLocker observes your environment and builds an allowlist based on what's already running. This is critical: skip learning mode and you will break things badly.

Ringfencing

Ringfencing controls what approved applications are allowed to do, not just whether they can run. You can define rules like: "Microsoft Word is allowed to run, but it cannot access the network, cannot spawn cmd.exe, and cannot read files outside of Documents." This kills the entire class of macro-based attacks where Office documents are weaponized to download payloads.
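The Word rule above, as an added example: a conceptual Python model of deny-by-default plus ringfencing, not ThreatLocker's policy format or API. The hash placeholders, the `alice` path, the event fields and the function names are all assumptions made for illustration.

```python
import ntpath
from pathlib import PureWindowsPath

# Constructed policy. Keys stand in for file hashes; values are
# (name, network_allowed, blocked_children, readable_roots).
ALLOWLIST = {
    "hash-winword": ("winword.exe", False, {"cmd.exe"},
                     [r"C:\Users\alice\Documents"]),
    "hash-cmd": ("cmd.exe", True, set(), []),   # [] = no path restriction
}

def inside(path, roots):
    # Normalise first so "..\" segments cannot step out of an allowed root.
    p = PureWindowsPath(ntpath.normpath(path))
    return any(p.is_relative_to(PureWindowsPath(r)) for r in roots)

def decide(event):
    """Return (allowed, reason) for one constructed endpoint event."""
    entry = ALLOWLIST.get(event["actor"])
    if entry is None:                      # deny by default
        return False, "binary not on allowlist"
    name, net_ok, blocked_children, roots = entry
    kind = event["kind"]
    if kind == "exec":
        return True, f"{name} is approved"
    if kind == "spawn":                    # child must be approved AND permitted
        child = ALLOWLIST.get(event["child"])
        ok = child is not None and child[0] not in blocked_children
        return ok, f"spawn {'allowed' if ok else 'denied'} for {name}"
    if kind == "net":
        return net_ok, f"network {'allowed' if net_ok else 'denied'} for {name}"
    if kind == "read":
        ok = not roots or inside(event["path"], roots)
        return ok, f"read {'inside' if ok else 'outside'} ringfence"
    return False, "unknown event kind"     # fail closed

# Constructed events of the kind an endpoint agent would evaluate.
EVENTS = [
    {"actor": "hash-winword", "kind": "exec"},
    {"actor": "hash-unknown", "kind": "exec"},
    {"actor": "hash-winword", "kind": "spawn", "child": "hash-cmd"},
    {"actor": "hash-winword", "kind": "net"},
    {"actor": "hash-winword", "kind": "read",
     "path": r"C:\Users\alice\Documents\..\AppData\secrets.txt"},
]

def blocked(events):
    return [(e, decide(e)[1]) for e in events if not decide(e)[0]]
```

Only the first event passes: Word may run, but the unknown binary, the `cmd.exe` child, the network connection and the `..` path that resolves outside Documents are all denied, even though `cmd.exe` is itself approved to run on its own.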

Storage Control

Granular control over what can access storage locations. Block USB drives, limit which applications can read sensitive directories, prevent ransomware from encrypting network shares. Especially valuable in healthcare and finance environments with strict data access requirements.

Elevation Control

Allows users to run specific applications with elevated privileges without needing local admin rights. This is a common MSP headache: users need to install certain software, but giving them full admin is too risky. Elevation Control solves that elegantly.

Network Control

Per-endpoint firewall rules that follow the device regardless of network location. Define which ports and protocols each application can use, block lateral movement paths, control outbound connections. Works well layered with your existing firewall infrastructure.

⚠️ Critical deployment note: Do not skip learning mode. Do not rush the initial rollout. ThreatLocker will block legitimate software if your allowlists aren't built correctly. Plan for a 2-4 week learning period per environment, and have a rollback plan for your first few deployments.

Scores

  • Ease of Deploy: 3/5
  • Protection Level: 5/5
  • MSP Usability: 5/5
  • Value for Money: 5/5
  • Support Quality: 5/5

Pros and Cons

What We Love

  • Deny-by-default stops threats traditional tools miss entirely
  • Ringfencing neutralizes macro and script-based attacks
  • Satisfies cyber insurance and compliance requirements
  • Storage Control prevents ransomware encryption of network shares
  • Elevation Control solves the local admin dilemma
  • Excellent MSP multi-tenant portal
  • ThreatLocker Ops team is genuinely responsive

Limitations

  • Real learning curve; improper deployment breaks things
  • Requires ongoing management as software updates
  • Learning mode period adds to the deployment timeline
  • Not ideal for environments with rapidly changing software
  • Can frustrate end users if policies aren't dialed in

Deployment Tips From the Field

A few general principles worth following regardless of environment:

ThreatLocker and Compliance

This is where ThreatLocker earns its place in almost every compliance conversation. Application allowlisting is explicitly required or strongly recommended by NIST SP 800-167, CIS Controls, and CMMC, and most cyber insurance questionnaires now ask about it directly.

If your clients are pursuing cyber insurance and getting dinged on endpoint controls, ThreatLocker is often the fastest path to closing those gaps, especially combined with a documented security policy that references your allowlisting controls.

Pro tip: ThreatLocker pairs directly with a well-documented security policy. If you're deploying ThreatLocker, make sure your clients have an Acceptable Use Policy and an Endpoint Security Policy that references it. Auditors want to see both the technical control and the documentation.

Pricing

ThreatLocker pricing is per-endpoint-per-month with MSP partner rates available. Like Huntress, the exact numbers require a direct conversation, but they're competitive for what you get, and the ROI argument is easy to make once you've prevented your first ransomware incident.

The Bottom Line

ThreatLocker is not a plug-and-play tool. It requires investment in deployment, configuration, and ongoing management. But what it gives you in return is a fundamentally more secure endpoint posture than anything signature-based can provide.

For MSPs who take the time to learn it properly, it becomes one of the most valuable tools in their stack, both for security outcomes and for differentiating their service offering. "We deploy zero-trust endpoint controls" is a much stronger conversation than "we run antivirus."

Try ThreatLocker for Your Environments

MSP partner program available. Start with a demo; their team will walk you through the deployment process.
