What "we have antivirus" actually covers
When a customer questionnaire or a nervous board member asks how you protect your laptops, the easy answer is "we have antivirus." It feels like a complete answer. It usually isn't.
Antivirus is real and useful. It is also narrow. It answers one question well: is this file known to be bad? It compares the files on a machine against a list of known-bad signatures and blocks the matches. That is worth having, and most companies your size already run something that does it, either the antivirus that came with your laptops or the protection bundled with a device subscription.
The trouble is that "is this file known to be bad" is step zero, not the finish line. Plenty of the way an attacker actually gets in and stays in never trips a file scanner at all. So if antivirus is the whole plan, the plan has gaps you can't see from where you're standing.
Antivirus checks files. Attacks stopped relying on files.
Signature matching only works when there is a file to match. For years, that was a fair bet, because attacks arrived as malicious attachments and downloads. That bet has gone stale.
Attackers increasingly break in with no malware file at all. They sign in with stolen credentials, which looks like a normal login. They use tools already built into the operating system, like PowerShell and the Windows command line, to move around and do their work. This is called living off the land: nothing gets downloaded, so there is no file for a scanner to flag. CrowdStrike's 2025 Global Threat Report found that 79% of the detections it observed in 2024 were malware-free, up from a reported 40% in 2019. A pure file scanner is blind to most of that.
This is where behavioral detection earns its place. Endpoint detection and response, usually shortened to EDR, watches what programs on a machine are doing rather than what their files look like. A Word document that suddenly launches PowerShell, which then reaches out to an unfamiliar server, is suspicious behavior whether or not any file on disk matches a known signature. EDR flags the behavior. Antivirus, by design, only sees the file.
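The "Word document launches PowerShell, which then reaches out" pattern described above, as an added example that is not code from the page or from any EDR vendor: a small behavioral rule run over constructed process-creation and network events. The Office and script-host lists, the allowlist, and the events themselves are assumptions made for the illustration.

```python
# Behavioral detection over constructed endpoint telemetry: flag an Office
# application whose descendant scripting host opens an outbound connection.
# Everything below is constructed sample data, not real telemetry.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
KNOWN_GOOD_DESTS = {"update.example-corp.internal"}  # assumed allowlist (constructed)

# Constructed process-creation and network events from a single laptop.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"type": "network", "pid": 400, "dest": "203.0.113.7", "port": 443},
    {"type": "process", "pid": 500, "ppid": 100, "image": "powershell.exe"},
    {"type": "network", "pid": 500, "dest": "update.example-corp.internal", "port": 443},
]

def build_process_tree(events):
    """Map pid -> (lower-cased image name, parent pid) from process events."""
    return {e["pid"]: (e["image"].lower(), e["ppid"])
            for e in events if e["type"] == "process"}

def ancestry(tree, pid):
    """Yield image names walking from pid up through its parents."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        image, pid = tree[pid]
        yield image

def detect_office_script_beacons(events):
    """One alert per scripting host that descends from an Office app and
    connects somewhere not on the allowlist. No file hash is consulted."""
    tree = build_process_tree(events)
    alerts = []
    for e in events:
        if e["type"] != "network" or e["dest"] in KNOWN_GOOD_DESTS:
            continue
        chain = list(ancestry(tree, e["pid"]))
        if chain and chain[0] in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain[1:]):
            alerts.append({"pid": e["pid"], "dest": e["dest"], "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    for a in detect_office_script_beacons(EVENTS):
        print(f"ALERT pid={a['pid']} dest={a['dest']} chain={a['chain']}")
```

The second PowerShell (pid 500) is launched from the desktop and talks to an allowlisted host, so it produces nothing; only the chain rooted in Word is flagged, and nothing about either file on disk was needed to decide that.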
You can't protect the laptop you forgot you had
Even the best detection on a machine only helps if the machine is one you know about. Antivirus protects the devices it is installed on. It does not tell you which devices exist. That distinction quietly decides how much of your company is actually covered.
This is why the CIS Controls, a widely used set of security recommendations, lead with two that sound almost too basic: know every device you own (Control 1) and know every piece of software running on them (Control 2). They come first because everything else depends on them. You cannot patch, configure, or monitor a machine you don't know is yours. The inventory is the foundation, not the paperwork.
The cost of an incomplete inventory shows up in the numbers. The Verizon 2025 Data Breach Investigations Report found that 46% of the systems carrying stolen corporate login credentials were unmanaged devices, sitting outside the company's security tools entirely. Nearly half. Those machines weren't badly protected. They were invisible.
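One practical way to find the invisible machines, as an added example rather than anything from the page or a specific product: reconcile the endpoint inventory (devices with an enrolled agent and their last check-in) against the device names that appear in identity sign-in logs. The records, the 30-day staleness threshold, and the assumption that the name reported at login matches the inventory hostname are all constructed for the illustration.

```python
# Reconcile the endpoint inventory against devices seen in sign-in logs to
# surface the laptops "you forgot you had". All records are constructed samples.
from datetime import datetime, timedelta

NOW = datetime(2025, 6, 30)
STALE_AFTER = timedelta(days=30)  # assumed threshold for a silent agent

# Constructed inventory: devices the endpoint tools know about -> last agent check-in.
INVENTORY = {
    "LT-ALICE-01": datetime(2025, 6, 29),
    "LT-BOB-02": datetime(2025, 4, 2),    # enrolled, but the agent has gone quiet
    "LT-SPARE-03": datetime(2025, 6, 28),
}
# Constructed identity sign-in log: (device name at login, user, timestamp).
SIGNINS = [
    ("LT-ALICE-01", "alice", datetime(2025, 6, 30)),
    ("LT-BOB-02", "bob", datetime(2025, 6, 30)),
    ("DESKTOP-7H2Q", "carol", datetime(2025, 6, 29)),  # never enrolled anywhere
]

def reconcile(inventory, signins, now=NOW, stale_after=STALE_AFTER):
    """Classify devices: unmanaged (authenticating but not enrolled), stale
    (enrolled but not checking in), active_but_silent (in use yet unmonitored),
    plus the share of signing-in devices that are enrolled and reporting."""
    seen = {dev for dev, _user, _ts in signins}
    unmanaged = sorted(d for d in seen if d not in inventory)
    stale = sorted(d for d, last in inventory.items() if now - last > stale_after)
    active_but_silent = sorted(d for d in stale if d in seen)
    healthy = [d for d in seen if d in inventory and d not in stale]
    coverage = len(healthy) / len(seen) if seen else 1.0
    return {"unmanaged": unmanaged, "stale": stale,
            "active_but_silent": active_but_silent, "coverage": coverage}

if __name__ == "__main__":
    r = reconcile(INVENTORY, SIGNINS)
    print(f"coverage of devices that sign in: {r['coverage']:.0%}")
    for kind in ("unmanaged", "stale", "active_but_silent"):
        for dev in r[kind]:
            print(f"{kind}: {dev}")
```

The active_but_silent category is the one that usually surprises people: a machine someone uses every day, whose agent stopped reporting, counts as unmanaged for every purpose that matters.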
The patch you didn't know was missing
Antivirus does not patch anything. It can tell you a known-bad file showed up, but it has nothing to say about the out-of-date software that let an attacker in through the front door. Keeping software updated is a separate job, and it is one of the more important ones.
Unpatched and misconfigured software is a top way attackers get in. In the Verizon 2025 report, exploiting a known vulnerability was the way in for about 20% of breaches, up roughly a third from the year before. The same report found that remediation is slow: for the internet-facing devices attackers target most, the median time to fully patch ran to about a month, and many were never fully patched at all. A month is a long time when the weakness is public.
The point is not a specific deadline. It's that the work is continuous and the window is short. New weaknesses are disclosed constantly, attackers start probing for them quickly, and a patch that isn't applied is just a documented way in. This is ongoing operational work, and it's nobody's job by default. Antivirus certainly isn't doing it.
The same logic applies to your collaboration tools, which are the other surface most growing companies leave half-managed. We wrote about the Microsoft 365 settings most companies never turn on, which covers the email and cloud side of the same problem: you own the protection, but owning it and running it are not the same thing.
An alert nobody reads is not protection
Say you do have EDR, and it's watching behavior properly. There's still a gap, and it's the one that decides whether an alert becomes a contained incident or a breach.
Good detection produces a lot of alerts. More than a small team without a dedicated security person can read, let alone sort the real ones from the noise. And the alerts don't keep office hours. An antivirus toast or an EDR notification can fire at 9pm on a laptop that's zipped inside someone's bag on the way home. Detection is the easy part now. What happens in the minutes after is what stops a breach, and that part is about people and authority, not software.
This is the same idea as real response, applied to your devices. A notification tells you something looked wrong. Response means someone is already watching, already has the agreed-upon authority to act, and can isolate the affected machine and stop the spread without waiting for a meeting. The difference is whether someone is defending the company or just describing what's happening to it.
It's common, when we start with a company, to find capable endpoint protection already installed and its alerts flowing to a shared inbox that no one has opened in weeks. The tool was doing its job. The job just stopped at the alert.
What endpoint management actually is
Put the whole picture together plainly. Endpoint management is a handful of connected jobs:
- Inventory so you know every device that exists and belongs to you.
- Configuration and hardening so each device is set up to a sensible baseline rather than to whatever it shipped with.
- Patching so known weaknesses get closed and stay closed.
- Behavioral detection (EDR) so you catch what a file scanner can't see.
- Monitoring and response by people so the alerts those tools produce reach someone who can read them and act.
"We have antivirus" is one box inside one of those jobs. That's not a criticism of antivirus, which does its narrow job well. It's a map of how much else there is, and how much of it runs on attention rather than on a license.
None of this is a reason to throw out what you have. If your laptops came with a capable endpoint product, the tool is probably fine. The gap is almost never the tool. It's the management layer on top of it: a complete inventory, a real configuration baseline, patch visibility, and someone watching the alerts with the authority to respond. That layer is exactly the work we do. The first part you can see and act on yourself: open your inventory, check what's patched, find out where your alerts go. The next part, keeping all of it running and watching what it generates, is where an extra pair of hands takes over.
Where this starts
Endpoint Security & Management
Workstation security and management for Windows, macOS, and Linux. We apply security baselines, enforce policies, track patch status, and can manage daily endpoint operations when your team needs more coverage.
Where it goes next
Managed Detection & Response
24/7 detection and response across endpoints, email, cloud systems, collaboration tools, and SaaS apps. The same engineers who investigate alerts also improve detections and coordinate response.