ES0.9 The Endpoint Security Maturity Model
Figure ES0.9 — The five-level endpoint security maturity model. NE starts at Level 1 (ad hoc). The course takes the learner to Level 4 (optimized), with the capstone building the Level 5 (adaptive) framework. Each level has specific, measurable criteria.
Level assessment criteria
The maturity model is only useful if the assessment criteria are specific enough to produce an unambiguous level assignment. Each level has binary criteria — you either meet them or you do not.
Level 1 (Ad Hoc): You have an EDR product deployed on most devices. AV is running with default settings. Security controls are not systematically configured. Detection depends entirely on the vendor’s built-in alerting. No custom detection rules. No documented policies for endpoint security. Incident response for endpoint-related incidents is ad hoc — different analysts handle similar incidents differently. This is where approximately 70% of M365 E5 organisations operate.
Level 2 (Baseline): MDE onboarded on 100% of managed devices with validated sensor health. AV cloud protection at High+ with Block at First Sight enabled. At least the “safe set” ASR rules in block mode (LSASS protection, vulnerable driver blocking, USB untrusted process blocking). LAPS deployed across the fleet. Compliance policies enforcing conditional access for at least standard users. Device health monitoring dashboard operational. This level provides measurable prevention improvement over default configuration.
Level 3 (Managed): Most applicable ASR rules in block or warn mode with documented exclusions. At least 10 custom detection rules with documented TP rates above 30%. AIR configured with deliberate automation levels per alert type (not all at default). Monthly hunting cadence with documented hunts. Sysmon deployed on all endpoints. Advanced audit policies and PowerShell ScriptBlock logging configured. Exclusion register maintained with quarterly review. This level provides both prevention AND detection capability.
Level 4 (Optimized): 20+ custom detection rules covering the major ATT&CK tactics relevant to your threat model. Weekly hunting cadence with hunt-to-detection pipeline operational. Cross-platform coverage (servers and Linux in MDE). Sentinel integration with cross-workload detection rules. Automation playbooks for high-confidence automated response. Vulnerability management operationalized with remediation tracking. CIS hardening baselines applied. This level represents a complete, integrated endpoint security architecture.
Level 5 (Adaptive): Threat intelligence drives detection priorities. Red team or purple team exercises validate the endpoint security stack regularly. Evasion-aware detections that anticipate and account for attacker bypass techniques. Continuous validation using Atomic Red Team or similar testing frameworks. Governance framework with documented policies, exception management, change management, and compliance mapping. Detection lifecycle management (versioning, review, retirement). This level represents continuous improvement driven by the evolving threat landscape.
Scoring each layer: what the levels mean in practice
The maturity model is not a binary pass/fail — each layer is scored independently, and the scores reveal where investment provides the most improvement.
Onboarding at “Baseline” (score 2/5): MDE is deployed to most endpoints but not all. Some servers are missing. Linux has no coverage. Device health is checked manually. Moving to “Managed” requires: 100% onboarding across all device types, automated health monitoring with alerting, and device groups configured for differentiated policy application. The effort: moderate (ES2 covers this in 2-3 weeks).
ASR at “Ad hoc” (score 1/5): No ASR rules are in block mode. Some may be in audit mode from a previous attempt that was abandoned. No ASR monitoring exists. Moving to “Baseline” requires: at least 5 safe ASR rules in block mode with documented exclusions. Moving to “Managed” requires: 12+ rules in block mode, audit data analysis cadence, exclusion register. The effort: significant (ES4 covers this over 3-5 weeks because audit data collection takes time).
Detection at “Ad hoc” (score 1/5): Zero custom detection rules. Complete dependence on MDE’s built-in detections. No hunting activity. Moving to “Managed” requires: 15+ custom detection rules with documented TP rates, weekly hunting cadence, hunt-to-detection pipeline. The effort: significant but can run in parallel with other layers (ES8-ES9, weeks 5-8).
Forensic readiness at “Ad hoc” (score 1/5): Default audit policies, no PowerShell logging, no Sysmon. Moving to “Managed” requires: advanced audit policies, ScriptBlock logging, Sysmon deployed with a tuned baseline. The effort: moderate (ES11, weeks 6-8).
The scoring reveals NE’s improvement path: onboarding is closest to target (2/5 → 4/5 with focused effort). ASR and detection need the most work but provide the highest security improvement. Forensic readiness is the foundation that investigation depends on — deploy it in parallel with detection engineering.
Your self-assessment places you at Level 1. Your CISO wants Level 4 within 6 months. Is this realistic? It depends on resources. The course content covers the full journey from Level 1 to Level 5. The engineering work to implement it at NE’s scale (865 endpoints, 12 servers, 8 Linux servers) requires approximately 200-300 engineering hours across the 90-day plan — or roughly 15-25 hours per week of dedicated endpoint security engineering time. If you have a full-time security engineer, 6 months is achievable with margin. If endpoint security engineering is 20% of one person’s role, target Level 3 at 6 months and Level 4 at 12 months. Set realistic targets. Achieving Level 3 provides substantial security improvement. Overcommitting and failing to reach Level 4 is worse than committing to Level 3 and delivering it.
Try it: assess your maturity level
For each level, check whether you meet ALL criteria (not most — all). Your maturity level is the highest level where you meet all criteria.
Level 2 criteria check: (a) 100% MDE onboarded with active sensor health? (b) AV cloud protection at High+? (c) At least 3 ASR rules in block mode? (d) LAPS deployed? (e) Compliance policies enforce CA? (f) Device health monitoring active?
If you fail any single criterion in Level 2, you are Level 1 — regardless of how advanced your custom detections are. The maturity model is cumulative: you cannot be Level 3 without first meeting all Level 2 criteria. This is intentional. An organisation with 20 custom detection rules but no ASR enforcement has advanced detection on top of an unprotected endpoint — the attacker bypasses the detection by exploiting the missing prevention controls.
Record your current level and target level. The gap between them maps to specific modules in this course.
The maturity model as a communication tool
The maturity model serves a dual purpose: it is an engineering planning tool (which layers to improve, in which order) and an executive communication tool (where we are, where we are going, and what investment is needed to get there).
When presenting to the CISO, the maturity model visualises the gap between current state and target state across every layer. A spider diagram showing the current scores (1.2 average across 10 layers) overlaid with the target scores (3.5 average after the 90-day project) makes the scope of the improvement instantly visible. The delta between current and target drives the project plan. The progress from current toward target drives the monthly status report.
When presenting to the IT team, the maturity model identifies which layers require their collaboration. Onboarding (layer 1) needs the endpoint management team. Compliance (layer 2) needs Intune administrators. Server hardening (layer 7) needs the server infrastructure team. Each layer’s maturity improvement has specific dependencies on other teams — the maturity model makes these dependencies explicit and the timeline visible.
The quarterly re-assessment is not just measurement — it is the accountability mechanism. If a layer’s score does not improve between quarters, either the planned work was not executed (resource issue), the planned work was executed but ineffective (engineering issue), or the target was unrealistic (planning issue). Each explanation drives a different corrective action.
The myth: Only the highest maturity level provides adequate security. Anything less is insufficient.
The reality: Level 3 (Managed) represents a significant security improvement over the Level 1 default that most organisations operate at. Level 3 provides: prevention (ASR rules enforced, AV tuned), detection (custom rules with validated TP rates), response (AIR configured), and forensic readiness (Sysmon, audit policies). Most organisations will stop the majority of attacks at Level 3. Level 4 and Level 5 are for organisations facing advanced, targeted threats — nation-state actors, organised crime groups with custom tooling, sophisticated insider threats. The target level should be proportional to the threat model. A 50-person professional services firm facing commodity threats needs Level 3. A defense contractor facing state-sponsored espionage needs Level 5. Assess your threat model before setting your target.
Troubleshooting
“We meet some criteria from Level 3 and Level 4 but not all from Level 2 — what level are we?” Level 1. The maturity model is cumulative. Advanced detections on an unprotected endpoint are like sophisticated locks on an open door. Fix the Level 2 gaps first — they represent the foundation that everything else depends on.
“Our management wants a maturity score, not a level — they want a number out of 100.” Convert the model to a weighted score: Level 1 criteria = 20 points, Level 2 = 20, Level 3 = 20, Level 4 = 20, Level 5 = 20. Partial credit within each level: if you meet 4 of 6 Level 2 criteria, score 13/20 for that level. Total: (Level 1 score) + (Level 2 score) + … = composite score out of 100. NE’s current score: approximately 20/100 (full Level 1, partial Level 2). Target: 70-80/100 (full through Level 3, most of Level 4).
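The cumulative level rule from the self-assessment above and the weighted composite score just described pull in different directions, and it helps to see both computed from one checklist. The following is an added example, not part of the course material: the criteria labels paraphrase this page's level descriptions (Level 2 uses the six-item "Try it" checklist), the ticked values are constructed for a hypothetical organisation, and the partial-credit rounding rule (round down) is an assumption that happens to agree with the page's own 4-of-6 gives 13/20 example.

```python
"""Endpoint security maturity: cumulative level plus composite score out of 100.

Added example, not the course's own tooling. Criteria labels are paraphrased
from this page; the checklist values are constructed; rounding down for
partial credit is an assumption (4 of 6 criteria -> 13/20, as on the page).
"""

from typing import Dict, List, Set

Checklist = Dict[str, bool]

# Binary criteria per level. Level 2 is the six-item "Try it" checklist.
LEVEL_CRITERIA: Dict[int, List[str]] = {
    1: [
        "EDR deployed on most devices",
        "AV running",
    ],
    2: [
        "100% MDE onboarded with active sensor health",
        "AV cloud protection at High+",
        "At least 3 ASR rules in block mode",
        "LAPS deployed",
        "Compliance policies enforce conditional access",
        "Device health monitoring active",
    ],
    3: [
        "Most applicable ASR rules in block/warn with documented exclusions",
        "At least 10 custom detection rules with TP rate above 30%",
        "AIR automation levels set deliberately per alert type",
        "Monthly hunting cadence with documented hunts",
        "Sysmon deployed on all endpoints",
        "Advanced audit policies and ScriptBlock logging",
        "Exclusion register with quarterly review",
    ],
    4: [
        "20+ custom detection rules covering relevant ATT&CK tactics",
        "Weekly hunting with hunt-to-detection pipeline",
        "Servers and Linux covered in MDE",
        "Sentinel integration with cross-workload rules",
        "Automation playbooks for high-confidence response",
        "Vulnerability management with remediation tracking",
        "CIS hardening baselines applied",
    ],
    5: [
        "Threat intelligence drives detection priorities",
        "Regular red/purple team validation",
        "Evasion-aware detections",
        "Continuous validation (Atomic Red Team or similar)",
        "Governance framework with policies and exception management",
        "Detection lifecycle management",
    ],
}

POINTS_PER_LEVEL = 20  # five levels x 20 points = composite out of 100


def build_checklist(met: Set[str]) -> Checklist:
    """Expand a set of satisfied criteria into a full True/False checklist."""
    return {c: c in met for lst in LEVEL_CRITERIA.values() for c in lst}


def level_met(level: int, checks: Checklist) -> bool:
    """All criteria of the level, not most. One miss fails the level."""
    return all(checks.get(c, False) for c in LEVEL_CRITERIA[level])


def maturity_level(checks: Checklist) -> int:
    """Highest level L such that levels 1..L are each fully met (cumulative).

    Returns 0 only when even the Level 1 criteria are unmet (assumed
    convention; the page treats Level 1 as the starting state).
    """
    level = 0
    for lvl in sorted(LEVEL_CRITERIA):
        if not level_met(lvl, checks):
            break
        level = lvl
    return level


def level_score(level: int, checks: Checklist) -> int:
    """Partial credit: (met / total) of the level's 20 points, rounded down."""
    criteria = LEVEL_CRITERIA[level]
    met = sum(1 for c in criteria if checks.get(c, False))
    return (met * POINTS_PER_LEVEL) // len(criteria)


def composite_score(checks: Checklist) -> int:
    """Sum of per-level partial credit. Deliberately NOT cumulative: Level 4
    points count even when Level 2 has gaps, so the composite can flatter an
    organisation that the level rule correctly pins at Level 1."""
    return sum(level_score(lvl, checks) for lvl in LEVEL_CRITERIA)


# Constructed checklist: full Level 1, 4 of 6 at Level 2 (no ASR block mode,
# no device health monitoring), strong detections at Levels 3 and 4.
EXAMPLE_CHECKS = build_checklist({
    "EDR deployed on most devices",
    "AV running",
    "100% MDE onboarded with active sensor health",
    "AV cloud protection at High+",
    "LAPS deployed",
    "Compliance policies enforce conditional access",
    "At least 10 custom detection rules with TP rate above 30%",
    "AIR automation levels set deliberately per alert type",
    "20+ custom detection rules covering relevant ATT&CK tactics",
})

if __name__ == "__main__":
    # Level 1 (a Level 2 criterion is missed) but a composite of 40/100.
    print("level:", maturity_level(EXAMPLE_CHECKS))
    print("composite:", composite_score(EXAMPLE_CHECKS))
    for lvl in LEVEL_CRITERIA:
        print(f"  level {lvl}: {level_score(lvl, EXAMPLE_CHECKS)}/{POINTS_PER_LEVEL}")
```

Running it on the constructed checklist gives Level 1 with a composite of 40/100, which is exactly the "advanced detection on top of an unprotected endpoint" case the Troubleshooting answer warns about: report the level alongside the number, or the number will hide the missing Level 2 foundation.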