
Autonomous security agents need complete asset data. Here’s how to check whether yours is.

The endpoint agent cannot report its own absence. The 2026 Axonius Actionability Report, conducted with the Ponemon Institute and surveying 662 IT and security professionals, put a number on the gap SOC teams have been working around for years: across Axonius customers, 12.7% of the 298,000 devices inventoried are missing their expected security agent.

If a device has no agent, no management console shows it. If the CMDB record is stale, no reconciliation flags it. Employees who installed Claude Enterprise without going through procurement created a SaaS footprint, an identity footprint, and an API-token footprint that endpoint telemetry alone cannot reliably inventory. The coverage percentage on the EDR dashboard is structurally incomplete because the reporting mechanism cannot detect what it does not cover.

That gap matters more now than it did six months ago. SOC and XDR vendors are pushing autonomous investigation and remediation into production. Those agents will query the same dashboards, trust the same coverage percentages, and act on the same blind spots that human analysts have learned to work around. A human analyst second-guesses the 98% number. An autonomous agent takes it at face value and moves at machine speed.

Three independent signals point to the same gap

Gravitee’s 2026 survey of 900-plus managers found that 88% reported confirmed or suspected AI-related incidents, and only 14.4% had deployed agents with full security sign-off. The Axonius/Ponemon report found 52% of respondents would allow autonomous agents to act on recommendations, while 63% said the underlying data lacked the information needed to act on. The CSA’s Agentic Trust Framework requires verified data management before agents may take any action.

Mike Riemer, Field CISO at Ivanti, said that known vulnerabilities on Azure honeypot networks can now be attacked in under 90 seconds. “Traditional security measures continue to work,” Riemer told VentureBeat.

The caveat is that those measures only protect what they can see. An EDR agent deployed across 87.3% of the device inventory leaves the remaining 12.7% without that agent’s telemetry, policy enforcement, and discovery logic.

Customer deployment data shows the scale

Joe Diamond, CEO of Axonius, told VentureBeat that the average CISO sees about 50% of what is on the network. “Say 50% of their land is sitting in the dark,” Diamond said. “They don’t know what it is, where it is, or who has access to it, if it’s secure, if it’s not secure.”

Deployment data from more than 900 Axonius customers bears those numbers out. TransUnion went from 70% to 99% endpoint coverage after out-of-band verification. Western Union went from 85% to 99% by correlating data from 38 tools and cutting manual effort in half. Lumen found 1.1 million assets where its CMDB showed 17,000. That translates to about 37,000 unmanaged endpoints per organization sitting outside every policy, every patch cycle, and every discovery rule.

Diamond pointed to Mythos, Anthropic’s frontier reasoning model, as a sign that machine-speed attack tooling will make any unknown asset far more dangerous than it is today. “People tend to have shiny object syndrome,” he said. “If you don’t understand what 50% of your environment looks like from a traditional perspective, and you think you’re going to run into AI control, your plan will fail.” Diamond called the broader AI revolution “as big, if not bigger, than the Internet.”

Three approaches compete to close the gap

No single architecture solves the visibility problem today. Three approaches are competing, each with specific tradeoffs security teams should check before buying.

A dedicated integration layer uses bidirectional API adapters to build a current inventory. Axonius runs 1,400-plus adapters and is adding Claude Enterprise coverage with its Anthropic adapter (GA June 15). “We created a bidirectional API integration with all the IT systems and all the security controls to create an up-to-date inventory of what the environment looks like,” Diamond told VentureBeat.

Platform-native EDR and XDR intelligence builds rich asset context within the agent footprint. Depth inside that footprint is its advantage. The limit is structural: platform-native intelligence is bound by what the agent can see, and the gap the Ponemon report identified lives precisely where that visibility ends.

A modern CMDB requires continuous reconciliation against three or more independent telemetry sources. Only 13% of organizations reconcile daily, according to the Axonius/Ponemon data. The remaining 87% work from stale records that feed incorrect prioritization into any auto-remediation pipeline.

EDR data readiness: five gates before automated remediation

Before you let autonomous SOC agents close tickets or quarantine assets, this checklist tells you whether your EDR and asset data are strong enough to trust. It is vendor-agnostic, works with any EDR and CMDB, and gives you five pass/fail gates to apply in a single operational review.

| Risk area | What the data shows | Readiness threshold | The step you should take now |
|---|---|---|---|
| Asset inventory delta | Ponemon: only 45% have a single view of coverage. Forrester TEI: 150% more assets than previously identified. Lumen: 17K in CMDB vs. 1.1M found. | Delta ≤10% between discovery, CMDB, and EDR agent counts. A delta greater than 10% blocks auto-remediation until reconciled. | Run API-based discovery against all segments. Diff the result against the CMDB and EDR console counts. Reconcile at least quarterly. |
| Unmanaged AI services | Gravitee: 88% confirmed or suspected AI incidents. Only 14.4% have full security sign-off. The Anthropic adapter (GA June 15) surfaces unmanaged Claude Enterprise installs. | No high-risk AI services without authorized procurement. Weekly SaaS discovery scan. Unmanaged high-risk findings trigger an IR assessment before any autonomous action. | Use SaaS discovery or protocol-level adapters for AI service discovery. Scan weekly. Route unmanaged findings to the IR queue. |
| CMDB record accuracy | Ponemon: only 13% reconcile daily (RSAC 2026). Brooks Running: 20% server difference between console and standalone discovery. Top remediation barriers: unclear prioritization, unclear ownership, inconsistent data. | ≥85% of records verified against 3+ independent telemetry sources. No stale or orphaned records in the active remediation queue. | Cross-reference the CMDB against cloud inventory, EDR telemetry, and IdP directories. Continuous reconciliation replaces annual audit cycles. |
| Endpoint agent coverage gap | Ponemon: the agent cannot report its absence (page 8). TransUnion: 70% to 99% after out-of-band verification. RSAC 2026: 12.7% of 298K devices are missing the expected agent. | ≥95% agent coverage confirmed by out-of-band discovery. Many CISOs set this as a minimum before allowing autonomous remediation. No self-reported metrics in board reports. | Run network-based or API-driven discovery against the managed device list. Coverage below 95% disables the auto-remediation scope. |
| Asset ownership map | Ponemon: 32% tag consistently. Only 51% assign ownership to newly discovered assets (pages 9, 16). TransUnion: 12K to 190K assets with mapped identities. | Owner assigned within 24 hours. Tags consistent across all clouds, EDR, and CMDB. Three systems showing three owners = failure. | Automate ownership with cloud tags, IdP group membership, or CMDB metadata. Map asset, configuration, and business owner as separate fields. |

Five questions to ask before authorizing autonomous SOC action

  1. What independently verifies endpoint agent coverage outside the EDR console?

  2. How does the SOC reconcile EDR, CMDB, cloud inventory, IdP, and discovery tools against one another?

  3. Can AI agents act on assets with unknown or disputed ownership?

  4. Can the program distinguish “unprotected” from “undetectable”?

  5. What data-quality gate halts autonomous remediation when coverage or ownership falls below a threshold?

A board-ready risk framing

Kayne McGladrey, an IEEE Senior Member, confirmed the pattern in several published VentureBeat interviews. The structural gap in self-reported coverage is not new. What is new is that autonomous agents will act on it at machine speed, without the institutional skepticism human analysts developed over many years. Diamond summarized the board-level finding in an April 2026 press release: “Findings are cumulative because the data is not trusted, ownership is unclear, and all asset classes are not even in the picture.”

The CSA’s Agentic Trust Framework requires that any agent promoted to the highest level of autonomy pass five gates, including demonstrated accuracy and security testing. The EU AI Act’s Article 50 transparency obligations come into force on 2 August 2026. The May 2026 Digital Omnibus pushed the high-risk system obligations back to December 2027, but organizations deploying SOC agents on incomplete asset data face an immediate operational risk that no deadline addresses.

One sentence for the board: Our EDR reports are structurally incomplete because the endpoint agent cannot report its own absence, so we confirm coverage with out-of-band discovery before letting autonomous agents act on those reports at machine speed.

The security leader’s playbook

  1. Start out-of-band discovery this week. Compare the results with your CMDB export count and the EDR console count. If the delta exceeds 10%, halt the auto-remediation scope until the gap is reconciled.

  2. Use SaaS discovery for AI services. Employees are adopting AI ahead of procurement and ahead of security. Weekly scans are a small cost. Escalate any high-risk unmanaged finding to your incident response queue for assessment before any autonomous action.

  3. Map asset ownership to remediation accountability. Ponemon found only 32% of organizations use tags consistently. If three systems show three different owners for the same asset, automated remediation has no routing target. Build the ownership layer before deploying the agents that depend on it.

  4. Retire coverage metrics that are self-reported only. Any risk calculation or board report that relies solely on EDR console counts is based on data the reporting system cannot verify. Require out-of-band verification for every coverage number that informs a risk decision.
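The gates from the readiness table and the first and third playbook steps reduce to a few set comparisons between an out-of-band discovery result, the CMDB, and the EDR console. The script below is an added illustration, not code from the article or from any vendor named in it; the device ids, owner tags, and the 10% and 95% thresholds applied as defaults are constructed from the checklist, and a real deployment would feed it exports from its own discovery, CMDB, and EDR tools.

```python
from dataclasses import dataclass, field

# Constructed sample inventories (device ids seen by each source), not real data.
DISCOVERY = {"d%03d" % i for i in range(1, 101)}       # out-of-band discovery: 100 devices
CMDB = {"d%03d" % i for i in range(1, 91)} | {"d900"}  # 90 current records plus one orphan
EDR = {"d%03d" % i for i in range(1, 89)}               # 88 devices self-report an agent

# Constructed owner tags from three systems for three assets.
OWNERS = {
    "d001": {"cloud": "payments", "edr": "payments", "cmdb": "payments"},  # consistent
    "d002": {"cloud": "payments", "edr": "infra", "cmdb": "ops"},          # three owners
    "d003": {"cloud": None, "edr": None, "cmdb": None},                    # no owner at all
}

@dataclass
class GateResult:
    inventory_delta: float        # largest share of discovered devices missing from CMDB or EDR
    agent_coverage: float         # share of discovered devices that report an EDR agent
    orphaned_records: int         # CMDB records that out-of-band discovery does not confirm
    ownership_conflicts: list = field(default_factory=list)

def inventory_delta(discovered, cmdb, edr):
    """Gap between out-of-band discovery and each self-reported source; the worst one counts."""
    missing_cmdb = len(discovered - cmdb) / len(discovered)
    missing_edr = len(discovered - edr) / len(discovered)
    return max(missing_cmdb, missing_edr)

def ownership_conflicts(owners):
    """Assets where the three systems disagree on the owner, or none names one."""
    return sorted(asset for asset, tags in owners.items()
                  if len({v for v in tags.values() if v}) != 1)

def evaluate_gates(discovered, cmdb, edr, owners):
    """Compute every gate from raw inventories; the EDR console count alone is never trusted."""
    return GateResult(
        inventory_delta=inventory_delta(discovered, cmdb, edr),
        agent_coverage=len(discovered & edr) / len(discovered),
        orphaned_records=len(cmdb - discovered),
        ownership_conflicts=ownership_conflicts(owners),
    )

def auto_remediation_allowed(r, max_delta=0.10, min_coverage=0.95):
    """Checklist thresholds: delta <= 10%, coverage >= 95%, no orphans, no ownership conflicts."""
    return (r.inventory_delta <= max_delta and r.agent_coverage >= min_coverage
            and r.orphaned_records == 0 and not r.ownership_conflicts)
```

With the sample data the delta is 12% and agent coverage 88%, so the gate closes on the first two checks alone; the orphaned CMDB record and the two ownership conflicts would each block it as well.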
