Plaidnox InfoSec
PLX-2025-025 . Confidential
Security Enablement | CrowdStrike Falcon | 94.2% Coverage

Endpoint Security Assessment
[REDACTED]

EDR/XDR deployment coverage review and configuration assessment for [REDACTED] across 4,820 endpoints including servers, workstations, and managed laptops. CrowdStrike Falcon deployment completeness and detection configuration reviewed. Engagement ref. ENG-2025-0563.

Report ID: PLX-2025-025
Client: [REDACTED]
EDR Coverage: 4,540 / 4,820
Assessed: Q1 2025
01 . Overview

Endpoint Security Assessment

Plaidnox reviewed the CrowdStrike Falcon EDR/XDR deployment for [REDACTED] across 4,820 managed endpoints. Overall sensor deployment is at 94.2% (4,540 of 4,820 endpoints), above the industry minimum of 90% but below the recommended 98% for financial services. The 280 uncovered endpoints are predominantly Linux application servers hosting payment-processing APIs and 48 legacy Windows Server 2012 R2 instances that CrowdStrike Sensor 7.x cannot support.

Configuration review identified 3 critical gaps: prevention policies are in detection-only mode for 40% of sensors, lateral movement detection (NTLM relay, Kerberoasting) is not enabled, and no custom IOA rules exist for Parkway-specific attack scenarios.


02 . Deployment Coverage

Sensor deployment inventory

4,820  Total Endpoints
4,540  Covered (94.2%)
280    Uncovered
48     EOL / Legacy
Asset Type             | Count | Covered | Coverage | Risk
Windows Workstations   | 3,200 | 3,198   | 99.9%    | Good
Windows Servers        | 480   | 472     | 98.3%    | Good
Linux App Servers      | 740   | 522     | 70.5%    | Critical
macOS Devices          | 352   | 348     | 98.9%    | Good
Legacy Server 2012 R2  | 48    | 0       | 0%       | Critical

03 . Configuration Gaps

Policy and detection configuration

ID     | Finding                                                                                          | Priority
EP-G01 | 218 Linux app servers hosting payment APIs uncovered; high-value target without EDR visibility     | Critical
EP-G02 | 48 Windows Server 2012 R2 EOL; no EDR support and no Microsoft security patches since 2023         | Critical
EP-G03 | 40% of sensors in detection-only mode; ransomware and process injection not blocked, only alerted  | High
EP-G04 | Lateral movement detection disabled; Kerberoasting, NTLM relay, Pass-the-Hash will not trigger    | High
EP-G05 | No custom IOA rules; detection relies solely on Falcon's generic ruleset with no Parkway context   | Medium
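As an added example for the coverage inventory in section 02 and finding EP-G03 above (not Plaidnox's or CrowdStrike's code): a Python reconciliation of a CMDB asset export against an EDR sensor export. It computes per-asset-type coverage against the report's 90% minimum and 98% target, lists the uncovered hosts per type, flags sensors with no CMDB record (stale inventory), and computes the share of covered hosts whose policy only alerts. Both inputs are constructed inline; the `prevention` field on the sensor export, the three-band risk rating and all hostnames are assumptions.

```python
"""Reconcile a CMDB asset export against an EDR sensor export and flag gaps.

Added example; not Plaidnox's or CrowdStrike's code. Both inputs are
constructed inline. The sensor export's 'prevention' value is an assumption:
True when the host's prevention policy blocks, False when it only alerts.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MIN_COVERAGE = 0.90     # industry minimum cited in the report
TARGET_COVERAGE = 0.98  # recommended level for financial services

# Constructed CMDB export: (hostname, asset type)
CMDB = [
    ("ws-001", "Windows Workstation"),
    ("ws-002", "Windows Workstation"),
    ("ws-003", "Windows Workstation"),
    ("srv-pay-01", "Linux App Server"),
    ("srv-pay-02", "Linux App Server"),
    ("srv-pay-03", "Linux App Server"),
    ("srv-pay-04", "Linux App Server"),
    ("dc-legacy-01", "Legacy Server 2012 R2"),
    ("mac-001", "macOS Device"),
]

# Constructed sensor export: hostname -> prevention enabled (assumed field)
SENSORS = {
    "ws-001": True,
    "ws-002": True,
    "ws-003": False,        # detection-only policy
    "srv-pay-01": True,
    "srv-pay-02": False,    # detection-only policy
    "mac-001": True,
    "srv-old-99": True,     # sensor with no CMDB record: inventory drift
}


@dataclass
class TypeStats:
    total: int = 0
    covered: int = 0
    detect_only: int = 0
    uncovered_hosts: list = field(default_factory=list)

    @property
    def coverage(self) -> float:
        return self.covered / self.total if self.total else 0.0

    @property
    def risk(self) -> str:
        # Three-band rating is an assumption; the report's table uses Good/Critical.
        if self.coverage >= TARGET_COVERAGE:
            return "Good"
        if self.coverage >= MIN_COVERAGE:
            return "Below target"
        return "Critical"


def reconcile(cmdb, sensors):
    """Per-asset-type coverage and prevention-mode stats, keyed by asset type."""
    stats = defaultdict(TypeStats)
    for host, asset_type in cmdb:
        s = stats[asset_type]
        s.total += 1
        if host in sensors:
            s.covered += 1
            if not sensors[host]:
                s.detect_only += 1
        else:
            s.uncovered_hosts.append(host)
    return dict(stats)


def unknown_sensors(cmdb, sensors):
    """Sensors reporting in with no CMDB record: the inventory is stale."""
    known = {host for host, _ in cmdb}
    return sorted(h for h in sensors if h not in known)


def overall(stats):
    """Fleet-wide totals plus the share of covered hosts left in detect-only mode."""
    total = sum(s.total for s in stats.values())
    covered = sum(s.covered for s in stats.values())
    detect_only = sum(s.detect_only for s in stats.values())
    return {
        "total": total,
        "covered": covered,
        "coverage": covered / total if total else 0.0,
        "detect_only_share": detect_only / covered if covered else 0.0,
    }


if __name__ == "__main__":
    stats = reconcile(CMDB, SENSORS)
    for asset_type, s in sorted(stats.items()):
        print(f"{asset_type:24} {s.covered:>3}/{s.total:<3} {s.coverage:6.1%} "
              f"{s.risk:13} detect-only={s.detect_only} uncovered={s.uncovered_hosts}")
    print("overall:", overall(stats))
    print("sensors without CMDB record:", unknown_sensors(CMDB, SENSORS))
```

Coverage is computed from the CMDB side only, so a sensor the CMDB does not know about never inflates the percentage; it surfaces separately through `unknown_sensors`, which is the signal that the asset inventory itself needs fixing before the headline number can be trusted.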

04 . Remediation Roadmap

Endpoint security improvement plan

Action                                                                        | Timeline | Owner
Deploy Falcon sensor to 218 uncovered Linux payment API servers               | Wk 1-3   | IT / Plaidnox
Migrate workloads off 48 EOL Windows Server 2012 R2 instances                 | Wk 2-12  | IT / Management
Enable prevention mode for the 40% of sensors in detection-only mode via policy update | Wk 1 | IT
Enable lateral movement detection (Identity Protection module)                | Wk 1-2   | Plaidnox / IT
Develop and deploy 12 custom IOA rules for Parkway-specific threat scenarios  | Wk 3-6   | Plaidnox

Conclusion
Linux payment API server coverage gap and EOL instances are the priority risks
[REDACTED] has a strong foundation with 94.2% endpoint coverage, but the 218 uncovered Linux servers processing payment APIs represent a critical blind spot. Combined with 48 EOL Windows Server 2012 R2 instances and 40% of sensors in detect-only mode, the effective prevention capability is significantly lower than headline numbers suggest. Enabling prevention mode (1 week) and deploying Linux sensors to payment tier servers (within 3 weeks) are the two actions with the highest immediate impact.
Plaidnox InfoSec . endpoint
Confidential . Authorised Distribution Only