Endpoint Security

The Endpoint Stopped Being a Laptop a Long Time Ago

Endpoint security still conjures the image of a managed laptop with an agent on it. But the endpoint has fragmented into cloud workloads, mobile devices, identities and unmanaged hardware — and a strategy anchored to the laptop is defending a shrinking fraction of where compromise actually begins.

CISO2CISO Editorial · 8 min · 2026-05-29

Executive Summary

When most organizations say "endpoint security," they are picturing a specific thing: a corporate laptop, managed by IT, running an endpoint detection and response agent that watches for malicious behavior. For roughly two decades, that mental model was adequate, because the laptop genuinely was the primary place where compromise began and where defenders could most usefully watch.

That model has quietly become a liability. The endpoint — defined as the place where work happens, where access is exercised, and where a compromise can take hold — has fragmented across a landscape far larger than the managed laptop. Cloud workloads spin up and disappear. Mobile devices access corporate data from anywhere. Contractors and partners connect from hardware the organization will never manage. And increasingly, the most consequential "endpoint" is not a device at all but an identity, exercising access from wherever it happens to be.

A security program that has poured its endpoint investment into agents on corporate laptops is defending the place attacks used to start, while attacks increasingly start somewhere else. The endpoint strategy has to expand to match where the attack surface has actually gone.

Why This Matters Now

Several shifts have pulled the center of gravity away from the managed device. The move to cloud relocated enormous amounts of computing to workloads that no traditional endpoint agent was designed to protect — ephemeral, automated, and often invisible to device-centric tooling. The normalization of remote and hybrid work scattered the workforce across home networks and personal devices, dissolving the assumption that endpoints sit within a controlled environment. And the rise of contractors, partners and bring-your-own-device arrangements means a significant share of the devices touching corporate resources are simply not under the organization's control at all.

Most importantly, identity has become the connective tissue of compromise. The modern attack frequently does not need to plant malware on a hardened laptop; it needs to obtain credentials and use legitimate access. An attacker operating through a valid identity from an unmanaged device may never trigger the laptop-based controls the organization invested in, because the laptop was never involved. Endpoint security that does not account for identity and unmanaged access is watching one door while attackers walk through several others.

CISO2CISO Insight

Ask where your endpoints are and the honest answer is no longer "in the building" or even "on the asset list." They are wherever your data is accessed and your access is exercised — which is everywhere, on hardware you increasingly do not own.

Where the Endpoint Actually Lives Now

A modern endpoint strategy starts by acknowledging the full range of what an endpoint has become.

The managed device still matters — but it is one category, not the whole. Corporate laptops and workstations remain a critical surface, and strong detection and response on them is still foundational. The error is treating that as the entirety of endpoint security rather than as one part of a larger surface.

Cloud workloads are endpoints. The servers, containers and functions running in cloud environments are where a great deal of computing — and a great deal of valuable data — now lives. They require protection designed for their ephemeral, automated nature, which traditional device agents do not provide.

Mobile is an endpoint, and a privileged one. Mobile devices access email, applications and data, and they do so from outside any controlled network. Treating mobile as a lesser concern than the laptop ignores how much sensitive access actually flows through it.

Unmanaged devices are endpoints you do not control. Contractor laptops, personal devices and partner hardware touch corporate resources without the organization's ability to install an agent. The strategy has to assume their presence and control what they can reach, rather than pretending they are not part of the surface.

Identity is the endpoint that ties it all together. Because so much compromise now operates through legitimate access, the behavior of identities — across all these devices — is itself a surface to watch. The convergence of endpoint and identity telemetry is where modern detection increasingly happens.

From EDR to a Converged View

The tooling response to this fragmentation has a direction, if not always a clean label: convergence. Endpoint detection and response was built to watch the device. Extended detection and response — and the broader move toward correlating signals across endpoints, identity, cloud and network — exists because no single surface tells the whole story anymore.

The value is not in any one product category. It is in the principle that a compromise today leaves traces across multiple surfaces, and that detecting it reliably requires correlating those traces rather than watching each surface in isolation. An attacker who phishes a credential, logs in from an unmanaged device, and accesses a cloud workload has touched three surfaces and might evade controls watching only one. The defensive answer is a converged view that can connect those events into a single picture.

This does not mean abandoning strong endpoint detection on managed devices. It means recognizing that endpoint security has become one input into a broader detection capability, rather than a self-contained discipline — and resourcing it accordingly.
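The three-surface scenario above, sketched as correlation logic; this is an added example, not code from the original article or from any product. The event schema, signal names, two-hour window and three-surface threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); field and signal names are assumptions.
EVENTS = [
    {"ts": "2026-05-01T09:02:00", "surface": "email",    "identity": "j.doe", "signal": "credential_form_submitted"},
    {"ts": "2026-05-01T09:20:00", "surface": "identity", "identity": "j.doe", "signal": "signin_unmanaged_device"},
    {"ts": "2026-05-01T09:41:00", "surface": "cloud",    "identity": "j.doe", "signal": "workload_data_read"},
    {"ts": "2026-05-01T10:05:00", "surface": "identity", "identity": "a.lee", "signal": "signin_unmanaged_device"},
    {"ts": "2026-05-03T14:00:00", "surface": "cloud",    "identity": "a.lee", "signal": "workload_data_read"},
    {"ts": "2026-05-01T11:00:00", "surface": "device",   "identity": "m.kim", "signal": "edr_suspicious_process"},
]

WINDOW = timedelta(hours=2)  # assumed correlation window
MIN_SURFACES = 3             # assumed threshold: distinct surfaces per incident


def correlate(events, window=WINDOW, min_surfaces=MIN_SURFACES):
    """Join events on identity and return one incident per identity whose
    signals span at least `min_surfaces` distinct surfaces within `window`."""
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e["identity"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    incidents = []
    for identity, evs in by_identity.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Every event for this identity inside the window opened by `first`.
            chain = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            surfaces = {e["surface"] for e in chain}
            if len(surfaces) >= min_surfaces:
                incidents.append({
                    "identity": identity,
                    "surfaces": sorted(surfaces),
                    "signals": [e["signal"] for e in chain],
                    "start": first["ts"].isoformat(),
                })
                break  # one incident per identity is enough for triage
    return incidents


def device_only_view(events):
    """What a laptop-only control sees: managed-device events and nothing else."""
    return [e for e in events if e["surface"] == "device"]


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

On the sample data the device-only view contains nothing for `j.doe`, while the identity-keyed join raises a single incident covering the email, identity and cloud signals.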

Executive Framework

| Dimension | Laptop-era endpoint security | Modern endpoint security |
|---|---|---|
| The endpoint | Managed corporate laptop | Devices, cloud workloads, mobile, identities |
| Control model | Agent on the device | Layered, including unmanaged-access control |
| Primary signal | Device behavior | Correlated device, identity and cloud signals |
| Unmanaged devices | Out of scope | Assumed present, access controlled |
| Identity | Separate concern | Central to endpoint detection |
| Tooling | EDR on endpoints | Converged detection across surfaces |

What CISOs Should Do Next

  • Redefine "endpoint" in your strategy to include cloud workloads, mobile, identities and unmanaged devices — the definition determines what gets protected.
  • Maintain strong detection and response on managed devices as a foundation, but stop treating it as the entirety of endpoint security.
  • Extend protection to cloud workloads with controls designed for their ephemeral, automated nature rather than retrofitting device agents.
  • Assume unmanaged devices are part of your surface and control what they can reach, rather than relying on an ability to manage them that you do not have.
  • Converge endpoint and identity telemetry, since so much modern compromise operates through legitimate access that device-only controls never see.
  • Invest in correlated detection across surfaces, so that an attack touching device, identity and cloud is detected as one event rather than missed as three unrelated ones.

Board-Level Questions

  • When we talk about endpoint security, are we protecting the full surface where compromise begins — or just our managed laptops?
  • How are we protecting cloud workloads and mobile devices, which now carry a large share of our valuable access and data?
  • What can an unmanaged contractor or personal device actually reach in our environment, and how do we control it?
  • Can we detect an attack that operates through legitimate identity and access, even when no managed device is involved?

Final Executive Takeaway

The image of endpoint security as an agent on a corporate laptop is not wrong so much as it is incomplete to the point of danger. It describes a real and still-important surface, but it describes a shrinking fraction of where compromise actually begins. The endpoint has fragmented — into the cloud, onto mobile, across unmanaged hardware, and ultimately into identity itself — and the security strategy has to fragment with it, or rather expand to cover all of it.

The organizations that keep pouring their endpoint investment into the laptop while attackers increasingly operate through cloud workloads, unmanaged devices and stolen identities are defending the last war. The endpoint stopped being a laptop a long time ago.

The right question is not "is our EDR deployed?" It is "do we have visibility wherever our data is accessed and our access is exercised — across every device we own, every device we don't, and every identity that ties them together?"

*To be continued...*