
How Autonomous Endpoint Security Helps Enterprises Move from Reactive Defence to Proactive Operations: Mathivanan Venkatachalam, ManageEngine

As enterprises contend with a rapidly evolving threat landscape marked by AI-driven attacks and increasingly distributed work environments, endpoint security has emerged as a critical frontline of defence. In this conversation with Tech Achieve Media, Mathivanan Venkatachalam, Vice President at ManageEngine, shares insights on why traditional, reactive security models are falling short and how autonomous endpoint security is enabling organisations to shift towards proactive, resilient operations. He discusses the growing importance of AI-powered EDR, the challenges of tool sprawl, and the role of device trust in strengthening Zero Trust frameworks in real-world deployments.

TAM: Why have endpoints become the most critical, and vulnerable, layer in today’s enterprise security architecture?

Mathivanan Venkatachalam: Endpoints have become the convergence point for users, identities, data, and networks, making them central to how modern enterprises operate. With the advent of cloud and mobility, endpoints are no longer confined to a defined network perimeter. They frequently connect to public Wi-Fi, home networks, hotels, and conference environments, where traditional network controls have limited effectiveness.

Continuous user interaction across both corporate tasks and personal contexts further expands the attack surface. Even when users adhere to security protocols at work, the same devices are often used more casually elsewhere, increasing the risk of intentional or accidental exposure.


At the same time, each endpoint is a complex stack of operating systems, applications, browser extensions, plugins, and background services. Maintaining consistent security across thousands of such devices is operationally difficult, leading to inevitable gaps. Operating outside controlled boundaries also reduces visibility and control due to behavioral and configuration inconsistencies. Once compromised, endpoints provide direct access to user sessions, credentials, and enterprise systems, making them a high-value entry point for lateral movement.

TAM: Are traditional, reactive security models fundamentally inadequate in dealing with AI-driven threats?

Mathivanan Venkatachalam: Yes, the traditional reactive security model is not sufficient against AI-driven threats. Today, AI-driven threats operate at speeds that used to be impossible for human threat actors. For instance, Anthropic observed an AI-orchestrated cyber espionage campaign where attackers used Claude Code to execute thousands of requests per second across sectors like technology, finance, manufacturing, and government, while targeting credentials, sensitive data, and persistence mechanisms. This is attack execution at a speed that cannot be matched by human threat actors.

Beyond speed, these threats are inherently difficult for traditional models to detect. They often rely on previously unseen patterns which signature- and rule-based systems fail to recognize. They are flagged as alerts, requiring analysts to process and remediate them.

Security systems generate large volumes of alerts, overwhelming analysts. The time needed to investigate these alerts is often longer than the time attackers take to move laterally. Today, the average breakout time for modern attacks is often just a matter of minutes. This creates a fundamental mismatch between fast, AI-driven threats and slow, reactive defenses.

TAM: How is AI-powered endpoint detection and response (EDR) changing the speed and accuracy of threat mitigation?

Mathivanan Venkatachalam: AI-powered endpoint detection and response (EDR) is transforming threat mitigation by shifting security from a human-dependent model to an autonomous, human-assisted approach, bringing machine-speed execution to defense.

By continuously analyzing high-volume endpoint telemetry and network alerts in real time using AI-driven techniques such as anomaly detection and behavioral analytics, and correlating related events into unified attack chains, these systems can reduce hundreds of low-level alerts into a smaller set of actionable incidents. This allows analysts to focus on a handful of high-confidence threats instead of triaging large volumes of alerts, significantly reducing alert fatigue.

By modeling how legitimate tools are typically used versus how they are abused, AI-powered EDR can detect malware-free and living-off-the-land attacks that signature-based methods inherently miss. This improvement in detection accuracy directly translates into speed. By reducing reliance on manual triage and enabling immediate containment, AI-powered EDR significantly lowers mean time to mitigate, aligning defensive response with the pace of modern, AI-driven attacks.

TAM: Is tool sprawl one of the biggest risks in cybersecurity today, and can unified platforms realistically solve it?

Mathivanan Venkatachalam: Yes, tool sprawl is a significant risk, impacting both detection efficiency and response speed.

Fragmented security stacks slow down threat hunting. Analysts are forced to switch between multiple tools to investigate disjointed telemetry, validate, contain, and remediate threats. This leads to context switching, manual correlation, and potential blind spots.

For example, an alert from EDR may require validation in a SIEM, containment through identity tools, remediation via patch management, and further verification elsewhere. Each step adds complexity, delay, and risk, especially if integrations fail. Maintaining these integrations also becomes resource-intensive, particularly during upgrades, when they are most prone to breaking.

Tool sprawl also limits the effectiveness of AI-powered EDR, which depends on unified, high-quality data. In siloed environments, incomplete context reduces detection accuracy and response effectiveness.

Unified platforms can address this but only with disciplined consolidation. The goal is not a single tool, but a streamlined, interoperable stack. A well-architected platform reduces context switching, improves correlation, and enables real-time remediation. The most effective approach is controlled consolidation: fewer tools, deeper integration, and systems designed to scale without breaking.

TAM: What role does device trust play in making Zero Trust architectures actually effective in real-world deployments?

Mathivanan Venkatachalam: Just as EDR solutions correlate multiple signals to identify threats, combining trust signals across device, identity, and network strengthens Zero Trust enforcement.

Relying solely on identity-based trust has its issues. Detecting malicious user behavior, such as anomalous login patterns or unusual access activity, requires contextual analysis over time. In the early stages, these deviations often appear benign and fail to meet detection thresholds. During this window, access is still granted, creating an opportunity for compromise. In contrast, compromising user identity is far simpler, whether through social engineering or basic user negligence. In such scenarios, identity-based trust alone for Zero Trust authentication can weaken the security framework, since a verified identity does not necessarily imply a secure or uncompromised session.

This is why device trust remains a core pillar of Zero Trust architecture, alongside identity and network context. Unlike identity signals, which can be indirectly inferred and delayed, device posture provides more immediate and verifiable indicators of compromise or non-compliance. Incorporating device trust ensures that access decisions are based not just on who is requesting access, but also on the state of the device making the request. If the device state changes at any point, showing signs of compromise or non-compliance, access is dynamically restricted or revoked in real time. In practice, this is enforced through mechanisms such as MDM policy checks, patch status checks, EDR telemetry integration, and certificate-based device attestation, each contributing verifiable, real-time signals that reflect the true security posture of the endpoint. This shifts access control from a one-time verification to a continuous evaluation model, ensuring that security posture and access enforcement remain aligned, rather than relying on fragmented, point-in-time checks.
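The continuous, posture-based access decision described in this answer, as an added illustration (this is example code, not ManageEngine's or Endpoint Central's implementation). The four signals, the numeric thresholds and the sample posture snapshots are assumptions chosen for the example.

```python
# Added example: a minimal device-trust policy engine that re-evaluates a
# session on every posture change (hypothetical thresholds, not a vendor's).
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    RESTRICT = "restrict"   # step-down access, e.g. low-sensitivity apps only
    REVOKE = "revoke"       # terminate the session until posture is clean


@dataclass(frozen=True)
class DevicePosture:
    mdm_compliant: bool          # result of an MDM policy check
    missing_critical_patches: int  # from the patch-status check
    edr_risk_score: int          # 0-100 summary of EDR telemetry (assumed scale)
    attestation_valid: bool      # certificate-based device attestation passed


def evaluate_posture(p: DevicePosture) -> Decision:
    """Map the current device state to an access level (thresholds assumed)."""
    # An unverifiable device or strong signs of compromise end access outright.
    if not p.attestation_valid or p.edr_risk_score >= 80:
        return Decision.REVOKE
    # Non-compliance, stale patching or elevated risk narrows access instead.
    if (not p.mdm_compliant or p.missing_critical_patches > 0
            or p.edr_risk_score >= 40):
        return Decision.RESTRICT
    return Decision.ALLOW


def continuous_evaluation(snapshots):
    """Re-evaluate a session per posture snapshot and return the decisions.
    A revoked session stays revoked until the device is fully clean again,
    so a merely 'restricted' posture does not quietly restore access."""
    history, revoked = [], False
    for snap in snapshots:
        decision = evaluate_posture(snap)
        if revoked and decision is not Decision.ALLOW:
            decision = Decision.REVOKE
        revoked = decision is Decision.REVOKE
        history.append(decision)
    return history


# Constructed sample: a healthy device, then patches fall behind, then EDR
# reports compromise, then EDR risk drops but stays elevated, then clean.
SAMPLE_SNAPSHOTS = [
    DevicePosture(True, 0, 10, True),
    DevicePosture(True, 2, 10, True),
    DevicePosture(True, 0, 95, True),
    DevicePosture(True, 0, 50, True),
    DevicePosture(True, 0, 5, True),
]
```

Running `continuous_evaluation(SAMPLE_SNAPSHOTS)` yields allow, restrict, revoke, revoke, allow: the fourth snapshot would be merely restricted on its own, but the session was already revoked and the device is not yet clean.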

TAM: What does “autonomous endpoint security” mean in practice, and how much control are enterprises willing to hand over to AI?

Mathivanan Venkatachalam: Autonomous endpoint security reduces human involvement in repetitive, low-risk decisions while retaining control over high-impact actions. Most organizations adopt it gradually, starting with recommendations, moving to approval-based actions, and eventually enabling autonomy for low-risk scenarios.

EDR systems detect suspicious activity, reconstruct attack chains, validate them using behavioral models, assess risk, and recommend responses. High-confidence, low-impact actions such as quarantining files, blocking processes, or isolating endpoints are then executed automatically. These are time-sensitive and reversible, making them suitable for machine-speed response.

Autonomy is also extending to vulnerability management. AI-driven risk scoring prioritizes vulnerabilities based on exploitability, asset criticality, and real-time threat intelligence, going beyond static scores. This enables automated, ring-based patch deployment, where updates are rolled out progressively to minimize disruption.

However, enterprises remain cautious. High-impact actions like large-scale patching or account disablement still require human oversight. In essence, autonomy is selective and confidence-driven: machines handle speed and scale, while humans retain control over decisions that carry operational risk.

TAM: How is ManageEngine evolving its endpoint security offerings to help enterprises transition from reactive defence to proactive, resilient operations?

Mathivanan Venkatachalam: The threat landscape today is faster, stealthier, and increasingly AI-driven, requiring platforms that prevent, detect, and respond in real time. ManageEngine’s Endpoint Central has evolved from a unified endpoint management solution into a comprehensive security and management platform, maintaining a single source of truth through a single agent.

Its proactive capabilities such as privilege management, encryption, device control, browser and application security, and risk-based vulnerability management reduce the attack surface and close common gaps. It also extends into access security through context-aware private access, enabling application-level connectivity with continuous risk evaluation.

As a fail-safe, it includes next-gen antivirus and anti-ransomware, along with EDR capabilities that analyze telemetry from over 1,000 sources and map behaviors to MITRE ATT&CK for early detection.

When threats are identified, the platform correlates them with underlying risks such as missing patches or privilege risks and enables fleet-wide remediation from a single console. Built-in troubleshooting and tamper-proof backup ensure rapid investigation and reliable recovery. Together, this unified approach eliminates silos, reduces response time, and enables enterprises to move from reactive defense to proactive, resilient operations.

Author

Dhrubabrata Ghosh