Use case · Security control coverage

You deployed the controls. Are they still on every device?

You made the investment. The rollout closed at 100%. But the fleet turns over every day, agents fail quietly, and coverage drifts the moment no one is watching. The dashboard still says you are protected. That is the most dangerous number in security: a false sense of coverage.

See your coverage on your data How it works
koopic · control coverage
illustrative
Believed coverage
100%
Actual coverage
85%
EDR CrowdStrike / Defender
94%
157 devices uncovered
Web proxy (zero trust) SWG / SSE agent
84%
408 devices uncovered
Patch / scanner agent Tenable / Qualys
92%
215 devices uncovered
MDM enrollment Intune / Jamf
97%
84 devices uncovered
Disk encryption BitLocker / FileVault
99%
16 devices uncovered

The gap you cannot see is the one that gets used.

Koopic measures your security control coverage by comparing each control - EDR, MDM enrollment, patch and scanner agents, disk encryption, the web proxy / zero-trust agent, or any tool you connect - against a unified asset inventory built from every source. It surfaces the exact devices missing a control, assigns an owner for each gap, and tracks coverage to a healthy state, so security leaders can prove coverage instead of assuming it.

How a "fully protected" fleet gets breached

A laptop is re-imaged after a hardware fault. IT restores it and ships it back the same day. The EDR agent never goes back on - not on purpose, just missed in the rush. The device shows up in the directory, in MDM, in the asset list. By every list you check, it looks normal.

Three weeks later that one machine clicks the wrong link. There is no EDR to catch the execution, no web-proxy agent to block the callback. The thing your whole program was built to stop runs unopposed - on the one box that quietly fell out of coverage.

Your dashboard said 100%. Reality was 99.4%. The breach started in the 0.6% nobody could see.

Why it happens

Coverage does not fail loudly. It drifts.

A control deployment is a project with an end date. Coverage is a living number that moves every single day after that date - usually down, and usually in silence.

The fleet churns every day

New hires, hardware refreshes, re-images, decommissions, BYOD. Every change is a chance for a device to come online without a control - or to drop one and never get it back.

Agents fail silently

An agent gets uninstalled during troubleshooting, crashes after an OS update, or simply stops checking in. Nothing alerts you. The device still shows up in your other tools, so it looks fine.

No single owner of the gap

One team deploys the tools, another manages the endpoints, another runs the program. The gap belongs to everyone and no one - so it sits.

You measured at rollout, not today

Coverage was "100%" the day the project closed. That number is a snapshot, not a live signal - and it has been drifting ever since.

Track any control

Is the zero-trust agent actually everywhere?

Zero trust only works if the web-proxy / SSE agent is on every device - the one machine without it routes around your entire policy. Koopic treats the proxy agent as a coverage signal like any other: present, missing, or stale, on every device in your inventory. EDR, MDM, patch agents, disk encryption - same idea, one view.

  • See the named devices missing each control, not just a percentage
  • Catch stale agents that check the box but stopped reporting
  • Watch coverage trend toward a healthy state instead of guessing
web proxy (zero trust) · gaps 408 uncovered
LAP-FIN-2241 agent not installed Finance
SRV-APP-0093 agent stale · 41d Platform
LAP-SAL-1180 agent not installed Sales
WS-ENG-0571 agent removed Engineering
LAP-HR-0345 agent stale · 17d People
illustrative
From blind spot to plan

Coverage you can prove. An owner for every gap.

Visibility is step one. Closing the gap - and keeping it closed - is an accountability problem. Koopic supports both ways of running it.

Centralized

One coverage dashboard and a plan

When the security or digital team owns deployment, lead with a single live coverage view and a remediation plan: what is uncovered, what is being fixed, and a trend line moving toward a healthy state you can take to leadership.

Federated

A scorecard per team or business unit

When ownership is distributed, give each team or business unit a scorecard for its own devices. Everyone can see where they stand, the gap has a name next to it, and coverage stops being someone else's problem.

How it works

No new agent. It reads the tools you already run.

01

Unify

Koopic connects to your EDR, MDM, scanners, cloud, directory and on-prem sources and merges them into one deduplicated record per device - the trustworthy denominator for coverage.

02

Compare

Each device is checked against every control's own feed. In the inventory but missing from a control - or present but stale - is a gap, including the devices no single tool would report.

03

Assign & track

Put an owner on every gap, centrally or per team, and watch coverage trend toward a healthy state over time. Coverage you can prove, not assume.

Security control coverage FAQ

How does Koopic know a device is missing a control?
Koopic builds one unified inventory from every source you connect - EDR, MDM, scanners, cloud, directory, on-prem. A device that appears in that inventory but is absent from a given control's own feed (or is present but stale and not checking in) is a coverage gap. Because the denominator comes from every source, you see the devices a single tool would never report on.
Which controls can you track coverage for?
Effectively any control that reports the devices it runs on - EDR, MDM enrollment, patch and vulnerability-scanner agents, disk encryption, and the web-proxy / zero-trust (SSE) agent are common examples. If a tool exposes which assets it covers, Koopic can turn it into a coverage signal.
Is this the same as my EDR console showing me its agents?
No. Your EDR console can only show you devices it already knows about - it cannot show you the device that never got the agent. Koopic compares the control against your full unified inventory, so the blind spot becomes visible instead of invisible.
Who gets held accountable for the gaps?
Your call. Koopic supports a centralized view - one coverage dashboard, a remediation plan, and a trend line toward a healthy state - and per-owner or per-business-unit scorecards, so each group is accountable for its own devices. Most teams start centralized and turn on ownership scorecards as the program matures.
Do I have to replace any of my tools?
No. Koopic sits on top of the security and IT tools you already run and turns their data into a coverage and risk signal. You keep your stack; Koopic gives you the cross-tool view none of them can produce alone.

Find out what your real coverage is

We will connect a sample of your data and show you, on your own fleet, exactly where your controls are - and where they are not.

See your coverage on your data Talk to us