Stop buying more EDR until you’ve fixed identity and SaaS: a pragmatic 90-day plan

By Ash K

The uncomfortable truth

Most incidents we triage in 2025 do not begin with a kernel exploit on an endpoint; they begin with identity and SaaS: consent grants, token theft, weak conditional access, and sprawling privileges. Yet boards still ask which “next-gen EDR” to buy. That’s backwards.

EDR is essential — but not sufficient

Great EDR stops a lot of noise. It does not stop a malicious OAuth app reading an executive’s mailbox, or a contractor’s over-privileged token exfiltrating Drive. When your primary data and auth live in the cloud, control planes matter more than yet another agent.

Where your next dollar should go

  1. Own access decisions: Mandatory MFA, strong device posture, and per-request Conditional Access. Kill legacy protocols.
  2. Least privilege for humans and machines: RBAC reviews, JIT elevation (PIM), and service principal hygiene.
  3. Consent governance: Central approval flows, risky-scope review, and continuous monitoring of app grants.
  4. SaaS baselines: Standardize secure defaults for Google Workspace, M365, Slack, GitHub, Atlassian. No exceptions.
  5. Exposure management: Inventory identities, tokens, and scopes like you inventory CVEs. Measure and burn down the worst exposures weekly.

A pragmatic 90-day plan

  • Days 1–15: Disable legacy auth; block user consent; require device compliance for admin roles; enable token protection/CAE.
  • Days 16–45: Stand up JIT admin; review top 50 service principals and their scopes; remove unused OAuth grants; add detections for new app registrations and inbox rules.
  • Days 46–75: Baseline major SaaS tenants; enforce tenant restrictions and enterprise browser controls; document exceptions with owners and expiry dates.
  • Days 76–90: Run two red team exercises targeting consent and token replay; measure time-to-detect and time-to-revoke; present metrics to the board.
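As an added example (not the author's code), here is a small triage routine for two of the detections in the Days 16–45 step: consent grants carrying risky scopes and newly created inbox rules that forward externally or hide mail. The event schema and sample records are constructed for this example; the scope strings follow Microsoft Graph delegated permission names, but the log format is not any vendor's.

```python
"""Triage constructed identity/SaaS audit events for two detections from the
plan: risky OAuth consent grants and suspicious inbox rules (schema is made up)."""
from typing import Iterable, Optional

# Scopes that read or send mail, touch all files, or keep access after the
# session ends (refresh tokens). Any grant including one needs review.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "Files.ReadWrite.All", "offline_access"}

def review_consent(ev: dict) -> Optional[dict]:
    """Tenant-wide ('AllPrincipals') grants of risky scopes are high severity."""
    risky = sorted(set(ev.get("scopes", [])) & RISKY_SCOPES)
    if not risky:
        return None
    sev = "high" if ev.get("consent_type") == "AllPrincipals" else "medium"
    return {"kind": "consent", "actor": ev["actor"], "severity": sev,
            "detail": f"{ev['app']} granted {', '.join(risky)}"}

def review_inbox_rule(ev: dict, internal_domain: str) -> Optional[dict]:
    """External forwarding is high; rules that only hide mail are medium."""
    suffix = "@" + internal_domain.lower()
    external = [a for a in ev.get("forward_to", []) if not a.lower().endswith(suffix)]
    hides = ev.get("delete_message", False) or ev.get("mark_as_read", False)
    if not external and not hides:
        return None
    detail = (f"rule '{ev['rule_name']}' forwards to {external}" if external
              else f"rule '{ev['rule_name']}' hides incoming mail")
    return {"kind": "inbox_rule", "actor": ev["actor"],
            "severity": "high" if external else "medium", "detail": detail}

def triage(events: Iterable[dict], internal_domain: str) -> list:
    """Route each event to its detector; return only the findings."""
    handlers = {"consent_grant": lambda e: review_consent(e),
                "inbox_rule_created": lambda e: review_inbox_rule(e, internal_domain)}
    results = (handlers[e["type"]](e) for e in events if e["type"] in handlers)
    return [f for f in results if f]

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"type": "consent_grant", "actor": "cfo@example.com", "app": "Mail Helper",
     "consent_type": "Principal", "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"type": "consent_grant", "actor": "dev@example.com", "app": "Calendar Sync",
     "consent_type": "Principal", "scopes": ["User.Read", "Calendars.Read"]},
    {"type": "inbox_rule_created", "actor": "cfo@example.com", "rule_name": "invoices",
     "forward_to": ["archive@mail-example.net"], "delete_message": True},
    {"type": "inbox_rule_created", "actor": "ap@example.com", "rule_name": "team",
     "forward_to": ["ap-team@example.com"], "delete_message": False},
]
if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, "example.com"):
        print(f["severity"].upper(), f["kind"], f["actor"], f["detail"])
```

Feeding the tenant's real audit export into `triage` is the point; the risky-scope set and the internal domain are the two knobs to tune per tenant.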

How to talk about this with leadership

Frame it as risk traded for results: reducing the chance of business email compromise, wire fraud, and data leakage — the very incidents that actually hit the P&L. Ask for outcomes, not tools: “90% of app grants require approval,” “zero legacy protocols,” “JIT for all admins,” “mean time to revoke < 30 minutes.”

Opinion: Buy EDR where you lack visibility — then stop. Until identity and SaaS are hardened, additional agents are diminishing returns. Secure the control plane first, and you’ll prevent the breaches your agents never see.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products and security solutions architecture.