How to Run a Security Platform Review: What to Check When Tools Are Underused
Security licences are expensive. Security staff time is limited. And in almost every organisation we work with, there are platforms that are licensed, deployed, and running in a mode that provides significantly less protection than the team believes. The gap between what a security tool is capable of and what it is actually configured to do is often large, and it is a gap that rarely gets examined systematically. Teams are busy managing incidents, handling requests, and keeping up with day-to-day operations. Reviewing whether the tools they rely on are actually doing what they are supposed to do falls off the list.
A security platform review addresses this directly. It is a structured assessment of what each platform in the security stack is configured to do, whether it is doing it, and whether the output is being used. The goal is not to generate a report of findings. It is to identify the changes that would most improve actual security coverage given the tools the organisation already has. Done well, a platform review often finds significant security improvements that cost nothing in additional licensing.
Starting the Review: Inventory and Ownership
The first step is creating a clear inventory of every security platform in use, who owns the configuration, and what it is supposed to detect or prevent. This sounds straightforward but often is not. Platforms get purchased by different parts of the business, inherited through mergers, or deployed by a previous team member with knowledge that left with them. The inventory step frequently surfaces tools that exist in the environment without a clear owner and with configurations that nobody has reviewed recently.
For each platform, document the intended purpose, the current configuration state, and the last time the configuration was reviewed. The gap between the intended purpose and what the current configuration actually enforces is where the review focuses next. A platform that was deployed to enforce application allowlisting but is currently running in audit mode only is not preventing anything. A firewall that has not had its rule set reviewed in three years may be permitting traffic that was temporarily allowed during a project and never restricted again.
What to Check in Each Category
The specific checks vary by platform type, but the underlying questions are consistent:
- Is the platform deployed to the coverage it was intended for? Endpoint agents that are not installed on all endpoints, network sensors that have gaps in coverage, and cloud connectors that are not ingesting all relevant accounts all reduce protection below what the organisation believes it has.
- Are alerts and detections being reviewed and actioned? A platform generating alerts that nobody is reading provides no security value. Check whether alert queues are being cleared, whether SLA targets for triage are being met, and whether alerts have been suppressed in ways that eliminate genuine detection.
- Is the platform integrated with the rest of the stack? Tools that operate in isolation require manual correlation. Understanding what data is flowing where and what is not being correlated surfaces gaps in the detection picture.
- Are policies appropriate for the current environment? Default configurations, policies inherited from a previous environment, and settings that predate significant infrastructure changes are all common sources of misconfiguration.
The False Sense of Security Problem
The most important thing a platform review surfaces is the difference between believed coverage and actual coverage. Organisations commonly report that they are protected by an endpoint detection and response platform, a next-generation firewall, and a cloud access security tool, and then discover during a review that the endpoint agent has not been updated in eight months, the firewall rules include several permanent any-to-any permissions from a legacy migration, and the cloud tool is not monitoring two of the three cloud tenants in use.
Each of those findings represents a genuine exposure. More importantly, the organisation was making security decisions on the assumption that those controls were working. Investments in additional tooling were being considered while the existing tools were misconfigured. A platform review corrects that picture and allows decisions to be made on the basis of actual, rather than assumed, coverage.
Turning Findings Into Improvements
A platform review produces a prioritised list of configuration and operational improvements. Prioritisation should be based on the security impact of the gap and the effort required to close it. Gaps in coverage of high-value systems come first. Misconfigurations that create known exploitation paths come next. Operational improvements to alert management and integration follow.
The improvements should be tracked, assigned, and verified. Verification matters because configuration changes in security platforms can have unintended effects, and a change that closes one gap should be checked to ensure it has not opened another. We recommend retesting the highest-priority findings after remediation to confirm the coverage has improved as expected.
To discuss a security platform review for your environment, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







