EDR for every endpoint, managed 24/7 by nCrypt SOC — leased on a 36-month bundle. Sophos Intercept X or Kaspersky EDR Expert, on-prem management appliance, and incident-response retainer included.

The endpoint — the laptop, the workstation, the server — remains the most common initial compromise point in Malaysian enterprise breaches. Phishing delivers a malicious macro or a credential-harvesting link. A user clicks. The attacker has a foothold on a device inside the network. What happens next depends entirely on what security controls are running on that device and on the network monitoring capability watching for lateral movement.
Three endpoint threat scenarios that EDR directly addresses: (1) Living-off-the-land attacks — adversaries using legitimate Windows tools (PowerShell, WMI, certutil, mshta) to execute malicious activity, bypassing signature-based detection. EDR detects the behavioural pattern regardless of the tool being legitimate. (2) Fileless malware — malware that runs entirely in memory, never writing to disk, and thus invisible to file-scanning antivirus. EDR captures memory injection events and process injection chains. (3) Ransomware detonation — EDR identifies the mass file encryption behaviour of ransomware within seconds and triggers automatic process termination and endpoint isolation, limiting the blast radius to files modified before detection.
For organisations under BNM RMiT, endpoint protection with continuous monitoring is a specific control requirement. Under PDPA 2024, the personal data on employee and customer-service endpoints is protected data — a compromised endpoint that exfiltrates customer records triggers mandatory breach notification. See the managed security leasing overview and consider pairing with SOC Sensor-as-a-Service for network-layer coverage alongside endpoint coverage.
Traditional EDR licensing is sold as annual seat licences — you buy a fixed number of seats, pay upfront or annually, and manage the renewal process each year. Seat-count growth requires additional purchase orders and budget cycles. Seat-count contraction wastes the licence budget you have already committed. For organisations with variable headcount — seasonal hiring, contractor-heavy workforces, post-merger integration — the fixed-seat model creates budget volatility.
The Endpoint-as-a-Service model uses per-endpoint monthly pricing at a fixed rate for the 36-month term. Adding endpoints mid-term is handled as a contract amendment — you notify nCrypt of the new devices, the agent is deployed, and the monthly invoice increases by the per-endpoint rate. There is no new purchase order, no vendor negotiation, and no budget cycle. The management appliance and SOC capacity are sized with growth headroom during the initial scoping.
The on-prem management appliance included in the bundle is a particular differentiator for regulated organisations. Cloud-managed EDR consoles — where the management and telemetry are hosted by the vendor on foreign cloud infrastructure — create the same data-sovereignty tension as cloud SIEM for BNM-licensed FIs. The on-prem appliance keeps all endpoint telemetry inside your network perimeter and the Malaysian nCrypt SOC. For the purposes of BNM RMiT data-sovereignty obligations, this architecture is cleaner than any cloud-native EDR alternative.
Traditional antivirus uses signature databases — it compares files against a list of known malware hashes. Attackers defeat it by modifying malware slightly (polymorphic malware) or by using legitimate system tools for malicious purposes (living-off-the-land attacks using PowerShell, WMI, cmd.exe). Endpoint Detection and Response (EDR) instead analyses behaviour — it monitors process execution trees, memory allocation patterns, file system modifications, network connections, and registry changes in real time. A process that launches PowerShell, downloads a script from the internet, and executes it in memory triggers a behavioural alert regardless of whether the script matches any known signature. EDR detects threats that antivirus is blind to, and provides the forensic context needed to understand and contain an incident.
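The behaviour-based approach just described (a document spawning PowerShell that downloads and runs a script in memory, plus the injection and mass-encryption behaviours from the three threat scenarios above) can be shown with a small detector. This is an added example, not nCrypt's, Sophos' or Kaspersky's code; the event format and every telemetry line are constructed for the demo, and the keyword lists and thresholds are illustrative assumptions.

```python
# Added illustration (not nCrypt/Sophos/Kaspersky code): a toy behavioural detector
# over constructed telemetry. It flags what a process does, never its file hash.
from collections import defaultdict, deque

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}
# Command-line markers of download-and-execute or obfuscated intent (assumed list)
DOWNLOAD_EXEC_MARKERS = ("downloadstring", "invoke-expression", "-encodedcommand")
MASS_WRITE_THRESHOLD = 50  # file modifications by one process ... (assumed value)
MASS_WRITE_WINDOW_S = 5.0  # ... inside this sliding window, in seconds (assumed)

def detect(events):
    """Return (pid, rule) alerts for constructed telemetry tuples of the form
    (time_s, kind, pid, parent_image, image, detail), where detail is the
    command line (kind "process"), the target image (kind "inject") or the
    path written (kind "file")."""
    alerts = []
    writes = defaultdict(deque)  # pid -> timestamps of recent file writes
    mass_fired = set()           # pids already flagged for mass writes
    for t, kind, pid, parent, image, detail in events:
        if kind == "process" and image in SCRIPT_HOSTS:
            if parent in OFFICE_APPS:
                alerts.append((pid, "office application spawned a script host"))
            if any(m in detail.lower() for m in DOWNLOAD_EXEC_MARKERS):
                alerts.append((pid, "download-and-execute style command line"))
        elif kind == "inject" and image in SCRIPT_HOSTS:
            alerts.append((pid, f"script host injected into {detail}"))
        elif kind == "file":
            q = writes[pid]
            q.append(t)
            while t - q[0] > MASS_WRITE_WINDOW_S:  # drop writes outside the window
                q.popleft()
            if len(q) >= MASS_WRITE_THRESHOLD and pid not in mass_fired:
                mass_fired.add(pid)
                alerts.append((pid, "mass file modification (ransomware-like)"))
    return alerts

# Constructed sample: a macro-document chain, a benign service, and a process
# rewriting 60 documents in about three seconds. None of this is real telemetry.
SAMPLE = [
    (0.0, "process", 100, "explorer.exe", "winword.exe", "winword.exe invoice.docm"),
    (1.0, "process", 101, "winword.exe", "powershell.exe",
     "powershell.exe -EncodedCommand <constructed placeholder>"),
    (2.0, "inject", 101, "winword.exe", "powershell.exe", "explorer.exe"),
    (3.0, "process", 102, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
] + [(5.0 + i * 0.05, "file", 103, "explorer.exe", "untrusted.exe",
      f"C:\\Users\\u\\Documents\\report{i}.docx.locked") for i in range(60)]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The benign svchost.exe line produces nothing, while the document chain fires three alerts on one pid and the bulk rewrite fires once when the 50th write lands inside the window.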
Both are world-class EDR platforms. Sophos Intercept X has strong integration with the Microsoft ecosystem — Defender, Intune, Sentinel — and an intuitive management console that your IT team can learn quickly. Sophos also has a mature managed threat response service that nCrypt integrates with for deeper SOC workflows. Kaspersky EDR Expert has the deepest behavioural detection engine for OT-adjacent environments and regulated sectors, and its threat intelligence network draws on one of the largest global sensor networks. For Microsoft-heavy environments with no OT footprint, Sophos. For mixed-vendor, OT-adjacent, or highly regulated environments (banking, government), Kaspersky. We size and quote both so you can compare.
The management appliance is the centralised console from which all endpoint agents are managed — policy deployment, detection review, forensic investigation, and response actions (process termination, endpoint isolation). Running the management appliance on-prem rather than in the vendor cloud keeps all endpoint telemetry — process execution logs, network connection logs, file activity — within your network. This is the data-sovereignty preference for BNM-regulated organisations. Mid-Market and Enterprise configurations include a high-availability management appliance pair to ensure the management function is never a single point of failure.
nCrypt SOC analysts monitor the EDR alert queue continuously. High-severity alerts — ransomware behaviour, credential dumping, lateral movement indicators, C2 communication — are triaged within 15 minutes of firing. For confirmed active threats, the SOC executes the pre-approved response playbook: endpoint isolation (network-only, preserving forensic state), process termination, file quarantine. The customer receives a notification immediately and a detailed incident report within 4 hours. Lower-severity alerts (policy violations, suspicious but not confirmed malicious behaviour) are triaged within 1 hour and batched into the daily summary report.
Yes. Both Sophos and Kaspersky EDR agents cover Windows, macOS, and Linux. Remote workers are protected through the agent running on the device regardless of network location — the agent communicates with the on-prem management appliance via an encrypted tunnel when off-network. For macOS-heavy environments (design firms, media agencies, technology companies), Sophos has the stronger macOS feature set. For Linux server protection — common in SaaS companies, cloud-native organisations, and hosting providers — Kaspersky has broader Linux distribution support.
The SOC can remotely isolate an endpoint from the network — cutting all network access while preserving full local functionality and forensic state — within minutes of confirming a compromise. The endpoint continues to run, logs continue to be generated, and the investigation can proceed without the risk of the attacker using the compromised endpoint to move laterally. Isolation is a reversible action; the SOC can restore network connectivity once containment is confirmed. The 20-hour annual IR retainer included in the SMB tier covers the investigation and remediation work that follows containment.
Hardware-as-a-Service · 36-month bundle
Sophos Intercept X or Kaspersky EDR Expert + on-prem management appliance + nCrypt SOC monitoring — bundled at 36-month per-endpoint pricing.
EDR/XDR agent licences (Sophos or Kaspersky)
On-prem management appliance (HA in Mid-Market+)
24/7 SOC monitoring & response
Quarterly threat-hunt reports
Hardware refresh at month 30
Incident-response retainer hours included
SMB: RM 1,500 – 3,000 / month; 50-100 endpoints, single management node
Mid-Market: RM 3,000 – 8,000 / month; 200-500 endpoints, HA management, server EDR
Enterprise: RM 8,000 – 25,000+ / month; 500+ endpoints, multi-region, XDR with cloud + email + identity
Need a one-off engagement instead of a leased bundle? See our consulting service →
Share your user count, locations, and current stack. We'll respond within 24 hours.
Three minutes in the calculator. A precise quote emailed within 24 hours.
Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.