  1. I will second the suggestion to add some sort of Application Control/Whitelisting feature. I know you mentioned it's on the longer-term roadmap, but I'm not sure what that timeline looks like. Application whitelisting is becoming a preferred endpoint control; in fact, the Australian ASD emphasizes it in their "Essential Eight" controls (https://www.cyber.gov.au/publications/essential-eight-explained). I've used Microsoft's built-in Software Restriction Policies, and while those still generally work, they are no longer being actively developed/supported by Microsoft. AppLocker is the suggested replacement, but that's only available in Enterprise, which is very costly to license, so many small to medium-sized businesses use Windows Pro. Application control is also becoming a common feature in business endpoint products. I reviewed several of the main business endpoint vendors, and it's included in some fashion by the following: Symantec Endpoint Protection, McAfee, Trend Micro Worry-Free Services, Kaspersky ("Trusted Applications Mode"), Bitdefender, and F-Secure PSB. I like the configurability that HIPS offers, but it cannot quite replicate the "default deny" capabilities of a whitelisting approach.
