Application allowlisting (formerly called whitelisting) is a security control where only pre-approved software can run on an endpoint. Everything not on the approved list is blocked by default — even legitimate-looking but unauthorized programs.
Application allowlisting flips the security model. Antivirus and EDR work by blocking known-bad software; allowlisting works by only allowing known-good software. Everything else, including software nobody has seen before, gets blocked by default.
Most malware succeeds because the operating system happily runs whatever an attacker delivers: macros, scripts, executables, DLLs, PowerShell commands. Allowlisting forces every executable to be pre-approved. When a ransomware payload arrives on an endpoint, it has no chance to run because it is not on the approved list. The same applies to legitimate tools used maliciously (PsExec, mimikatz, Cobalt Strike) and to one-off attacker binaries that signature-based AV has never seen.
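The two models side by side, as an added Python example that is not from the original page: a hash-only denylist and a hash-only allowlist evaluate the same four files. Hash-only matching is a simplifying assumption, and all byte strings, names and function names are constructed for illustration.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: byte strings stand in for file contents on disk.
SAMPLES = {
    "approved_app": b"constructed: approved line-of-business app v1",
    "known_payload": b"constructed: payload with a published signature",
    # Same payload with one byte appended, so its hash was never catalogued.
    "novel_payload": b"constructed: payload with a published signature\x00",
    # A legitimate tool that nobody approved for this endpoint.
    "unapproved_tool": b"constructed: remote admin tool, not approved here",
}

# Known-bad model: the list holds what has already been seen and judged bad.
DENYLIST = {sha256(SAMPLES["known_payload"])}
# Known-good model: the list holds what has been explicitly approved.
ALLOWLIST = {sha256(SAMPLES["approved_app"])}


def denylist_decision(content: bytes) -> str:
    """Default allow: block only files whose hash is on the known-bad list."""
    return "block" if sha256(content) in DENYLIST else "allow"


def allowlist_decision(content: bytes) -> str:
    """Default deny: run only files whose hash is on the approved list."""
    return "allow" if sha256(content) in ALLOWLIST else "block"


def compare(samples: dict) -> dict:
    """Return {name: (denylist verdict, allowlist verdict)} for each sample."""
    return {
        name: (denylist_decision(content), allowlist_decision(content))
        for name, content in samples.items()
    }


if __name__ == "__main__":
    for name, (deny_model, allow_model) in compare(SAMPLES).items():
        print(f"{name:<16} denylist={deny_model:<5} allowlist={allow_model}")
```

The never-seen payload and the unapproved tool both pass the denylist and are both stopped by the allowlist, which is the default-deny behaviour described above.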
Old-school allowlisting was painful to operate — every approval was manual. Modern platforms (ThreatLocker, Microsoft Defender Application Control, AppLocker) use:
Allowlisting fits regulated industries (healthcare, defense contractors, financial services), security-mature SMBs, and any environment where ransomware impact would be catastrophic. ThreatLocker is the dominant SMB allowlisting platform; Microsoft Defender Application Control is built into Windows enterprise SKUs.