Two controls, opposite assumptions
Antivirus and application control sit at opposite ends of the same problem.
Antivirus assumes execution is allowed by default and tries to recognise the bad. Application control assumes execution is denied by default and only permits the known good. One is a filter against known threats. The other is a boundary around the entire executable surface.
Both have their place. But they make opposite assumptions about what is normal on an endpoint, and that has a much bigger consequence than it usually gets credit for.
Why application control gives a tighter posture
When only authorised software is allowed to run, several things become true at once:
- unknown and zero-day binaries do not execute, regardless of detection signatures
- the environment becomes more uniform, because the set of permitted software is finite and known
- shadow IT is structurally constrained, not just discouraged
- the software inventory becomes a side effect of the control, not a separate exercise
- containment is built in — code that was not approved cannot run, even if it lands on the device
Antivirus cannot make those guarantees, because it is operating against an open-ended search space. Application control changes the shape of the problem.
So why is the adoption picture so lopsided?
Antivirus is treated as a baseline expectation. It is hard to find a managed enterprise environment that does not have some form of endpoint protection in place — it is on procurement checklists, regulatory frameworks, and cyber insurance forms by default.
Application control is a different story. Industry coverage and academic research consistently describe its enterprise adoption as low. One commonly cited survey suggests fewer than a third of organisations actively use allowlisting, and academic studies describe global adoption as low even at large enterprise organisations that arguably should have implemented it.
So there is a stronger control, recommended by major frameworks including the Australian Cyber Security Centre's Essential Eight, available natively in Windows, and yet the adoption pattern looks nothing like antivirus.
The reason is not the technology
The technology is there. WDAC (Windows Defender Application Control) and AppLocker are built into Windows. They are part of the operating system. There is no agent to procure, no kernel module to debate, no licensing minimum to clear before getting started.
The gap is not technical. It is operational. Application control is hard to do well because it is a combination of three things that have to come together at once:
- the technology, which most environments already have
- the process, including discovery, approval, deployment, exception handling, and rollback
- the people, with enough WDAC experience to make the lifecycle sustainable
Antivirus succeeds in the market because it can be installed and largely left alone. Application control cannot. It demands an operating model around it, and that is what most programs underestimate.
Where this leaves most environments
Most teams already accept the security argument. They are not debating whether application control is valuable. They are stuck on whether they can sustain it.
That is where the conversation needs to shift. The real question is not "should we do application control?" but "what would make the lifecycle of application control predictable enough to actually run in production?"
When that question has an answer, the technology becomes the easy part.
How WDACManager fits
WDACManager is built on the assumption that the WDAC technology is already present on every Windows endpoint. The platform does not replace it. It manages the lifecycle around it, so that policy generation, deployment, exception handling, and rollback behave like a platform function rather than a bespoke project every time.
That is what closes the adoption gap. Not a different enforcement engine. A better operating model around the engine that is already there.
Antivirus became universal because it was easy to operate. Application control becomes universal when the operating model around it stops being the hard part.