Tanium 2025

Tanium Anomaly Detection for Enterprise Software

Led the product design and launch of Tanium's anomaly detection capability — continuously identifying unauthorized, atypical, or high-risk software across enterprise endpoints and surfacing it through prioritized, actionable notifications.

Tags: AI, Security, Enterprise, Detection

Anomaly Detection for Enterprise Software is a continuous detection capability that identifies software on endpoints that is atypical, unauthorized, or carries an elevated risk profile — and gives security and IT operations teams a single place to triage and act.

The problem

Enterprise security teams are drowning in software inventory data. Knowing what’s installed across thousands of endpoints is only half the problem — knowing what actually warrants attention is the harder challenge. Manual review of software inventories doesn’t scale, and most tools either alert on everything (alert fatigue) or nothing (blind spots).

What we built

A detection and triage system that runs continuously across endpoints and surfaces risk through Tanium Guide notifications. Key capabilities:

  • Risk classification — each detected application receives a risk level (High, Moderate, Low) and a classification explaining why it was flagged: Data Exfiltration, Remote Access, Entertainment, Security tools, AI Tools, and more
  • Guide integration — new anomalies surface directly in the Tanium Console as notifications, showing total count and most recently detected items
  • Anomalous Software page in Asset — split into High Risk and Moderate & Low Risk sections so teams prioritize the highest-severity items first
  • Endpoint drill-down — selecting any application shows exactly which endpoints it’s installed on, giving teams the context to remediate confidently
  • Approval workflow — teams can mark legitimate tools as approved, scoped to all computer groups or specific ones, so detection stays focused on what genuinely warrants attention
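As an added illustration (not Tanium's code), a toy model of the triage and approval semantics described above: a detection is suppressed only where an approval's computer-group scope covers it, surviving items are grouped per application with their endpoint drill-down, and the result is split into the High Risk and Moderate & Low Risk sections. All class names, field names and sample data are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
RISK_ORDER = {"High": 0, "Moderate": 1, "Low": 2}

@dataclass(frozen=True)
class Detection:
    app: str
    endpoint: str
    group: str           # computer group the endpoint belongs to
    risk: str            # "High", "Moderate" or "Low"
    classification: str  # why it was flagged, e.g. "Remote Access"
@dataclass(frozen=True)
class Approval:
    app: str
    groups: Optional[frozenset] = None  # None = approved for all computer groups
def is_approved(d: Detection, approvals: list) -> bool:
    """An approval suppresses a detection only for the groups it is scoped to."""
    return any(a.app == d.app and (a.groups is None or d.group in a.groups)
               for a in approvals)
def build_anomalous_software_page(detections, approvals):
    """Group unapproved detections per app with their endpoints, split by severity."""
    by_app = defaultdict(lambda: {"endpoints": set()})
    for d in detections:
        if is_approved(d, approvals):
            continue  # legitimate in this group; stay focused on genuine risk
        e = by_app[d.app]
        e.update(app=d.app, risk=d.risk, classification=d.classification)
        e["endpoints"].add(d.endpoint)
    page = {"High Risk": [], "Moderate & Low Risk": []}
    for e in by_app.values():
        e["endpoints"] = sorted(e["endpoints"])
        page["High Risk" if e["risk"] == "High" else "Moderate & Low Risk"].append(e)
    for rows in page.values():  # highest severity, then widest footprint, first
        rows.sort(key=lambda r: (RISK_ORDER[r["risk"]], -len(r["endpoints"]), r["app"]))
    return page

# Constructed sample data (not real inventory): a remote-access tool sanctioned only for IT
SAMPLE_DETECTIONS = [
    Detection("remote-desktop-tool", "it-admin-01", "IT", "High", "Remote Access"),
    Detection("remote-desktop-tool", "fin-laptop-07", "Finance", "High", "Remote Access"),
    Detection("chat-ai-client", "eng-ws-12", "Engineering", "Moderate", "AI Tools"),
    Detection("game-launcher", "fin-laptop-07", "Finance", "Low", "Entertainment"),
    Detection("media-player", "eng-ws-12", "Engineering", "Low", "Entertainment"),
]
SAMPLE_APPROVALS = [
    Approval("remote-desktop-tool", frozenset({"IT"})),  # scoped to one group
    Approval("media-player"),                            # approved everywhere
]
```

Running `build_anomalous_software_page(SAMPLE_DETECTIONS, SAMPLE_APPROVALS)` leaves the remote-access tool flagged only for the Finance endpoint and drops the media player entirely.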

Impact

Shipped to Tanium Cloud customers on Windows and macOS. Moves security teams from blind spots in software inventory to a prioritized, classified view of risk — reducing the manual effort needed to find and remediate unauthorized applications across large, distributed environments.

What I learned

The approval workflow was the hardest product decision. Detection models will always surface tools that are intentionally deployed but look unusual. Building a robust way for organizations to encode their own standards — and keep detection focused on genuine risk — is as important as the detection itself.