
Axonius Asset Cloud

Axonius Inc.

Reviews from AWS customer

2 AWS reviews

External reviews

10 reviews

External reviews are not included in the AWS star rating for the product.


5-star reviews

    Information Technology and Services

Axonius as an Asset Intelligence solution.

  • October 16, 2024
  • Review provided by G2

What do you like best about the product?
Axonius works differently compared to other asset management solutions. The way it works is like an Asset Management solution with intelligence. You can ingest all available information and play with it.
What do you dislike about the product?
Axonius is very dependent on the number of management tools it integrates with (in the form of Adapters). As much as possible you should have different tools such as AD, EPP/EDR, NAC, NGFW, NMS, VA, etc.
What problems is the product solving and how is that benefiting you?
Axonius solves the problem of overall asset visibility. It also helps you to identify the unique number of assets in your environment compared to other asset management platforms; Axonius correlates, normalizes, validates, and deduplicates data. With the help of correlation, you can easily identify rogue devices and devices with no agents, and it helps especially in auditing and compliance checks.


    reviewer2516586

Offers good updates and patches to users

  • July 19, 2024
  • Review from a verified AWS customer

What is our primary use case?

In my company, we did a production pilot in my environment where I work to evaluate the tool's capabilities, and our use case was looking for unmanaged endpoints, like workstations that may have fallen out of management by their management server, like McAfee, Tanium, SCCM, or similar things.

How has it helped my organization?


What is most valuable?

The tool's query wizard isn't bad. Suppose you have ever used or even talked to anybody about other products that use vendor-specific queries, like Splunk, which is supposed to be one of the harder ones to use and master. Compared to Splunk, Axonius has made the tool a little more user-friendly where it is a little easier to use, and that is really the bread and butter of the product because that is where you get all your reporting from on your assets to make determinations on what you are looking for, like security, or if you wanted to use it for asset management, you could. As it pulls so much data, there are other options in the query that you could choose from depending on what information you were trying to obtain about your environment.

What needs improvement?

There was an issue with the tool, and sometimes, the biggest problem was that there was a need to determine if one machine was the same machine. Sometimes, you would have to go into the interface, and Axonius realized that after which it offered tools that you can run, erase, or remove certain assets that didn't duplicate to have them rediscovered again or to see if that may help or aid. Sometimes, when you redeploy servers or make changes to servers, Axonius may pick that up as another entity when it's really not, and then you could have multiple records for the same server, in which case that can be confusing when you are trying to run reports and queries to get information. Axonius hasn't really been around that long. I think it's only about five years old. It was originally an Israeli company. I believe the tool was developed in Israel. I work as a government contractor. We use it in the government, and the tool had to actually stand up as a federal government agency relationship management here in the United States to be able to even use it to meet the requirements of the government because it is a foreign company. In the beginning, it was a little slow going because the tool was still getting established to be able to have the government as a customer of the US government. Axonius has continually improved that product throughout the process. When my company started to use the tool, it was in its infancy, and it was a virtual appliance. Axonius evidently had two different appliances at a time. I don't know if it has them today because it has been a little while now. Axonius had one tool for the private sector and then one for the government with more hardened security features that met certain what they call STIGs or security baselines that the government operates under. Axonius would try to give you a hardened or pre-hardened appliance, which was good. 
In such a case, they know as well if you want to apply certain security parameters to their servers to meet requirements. The tool is usually aware of what will cause an issue, and the product works with you pretty well.

For how long have I used the solution?

I have been using Axonius for two years.

What do I think about the stability of the solution?

Basically, what the tool does is that the more endpoints you have to manage, the more you scale the platform up. For instance, the tool has benchmarks; if you go out to their website, it lists how many assets you are going to manage and what kind of server resources you would need to configure. For instance, if you are going to do all our stuff in VMware, you can go to the VMware shop. All these servers are basically virtual appliances, and if you are familiar with the ones that are pre-configured with the OS and the app, and if you import those into your VMware environment, then you can have the option to configure how many front-end CPUs you are going to use and how much memory you are going to allocate to the virtual machines. The core node itself usually gets the beefiest or the most resources because it hosts the database. It initiates a lot of all of the fetches or queries that you run against your database. You set all that up in advance based on the number of endpoints you think you are going to be managing. You can scale it up afterward, so if you end up having more environments that you wanna add to it that you didn't initially plan for, then you can go in and change the resources on the server, like add a few more CPUs or more memory. The tool has it all broken down on its website as far as the scale that you would need is based on the number of endpoints that you want to manage, and even the licensing is based on it. Everything is based on how many endpoints you want to manage.

What do I think about the scalability of the solution?

My company probably had 60,000 endpoints and about 20,000 or 30,000 users as it integrated with Active Directory. You can get user information, too, even though it is really about assets and endpoints. The tool can gather so much other stuff because it's really pulling all kinds of data to correlate, and that is what it does. It correlates with data. We had multiple Active Directory domains, which had thousands of users, and you can connect it to each individual Active Directory domain so that it can reach into that domain and retrieve. All the read-only stuff, like I was saying before. If you do the read-only implementation, it is a lot safer because it is just read-only. You only need to grant the service account read-only access in a typically read-only role, which is offered by a lot of different solutions. Axonius has a typical read-only role that you can implement on the back-end server for the service account, so it can't go beyond read-only unless you will be taking actions, remediating, and doing automation. When things need to change, you need something greater than read-only for your service accounts to be able to take action.

How are customer service and support?

The solution's technical support was good. The tool has a technical account manager and then an engineer. Both of them worked with you, and they were very responsive and quick to help us fix any issues that we had with the tool. At some point in time, I know that the product will mature. When you go to patch the product or upgrade the product, it was being developed when we were using it, so we weren't able to use it yet because it was still under development, and it was, like, a patching server, which is almost like what Microsoft WSUS server is, where you have a server in your environment that you can use potentially, or you could even go across the internet. There are machines that are more air-gapped where they can't talk to the internet directly. You could potentially have a server like in your DMZ, and it could talk to Axonius and pull down patches. Then, your servers inside could talk to that to automate patching, and Axonius was working on it. As it is going to be a year in December, I think the tool is probably up and running, and it might even be using it now. There were different kinds of initiatives that Axonius was working on at the time to improve the product, and now the tool is getting more cloud integration as well. The tool has its Azure and AWS offerings. If you know anything also about the architecture, the main server is called the core server, and it has a database known as MongoDB, which basically collects and stores all the data. We have the other server role. We used a couple of server roles, and one was the core server because you have to have that since it is where the GUI is hosted. When you connect to the GUI, you are actually connecting to the core node. It's presented from the core node, and then they have what they call collectors. You can take those collectors and place them throughout your environment, and what is nice about the collectors is that they only use a single TCP port. 
You could place the collector in an environment that may collect several different types of data from different assets. In such a case, if you didn't use the collector, you would have to have multiple firewall rules. If you are collecting data from Microsoft servers, like Active Directory and SCCM, DHCP, and certain Microsoft services or Linux services or other products as well, Axonius integrates with a ton of tools. The tool had around 700 adapters that it had developed, and some of them were better than others as far as their maturity and what they gathered because we would go into it, and we would connect one of these adapters thinking that we were going to get all the data. Axonius publishes what you can collect. It is good to go out and look at the adapter and what kind of data it can gather before you use it. It may not give you what you are looking for. We connected to probably ten or twelve different connections or adapters to different products in our environment. We had multiple collectors deployed, and it was nice because you just had to get one firewall rule implemented, as it would collect everything locally in that subnet where all those back-end servers lived. Then, all those ports and protocols were there because it was in a VLAN, and they were already opened anyway, so you didn't need any firewall rules there. The tool saves you time with firewall rules because where I work, firewall rules can be a headache because you have to go through change management and do all this stuff to get them implemented, and that can take time as it all gets scrutinized. It is nice to be able to just have one port open or one TCP port, really, for the collector node, which is the communication from the core node to the collector node to actually pump that data back from the collector to the core node to be put into the database. I rate the support a ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Gartner classifies Axonius as a CASM tool. I am not familiar with the tool's competitors. I don't know because that is kind of a newer thing and not brand new, but probably within the last two or three years. It is the first time I have heard of it. I know there are other tools that offer a similar capability. Axonius is an attack surface type tool, and what is cool is that when you have a known vulnerability, like, a day zero, and there's no real fix for it just yet or the vendors are working on it, and they may have to have some workarounds, you can run queries against your whole environment to find those assets that may be affected so that you know right away what your security posture would be in the event of a day zero for whatever asset we're talking about. In this case, then you would have a clear picture of the number of assets that I need to perform this workaround until the vendor can come up with a patch. In that instance, it kind of serves as an asset manager because you are looking at it for assets. The confusing thing to people about the product is that it grabs so much data about your environment that you can use it for a multitude of purposes, and asset management, which could definitely be one of them, but they don't market the product as an asset management tool. We used it as a CASM tool.

How was the initial setup?

The product's initial setup phase is pretty straightforward. My company operates in a VMware environment, so we get the pre-configured VMware servers that are offered. We just import those into VMware, the servers, and basically figure them out for our environment with TCP/IP and DNS. NTP and all the normal stuff that you would do for servers to deploy are good for working with, but they don't give you full SSH access. The tool has a menu-driven tool that you can use too, and it has been maturing over time because when the product was first rolled out, and we started using it, we had a lot of interaction with their security and their engineers because they don't want you to go in and have full SSH access because you could cause issues as you won't know what you are doing. You could break their product, and so they limit your access on purpose so that you won't cause any issues. If you need anything that requires more access, then they give you access, after which you have to get with them. They are responsive and help you troubleshoot with Microsoft Teams so that they can see what we are doing. We can have sessions where we can share stuff, and they just tell us what to do. And they'll send us, you know, syntaxes that we need to input, you know, stuff like that. As we have gone along, the menu-driven tool they call the toolbox, or Axonius toolbox, is what you use for, like, day-to-day administration to do the basic back-end server stuff, and that toolbox is actually reachable through SSH access on the back-end servers on the CLI. You don't see that in the user interface where the regular users would be doing queries and using the product as a user. I am talking about administrative stuff here.

For us, the product's deployment phase was a little challenging because we had to deal with other departments and business units. We were dependent on the tool's team because they had the keys to their kingdom, so we had to work with them to get the product deployed and get it connected to their systems because they had to, in some cases, make a service account for us and configure it to be read-only, give us the password, and then we would input that on our side to be able to connect to their system, their back-end system. There was change management involved. There were server firewall rules. Typically, we did that collector, which was a server role, and we would implement a collector in the environment, and then the collector in that environment would just fetch the data from those different servers with those pre-configured accounts. Sometimes, they could be domain accounts if whatever solution it was was domain joined. It was able to have a Windows service account if it wasn't a Windows system. Windows systems are pretty much domain-joined, and you could use an Active Directory service account on those systems that we could set up. Then, we would tell them what we made, and then they would add it on their side, and then it would work. There were some hiccups here and there, of course, getting that stuff straightened out. It probably took about six months for us to get everything working just because of the scale of our environment and all the different people that we had to work with. It really becomes a delay because they own those systems.

What's my experience with pricing, setup cost, and licensing?

I never heard anybody balk at it because we have other products, such as security products, as well. The product's price is more in line with or maybe a little lower in price than some of the other tools. It is kind of what I heard mentioned, but I don't know for sure because I didn't really deal in dollars and cents.

What other advice do I have?

Axonius is used in our company's daily security operations to manage and secure assets, and it has its own query analyzer. You can run queries against the data that has been retrieved in the database to make assessments of your environment on a daily basis. The tool has what is known as adapters, and those adapters connect to systems within the environment to pull data into a central repository to basically crunch data and deduplicate it down to what is called a master endpoint record, which is a single entity that represents basically one machine across multiple management platforms as a client machine, and then you can do queries against it. The tool pulls in so much data that you could actually use it for other things. The first thing that comes out of anybody's mouth when they hear about the product is that it is an asset management tool, but our use case really wasn't associated with it, and we didn't get it for that. The tool is more secure than some other products. The tool is all about security. We have high-level security audits where someone will randomly come in and evaluate your environment by surprise, so you don't have time to prepare because they want to see what your operating stature is and if you have a normal operating stature. When someone comes in to evaluate our environment, and they look for machines that are not being managed by their servers, and they could actually present a vulnerability, then it can definitely hurt your security score in the end when they are coming in to evaluate your security posture.

The tool has automated capabilities that can remediate machines. It can. The tool definitely has automation capability, but we didn't use that. We were just basically using it to pull data from our management servers about the clients they manage to make determinations on our endpoints. You won't always know sometimes if your endpoint is functioning or not if you have so many of them. Basically, what it does is that it just connects you to all your management servers that manage those clients, and you can see graphically because, in the interface, it actually shows for the entity in question, like, say, it is just a workstation. It will show each management tool and the icon for that management tool, as well as the vendor's icon next to it, to show you that it is checked in with that server and that it's actually communicating with that server as a client machine to give you an idea if you have any endpoints that aren't being managed from any one of your management servers for your management tools.

When it comes to integrations, the tool uses service accounts to do it, and they have a notion of a read-only service account, which is what we use. Or you can have one that has more authority or rights where it can actually take action. We did a production pilot because we needed real data. Originally, we did a pilot in a lab environment, but those servers in our lab environment don't really have a lot of data that is meaningful to us. We did a production pilot, which was accepted because we used read-only accounts, and all they will do is just pull data, and all the system needs, the management servers need, or all the service account needs is a read-only role on the servers so that it can just read the data and pull that data. It was a safer bet for us because we were just doing the production pilot. We needed real data to evaluate the product and see if it would meet our needs. The accounts were actually just read-only, which was the safe way to go in a production environment. The only thing that you had to worry about was that Axonius advertises that certain systems can take a performance hit when that job runs, and they call it a fetch, and it runs periodically, and you can control that. You are in complete control of what time it fetches. We did it off hours, and we actually worked with the different teams to schedule it because if they had any operations that they ran off hours, we didn't want to interfere with that. We worked within the individual teams that manage those servers, like SCCM's team, McAfee's team, and Tenable's team, to be able to make sure that we were optimizing our fetches around their schedule that was good for that platform.

The performance issues in the tool have been optimized to a level by Axonius, where the tool can tell by the stream of data what kind of performance they are getting across the wire, like the network. The tool knows the network bandwidth that is being used and things like that, and it will actually adjust that on its own. There are only really a couple of systems that advertise, and one of them was SCCM, which is now MECM. I believe that Microsoft has changed SCCM to MECM. I think it was Tenable because Tenable can have multiple repositories that you can configure for the product to use, and we can schedule those off hours. I just think that certain systems, depending on how much data they are going to fetch, can take a hit depending on how busy they are and stuff like that. In the end, we really didn't have any problems once we worked with the individual teams to polish and schedule the right fetch for the platform because they were SMEs who knew about the product. SMEs have worked with the tool, and we really didn't have any issues in the beginning because we worked with those individual teams where there was some coordination with the tool.

The tool does have AI initiatives, but we have not yet integrated the product with any AI features. We didn't get the funding to continue our pilot as well. In December, I think it will be a year since the product has been turned off. Users have liked the product, and it is possible that it may receive funding in the future, in which case it could be powered back on and then brought back to life because, basically, they are virtual machines in VMware on-premises. Axonius does have a SaaS offering that you can run on AWS and Azure. We had an on-premise solution, and we managed everything completely. For more infrastructure as a service, we have a little private cloud.

I would recommend the tool to others because it is kind of unique in what it does. I have never seen another tool do this before where it doesn't talk to any clients itself, so it is agentless. It pulls from your back-end servers and then correlates the data that it receives on those servers to create what I was saying before is what they call a master endpoint record, which represents a single entity across all those servers that may be like a workstation that is being managed that is definitely communicating and getting its updates to its management servers with all you know, and it could be because it is a client with multiple servers. I don't know any other tool that really does that in that fashion where there is no impact on the endpoint itself.

I have been out of the loop for a little while now, and I haven't been using the tool. There are probably all kinds of new capabilities in the tool that I am not even aware of because when we were on it, I was working on it day to day for, like, a couple of years. So we were pretty up to date on all the new features that were coming out, some of their roadmap items, and where they were going with their product. Now, I have kind of been out of the loop for a little bit. I guess what you would probably think about is whether or not you would use it on-premise or in the cloud environment, depending on what kind of assets you have. As I understand, I think now it can reach back from the cloud through a gateway of some kind that you may have in your environment so that it could potentially get your on-premise stuff and cloud stuff altogether to where you didn't have to have separate installations. The tool does have integrations where you can have multiple sites, and they roll up all their data to a server in the cloud. You could just report right from the cloud on all the assets that were on-premises across your enterprise. The tool has a lot of capability. The product that we had was actually used on Rocky Linux, which is a Red Hat tool. The tool would release patches periodically or a monthly patch that was a security patch that they would give you that you would install for security. The tool would also have updates or upgrades where you could roll out upgrades, which is something that we usually did during the evenings when we had a maintenance window so that the user base wouldn't be using it.

I am not really a security person. I am more of a virtualization engineer, so I work with VMware stuff and infrastructure and stuff like that. Our security people loved it because it did what the vendor said it would do, as they were able to find workstations and even other devices that weren't being managed. Not only that, it is good to find network devices that you may not be aware of that may be causing you a problem or could be security-related. One of the things with Axonius was that in some environments, it could find these little networks, like a Raspberry Pi or something like that, plugged into the network or something that shouldn't be plugged into the network. It would be able to find these devices where nothing else really could. The tool really kinda does work as they say, and it could help you with your security posture.

I rate the tool a ten out of ten.


    Information Technology and Services

Best tool for Integrations

  • September 05, 2023
  • Review provided by G2

What do you like best about the product?
Axonius is one of the best tools for having integrations with other tools.

Axonius has various use cases and can be used to get data of a particular resource from all the tools it is connected with.
What do you dislike about the product?
The UI of Axonius is something which can be improved.
What problems is the product solving and how is that benefiting you?
Axonius is a go-to platform to fetch the details of any of the resources that we have in our organisation, and because it is integrated with most of the tools, it helps to give reports with parameters coming from various tools.

