Use Cases

The First Watch® platform is an event- and policy-driven system. ControlGuard provides deterministic protection, but its capabilities extend well beyond application whitelisting. This section describes key operational use cases that demonstrate how the platform supports visibility, controlled response, automated baselining, update governance, and production hardening.


Windows Event Collection

The First Watch® platform collects and processes Windows Event Logs from monitored endpoints, extending visibility beyond application control into system-level activity.

Collected events support three key outcomes:

  • Situational awareness — understanding what is happening on protected machines in real time
  • Forensic investigation — tracing the sequence of events that led to an incident
  • Policy-driven response — crafting automated responses that are triggered when specific events are detected

The platform also supports integration with Sysmon for enhanced telemetry, and ingestion of custom-generated events (e.g., monitoring CPU thresholds, detecting unexpected session activity, or tracking specialised operational parameters) through Python, PowerShell, or the First Watch SDK.

Event collection is purposeful and aligned with operational relevance — not a "collect everything" approach.


Response Mechanisms

Cybersecurity control typically follows the sequence: Protection → Detection → Response. The First Watch® platform prioritises deterministic protection through explicit policy enforcement. Where direct prevention is not technically feasible, controlled response mechanisms can be configured.

Examples of response actions include:

  • Resetting suspicious network connections
  • Terminating unauthorised processes on endpoints
  • Temporarily disabling user accounts under defined conditions
  • Restricting communication paths during investigation

All response actions are policy-driven, auditable, and reversible — they are never heuristic or autonomous. The platform continuously evolves to shift capability toward preventive enforcement wherever operationally safe.
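As an added example covering both the event collection above and the response mechanisms just described (this is not First Watch code, its policy format, or its SDK), the following Python runs constructed Security-log failed-logon (Event ID 4625) and Sysmon network-connection (Event ID 3) records through two explicit policy rules and applies the matching response actions to a simulated endpoint state, writing every action to an audit trail that can be reverted. The policy keys, thresholds, rule names, account names and addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy in a hypothetical format (not First Watch's own policy syntax).
POLICY = {"failed_logon_threshold": 5, "failed_logon_window_s": 60,
          "allowed_destinations": {"10.0.5.10", "10.0.5.11"}}

class Responder:
    def __init__(self, policy=POLICY):
        self.policy, self.audit = policy, []
        self.disabled_accounts, self.blocked_destinations = set(), set()   # simulated endpoint state
        self.failed = defaultdict(deque)          # account -> timestamps of recent 4625 events
    def _record(self, rule, event, target, undo):
        self.audit.append({"id": len(self.audit) + 1, "rule": rule, "event_id": event["id"],
                           "time": event["time"], "target": target, "reverted": False, "_undo": undo})
        return self.audit[-1]["id"]
    def handle(self, event):
        """Evaluate one event against the policy; return the audit id of any action taken, else None."""
        t = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        if event["id"] == 4625:                                   # Security log: failed logon
            acct, q = event["TargetUserName"], self.failed[event["TargetUserName"]]
            q.append(t)
            while t - q[0] > timedelta(seconds=self.policy["failed_logon_window_s"]):
                q.popleft()                                       # drop logons outside the window
            if len(q) >= self.policy["failed_logon_threshold"] and acct not in self.disabled_accounts:
                self.disabled_accounts.add(acct)                  # temporarily disable the account
                return self._record("repeated_failed_logon", event, acct,
                                    lambda: self.disabled_accounts.discard(acct))
        elif event["id"] == 3:                                    # Sysmon: network connection
            dst = event["DestinationIp"]
            if dst not in self.policy["allowed_destinations"] and dst not in self.blocked_destinations:
                self.blocked_destinations.add(dst)                # restrict the communication path
                return self._record("unapproved_destination", event, dst,
                                    lambda: self.blocked_destinations.discard(dst))
    def revert(self, audit_id):
        """Undo an action and mark it in the audit trail; the entry itself is never deleted."""
        entry = self.audit[audit_id - 1]
        if not entry["reverted"]:
            entry["_undo"]()
            entry["reverted"] = True
        return entry

# Constructed sample events: five failed logons for one account within 20 s, then an outbound
# connection to an address outside the approved set.
SAMPLE_EVENTS = [{"time": f"2024-05-01T08:00:{5 * i:02d}Z", "id": 4625, "TargetUserName": "operator"} for i in range(5)]
SAMPLE_EVENTS.append({"time": "2024-05-01T08:01:00Z", "id": 3, "DestinationIp": "203.0.113.9"})

def run(events=SAMPLE_EVENTS):
    r = Responder()
    return r, [a for a in map(r.handle, events) if a is not None]
```

Only the fifth failed logon crosses the threshold, so the first four records produce no action; reverting an action restores the state but leaves the audit entry in place, marked as reverted.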


Automatic Baseline

When ControlGuard is first deployed to an endpoint, it automatically inventories all existing software and builds an approved baseline. This baseline is constructed using three trust indicators:

  • Cryptographic hashes — unique fingerprint of every executable and library
  • Digital signatures — vendor certificate validation
  • File metadata — product name, company name, and file description

This baseline becomes the reference point for all subsequent enforcement decisions. Any new or modified file that does not match the approved baseline is flagged or blocked, depending on the active policy mode.

Automatic baselining allows organisations to move from initial deployment to operational visibility quickly, without manually cataloguing every executable on every machine.
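The following Python is an added illustration of the baseline-and-enforce cycle described above; it is not ControlGuard's code or its matching logic. It inventories constructed files into the three trust indicators (SHA-256 hash, signer, product/company metadata), then decides allow, flag or block for later changes depending on whether the policy mode is audit or enforce. The signer and metadata fields, the rule for accepting a changed file that is still signed by an already-trusted signer, and every file name are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for the Authenticode signer and version-resource metadata of each file (hypothetical names).
FILE_META = {
    "hmi_runtime.exe": {"signer": "Example Vendor Ltd", "product": "HMI Runtime", "company": "Example Vendor Ltd"},
    "helper.dll": {"signer": None, "product": "Helper", "company": "Example Vendor Ltd"},
}

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root, meta=FILE_META):
    """Inventory every file under root into the three trust indicators."""
    baseline = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            m = meta.get(p.name, {})
            baseline[p.name] = {"sha256": sha256_of(p), "signer": m.get("signer"),
                                "metadata": (m.get("product"), m.get("company"))}
    return baseline

def evaluate(path, baseline, mode, meta=FILE_META):
    """Return 'allow', or 'flag' (audit mode) / 'block' (enforce mode). Assumed rule: an exact hash
    match is approved; a changed file only if signed by an already-trusted signer with unchanged metadata."""
    entry = baseline.get(path.name)
    if entry is not None:
        if sha256_of(path) == entry["sha256"]:
            return "allow"
        trusted = {e["signer"] for e in baseline.values() if e["signer"]}
        m = meta.get(path.name, {})
        if m.get("signer") in trusted and (m.get("product"), m.get("company")) == entry["metadata"]:
            return "allow"
    return "flag" if mode == "audit" else "block"

def demo():
    """Build a baseline over constructed files, then evaluate three later changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in {"hmi_runtime.exe": b"MZ hmi v1", "helper.dll": b"MZ helper v1"}.items():
            (root / name).write_bytes(data)
        baseline = build_baseline(root)
        (root / "hmi_runtime.exe").write_bytes(b"MZ hmi v2")         # vendor-signed update
        (root / "helper.dll").write_bytes(b"MZ helper TAMPERED")     # unsigned file modified
        (root / "unknown.exe").write_bytes(b"MZ never inventoried")   # new file, not in baseline
        return {"signed_update": evaluate(root / "hmi_runtime.exe", baseline, "enforce"),
                "tampered_unsigned": evaluate(root / "helper.dll", baseline, "audit"),
                "new_file": evaluate(root / "unknown.exe", baseline, "enforce")}
```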


Stopping Windows Updates

In industrial environments, uncontrolled Windows updates can introduce unexpected reboots, compatibility issues, and operational disruption. The First Watch® platform supports controlled governance of Windows updates through network-level restriction and policy-driven controls.

The same approach extends to third-party application updates. Each application must be evaluated individually — blanket disabling of updates without structured review may introduce greater long-term risk than controlled update management.

All update control decisions are aligned with the organisation's patch management policy.


Reviewing and Removing Bloatware

Before a Windows machine is placed into a manufacturing environment, it must transition from a general-purpose consumer operating system to a dedicated industrial workstation.

Out of the box, Windows includes consumer applications, background services, and features that are unnecessary — and potentially harmful — in a production setting. These can trigger unexpected reboots, consume network bandwidth, increase CPU and disk activity, and create unapproved software installation paths.

The First Watch® platform supports a structured approach to production hardening:

  • Remove consumer applications — gaming, media, personal productivity, and communication apps that serve no production purpose
  • Disable unnecessary features — print spoolers, search indexing, mixed reality, and other components not required by the control system
  • Reduce background services — telemetry, update delivery optimisation, error reporting, and other services that introduce silent network activity
  • Control the Microsoft Store — disable (not remove) to prevent unauthorised software installation while preserving system update infrastructure
  • Enforce application whitelisting — once hardened, lock the machine down so only approved software can execute

The industrial principle: a production machine is not a personal computer. It is an industrial asset. Every removed component reduces attack surface, improves predictability, and supports deterministic operation.