Board Reporting | June 26, 2026 | 5 min read

Covered Against What? The Denominator Your Endpoint Coverage Number Is Hiding

Three systems. Three numbers. All claiming to describe the same thing. The EDR says 98%. The CMDB says 87%. The honest answer is that nobody knows — and the spread between those numbers is the only signal that actually matters.

Three numbers sit in three different dashboards inside the same security organization, and each of them claims to describe the same thing. The EDR console reports endpoint coverage at 98%. The CMDB, queried for the same week, reports 87%. The honest answer to the question “what percentage of the assets that actually exist on our network are protected?” is that nobody knows. These are not rounding errors or reconciliation gaps that a clever join will close. They are three different definitions of coverage, calculated against three different denominators, and they all show up in the same board deck as if they were the same fact.

The Tool That Grades Its Own Homework

The EDR is counting what it sees. Its denominator is the set of devices that have checked in with its console at some point in the configured window. A device that fell off the network last quarter, or one that never had an agent installed in the first place, simply isn’t in the math. Coverage of 98% sounds excellent until you realize the tool is grading its own homework against the set of machines it already controls. The CMDB, meanwhile, counts what someone remembered to register. Its denominator is whatever last got entered, updated, or imported from procurement. It is a system of record, not a system of truth, and the truth drifts the moment a contractor spins up a laptop, a developer attaches an EC2 instance, or a department renames a server.

The Asset Nobody Is Counting

The asset that nobody is counting is the one that matters most. Modern environments produce ephemeral, opportunistic, and shadow assets at a rate that neither agent telemetry nor configuration databases can track unaided. Cloud workloads spin up and tear down inside a quarterly reporting cycle. BYOD devices touch corporate SaaS through identity, not through the asset register. Mergers add fleets that won’t appear in the CMDB for months. When the board asks “are we covered?”, a single percentage hides the fact that three teams are answering three different questions and rolling the result up as one number.

Report the Delta, Not the Number

The CISOs we work with have stopped reporting endpoint coverage as a single figure. Instead, they report the delta — the spread between EDR-observed coverage, CMDB-asserted coverage, and a discovered-asset baseline pulled from network telemetry, identity logs, and cloud APIs. That spread is the real signal. A 1% gap between EDR and CMDB tells one story. An 11% gap between CMDB and discovered assets tells a very different one, and it usually points to a process failure, not a tool failure. The number that survives the board room isn’t the highest of the three; it’s the explanation of why they disagree and what it would cost to close the gap.
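A worked illustration of the three denominators and the delta between them, added here as an example and not code from the original post or from Metric Maestro. The hostnames, check-in window, and the three discovery sources (network telemetry, identity sign-ins, a cloud API listing) are all constructed sample data; the point is how the same set of protected hosts yields a different "coverage" figure depending on what sits under the fraction line, and which assets fall outside every register.

```python
"""Reconcile three 'coverage' denominators: EDR console, CMDB, discovered assets.

All hostnames, timestamps, and source feeds below are constructed sample data.
"""
from datetime import datetime, timedelta

NOW = datetime(2026, 6, 26)
CHECKIN_WINDOW = timedelta(days=30)  # the EDR console's configured "active" window

# EDR console export: host -> (last check-in, sensor healthy?).
# Hosts that never had an agent installed do not appear here at all.
EDR_CONSOLE = {
    "ws-001":   (NOW - timedelta(days=1),  True),
    "ws-002":   (NOW - timedelta(days=2),  True),
    "ws-003":   (NOW - timedelta(days=45), True),   # fell off the network last quarter
    "ws-005":   (NOW - timedelta(days=3),  False),  # checks in, but sensor degraded
    "srv-db1":  (NOW - timedelta(hours=3), True),
    "srv-web1": (NOW - timedelta(days=5),  True),
    "ec2-abc":  (NOW - timedelta(days=1),  True),
}

# CMDB export: whatever someone remembered to register.
CMDB = {"ws-001", "ws-002", "ws-003", "ws-004", "srv-db1", "srv-web1", "srv-legacy"}

# Discovery sources, each with its own blind spots (constructed).
NETWORK_TELEMETRY = {"ws-001", "ws-002", "ws-004", "srv-db1", "srv-web1",
                     "srv-legacy", "contractor-lt"}
IDENTITY_SIGNINS = {"ws-001", "ws-002", "byod-phone", "contractor-lt"}
CLOUD_API = {"ec2-abc", "ec2-def", "srv-web1"}


def active_agents(console=EDR_CONSOLE, now=NOW, window=CHECKIN_WINDOW):
    """Hosts the console counts at all: those that checked in within the window."""
    return {h for h, (seen, _) in console.items() if now - seen <= window}


def protected_hosts(console=EDR_CONSOLE, now=NOW, window=CHECKIN_WINDOW):
    """Hosts with an active and healthy sensor: the only ones actually covered."""
    return {h for h, (seen, ok) in console.items() if ok and now - seen <= window}


def coverage(protected, denominator):
    """Fraction of the denominator that is protected; the denominator is the choice."""
    return len(protected & denominator) / len(denominator) if denominator else 0.0


def discovered_baseline():
    """Assets observed by any discovery source, independent of EDR and CMDB."""
    return NETWORK_TELEMETRY | IDENTITY_SIGNINS | CLOUD_API


def unregistered_assets():
    """Discovered, yet absent from both the CMDB and the EDR console at any age."""
    return discovered_baseline() - CMDB - set(EDR_CONSOLE)


def coverage_report():
    """Return the three coverage views, the deltas between them, and the gap lists."""
    prot = protected_hosts()
    views = {
        "edr": coverage(prot, active_agents()),          # tool grading its own homework
        "cmdb": coverage(prot, CMDB),                    # against what was registered
        "discovered": coverage(prot, discovered_baseline()),
    }
    # Reconciled denominator: union of every register and every discovery feed.
    reconciled = CMDB | set(EDR_CONSOLE) | discovered_baseline()
    views["reconciled"] = coverage(prot, reconciled)
    return {
        "coverage": views,
        "delta_edr_vs_cmdb": views["edr"] - views["cmdb"],
        "delta_cmdb_vs_discovered": views["cmdb"] - views["discovered"],
        "unregistered": sorted(unregistered_assets()),      # nobody is counting these
        "registered_unprotected": sorted(CMDB - prot),      # known, but no working agent
    }


if __name__ == "__main__":
    report = coverage_report()
    for view, value in report["coverage"].items():
        print(f"{view:>11}: {value:6.1%}")
    print("EDR vs CMDB delta:        ", f"{report['delta_edr_vs_cmdb']:+.1%}")
    print("CMDB vs discovered delta: ", f"{report['delta_cmdb_vs_discovered']:+.1%}")
    print("unregistered assets:      ", report["unregistered"])
    print("registered, unprotected:  ", report["registered_unprotected"])
```

With this sample data the console reports five of six active sensors healthy, the CMDB view drops to four of seven, the discovered baseline to five of ten, and the reconciled denominator to five of twelve. The two gap lists are what a board slide should carry alongside the percentages: the registered hosts with no working agent point at an onboarding or decommissioning process, while the unregistered hosts show what the discovery feeds see that neither register does.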

The Question That Survives the Boardroom

This is why the question the CISO should be asking isn’t “what is our coverage?” but “what is our denominator?” Until that question has an owner, a definition, and a refresh cadence, every coverage metric reported up the chain is a confidence statement about the tool, not the environment. Boards are getting better at sensing this. The follow-up question — covered against what? — is the one that ends careers when it lands without an answer.

At Metric Maestro, we help security leaders build the aggregated KPI that holds up when the questions get sharper: a single, defensible coverage number derived from reconciled denominators across EDR, CMDB, identity, and cloud discovery. If your board deck still leads with a percentage from one console, we should talk about the second slide — the one that explains what that percentage actually means.