Formula used
Eligible Endpoints = Total Inventoried Endpoints − Approved Exclusions
Installed Coverage = Agents Installed ÷ Eligible Endpoints × 100
Reporting Coverage = Reporting Agents ÷ Eligible Endpoints × 100
Healthy Coverage = Healthy Agents ÷ Eligible Endpoints × 100
Compliant Coverage = Compliant Agents ÷ Eligible Endpoints × 100
Effective Protected Endpoints = minimum(Agents Installed, Reporting Agents, Healthy Agents, Compliant Agents)
Effective Coverage = Effective Protected Endpoints ÷ Eligible Endpoints × 100
Critical Coverage = Protected Critical Assets ÷ Total Critical Assets × 100
Stale Rate = Stale Agents ÷ Agents Installed × 100
Coverage Index = (Installed Coverage×0.28) + (Reporting Coverage×0.22) + (Healthy Coverage×0.20) + (Compliant Coverage×0.20) + (Critical Coverage×0.10) − (Stale Rate×0.15)
Coverage Gap = max(0, Target Coverage − Effective Coverage)
Residual Exposure = 100 − Coverage Index
How to use this calculator
- Enter the full number of inventoried endpoints currently tracked by your asset inventory.
- Add approved exclusions such as retired systems, lab devices, or short-term offboarding assets.
- Provide installed, reporting, healthy, and compliant agent counts from your endpoint protection platform.
- Enter stale agent count to reflect outdated or long-silent deployments.
- Add total critical assets and how many of them have verified protection.
- Set your target effective coverage percentage, then submit the form.
- Review the scorecards, results table, and Plotly chart above the form.
- Use the export buttons to save the result table in CSV or PDF format.
Example data table
| Business Unit | Total Endpoints | Exclusions | Installed | Reporting | Healthy | Compliant | Critical Protected |
|---|---|---|---|---|---|---|---|
| Corporate IT | 920 | 40 | 865 | 842 | 821 | 792 | 88 / 92 |
| Engineering | 730 | 28 | 691 | 672 | 650 | 624 | 64 / 68 |
| Remote Workforce | 610 | 36 | 548 | 503 | 476 | 451 | 39 / 45 |
| Servers | 240 | 6 | 234 | 228 | 223 | 218 | 218 / 225 |
This sample table helps security teams compare coverage maturity across different asset groups before remediation planning.
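
The formulas above applied to the rows of the sample table, as an added example that is not part of the original calculator. The stale-agent counts and the 95% target are constructed assumptions, since the table does not list them.

```python
from dataclasses import dataclass

@dataclass
class Unit:
    name: str
    total: int
    exclusions: int
    installed: int
    reporting: int
    healthy: int
    compliant: int
    crit_protected: int
    crit_total: int
    stale: int  # constructed: the sample table has no stale-agent column

def pct(num: float, den: float) -> float:
    """Percentage with a guard for an empty denominator."""
    return 100.0 * num / den if den > 0 else 0.0

def score(u: Unit, target: float = 95.0) -> dict:
    eligible = u.total - u.exclusions
    if eligible <= 0:
        raise ValueError(f"{u.name}: no eligible endpoints after exclusions")
    stages = {k: pct(getattr(u, k), eligible)
              for k in ("installed", "reporting", "healthy", "compliant")}
    # min() of the counts is an upper bound on endpoints meeting all four
    # conditions at once; it is exact when the stages nest
    # (compliant within healthy within reporting within installed).
    effective = pct(min(u.installed, u.reporting, u.healthy, u.compliant), eligible)
    critical = pct(u.crit_protected, u.crit_total)
    stale_rate = pct(u.stale, u.installed)
    index = (stages["installed"] * 0.28 + stages["reporting"] * 0.22
             + stages["healthy"] * 0.20 + stages["compliant"] * 0.20
             + critical * 0.10 - stale_rate * 0.15)
    return {"unit": u.name, "effective": effective, "critical": critical,
            "stale_rate": stale_rate, "index": index,
            "gap": max(0.0, target - effective), "residual": 100.0 - index}

# Rows from the example data table; the last value (stale) is constructed.
UNITS = [
    Unit("Corporate IT", 920, 40, 865, 842, 821, 792, 88, 92, 23),
    Unit("Engineering", 730, 28, 691, 672, 650, 624, 64, 68, 19),
    Unit("Remote Workforce", 610, 36, 548, 503, 476, 451, 39, 45, 45),
    Unit("Servers", 240, 6, 234, 228, 223, 218, 218, 225, 6),
]

def worst_gap(units=UNITS, target: float = 95.0) -> dict:
    """Business unit with the largest Coverage Gap against the target."""
    return max((score(u, target) for u in units), key=lambda r: r["gap"])
```

With these inputs Corporate IT shows 98.3% installed coverage but only 90.0% effective coverage, and Remote Workforce has the largest gap to target.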
FAQs
1) What does effective coverage mean?
Effective coverage measures endpoints that are installed, reporting, healthy, and compliant at the same time. It is stricter than simple installation coverage and better reflects real operational protection.
2) Why are approved exclusions removed first?
Some assets are intentionally out of scope, such as retired hardware or approved lab systems. Removing them gives a fairer denominator and prevents distorted coverage percentages.
3) Why track stale agents separately?
A stale agent may still appear installed, yet provide outdated telemetry or weak protection. Tracking stale deployments highlights hidden coverage decay and cleanup needs.
4) What is a good coverage index score?
Many teams aim for 85 or above, while mature environments often target 95 or more. Your actual threshold should match regulatory, threat, and operational requirements.
5) Why is critical asset coverage shown separately?
Critical assets usually carry higher business and security impact. A strong overall score can still hide serious gaps if important servers, domain controllers, or privileged systems remain unprotected.
6) Can this be used for EDR, AV, or unified agents?
Yes. The calculator works for endpoint detection, antivirus, vulnerability, or unified endpoint agents, as long as your counts reflect a consistent scope and policy standard.
7) What causes non-reporting agent gaps?
Common causes include network isolation, broken services, proxy issues, stale certificates, outdated versions, sensor crashes, or devices not checking in after long offline periods.
8) How often should teams recalculate coverage?
Weekly is useful for active remediation cycles. High-risk or fast-changing environments may benefit from daily recalculation, especially after large deployments, patch windows, or incident response events.