One of the oldest debates in security operations is deceptively simple: where do you put the sensor? On the endpoint — the laptop, the server — where you can see exactly what a program does? Or on the network, where you can see how machines talk to each other? Each camp has a real case, and each blind spot is the other's strength.

WithSecure's grant US12652295B2, "Arrangement and a method of threat detection in a computing device or a computer network" (issued June 9, 2026; CPC H04L 63/1416, anomaly detection, and H04L 63/1441, intrusion response), answers the debate in its own title: device or network. The method spans both vantage points, because the honest engineering answer to "endpoint or network" is "both, correlated."

Here is why neither alone is enough. Endpoint detection sees what a process does on one machine but is blind to the machine it cannot run on — a printer, an IoT sensor, an unmanaged device. Network detection sees every machine's traffic but cannot see what happens inside an encrypted session or on the local disk. An attacker who knows you only watch endpoints will live on the network; one who knows you only watch the network will hide inside an endpoint.

The practical takeaway for defenders: coverage is the product of where you can see, and gaps are where attackers settle. The value of a method spanning both is correlation — an event that looks innocent on the endpoint (a process opening a connection) and innocent on the network (one machine contacting another) can be plainly malicious when you line the two up. The whole is more than the sum, which is exactly why vendors patent the combination rather than either half.
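To make the correlation point concrete, here is an added example (not code from the patent or from WithSecure) that joins network flows to the endpoint events that opened them and labels each flow. The field layout, the 2-second matching window, the process names and the `EXPECTED` policy are all assumptions, and the telemetry is constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=2)  # assumed clock-skew tolerance between sensors
T0 = datetime(2026, 1, 1, 10, 0, 0)  # constructed base timestamp

# Constructed endpoint telemetry: (host, process, src_port, dst, dst_port, time)
ENDPOINT_EVENTS = [
    ("10.0.0.5", "backup-agent", 50111, "10.0.0.20", 445, T0),
    ("10.0.0.5", "pdf-viewer", 50222, "10.0.0.20", 445, T0 + timedelta(minutes=5)),
]
# Constructed network telemetry: (src, src_port, dst, dst_port, time)
NETWORK_FLOWS = [
    ("10.0.0.5", 50111, "10.0.0.20", 445, T0 + timedelta(seconds=1)),
    ("10.0.0.5", 50222, "10.0.0.20", 445, T0 + timedelta(minutes=5, seconds=1)),
    ("10.0.0.9", 40000, "10.0.0.20", 445, T0 + timedelta(minutes=9)),  # no agent on .9
]
# Assumed local policy: which processes are expected on which destination port.
EXPECTED = {445: {"backup-agent"}}


def correlate(events, flows, expected=EXPECTED, window=WINDOW):
    """Join each network flow to the endpoint event that opened it."""
    index = {}
    for host, proc, sport, dst, dport, when in events:
        index.setdefault((host, sport, dst, dport), []).append((when, proc))
    results = []
    for src, sport, dst, dport, when in flows:
        candidates = index.get((src, sport, dst, dport), [])
        proc = next((p for t, p in candidates if abs(t - when) <= window), None)
        if proc is None:
            verdict = "unattributed"  # traffic seen, but no endpoint visibility
        elif dport not in expected:
            verdict = "no_policy"
        elif proc in expected[dport]:
            verdict = "expected"
        else:
            verdict = "review"  # benign-looking on each feed, odd when joined
        results.append({"src": src, "dport": dport, "process": proc, "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in correlate(ENDPOINT_EVENTS, NETWORK_FLOWS):
        print(row)
```

The three constructed flows look identical to the network sensor; only the join separates the expected one, the one worth reviewing, and the one from a host with no endpoint sensor at all.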

One analogy, then it is gone: an endpoint sensor is a security camera inside each room; a network sensor is a camera on every hallway. Catch the burglar with either and you are lucky; catch them by watching the hallway feed and the room feed together and you can prove the path they took.

Why it matters for the beat: incident reconstruction — the kind that produces a credible breach disclosure — depends on having both feeds. A patent is a method, not a finished product, but this one reflects the settled consensus that the device-versus-network argument was always a false choice.