ThreatLocker is a well-known kernel-driver-based application control and ringfencing platform. Lavawall® delivers application control without a kernel driver, removing BSOD risk, eliminating cloud-callback dependencies, and surviving Remote Desktop Session Hosts where kernel-level agents typically struggle.
Where Lavawall® wins for MSPs
No kernel driver — there is no BSOD risk, no driver-signing dance, and no compatibility breakage when Microsoft ships a kernel update.
Works without callback to the cloud — critical for clients in remote, regulated, or air-gapped environments.
Pre-approves installers cleanly, not by file hash, so vendor updates don’t silently break your allowlist policy every Patch Tuesday.
Works on Remote Desktop Session Hosts where kernel-level agents historically fall over.
Runs standalone on any modern Windows fleet — no learning-mode aggregator or ringfencing model required to get value.
Bundled into the same console as patching, GRC, M365 breach detection, helpdesk, remote support, and replacement prioritization. One vendor, one bill, one platform.
Built by ThreeShield, an MSP and audit firm with CISSP and CISA certifications — designed first for our own clients.
Cross-platform endpoint coverage on Windows, macOS, and Linux from one agent and one console.
Where ThreatLocker wins
Mature ringfencing model that limits what allowed applications can do (network, registry, files, child processes) at a granular level.
Large existing MSP customer base with established workflows and 24/7 Cyber Hero support.
Strong learning-mode tooling for getting up and running on a noisy environment.
Established storage and elevation modules with detailed control surfaces.
Feature comparison
| Feature | Lavawall® | ThreatLocker |
|---|---|---|
| Kernel driver required | No | Yes |
| BSOD / kernel-bug-class risk | No | Possible — kernel-level code paths |
| Operates without cloud callback | Yes | Cloud-dependent for policy and learning |
| Remote Desktop Session Host (RDS) support | Yes — designed to work | Historically problematic |
| Pre-approval model | By signed installer, not file hash — survives vendor updates | Hash- and signature-driven; vendor updates can require re-tagging |
| Works alongside endpoint AV / EDR (Defender, Huntress, Sophos) | Yes — integrated and correlated | Yes |
| Bundled GRC framework mapping | 15+ frameworks including CMMC 2.0 | Add-on |
| Bundled patching across Windows / macOS / Linux | 7,500+ applications | Not included |
| Bundled M365 / Azure / Google Workspace breach detection | Yes | Not included |
| Bundled helpdesk and remote support | Yes — same console | Not included |
| Cross-platform (Windows, macOS, Linux) from one agent | Yes | Primarily Windows + macOS, with Linux server support |
| Pricing model | Bundled into Lavawall® tier; no minimums | Per-endpoint subscription, typically annual |
Who should pick which?
Pick Lavawall® if…
Your team has been burned by kernel-level agents in the past — bluescreens, signing-cert renewals, RDS host crashes, or driver-update outages.
You support clients in regulated or remote environments where reliable cloud callback cannot be assumed.
You want application control bundled with patching, GRC, breach detection, helpdesk, and remote support, not as a standalone seven-figure category-bet.
You have a heterogeneous fleet (Windows, macOS, Linux) and want one agent and one console covering all three.
You are an MSP focused on cyber-insurance readiness and audit-evidence collection rather than on building deep ringfence rule sets per client.
Pick ThreatLocker if…
You are committed to a kernel-level zero-trust ringfencing model and have the engineering bandwidth to maintain rule sets at scale.
You need ThreatLocker-specific modules (Storage Control, Elevation Control, Network Access Control) configured exactly the way ThreatLocker delivers them.
Your clients explicitly request ThreatLocker by name in their cyber-insurance questionnaires.
Frequently asked
- Why is "application control without a kernel driver" significant?
- Kernel-level agents have caused production outages across multiple endpoint security vendors over the past several years. Removing the kernel driver removes an entire class of failure mode (BSODs, driver-signing breakage on Microsoft updates, RDS-host instability) and reduces the privileged-code attack surface. Lavawall’s approach trades some of the surface depth of ringfencing for far higher reliability.
- Does Lavawall® support pre-approving installers?
- Yes — Lavawall® pre-approves by signed installer rather than by file hash, so vendor updates don’t silently break your allowlist on Patch Tuesday.
- Can I run ThreatLocker and Lavawall® together during evaluation?
- Yes. They monitor different surfaces and can coexist while you compare alert quality, policy maintenance burden, and end-user impact before deciding which to retire.
- What about elevation control?
- Lavawall® includes admin-elevation control for the cases where standard users must run a one-off action with admin rights — comparable to the AutoElevate use case — without an additional kernel-level driver.