Endpoint hardening: CIS Benchmark compliance, disable unnecessary services/accounts, enable FDE, host firewall rules, EDR deployment, application control, automatic updates, UAC, Credential Guard.
CIS Benchmark Level 1 = practical security baseline. Level 2 = higher security, more impact on usability. DISA STIGs are government requirements. Automated compliance checking (SCAP) validates hardening. Hardening reduces attack surface before attackers arrive — proactive defense.