Solution · Migrations

Out with the old.
Without the mess in the middle.

Migrations die in the overlap — parallel agents, parallel bills, parallel alerts nobody trusts. Panaptico maps feature parity, models the dual-run explicitly, gates cutover on signed readiness, and tracks the sunset until the old vendor is actually gone.

Migration Canvas · SEP-FALCON-2026-001 · Day 42 of 90
dual-run · 48d to cutover

Outgoing

Symantec Endpoint Protection

Active hosts
14,112
Annual cost
$1.24M
Policies
47
License ends
2026-08-15

Incoming

CrowdStrike Falcon

Deployed
8,940
Annual cost
$1.08M
Policies mapped
41
Integrations
12

Swap progress

8,940 / 14,112 hosts · 63%

Parity

4 caps

Adapted

4 caps

Retired

2 caps

Gap

1 cap

The gap

Migrations die in the middle.

01

The old vendor had options nobody remembers enabling

Feature archaeology is its own project. Half the policies that protect the business were toggled on by someone who left in 2022. Replacing the tool means discovering what the tool actually did.

02

Parallel running is parallel cost — and parallel alerts

Two agents, two consoles, two SIEM pipelines. The SOC sees every event twice and nobody trusts either one. Every week of overlap is a week of double bills.

03

Cutover is easy. Decommission is where migrations rot

The day the new system goes live, the project declares victory. Six months later the old vendor is still billing, still ingesting, still sending an audit report nobody reads.

Parity matrix

Feature parity isn’t 1:1. Your plan can’t pretend it is.

Every capability the outgoing vendor performs gets classified — kept, adapted, retired, or gap — and each classification ships with a plan signed by the owner who inherits it.

  • Real-time malware scanning

    SEP AV engine

    Falcon prevention

    parity

    feature-equivalent · signatures + NGAV

  • Behavioral detection

    SEP Insight / SONAR

    Falcon Charlotte AI

    adapted

    telemetry schema differs · queries rewritten

  • Application / device control

    SEP ADC policies

    Falcon USB / app groups

    parity

    23 rules auto-translated · 2 flagged for review

  • Firewall policy

    SEP client firewall

    Falcon firewall mgmt

    adapted

    syntax conversion · 47 rules → 41 rules

  • EDR / telemetry

    SEP EDR add-on

    Falcon Insight

    adapted

    SIEM schema migrated · Splunk TA swapped

  • Tamper protection

    SEP tamper

    Falcon sensor protection

    parity

    default on · policy exported

  • Disk encryption bind

    SEP + BitLocker hook

    Falcon + BitLocker hook

    parity

    recovery keys unchanged · Intune-held

  • Vulnerability scanning

    SEP Risk Insight

    Falcon Spotlight

    adapted

    CVSS model differs · thresholds re-signed

  • DLP (endpoint)

    SEP DLP module

    — not in Falcon

    retired

    moved to Netskope · separate project

  • Web / URL filtering

    SEP web control

    — not in Falcon

    retired

    Zscaler owns it · policy re-homed

  • Mobile device protection

    SEP Mobile

    — out of scope

    gap

    Intune MAM keeps mobile · documented exception

Coexistence

Old and new. Living together. On purpose.

The dual-run window is the riskiest stretch of any migration. Panaptico models it explicitly — which hosts run which agent, which alerts route to which console, how the overlap collapses day by day.

Symantec · outgoing · 100% → 0%
CrowdStrike Falcon · incoming · 0% → 100%

Pilot · d0
W1 starts · d10
Today · d42
SEP ramp-down · d60
Last SEP agent · d75
License ends · d90

Overlap window

65 days

Dual-running hosts

8,940

Alerts de-duped

27.4K / wk

Double-bill days

65 · approved

Cutover readiness

Cutover is a signature, not a surprise.

Overall

86%

6 dimensions · gates CISO sign

Data migrated

94%

SEP events → Falcon lake

180d of history archived · 30d of live events dual-written

Policy parity mapped

87%

47 → 41 rules

6 rules merged · 2 flagged for review · diff signed by CISO

Alert routes re-pointed

100%

9 SIEM + 3 ticketing

Splunk indices, ServiceNow queues, PagerDuty services · all swapped

SOC playbooks updated

62%

18 of 29 runbooks

Queries rewritten for Falcon schema · remaining 11 on SOC backlog

Teams trained

71%

117 of 164 analysts

3-session curriculum · Falcon Console + Charlotte + triage

Rollback runbook signed

100%

RB-MIG-0014

SEP re-enable path · 4-hour RTO · signed IT Lead + CISO

Sunset ledger

The second half of a migration.

Agents come off. Servers reclaim. Licenses terminate at renewal. Every asset the outgoing vendor touched gets a closing entry — with an owner, a date, and an evidence bundle that proves it's actually gone.

7 asset classes · all dated · $1.24M recovered

  • SEP endpoint agents

    14,112 hosts

    Uninstall wave · Day 75 – 90

    IT Ops

    Day 75–90

  • On-prem SEPM servers

    3 VMs

    Decommission · VMware reclaim

    Platform

    Day 92

  • Symantec license

    $1.24M / yr

    Terminate at renewal · procurement notified

    Procurement

    2026-08-15

  • SIEM TAs (Splunk)

    3 TAs

    Uninstall · dashboards re-pointed

    SecOps

    Day 78

  • Historical telemetry

    180 days

    Archive to cold storage · audit-retained 7y

    Data

    Day 80

  • Firewall ACL carve-outs

    23 rules

    Remove SEP update URLs · CHG-7491

    Network

    Day 88

  • Endpoint install records

    Ansible roles

    Archive repo · tag frozen · read-only

    Platform

    Day 95

Swap the vendor.
Keep the knowledge.

Panaptico runs the migration end-to-end — parity mapped, overlap modeled, cutover gated, sunset ledgered. Nothing rots in the middle.
