Why every engineer on our team runs Bitdefender (the March 2025 mandate)
Quick answer
In March 2025, after a near-miss where a clipboard-stealer almost exfiltrated client SFTP credentials from an engineer's machine, WebCare Studios made paid endpoint protection (Bitdefender) mandatory for every engineer who touches a client site. The mandate is part of a five-control internal baseline: endpoint AV, full-disk encryption, hardware-key MFA, password manager with shared vaults audit-logged, and a quarterly access review. Most agencies do not require this. We do, because one compromised engineer is a fleet-level incident.
What happened in March 2025
An engineer (not in our team, but contracting on a one-off discovery call) copied an SFTP password from a shared 1Password vault to a sandbox machine to test a backup restore.
The sandbox machine had a clipboard-stealer dormant from a months-old browser extension compromise. The credential was exfiltrated to a remote server within seconds of being copied.
We detected the unusual SFTP login attempt from a Romanian IP 14 minutes later via the client's monitoring, rotated every credential the contractor had touched in the previous 90 days, and locked their access.
No client data was lost. No production site was compromised. But it was the closest call we had had in years, and it was preventable.
The 5-control baseline we now require
Endpoint protection: Bitdefender or equivalent paid AV with real-time scanning, web shield, and ransomware monitoring. Free AV is not acceptable for engineers touching client production systems.
Full-disk encryption: FileVault on macOS, BitLocker on Windows, LUKS on Linux. Enforced and verified at onboarding.
Hardware-key MFA: YubiKey or equivalent FIDO2 for every account that can touch a client site (1Password, GitHub, hosting dashboards, WordPress admin where possible).
Shared password vault with audit log: 1Password Business with credential access logged per engineer. No personal storage of client credentials. Ever.
Quarterly access review: every quarter, we audit which engineer has access to which client and revoke anything stale. Departing engineers lose all access within 24 hours.
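The vault audit log in this baseline is what lets you tie a credential reveal to its first use. As an added example (not WebCare's monitoring, not any product's real log format), the function below correlates a constructed vault audit entry with constructed SFTP auth log lines and flags a login for that account from outside the client's allowlisted networks within a short window of the reveal, the same pattern that caught the March 2025 attempt:

```python
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample events (hypothetical formats, not 1Password's or any real sshd deployment's):
# an engineer reveals a client's SFTP item in the shared vault, then that account logs in twice.
VAULT_AUDIT = [
    "2025-03-12T10:02:11Z engineer=contractor-07 action=reveal item=client-acme/sftp",
]
SFTP_AUTH_LOG = [
    "2025-03-12T09:50:03Z sshd: Accepted publickey for acme-sftp from 198.51.100.7 port 40022",
    "2025-03-12T10:16:40Z sshd: Accepted password for acme-sftp from 203.0.113.45 port 51422",
]
# Networks the maintenance team legitimately connects from, per vault item (constructed).
ALLOWED_NETWORKS = {"client-acme/sftp": [ipaddress.ip_network("198.51.100.0/24")]}
# Which account on the client host a vault item unlocks (constructed mapping).
ITEM_TO_ACCOUNT = {"client-acme/sftp": "acme-sftp"}

VAULT_RE = re.compile(r"^(\S+) engineer=(\S+) action=reveal item=(\S+)$")
SFTP_RE = re.compile(r"^(\S+) sshd: Accepted \S+ for (\S+) from (\S+) port \d+$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(vault_lines, auth_lines, window=timedelta(minutes=30)):
    """Return one alert per login that uses a just-revealed credential from an
    IP outside the client's allowlist within `window` of the reveal."""
    reveals = [(_ts(m[1]), m[2], m[3])
               for m in (VAULT_RE.match(l) for l in vault_lines) if m]
    alerts = []
    for line in auth_lines:
        m = SFTP_RE.match(line)
        if not m:
            continue
        login_at, account, ip = _ts(m[1]), m[2], ipaddress.ip_address(m[3])
        for seen_at, engineer, item in reveals:
            if ITEM_TO_ACCOUNT.get(item) != account:
                continue                      # different credential, not this reveal
            if not (seen_at <= login_at <= seen_at + window):
                continue                      # login predates the reveal or is too late
            if any(ip in net for net in ALLOWED_NETWORKS.get(item, [])):
                continue                      # expected source network, no alert
            alerts.append({"engineer": engineer, "item": item, "ip": str(ip),
                           "minutes_after_reveal": int((login_at - seen_at).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(VAULT_AUDIT, SFTP_AUTH_LOG):
        print("ROTATE credential and lock engineer:", alert)
```

The alert names the engineer whose reveal preceded the login, which is exactly the scope you rotate and revoke first.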
Why this is a client-facing decision, not just an internal one
Your maintenance provider is a privileged tenant on your site. They hold the keys. The security posture of the engineer's laptop is part of your attack surface, whether you can see it or not.
Most agencies do not publicise their internal security baseline because they do not have one. Ask any provider you are evaluating: 'What is required on every engineer's machine?' The quality of the answer tells you everything.
We publish ours so prospective clients can compare. If you are an agency owner evaluating outsourcing partners, this is the kind of question that separates real engineering operations from a freelancer network.
What we changed in our onboarding
Every new engineer's machine is verified against the 5-control baseline on day 1. No client access until verified.
We dropped two contractor relationships in 2025 because they would not meet the baseline. Short-term revenue cost, long-term trust win.
We added a 'security baseline current as of' field to every engineer's internal profile. It is reviewed quarterly. Anything older than 90 days triggers a re-verification.
Why we name the vendor (Bitdefender) publicly
Naming a specific product is a credibility signal, not an endorsement deal. Bitdefender consistently ranks at the top of AV-Comparatives and AV-TEST independent tests; it is the product we pay for and run.
If you prefer a different paid AV (ESET, Kaspersky outside sanctioned regions, Sophos, CrowdStrike for the enterprise tier), the mandate is paid endpoint protection from a top-tier vendor, not Bitdefender specifically. The brand matters less than the discipline of paying for and running it.
Common questions
Was any client data lost in the March 2025 incident?
No. The credential was rotated 14 minutes after exfiltration and the attacker never reached a production site. No client data was exfiltrated or modified. We still treated it as a near-miss serious enough to mandate the new baseline.
Will my maintenance contract show this baseline?
Yes. We can include the 5-control attestation in the contract on request. Larger agency and enterprise clients usually want it; smaller clients often do not ask, but the baseline is in place either way.
Do you do penetration testing on your own systems?
Yes, annually via a third-party. Report summaries are available under NDA for clients who request them as part of vendor due diligence.
What about MacBooks with built-in XProtect? Is that enough?
No. XProtect is signature-based and reactive: it catches known malware families but not novel behaviour. Paid endpoint AV adds behavioural detection, web shield, ransomware monitoring, and centralised reporting. For engineers handling client production credentials, that gap matters.
Are you certified (ISO 27001, SOC 2)?
We are working toward SOC 2 Type 1 for 2027. The 5-control baseline is part of the preparation. We do not claim certifications we do not hold.