Kostas

Why Your EDR Needs a Partner: The Case for Application Control How threat intelligence-aware application control fills the gaps that EDR leaves open

...the missing layer.

Full write-up: www.edr-telemetry.com/blog/Why-You...

Why Your EDR Needs a Partner: The Case for Application Control How threat intelligence-aware application control fills the gaps that EDR leaves open

At EDR Telemetry project, we spend a lot of time measuring what EDRs can see. This article is about what they still cannot safely stop.

From LOLBAS to vulnerable drivers to unauthorized RMMs, I walk through the real-world gaps we keep seeing in telemetry and why application control is...

In the screenshot below, you can see an example of this Skill in use (I'm using GPT 5.2-low in Codex)

Link to the skill: github.com/tsale/awesom...

We have added a new analysis Skill thanks to @BlueTeamSteve! This skill can be used to quickly and accurately map the MITRE ATT&CK tactic and technique to threat behaviors and indicators you enter in the prompt, saving you a ton of time!

EDR Comparison - Compare Endpoint Detection & Response Solutions Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.

We’ve also expanded 𝗘𝗻𝘁𝗲𝗿𝗽𝗿𝗶𝘀𝗲 options for organizations that need additional flexibility, scale, and support on top of the Advanced tier.

Check out the new tiers now: www.edr-comparison.com/pricing

EDR Comparison - Compare Endpoint Detection & Response Solutions Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.

𝗪𝗮𝘁𝗰𝗵𝗚𝘂𝗮𝗿𝗱 𝗘𝗗𝗥. We’ve also introduced 𝗕𝗮𝘀𝗶𝗰 𝗮𝗻𝗱 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝘁𝗶𝗲𝗿𝘀 to better reflect how different users engage with the platform. With the 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝘁𝗶𝗲𝗿, we’re introducing a deep dive into the technical justification and expert analysis behind every single feature in our comparison.

Since launching in November, the platform has already helped hundreds of consultants and enterprises navigate the complexity of EDR selection.

This release pushes things forward with a cleaner comparison UX, deeper evaluation context using MITRE ATT&CK evaluation data, and a new vendor added:

EDR Comparison - Compare Endpoint Detection & Response Solutions Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.

𝗘𝗗𝗥 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 𝗨𝗽𝗱𝗮𝘁𝗲: 𝗡𝗲𝘄 𝗜𝗻𝘁𝗲𝗿𝗮𝗰𝘁𝗶𝘃𝗲 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗘𝘅𝗽𝗲𝗿𝗶𝗲𝗻𝗰𝗲, 𝗠𝗜𝗧𝗥𝗘 𝗔𝗧𝗧&𝗖𝗞 𝗜𝗻𝘀𝗶𝗴𝗵𝘁𝘀, 𝗮𝗻𝗱 𝗪𝗮𝘁𝗰𝗵𝗚𝘂𝗮𝗿𝗱 𝗘𝗗𝗥

We want to start by thanking everyone who supported us as early adopters.

Feel free to contribute and use these skills to save a ton of time, like we already do.

github.com/tsale/awesom...

Learn about skills:
- developers.openai.com/codex/skills/
- support.claude.com/en/articles/...

𝗝𝘂𝘀𝘁 𝗹𝗮𝘂𝗻𝗰𝗵𝗲𝗱 𝗮𝘄𝗲𝘀𝗼𝗺𝗲-𝗱𝗳𝗶𝗿-𝘀𝗸𝗶𝗹𝗹𝘀 𝘄𝗶𝘁𝗵 @fr0gger_ !

Designed to save time during investigations and everyday DFIR tasks

Thomas has built an excellent malware triage skill, and I’ve added a couple of timeline analysis skills to help you get started.

github.com/tsale/EDR-Te...

This is exactly the kind of vendor collaboration the project aims to promote.
PR with full details and artifacts:

github.com/tsale/EDR-Te...

Big thanks to the C-Prot team for setting a strong example for Linux EDR transparency.

environment, validated event mappings, and published the raw logs from the evaluation so the community can independently verify everything.

Artifacts included:

• Real production telemetry logs
• Some screenshots from the platform

Validation material to reproduce the results can be found under

Add C-Prot telemetry coverage to Linux EDR telemetry matrix by tsale · Pull Request #151 · tsale/EDR-Telemetry EDR Telemetry Pull Request Contribution Details Adding comprehensive Linux telemetry support for C-Prot EDR, including detailed event mappings, field explanations, and validation artifacts. This co...

We’ve just added 𝗖-𝗣𝗿𝗼𝘁 EDR to the EDR Telemetry Project and it sets a new bar for Linux telemetry!

C-Prot is currently #1 in the Linux EDR table, with exceptional depth and quality of raw telemetry. What really stands out is the level of transparency: we got direct access to a production...

What are Skills? | Claude Help Center Skills are available as a feature preview for users on Pro, Max, Team, and Enterprise plans. This feature preview requires code execution to be enabled. Skills are also available in beta for Claude…

Be careful what you install and avoid using skills from unknown or unverified libraries.

Read more about skills here:
- support.claude.com/en/articles/...
- developers.openai.com/codex/skills/

What are Skills? | Claude Help Center Skills are available as a feature preview for users on Pro, Max, Team, and Enterprise plans. This feature preview requires code execution to be enabled. Skills are also available in beta for Claude…

One quick caveat tho, as skills libraries become more popular, where you will be able to search and find the right skill you want to install, we’re likely going to see malicious skills pop up that download and execute malware...

Agent Skills Give Codex new capabilities and expertise

Claude set a strong bar for structured, workflow-driven AI usage, and it’s no surprise we’re now seeing similar ideas across other platforms like OpenAI.

I’ve built DFIR and quick triage workflows that save me hours every time! The time savings really add up, and it’s completely changed how I work.

Pretty 😍

Merry Christmas everyone! Hope everyone’s enjoying some downtime 🎄

Much of it remains applicable today, along with the threat hunting series, which I’m especially proud of.

Cobalt Strike, a Defender's Guide - Part 2 The second part of the Cobalt Strike defender's guide, focusing on network traffic analysis and practical detection methods to identify Cobalt Strike beacons in your environment.

I’ve moved all of my blog posts from Medium to a new blog section on my personal website.

If you’re looking for a good read, I’d recommend my Cobalt Strike write-ups (Part 1 & Part 2) from 2021–2022.

kostas.page/blog/cobalt-...

Don't be naive. They will get rid of you at the first opportunity they find.

Many large companies are using AI and forcing their employees to use their AI models. They do this to train their AI models, getting them ready to replace many low-level analyst positions.

If you are a security analyst in one of these big organizations, you need to have plan B….

Haha thank you, man! Appreciate you. Jokes aside, having passion and doing what you love is a big motivator. Helping people is also another one. At the end, we all come out winners.

Ah, dammit! I think that might be an issue with the mobile version of the website. I'll check it out and fix it. Thank you very much! I guess this adds an element of challenge for signing up 😂

Regarding your question, it's easy, I don't sleep 😂

ThreatHunting Labs | Real Intrusion Training Hands-on threat hunting labs built from real intrusions, not simulations. Join the waitlist for early access.

The waitlist will close once a certain number of people have signed up and may reopen later if more testers are needed.

This is something I wish existed when I was starting in the industry, and something I still want today.

Register now, and more details soon.

threathuntinglabs.com

ThreatHunting Labs | Real Intrusion Training Hands-on threat hunting labs built from real intrusions, not simulations. Join the waitlist for early access.

• Work directly in 𝗘𝗹𝗮𝘀𝘁𝗶𝗰, 𝗦𝗽𝗹𝘂𝗻𝗸, 𝗼𝗿 𝗔𝘇𝘂𝗿𝗲 𝗗𝗮𝘁𝗮 𝗘𝘅𝗽𝗹𝗼𝗿𝗲𝗿 and learn to investigate and hunt using hypotheses.

𝗧𝗵𝗲 𝘄𝗮𝗶𝘁𝗹𝗶𝘀𝘁 𝗶𝘀 𝗻𝗼𝘄 𝗼𝗽𝗲𝗻!!

Those who sign up will receive a founders discount, early beta access, and the opportunity to provide feedback during development.

ThreatHunting Labs | Real Intrusion Training Hands-on threat hunting labs built from real intrusions, not simulations. Join the waitlist for early access.

actually work, not another set of CTF-like labs or check-the-box exercises.

• 𝗖𝗵𝗼𝗼𝘀𝗲 𝘆𝗼𝘂𝗿 𝗼𝘄𝗻 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗶𝗻𝘃𝗲𝘀𝘁𝗶𝗴𝗮𝘁𝗶𝗼𝗻 𝗽𝗮𝘁𝗵: your choices determine how the investigation unfolds.
• 𝗡𝗼 𝗺𝗼𝗿𝗲 𝗸𝗲𝘆𝘄𝗼𝗿𝗱 𝗺𝗮𝘁𝗰𝗵𝗶𝗻𝗴. Answers are evaluated on intent and accuracy.

ThreatHunting Labs | Real Intrusion Training Hands-on threat hunting labs built from real intrusions, not simulations. Join the waitlist for early access.

📢 𝗜’𝗺 𝗮𝗻𝗻𝗼𝘂𝗻𝗰𝗶𝗻𝗴 𝗧𝗵𝗿𝗲𝗮𝘁 𝗛𝘂𝗻𝘁𝗶𝗻𝗴 𝗟𝗮𝗯𝘀, 𝗹𝗮𝘂𝗻𝗰𝗵𝗶𝗻𝗴 𝗻𝗲𝘅𝘁 𝘆𝗲𝗮𝗿!

After building threat hunting teams for large MSSPs, creating DFIR Labs for TheDFIRReport, and sharing years of free threat hunting material, I want to bring everything together into one platform. Something closer to how investigations...

Behind the Curtain: How the EDR Telemetry Project Approaches Vendor Relations, Evaluations, and Transparency Introducing transparency indicators and explaining how we validate telemetry while staying independent.

However, those improvements still need to be interpreted in context, and understanding the access used during evaluation for additional context.

This post explains what changed and why: www.edr-telemetry.com/blog/Behind-...