
When EDR Goes Dark: Why Network Visibility is Your Last Line of Truth

I've spent a significant part of my career participating in NATO cyber defense exercises - large-scale, red team/blue team operations designed to stress-test the real-world resilience of enterprise security stacks across allied nations. These are serious exercises, with serious adversary simulations. And one pattern repeats itself with remarkable consistency across nearly every engagement I've been part of: the red team neutralizes EDR early.

Not occasionally. Not as a fallback. As a deliberate, planned first step in the attack chain.

That experience shaped how I think about enterprise security architecture. So when ESET published research last week documenting 54 distinct "EDR killer" tools actively in use across ransomware campaigns - exploiting 34 signed, legitimate drivers to gain kernel-level access and silently disable endpoint protection before encryption runs - I wasn't surprised. I was validated.

This is not a theoretical risk. It is operational tradecraft.

The Endpoint is the Target

Endpoint detection and response has been the centerpiece of enterprise security investment for the better part of a decade, and for good reason. Modern EDR platforms offer deep behavioral visibility, fast detection, automated response, and increasingly, AI-assisted threat analysis. Tools like SentinelOne's Singularity have genuinely raised the bar for what endpoint security can do.

But that success has made EDR the primary obstacle adversaries want to remove.

The ESET research describes an extremely mature ecosystem of tools purpose-built to do exactly that. Using a technique known as Bring Your Own Vulnerable Driver (BYOVD), attackers load a legitimate, signed (but vulnerable) kernel driver onto a target system. Because the driver is signed by a trusted vendor, it bypasses standard controls. Once loaded, the attacker weaponizes the driver's kernel-mode access to terminate EDR processes, disable security services, and tamper with the callbacks that allow endpoint agents to observe system activity.

The result: your endpoint protection goes dark, silently, before the ransomware payload ever executes.

What struck me most in the ESET analysis is how industrialized this has become. These aren't bespoke, nation-state-only capabilities. They are commoditized tools sold on underground marketplaces, forked from public proof-of-concept code, and embedded directly into ransomware-as-a-service affiliate toolkits.

The sophistication barrier is low.

The availability is high.

And the motivation to use them is clear: encryptors are inherently noisy, but a well-executed EDR kill buys an attacker the silence they need.

What NATO Exercises Taught Me

In the exercises I've participated in, the blue team typically enters with a high degree of confidence in their endpoint stack. They've deployed agents widely, tuned their policies, and built playbooks around EDR alerts. And in the first few hours, that confidence feels justified - the EDR is catching things, generating telemetry, feeding the SOC.

Then the red team pivots.

The attack chain shifts toward kernel-level techniques. The red team either bypasses the installed EDR or disables it altogether. The telemetry from the EDR goes quiet. And suddenly the blue team is flying blind - not because the attacker disappeared, but because the sensor they were relying on was taken offline.

What determines whether the blue team recovers - or doesn't - is almost always the same factor: whether they have independent visibility that doesn't depend on the endpoint agent being alive.

The network doesn't lie. Even when endpoint controls are compromised, the attacker still has to move through the infrastructure. Lateral movement leaves traces. Command-and-control traffic traverses the wire. Unusual protocol behavior, anomalous connection patterns, and staging activity all remain visible to a well-deployed network detection and response solution - because NDR operates independently of anything running on the endpoint. Additionally, an NDR sensor sits out of band, observing a mirrored copy of the traffic rather than running on the compromised host, so the kernel-level tampering that silences an endpoint agent never reaches it.

In exercises where NDR was in the stack, teams were able to detect and respond to the attack chain even after EDR had been silenced or bypassed. In exercises where it wasn't, the red team typically had a much easier job.

Two Threat Stories, One Strategic Conclusion

The ESET research is one half of a deeply unsettling picture that emerged this week. The other half comes from the US CISA, which issued an alert following the March 11 cyberattack on medical technology firm Stryker Corporation - attributed to the Iranian-linked Handala group. That attack reportedly wiped over 200,000 corporate devices and exfiltrated terabytes of data, not by deploying traditional malware, but by compromising Microsoft Intune and weaponizing the endpoint management platform itself against the organization.

Read these two stories together, and the message is stark: sophisticated adversaries are specifically engineering their operations to operate in the spaces where endpoint-centric controls are blind, compromised, or turned against their owners.

ESET put it clearly in their research: organizations need detection strategies that monitor, flag, contain, and remediate threats at every stage of the attack lifecycle. That language is important. Every stage. Not just the stages where your endpoint agent happens to still be running.

NDR is Not a Replacement - It's the Independent Layer

I want to be clear about something: none of this is an argument against EDR. The right answer is not to choose between endpoint visibility and network visibility. It is to insist on both - with neither layer depending on the integrity of the other to function.

EDR and NDR are complementary controls, not competing ones. EDR gives you deep process-level telemetry on the host. NDR gives you an independent, tamper-resistant view of what is traversing the network. When they work together, correlated detections become far more confident and far harder for an attacker to evade. When the endpoint agent goes dark, the network layer continues watching.
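The two preceding points, that the network keeps watching after the agent is silenced and that correlating the two layers produces higher-confidence detections, can be turned into a concrete check. The script below is an added example, not Stamus Networks, Clear NDR or Suricata code: it takes EDR agent heartbeat records and network flow records (shaped loosely like Suricata EVE "flow" events, but the field names and the sample data are constructed for this illustration) and flags hosts whose agent has stopped reporting while the wire still shows them talking, raising the severity when the post-silence traffic looks like lateral movement. The silence window, the port-to-protocol mapping and the hostnames are assumptions.

```python
"""Flag hosts whose EDR agent has gone quiet while the network still sees them.

Added example, not Stamus Networks or Suricata code. It assumes two inputs:
EDR heartbeat records (host, ip, ts) and network flow records shaped loosely
like Suricata EVE 'flow' events (src_ip, dest_ip, dest_port, timestamp).
All sample records below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Destination ports commonly associated with remote-admin / lateral-movement
# protocols. The mapping is an assumption for this example, not a standard.
LATERAL_PORTS = {135: "rpc", 22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_heartbeats(heartbeats):
    """Return {ip: (host, latest heartbeat time)} from EDR agent check-ins."""
    latest = {}
    for hb in heartbeats:
        ts = parse_ts(hb["ts"])
        if hb["ip"] not in latest or ts > latest[hb["ip"]][1]:
            latest[hb["ip"]] = (hb["host"], ts)
    return latest


def find_dark_hosts(heartbeats, flows, now, silence=timedelta(minutes=5)):
    """Correlate agent silence with network activity.

    A host is 'dark' when its last heartbeat is older than `silence` AND the
    network has seen flows from it since that heartbeat. Silence with no
    traffic is more likely a powered-off machine and is not reported here.
    Hosts that never sent a heartbeat are out of scope for this check.
    """
    reports = {}
    for ip, (host, last_ts) in last_heartbeats(heartbeats).items():
        if now - last_ts < silence:
            continue  # agent still reporting normally
        after = [f for f in flows
                 if f["src_ip"] == ip and parse_ts(f["timestamp"]) > last_ts]
        if not after:
            continue
        lateral = [f for f in after if f["dest_port"] in LATERAL_PORTS]
        reports[host] = {
            "ip": ip,
            "last_heartbeat": last_ts.isoformat(),
            "flows_after_silence": len(after),
            "lateral_flows": len(lateral),
            "lateral_peers": sorted({f["dest_ip"] for f in lateral}),
            "protocols": sorted({LATERAL_PORTS[f["dest_port"]] for f in lateral}),
            "severity": "high" if lateral else "medium",
        }
    return reports


# Constructed sample telemetry: ws-01's agent stops at 09:02 and the host then
# fans out over SMB/RDP; srv-03's agent stops but only an outbound TLS flow
# follows; ws-02 keeps reporting the whole time.
SAMPLE_HEARTBEATS = [
    {"host": "ws-01", "ip": "10.0.0.11", "ts": f"2026-03-18T09:0{m}:00Z"} for m in range(0, 3)
] + [
    {"host": "ws-02", "ip": "10.0.0.12", "ts": f"2026-03-18T09:0{m}:00Z"} for m in range(0, 10)
] + [
    {"host": "srv-03", "ip": "10.0.0.30", "ts": f"2026-03-18T09:0{m}:00Z"} for m in range(0, 4)
]

SAMPLE_FLOWS = [
    {"timestamp": "2026-03-18T09:01:00Z", "src_ip": "10.0.0.11", "dest_ip": "10.0.0.5", "dest_port": 443},
    {"timestamp": "2026-03-18T09:05:00Z", "src_ip": "10.0.0.11", "dest_ip": "10.0.0.20", "dest_port": 445},
    {"timestamp": "2026-03-18T09:06:00Z", "src_ip": "10.0.0.11", "dest_ip": "10.0.0.21", "dest_port": 3389},
    {"timestamp": "2026-03-18T09:07:00Z", "src_ip": "10.0.0.11", "dest_ip": "10.0.0.22", "dest_port": 445},
    {"timestamp": "2026-03-18T09:08:00Z", "src_ip": "10.0.0.12", "dest_ip": "10.0.0.50", "dest_port": 443},
    {"timestamp": "2026-03-18T09:06:00Z", "src_ip": "10.0.0.30", "dest_ip": "203.0.113.10", "dest_port": 443},
]


def run_sample():
    """Evaluate the constructed sample at 09:10 with a five-minute silence window."""
    return find_dark_hosts(SAMPLE_HEARTBEATS, SAMPLE_FLOWS, now=parse_ts("2026-03-18T09:10:00Z"))


if __name__ == "__main__":
    for host, report in run_sample().items():
        print(host, report)
```

On the sample, ws-01 is reported at high severity (agent silent for eight minutes, three SMB/RDP flows to three new peers afterwards), srv-03 at medium (silent, but only a single outbound TLS flow), and ws-02 is not reported because its agent is still checking in. The important design choice is that the check is driven from the network side: it needs nothing from the endpoint except the last heartbeat it managed to send, which is exactly the information that survives an EDR kill.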

At Stamus Networks, this is the architectural conviction behind Clear NDR®: network-level detection built on the depth and community heritage of Suricata, delivering high-fidelity, explainable detections that security teams can act on - even when, and especially when, endpoint controls have been circumvented.

The adversaries have already figured out how to kill your EDR. The question is whether you have a security layer that survives that kill.

Read the ESET research on EDR killers: https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html

Read the CISA alert on endpoint management hardening: https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization


Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at Open Network Security Foundation (OISF). Peter has over 20 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.
