SecTor 2025 | EDR Bypass Testing: A Systematic Approach to Validating Endpoint Defenses
Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity strategies. However, their very success has made them prime targets for attackers who now routinely incorporate EDR evasion and bypass techniques into their toolsets, as evidenced by recent cybercrime leaks. This escalating threat necessitates a shift from reactive defense to proactive, systematic validation of EDR capabilities.
This presentation will detail the comprehensive EDR bypass tracking and testing program developed and implemented at eSentire. We will explore the common EDR attack surfaces (user-mode components such as injected hooking DLLs, kernel callbacks, and tamper protections such as Protected Process Light (PPL)) and the general bypass methodologies aimed at each. The core of the talk will introduce our systematic approach, including the EDR Bypass Matrix, an internal framework for tracking techniques and test results across the group of EDR products we support. We will showcase our custom testing methodology and automation infrastructure (including a Sandbox Manager application), and provide concrete examples of bypasses, along with their variants and mitigation strategies. The session aims to equip attendees with insights into building robust EDR testing programs and fostering a more resilient security posture.
By:
Jacob Gajek | Principal Security Researcher, eSentire
Ryan Hasmatali | Software Developer, eSentire
Presentation Materials Available at:
https://blackhat.com/sector/2025/briefings/schedule/?#edr-bypass-testing-a-systematic-approach-to-validating-endpoint-defenses-47686