Kostas
@kostastsale.bsky.social
Running ➡ http://defendpoint.ca | http://edr-telemetry.com | https://edr-comparison.com/ | http://detectionstream.com | 🇬🇷🇨🇦
I just finished a big update for the EDR Telemetry website. We’re preparing for many exciting updates and want to make sure we’re ready 🙂
Check it out and let me know what you think - www.edr-telemetry.com
Check it out and let me know what you think - www.edr-telemetry.com
EDR Telemetry Project: Transparent Benchmarking & Telemetry Analysis for Businesses
Explore transparent, vendor-neutral EDR telemetry benchmarks. Make confident security decisions with real-world data and practical analysis for your business.
www.edr-telemetry.com
November 22, 2025 at 10:47 PM
I just finished a big update for the EDR Telemetry website. We’re preparing for many exciting updates and want to make sure we’re ready 🙂
Check it out and let me know what you think - www.edr-telemetry.com
Check it out and let me know what you think - www.edr-telemetry.com
I'm reviving Teletracker. Missed working on it and it deserved a second life.
I'm rt is way more useful for investigations. Drop in a bot token from malware and see threat actor comms directly from a clean web interface.
Demo video attached. Let me know your thoughts!
I'm rt is way more useful for investigations. Drop in a bot token from malware and see threat actor comms directly from a clean web interface.
Demo video attached. Let me know your thoughts!
November 20, 2025 at 9:14 PM
I'm reviving Teletracker. Missed working on it and it deserved a second life.
I'm rt is way more useful for investigations. Drop in a bot token from malware and see threat actor comms directly from a clean web interface.
Demo video attached. Let me know your thoughts!
I'm rt is way more useful for investigations. Drop in a bot token from malware and see threat actor comms directly from a clean web interface.
Demo video attached. Let me know your thoughts!
𝗦𝘂𝗿𝗶𝗰𝗮𝘁𝗮 𝗶𝘀 𝗻𝗼𝘄 𝗽𝗮𝗿𝘁 𝗼𝗳 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺 𝘄𝗶𝘁𝗵 𝗽𝗹𝗮𝘆𝗴𝗿𝗼𝘂𝗻𝗱𝘀 𝗮𝗻𝗱 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀!
Big update for anyone working on network detections.
𝗜𝗻𝗰𝗹𝘂𝗱𝗲𝗱:
• 45k+ ET rules available out of the box
• Full ET Open ruleset preloaded
• Build and validate custom Suricata rules
Big update for anyone working on network detections.
𝗜𝗻𝗰𝗹𝘂𝗱𝗲𝗱:
• 45k+ ET rules available out of the box
• Full ET Open ruleset preloaded
• Build and validate custom Suricata rules
DetectionStream Just Got a Major Upgrade: Suricata Integration is Here!
I’m excited to share some big news! We’ve just rolled out a massive update to DetectionStream, and it’s one that I had planned to add for a…
kostas-ts.medium.com
November 20, 2025 at 5:37 PM
𝗦𝘂𝗿𝗶𝗰𝗮𝘁𝗮 𝗶𝘀 𝗻𝗼𝘄 𝗽𝗮𝗿𝘁 𝗼𝗳 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺 𝘄𝗶𝘁𝗵 𝗽𝗹𝗮𝘆𝗴𝗿𝗼𝘂𝗻𝗱𝘀 𝗮𝗻𝗱 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀!
Big update for anyone working on network detections.
𝗜𝗻𝗰𝗹𝘂𝗱𝗲𝗱:
• 45k+ ET rules available out of the box
• Full ET Open ruleset preloaded
• Build and validate custom Suricata rules
Big update for anyone working on network detections.
𝗜𝗻𝗰𝗹𝘂𝗱𝗲𝗱:
• 45k+ ET rules available out of the box
• Full ET Open ruleset preloaded
• Build and validate custom Suricata rules
Cloud Flare’s outage yesterday came down to one thing. A feature file in Bot Management quietly doubled in size and blew past an internal limit, which cascaded across their proxies.
Full writeup ➡️ blog.cloudflare.com/18-november-...
Full writeup ➡️ blog.cloudflare.com/18-november-...
Cloudflare outage on November 18, 2025
Cloudflare suffered a service outage on November 18, 2025. The outage was triggered by a bug in generation logic for a Bot Management feature file causing many Cloudflare services to be affected.
blog.cloudflare.com
November 19, 2025 at 4:25 PM
Cloud Flare’s outage yesterday came down to one thing. A feature file in Bot Management quietly doubled in size and blew past an internal limit, which cascaded across their proxies.
Full writeup ➡️ blog.cloudflare.com/18-november-...
Full writeup ➡️ blog.cloudflare.com/18-november-...
Me trying to launch my new EDR comparison service while Cloudflare has an outage🤦♂️
a group of people are standing on a track and one of them is wearing a red hat .
ALT: a group of people are standing on a track and one of them is wearing a red hat .
media.tenor.com
November 19, 2025 at 12:00 AM
Me trying to launch my new EDR comparison service while Cloudflare has an outage🤦♂️
🚀 𝗧𝗵𝗲 𝗘𝗗𝗥 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗶𝘀 𝗻𝗼𝘄 𝗹𝗶𝘃𝗲.
If you’ve been following the EDR Telemetry Project, this is the next step:
A full breakdown of how each EDR actually implements its features.
🔥 𝗟𝗶𝗳𝗲𝘁𝗶𝗺𝗲 𝗮𝗰𝗰𝗲𝘀𝘀 𝗮𝘃𝗮𝗶𝗹𝗮𝗯𝗹𝗲 𝗳𝗼𝗿 𝗲𝗮𝗿𝗹𝘆 𝗮𝗱𝗼𝗽𝘁𝗲𝗿𝘀 (𝗹𝗶𝗺𝗶𝘁𝗲𝗱 𝘁𝗶𝗺𝗲).
Intro blog: edr-comparison.com/blog/navigat...
If you’ve been following the EDR Telemetry Project, this is the next step:
A full breakdown of how each EDR actually implements its features.
🔥 𝗟𝗶𝗳𝗲𝘁𝗶𝗺𝗲 𝗮𝗰𝗰𝗲𝘀𝘀 𝗮𝘃𝗮𝗶𝗹𝗮𝗯𝗹𝗲 𝗳𝗼𝗿 𝗲𝗮𝗿𝗹𝘆 𝗮𝗱𝗼𝗽𝘁𝗲𝗿𝘀 (𝗹𝗶𝗺𝗶𝘁𝗲𝗱 𝘁𝗶𝗺𝗲).
Intro blog: edr-comparison.com/blog/navigat...
EDR Comparison - Compare Endpoint Detection & Response Solutions
Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.
edr-comparison.com
November 18, 2025 at 12:00 PM
🚀 𝗧𝗵𝗲 𝗘𝗗𝗥 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗶𝘀 𝗻𝗼𝘄 𝗹𝗶𝘃𝗲.
If you’ve been following the EDR Telemetry Project, this is the next step:
A full breakdown of how each EDR actually implements its features.
🔥 𝗟𝗶𝗳𝗲𝘁𝗶𝗺𝗲 𝗮𝗰𝗰𝗲𝘀𝘀 𝗮𝘃𝗮𝗶𝗹𝗮𝗯𝗹𝗲 𝗳𝗼𝗿 𝗲𝗮𝗿𝗹𝘆 𝗮𝗱𝗼𝗽𝘁𝗲𝗿𝘀 (𝗹𝗶𝗺𝗶𝘁𝗲𝗱 𝘁𝗶𝗺𝗲).
Intro blog: edr-comparison.com/blog/navigat...
If you’ve been following the EDR Telemetry Project, this is the next step:
A full breakdown of how each EDR actually implements its features.
🔥 𝗟𝗶𝗳𝗲𝘁𝗶𝗺𝗲 𝗮𝗰𝗰𝗲𝘀𝘀 𝗮𝘃𝗮𝗶𝗹𝗮𝗯𝗹𝗲 𝗳𝗼𝗿 𝗲𝗮𝗿𝗹𝘆 𝗮𝗱𝗼𝗽𝘁𝗲𝗿𝘀 (𝗹𝗶𝗺𝗶𝘁𝗲𝗱 𝘁𝗶𝗺𝗲).
Intro blog: edr-comparison.com/blog/navigat...
My favourite thing about using AI is that I don't have to choose how to name sh*t anymore. That's mostly:
- Blog Titles
- Script names/variables/functions etc.
- DB table names/columns
It was draining me, I can't go back... 😂
- Blog Titles
- Script names/variables/functions etc.
- DB table names/columns
It was draining me, I can't go back... 😂
November 18, 2025 at 6:16 AM
My favourite thing about using AI is that I don't have to choose how to name sh*t anymore. That's mostly:
- Blog Titles
- Script names/variables/functions etc.
- DB table names/columns
It was draining me, I can't go back... 😂
- Blog Titles
- Script names/variables/functions etc.
- DB table names/columns
It was draining me, I can't go back... 😂
Proud to share that DetectionStream is now collaborating with the Sigma community to create opportunities for people to learn and grow within detection engineering.
We’ve set up two channels for general discussions and challenge creation.
Join here: discord.gg/KfdbeQpp
We’ve set up two channels for general discussions and challenge creation.
Join here: discord.gg/KfdbeQpp
November 17, 2025 at 1:30 PM
Proud to share that DetectionStream is now collaborating with the Sigma community to create opportunities for people to learn and grow within detection engineering.
We’ve set up two channels for general discussions and challenge creation.
Join here: discord.gg/KfdbeQpp
We’ve set up two channels for general discussions and challenge creation.
Join here: discord.gg/KfdbeQpp
Suricata support is coming to DetectionStream.com this upcoming week!
You’ll be able to:
➡️ View and edit all emerging rules
➡️ Test your detections instantly against your PCAPs (everything client-side)
➡️ Create your detections and share them with everyone (AI optional😉)
🔜🔜🔜
You’ll be able to:
➡️ View and edit all emerging rules
➡️ Test your detections instantly against your PCAPs (everything client-side)
➡️ Create your detections and share them with everyone (AI optional😉)
🔜🔜🔜
DetectionStream - Sigma Detection Rules Platform
Search, analyze, and convert Sigma detection rules with AI-powered creation. Access 3,100+ curated rules with advanced filtering and multi-platform conversion.
DetectionStream.com
November 16, 2025 at 10:58 PM
Suricata support is coming to DetectionStream.com this upcoming week!
You’ll be able to:
➡️ View and edit all emerging rules
➡️ Test your detections instantly against your PCAPs (everything client-side)
➡️ Create your detections and share them with everyone (AI optional😉)
🔜🔜🔜
You’ll be able to:
➡️ View and edit all emerging rules
➡️ Test your detections instantly against your PCAPs (everything client-side)
➡️ Create your detections and share them with everyone (AI optional😉)
🔜🔜🔜
As I was looking for malware (like you do on a quiet Friday afternoon 😂) I found a classic fake “your system is infected” page. After the fake scan, the Renew Now button goes straight to Avast through an affiliate link🤣🤣
TAs doing a 180, selling AV to get their commission LOL
TAs doing a 180, selling AV to get their commission LOL
November 14, 2025 at 8:40 PM
As I was looking for malware (like you do on a quiet Friday afternoon 😂) I found a classic fake “your system is infected” page. After the fake scan, the Renew Now button goes straight to Avast through an affiliate link🤣🤣
TAs doing a 180, selling AV to get their commission LOL
TAs doing a 180, selling AV to get their commission LOL
Anthropic basically spent the whole piece highlighting how their AI can be leveraged for intrusion activity, but didn’t give defenders a single IOC or attribution hint 😩 But hey, you now know their AI is good for pen-tests...
90% Flex
10% Value
🔗: www.anthropic.com/news/disrupt...
90% Flex
10% Value
🔗: www.anthropic.com/news/disrupt...
Disrupting the first reported AI-orchestrated cyber espionage campaign
A report describing an a highly sophisticated AI-led cyberattack
www.anthropic.com
November 14, 2025 at 1:49 AM
Anthropic basically spent the whole piece highlighting how their AI can be leveraged for intrusion activity, but didn’t give defenders a single IOC or attribution hint 😩 But hey, you now know their AI is good for pen-tests...
90% Flex
10% Value
🔗: www.anthropic.com/news/disrupt...
90% Flex
10% Value
🔗: www.anthropic.com/news/disrupt...
Just in: DoorDash breached…
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
November 13, 2025 at 9:22 PM
Just in: DoorDash breached…
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
Did a big server rack upgrade today and took cable management seriously for the first time. It all looks so neat and professional. I don’t think I could ever go back, there is something special about it😮💨
Time to put it to use 😆 Big things coming next year… watch this space!
Time to put it to use 😆 Big things coming next year… watch this space!
November 13, 2025 at 3:14 AM
Did a big server rack upgrade today and took cable management seriously for the first time. It all looks so neat and professional. I don’t think I could ever go back, there is something special about it😮💨
Time to put it to use 😆 Big things coming next year… watch this space!
Time to put it to use 😆 Big things coming next year… watch this space!
🍁🍂 Winter rides are 🔥
November 9, 2025 at 12:31 AM
🍁🍂 Winter rides are 🔥
It’s been just 1 week since launch and 150+ people have registered, shared feedback & competed on the leaderboard! Huge motivation to keep building 💪
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
November 8, 2025 at 6:50 PM
It’s been just 1 week since launch and 150+ people have registered, shared feedback & competed on the leaderboard! Huge motivation to keep building 💪
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
A new strain called PromptFlux uses Google’s Gemini to regenerate its code every hour for evasion. Its prompts are basically self-update instructions.
Imagine if you tweak the txt prompts to say “Create a 10,000-word report on...”, that'd be funny 😂💸💸
cloud.google.com/blog/topics/...
#ImposeCost😂
Imagine if you tweak the txt prompts to say “Create a 10,000-word report on...”, that'd be funny 😂💸💸
cloud.google.com/blog/topics/...
#ImposeCost😂
GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools | Google Cloud Blog
Google Threat Intelligence Group's findings on adversarial misuse of AI, including Gemini and other non-Google tools.
cloud.google.com
November 6, 2025 at 11:16 PM
A new strain called PromptFlux uses Google’s Gemini to regenerate its code every hour for evasion. Its prompts are basically self-update instructions.
Imagine if you tweak the txt prompts to say “Create a 10,000-word report on...”, that'd be funny 😂💸💸
cloud.google.com/blog/topics/...
#ImposeCost😂
Imagine if you tweak the txt prompts to say “Create a 10,000-word report on...”, that'd be funny 😂💸💸
cloud.google.com/blog/topics/...
#ImposeCost😂
Linux is finally getting some love 🐧
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
November 6, 2025 at 10:18 PM
Linux is finally getting some love 🐧
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
This is the coolest coin I’ve ever received. Huge props to @Defcon604 for everything they do for the Vancouver community. Was awesome presenting to a packed room of 50+ folks, great energy and engagement all around. 🔥
November 4, 2025 at 7:43 PM
This is the coolest coin I’ve ever received. Huge props to @Defcon604 for everything they do for the Vancouver community. Was awesome presenting to a packed room of 50+ folks, great energy and engagement all around. 🔥
When I started DetectionStream, I wanted to make learning detection frameworks less…boring. Theory is great, but where do you actually practice?
So I built something: the Sigma Training Platform. It’s basically what I wish existed when I was learning this stuff….👇
So I built something: the Sigma Training Platform. It’s basically what I wish existed when I was learning this stuff….👇
DetectionStream: Introducing the Sigma Training Platform
Introducing DetectionStream's Sigma Training Platform: Learn detection engineering through gamified challenges with real-time feedback.
kostas-ts.medium.com
November 2, 2025 at 6:33 PM
When I started DetectionStream, I wanted to make learning detection frameworks less…boring. Theory is great, but where do you actually practice?
So I built something: the Sigma Training Platform. It’s basically what I wish existed when I was learning this stuff….👇
So I built something: the Sigma Training Platform. It’s basically what I wish existed when I was learning this stuff….👇
📢DetectionStream quick update.
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
November 1, 2025 at 12:32 AM
📢DetectionStream quick update.
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
A normal InfoSec Friday be like... 😂
November 1, 2025 at 12:01 AM
A normal InfoSec Friday be like... 😂
🚀 𝗕𝗶𝗴 𝘂𝗽𝗱𝗮𝘁𝗲 𝗳𝗼𝗿 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺!
I’ve just rolled out authentication, unlocking new personalization features while keeping the core experience open to everyone.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗼𝗽𝘁𝗶𝗼𝗻𝗮𝗹: You can still explore, test, and learn without an account.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗲𝗻𝗵𝗮𝗻𝗰𝗲𝗱: If you do log in, you can now sa...
I’ve just rolled out authentication, unlocking new personalization features while keeping the core experience open to everyone.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗼𝗽𝘁𝗶𝗼𝗻𝗮𝗹: You can still explore, test, and learn without an account.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗲𝗻𝗵𝗮𝗻𝗰𝗲𝗱: If you do log in, you can now sa...
DetectionStream - Search, Convert & Create with Detection Frameworks
Free platform for searching, analyzing, and converting Sigma detection rules with AI-powered rule creation. Access the complete SigmaHQ repository with advanced search and multi-platform conversion.
detectionstream.com
October 24, 2025 at 4:56 PM
🚀 𝗕𝗶𝗴 𝘂𝗽𝗱𝗮𝘁𝗲 𝗳𝗼𝗿 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺!
I’ve just rolled out authentication, unlocking new personalization features while keeping the core experience open to everyone.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗼𝗽𝘁𝗶𝗼𝗻𝗮𝗹: You can still explore, test, and learn without an account.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗲𝗻𝗵𝗮𝗻𝗰𝗲𝗱: If you do log in, you can now sa...
I’ve just rolled out authentication, unlocking new personalization features while keeping the core experience open to everyone.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗼𝗽𝘁𝗶𝗼𝗻𝗮𝗹: You can still explore, test, and learn without an account.
• 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗲𝗻𝗵𝗮𝗻𝗰𝗲𝗱: If you do log in, you can now sa...
I recently came across the permissive trial access that the OpenEDR platform provides, and it got me thinking, they're definitely not the only ones doing this...
So I decided to use OpenEDR as a case study to highlight a broader issue: 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘁𝗼𝗼𝗹𝘀 𝗯𝗲𝗶𝗻𝗴 𝘄𝗲𝗮𝗽𝗼𝗻𝗶𝘇𝗲𝗱 𝗯𝘆 𝘁𝗵𝗿𝗲𝗮𝘁 𝗮𝗰𝘁𝗼𝗿𝘀.
So I decided to use OpenEDR as a case study to highlight a broader issue: 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘁𝗼𝗼𝗹𝘀 𝗯𝗲𝗶𝗻𝗴 𝘄𝗲𝗮𝗽𝗼𝗻𝗶𝘇𝗲𝗱 𝗯𝘆 𝘁𝗵𝗿𝗲𝗮𝘁 𝗮𝗰𝘁𝗼𝗿𝘀.
Detecting Abuse of OpenEDR’s Permissive EDR Trial: A Security Researcher’s Perspective
1. Introduction
kostas-ts.medium.com
October 22, 2025 at 2:33 PM
I recently came across the permissive trial access that the OpenEDR platform provides, and it got me thinking, they're definitely not the only ones doing this...
So I decided to use OpenEDR as a case study to highlight a broader issue: 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘁𝗼𝗼𝗹𝘀 𝗯𝗲𝗶𝗻𝗴 𝘄𝗲𝗮𝗽𝗼𝗻𝗶𝘇𝗲𝗱 𝗯𝘆 𝘁𝗵𝗿𝗲𝗮𝘁 𝗮𝗰𝘁𝗼𝗿𝘀.
So I decided to use OpenEDR as a case study to highlight a broader issue: 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘁𝗼𝗼𝗹𝘀 𝗯𝗲𝗶𝗻𝗴 𝘄𝗲𝗮𝗽𝗼𝗻𝗶𝘇𝗲𝗱 𝗯𝘆 𝘁𝗵𝗿𝗲𝗮𝘁 𝗮𝗰𝘁𝗼𝗿𝘀.
𝗦𝗲𝗲𝗶𝗻𝗴 𝘀𝗼𝗺𝗲 𝘀𝗲𝗰𝗿𝗲𝘁𝘀𝗱𝘂𝗺𝗽 𝗮𝗰𝘁𝗶𝘃𝗶𝘁𝘆 𝗶𝗻 𝘁𝗵𝗲 𝘄𝗶𝗹𝗱 𝗹𝗮𝘁𝗲𝗹𝘆, 𝗮𝗻𝗱 𝗶𝘁’𝘀 𝘁𝗿𝗶𝗰𝗸𝘆 𝘁𝗼 𝗰𝗮𝘁𝗰𝗵 𝗯𝗲𝗰𝗮𝘂𝘀𝗲 𝗼𝗳 𝗮𝗹𝗹 𝘁𝗵𝗲 𝗳𝗮𝗹𝘀𝗲 𝗽𝗼𝘀𝗶𝘁𝗶𝘃𝗲𝘀.
The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...
𝗙𝗶𝗿𝘀𝘁 𝗲𝘃𝗲𝗻𝘁 (𝟰𝟲𝟳𝟮)
Special privileges assigned to new logon:
The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...
𝗙𝗶𝗿𝘀𝘁 𝗲𝘃𝗲𝗻𝘁 (𝟰𝟲𝟳𝟮)
Special privileges assigned to new logon:
October 22, 2025 at 4:36 AM
𝗦𝗲𝗲𝗶𝗻𝗴 𝘀𝗼𝗺𝗲 𝘀𝗲𝗰𝗿𝗲𝘁𝘀𝗱𝘂𝗺𝗽 𝗮𝗰𝘁𝗶𝘃𝗶𝘁𝘆 𝗶𝗻 𝘁𝗵𝗲 𝘄𝗶𝗹𝗱 𝗹𝗮𝘁𝗲𝗹𝘆, 𝗮𝗻𝗱 𝗶𝘁’𝘀 𝘁𝗿𝗶𝗰𝗸𝘆 𝘁𝗼 𝗰𝗮𝘁𝗰𝗵 𝗯𝗲𝗰𝗮𝘂𝘀𝗲 𝗼𝗳 𝗮𝗹𝗹 𝘁𝗵𝗲 𝗳𝗮𝗹𝘀𝗲 𝗽𝗼𝘀𝗶𝘁𝗶𝘃𝗲𝘀.
The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...
𝗙𝗶𝗿𝘀𝘁 𝗲𝘃𝗲𝗻𝘁 (𝟰𝟲𝟳𝟮)
Special privileges assigned to new logon:
The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...
𝗙𝗶𝗿𝘀𝘁 𝗲𝘃𝗲𝗻𝘁 (𝟰𝟲𝟳𝟮)
Special privileges assigned to new logon:
Here we go again… F5 disclosed a serious intrusion by a sophisticated nation-state threat actor who gained long-term access and stole files from their development and knowledge systems. Likely potential source code and undisclosed ready to exploit.
1/
1/
myF5
my.f5.com
October 17, 2025 at 4:28 AM
Here we go again… F5 disclosed a serious intrusion by a sophisticated nation-state threat actor who gained long-term access and stole files from their development and knowledge systems. Likely potential source code and undisclosed ready to exploit.
1/
1/