If EDR is so great, why are attackers spending so much time figuring out how to get around it?
A recent investigation by Sophos uncovered something that should get the attention of every business leader. Cybercriminals are now using AI agents to help build, test, and refine malware specifically designed to evade Endpoint Detection and Response (EDR) tools. Rather than launching attacks blindly, attackers are creating dedicated testing environments where malware can be continuously improved until it slips past security controls. This development highlights an important reality: attackers are becoming faster, more automated, and more effective at finding weaknesses in traditional security approaches.
According to a recent Help Net Security report covering Sophos research, investigators discovered a sophisticated malware development framework that used AI agents to help create and test EDR evasion techniques. The environment included malware testing labs, command-and-control infrastructure, payload generation tools, and automation designed to evaluate how well malicious code could avoid detection by leading endpoint security products. The framework reportedly supported dozens of evasion methods and allowed attackers to continuously refine their techniques.
Researchers found evidence that the threat actor was using AI to analyze security research, identify bypass opportunities, automate testing workflows, and generate malware components. The goal was simple: determine what security products can detect and then modify the malware until detection rates decrease.
While Sophos did not publicly identify the ransomware group involved, the company confirmed that the threat actor is actively targeting organizations around the world, including businesses in the United States.
Many executives assume cyberattacks happen because someone forgot to install a patch or clicked on a phishing email.
While those issues still matter, this incident demonstrates something different.
Attackers are now operating more like software companies. They are investing in research, automation, testing environments, and AI-driven development processes. Instead of hoping malware works, they are validating and improving it before launching attacks against real organizations.
That means businesses are facing adversaries that can rapidly adapt to defensive technologies.
The result can be devastating.
A successful breach can lead to:
According to IBM's 2024 Cost of a Data Breach Report, the average global cost of a data breach reached $4.88 million, the highest ever recorded. IBM also found that 70% of organizations experienced significant or moderate operational disruption following a breach.
Yes.
It is important to understand that EDR solutions provide valuable visibility and detection capabilities. However, the Sophos research specifically focused on building malware designed to bypass those tools. The entire purpose of the testing framework was to identify weaknesses in detection mechanisms and exploit them.
This is not a new trend.
According to Verizon's 2025 Data Breach Investigations Report, credential abuse accounted for 22% of breaches and exploitation of vulnerabilities for 20%. The report also found that third-party involvement in breaches doubled to 30%.
Attackers increasingly combine:
The challenge is that many of these activities look normal enough to delay detection.
By the time security teams identify malicious behavior, attackers may have already moved laterally, stolen data, established persistence, or deployed ransomware.
Traditional security strategies are often built around a "Detect and Respond" philosophy.
The idea is straightforward:
The problem is speed.
Modern ransomware groups operate much faster than they did a few years ago. AI-assisted development can further accelerate their ability to create new malware variants and test evasion techniques. When attackers successfully bypass detection tools, the window for response becomes extremely small.
Security teams are also facing increasingly complex environments that include cloud systems, remote workers, third-party vendors, SaaS applications, and hybrid infrastructure.
Even with strong detection capabilities, organizations can struggle to stop attacks before damage occurs.
A growing number of security leaders are recognizing that prevention must become a larger part of the security strategy.
Rather than focusing exclusively on detecting malicious activity after execution begins, prevention-first models seek to stop unauthorized actions before they can run.
This approach is often described as Isolation and Containment.
Instead of asking:
"Can we detect the attack?"
The question becomes:
"Can the attack execute at all?"
Isolation and Containment strategies focus on:
This model helps organizations remain resilient even when attackers use credential abuse, exploit legitimate tools, or successfully evade detection mechanisms.
One example is AppGuard, a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment. Rather than relying primarily on detecting malicious behavior after execution, AppGuard helps prevent unauthorized activity from executing in the first place.
Business leaders should assume that detection technologies alone will not stop every attack.
Practical steps include:
Most importantly, organizations should evaluate whether their security strategy focuses too heavily on finding attacks after execution instead of preventing them before they begin.
The Sophos findings reveal a significant shift in the threat landscape. Attackers are no longer simply writing malware. They are using AI-assisted development, automated testing environments, and dedicated malware laboratories to improve their ability to evade security controls.
As cybercriminals become more sophisticated, businesses must recognize that detection alone cannot be the entire strategy. The future of endpoint security increasingly depends on limiting what attackers can do even when they successfully bypass traditional defenses.
Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.