Frequently Asked Questions

EDR Evasion Techniques & Defense Strategies

What are the main techniques attackers use to bypass EDR solutions?

Attackers commonly use obfuscation (such as recompiling and encoding/encrypting malware), malicious action avoidance ("Living Off the Land" tactics), and bypassing EDR detection methodologies (like unhooked processes and kernel-level operations) to evade endpoint detection and response (EDR) solutions. These methods are designed to make malicious code unrecognizable, blend in with legitimate system activity, or operate outside the visibility of EDR tools.

How does obfuscation help malware evade EDR detection?

Obfuscation involves altering code or binaries so they are not immediately recognized as malicious. Techniques include recompiling code with minor changes, inserting non-executing code, or encrypting code so it is only readable at runtime. These methods primarily bypass static analysis and can also challenge heuristic analysis, making it harder for EDR solutions to detect threats before execution.

What is 'Living Off the Land' (LOTL) and how does it help attackers evade detection?

'Living Off the Land' (LOTL) refers to attackers using legitimate operating system tools and processes to carry out malicious activities. By avoiding overtly malicious actions and leveraging native OS components, attackers can evade dynamic analysis and delay detection by EDR solutions until they perform more obvious malicious actions.

How do attackers use unhooked processes to bypass EDR monitoring?

EDR solutions monitor processes by 'hooking' them to visualize executions. Attackers can attempt to spawn or unhook processes (such as instances of ntdll in Windows) so that their actions are not monitored, making malicious activity invisible to the EDR. Techniques like the BlindSide method, discovered by Cymulate's Threat Research Group, exemplify this approach.

What are kernel-level attacks and why are they difficult to detect?

Kernel-level attacks operate at a privileged layer of the operating system, often loading before the EDR platform itself. These attacks can be invisible to most EDR tools and may involve altering the BIOS or injecting code into core OS processes. Due to strong native protections, kernel-level attacks are rare and typically require physical access and high-level credentials.

Why is layered security important for defending against EDR evasion?

Layered security ensures that even if attackers bypass endpoint defenses, other controls (such as email, network, and firewall protections) can detect or block malicious activity. This multi-level approach is essential for building resilience against advanced evasion techniques.

How can organizations validate the effectiveness of their EDR controls?

Organizations can use platforms like Cymulate to simulate real-world attack scenarios and validate the effectiveness of their EDR and other security controls. This proactive approach helps identify gaps and improve overall security posture.

What is the BlindSide technique and how does it relate to EDR evasion?

The BlindSide technique, discovered by Cymulate's Threat Research Group, is a method for EDR evasion that involves manipulating process hooks to make malicious actions invisible to EDR monitoring. This highlights the need for continuous validation and advanced detection strategies.

How does Cymulate help security teams address EDR evasion tactics?

Cymulate enables security teams to build and run custom attack chains, simulating advanced evasion techniques to test and improve the effectiveness of EDR and other security controls. The platform provides actionable insights to close gaps and strengthen defenses.

Where can I learn more about EDR evasion and defense strategies?

You can explore Cymulate's blog series on EDR bypass techniques, including detailed explanations of obfuscation, LOTL, and kernel-level attacks, as well as defense strategies. Visit the Cymulate Blog for more resources.

Features & Capabilities

What are the key features of the Cymulate platform?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily.

Does Cymulate support integration with EDR and XDR solutions?

Yes, Cymulate integrates with a wide range of EDR, XDR, and other security technologies, including BlackBerry Cylance OPTICS, Carbon Black EDR, Cisco Secure Endpoint, CrowdStrike Falcon, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.

How does Cymulate automate the validation of security controls?

Cymulate automates security validation by running continuous, real-world attack simulations across all IT environments. It validates the effectiveness of security controls, prioritizes exposures, and provides actionable insights for remediation.

What is Cymulate's approach to exposure prioritization?

Cymulate validates the exploitability of exposures and ranks them based on prevention and detection capabilities, business context, and threat intelligence. This helps organizations focus on the most critical vulnerabilities.

How does Cymulate help with lateral movement attack prevention?

Cymulate's Attack Path Discovery module automates testing for lateral movement, helping organizations identify and mitigate risks related to privilege escalation and internal movement by attackers.

What is the Cymulate Threat Library and how is it maintained?

The Cymulate Threat Library contains over 100,000 attack actions aligned to MITRE ATT&CK and is updated daily with the latest threat intelligence, ensuring organizations can test against current and emerging threats.

How easy is it to implement and use Cymulate?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers report that the platform is intuitive, easy to use, and provides actionable insights with just a few clicks.

What educational resources does Cymulate provide?

Cymulate offers a Resource Hub, blog, webinars, e-books, and a glossary of cybersecurity terms to help users stay informed about the latest threats, research, and best practices.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing.

What problems does Cymulate solve for security teams?

Cymulate addresses challenges such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges.

How does Cymulate improve operational efficiency?

Cymulate automates security validation processes, saving up to 60 hours per month in testing new threats and increasing team efficiency by up to 60%.

What measurable outcomes have customers achieved with Cymulate?

Customers have reported up to an 81% reduction in cyber risk within four months, a 52% reduction in critical exposures, and a 20-point improvement in threat prevention.

Are there case studies showing Cymulate's impact?

Yes, case studies include Hertz Israel reducing cyber risk by 81% in four months, a sustainable energy company scaling penetration testing, and Nemours Children's Health improving detection in hybrid environments. See more at the Cymulate Customers page.

How does Cymulate address the needs of different security personas?

Cymulate tailors solutions for CISOs (metrics and risk communication), SecOps (automation and efficiency), red teams (offensive testing), and vulnerability management teams (validation and prioritization).

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface, ease of implementation, and actionable insights. Testimonials highlight its user-friendly dashboard and the immediate value it provides.

How does Cymulate help with compliance and regulatory testing?

Cymulate automates compliance and regulatory testing, especially for hybrid and cloud environments, helping organizations meet industry standards and prove resilience to auditors.

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards.

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), hosts data in secure AWS data centers, and follows a strict Secure Development Lifecycle (SDLC) with regular vulnerability scanning and penetration testing.

Is Cymulate GDPR compliant?

Yes, Cymulate incorporates data protection by design and has a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO), ensuring GDPR compliance.

What product security features does Cymulate offer?

Cymulate includes mandatory 2-Factor Authentication (2FA), Role-Based Access Controls (RBAC), IP address restrictions, and TLS encryption for its Help Center to enhance product security.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a personalized quote, schedule a demo.

Competition & Comparison

How does Cymulate differ from other security validation platforms?

Cymulate stands out with its unified platform (BAS, CART, Exposure Analytics), continuous threat validation, AI-powered optimization, complete kill chain coverage, ease of use, and measurable outcomes. It also offers the most advanced attack simulation library with daily updates.

What advantages does Cymulate offer for different user segments?

CISOs benefit from quantifiable metrics and risk communication, SecOps teams gain automation and efficiency, red teams access advanced offensive testing, and vulnerability management teams improve validation and prioritization.

Support & Implementation

What support options are available for Cymulate customers?

Cymulate provides email support, real-time chat support, a knowledge base, webinars, e-books, and an AI chatbot for technical assistance and best practices.

How quickly can Cymulate be implemented?

Cymulate can be deployed quickly in agentless mode, allowing organizations to start running simulations almost immediately after deployment.

Company & Resources

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity.

Where can I find Cymulate's latest news, research, and events?

Stay updated through the Cymulate Blog, Newsroom, and Events & Webinars pages. Access all resources in the Resource Hub.

How Attackers Bypass EDR: Techniques & Defense Strategies

By: Cymulate Research Lab

Last Updated: March 17, 2026

This is the second blog in a two-part series that highlights EDR and how attackers try to bypass these controls and evade detection. In Part 1 of this series, we examined the most common methodologies for endpoint defense – anti-virus scanning, Endpoint Detection and Response (EDR), and eXtended Detection and Response (XDR). In this post, we will look at the common methods threat actors use to overcome these defensive operations in pursuit of their goals.

Obfuscation 

The primary method of bypassing endpoint defenses is making sure the attacker's code and binaries aren't recognized as malware in the first place. Since even traditional static-analysis anti-virus tools now perform heuristic examination as well, the code blocks within files and binaries must also not be recognizable, or they may be flagged as known malicious code. Threat actors accomplish this in many different ways, but the methods generally fall into a few specific categories.

Recompiling

By making small changes to the code, then running that "new" code through a compiler (which converts files written in a programming language into executable code), a threat actor can make their files appear dissimilar to known malware files. Generally, this is accomplished either by adding non-executing code to an existing malware file or by re-compiling the original file in another programming language.

Common examples include inserting comments (which don't actually execute anything) or re-compiling a malware file originally written in C++ as a component file in a C# binary. The goal is to create a new file that, when hashed, produces a totally different hash from the original file. This technique only bypasses static analysis, because once the file actually begins executing it must still perform malicious actions that dynamic analysis would detect.
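The point above is that a cosmetic recompile defeats hash-based matching but not a signature over the functional code block. The following example, added here and not part of the original post, shows that on two constructed byte strings (no real sample is involved; the "code" bytes and signature are hypothetical):

```python
"""Added example (not from the post): whole-file hashes are brittle indicators,
while a content signature over the executable part of a file survives a
'recompile with a cosmetic change'. All inputs are constructed stand-ins."""
import hashlib

# Constructed stand-in for the functional code of a sample (hypothetical bytes).
PAYLOAD_CODE = b"\x55\x48\x89\xe5\x48\x83\xec\x20" + b"sample-routine-bytes" + b"\xc9\xc3"

# "Original" sample and a "recompiled" variant that only adds non-executing filler.
ORIGINAL = b"HEADER\x00" + PAYLOAD_CODE + b"\x00END"
VARIANT = b"HEADER\x00// harmless comment\x00" + PAYLOAD_CODE + b"\x00\x00\x00END"

# A byte signature for the code block itself (what a YARA-style rule would carry).
SIGNATURE = b"\x48\x83\xec\x20" + b"sample-routine-bytes"


def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the indicator an allow/deny list usually stores."""
    return hashlib.sha256(data).hexdigest()


def hashes_match(a: bytes, b: bytes) -> bool:
    """True only if the two files are byte-for-byte identical."""
    return sha256_hex(a) == sha256_hex(b)


def signature_hits(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Content match: does the known code block appear anywhere in the file?"""
    return signature in data


def classify(sample: bytes, known_bad_hashes: set[str]) -> str:
    """Layered static check: exact hash first, then content signature."""
    if sha256_hex(sample) in known_bad_hashes:
        return "hash-match"
    if signature_hits(sample):
        return "signature-match"
    return "clean"


if __name__ == "__main__":
    known = {sha256_hex(ORIGINAL)}
    print("same hash?", hashes_match(ORIGINAL, VARIANT))   # False: filler changed the hash
    print("original:", classify(ORIGINAL, known))         # hash-match
    print("variant: ", classify(VARIANT, known))          # signature-match
```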

Encoding/Encrypting

By altering the code of a malware file itself so that it is unreadable except under specific circumstances, static analysis cannot identify what the file would do if it were opened or executed. Common examples include encrypting the code that will run until it is decrypted at the time of execution, or scrambling the commands to be executed into an arbitrary order and re-arranging them during execution into valid command sets. As with recompiling, this technique is most useful for bypassing static analysis. It also challenges heuristic analysis, as the code blocks themselves would not indicate malicious intent until they are decrypted or un-scrambled at runtime.
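Code that is encrypted until runtime leaves a statistical trace that static analysis can still use: an encrypted or packed region has near-random byte distribution. The following scan, added here and not part of the original post, slides a fixed window over a constructed file image and reports regions whose Shannon entropy exceeds a threshold (window size and threshold are assumptions chosen for illustration):

```python
"""Added example (not from the post): a Shannon-entropy scan that flags the
high-entropy regions an encrypted or packed payload leaves in a file.
The file image is constructed in-line; no real sample is used."""
import math
import os
from collections import Counter

WINDOW = 512        # bytes per window (assumption for illustration)
THRESHOLD = 7.0     # bits/byte; encrypted or random data approaches 8.0


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte for one chunk (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = Counter(chunk)
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD) -> list[tuple[int, int, float]]:
    """Return (offset, length, entropy) for each window at or above the threshold."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, len(chunk), round(e, 2)))
    return hits


def build_sample() -> bytes:
    """Constructed file image: readable text, a stand-in encrypted blob, more text."""
    text = (b"Ordinary configuration text that a static scanner can read. " * 10)[:512]
    blob = os.urandom(1024)   # stands in for an encrypted code section
    return text + blob + text


if __name__ == "__main__":
    for off, length, e in high_entropy_regions(build_sample()):
        print(f"offset {off:5d} len {length:4d} entropy {e:.2f}")
```

A real scanner would align windows to section boundaries of the executable format rather than fixed offsets, but the measurement is the same.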

Malicious Action Avoidance/Living Off the Land 

The best threat activity happens in plain sight, and this method of bypassing defenses takes advantage of the fact that some actions are expected to occur within a given operating system. As an example, malware that does not attempt to gain higher privileges and sticks to using native components of the operating system itself (often referred to as "Living Off the Land" or LOTL) would be able to execute without raising the suspicions of dynamic analysis until the moment it attempts to do something overtly malicious, like encrypting large amounts of data. While a good EDR would block the malware once it recognized what was going on, the malware may have already caused damage by the time that detection was made and action was taken.

It is important to realize that, while the most common situations where this type of attack succeeds involve exploiting weaknesses in an application or operating system, such vulnerabilities are not always required for an LOTL attack to execute. Normal operations within a Windows, Linux, or macOS device can still be bent toward malicious goals if the threat actor gains authorized credentials and access. Because of this, LOTL attacks have become a common method of avoiding detection by EDR solutions until the attacker is ready to perform overtly malicious actions, and they sometimes provide evasion entirely.
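Because LOTL activity uses tools the EDR expects to see, detection usually rests on context: which process launched the native tool and with what arguments. The following triage pass, added here and not part of the original post, scores constructed process-creation events by parent/child pairing and command-line content (the log format, tool lists and rules are assumptions for illustration, not any vendor's schema):

```python
"""Added example (not from the post): a small detection pass over constructed
process-creation events that flags native tools ("living off the land")
launched from parents that rarely need them. Fields and rules are assumptions."""
from dataclasses import dataclass

# Native tools commonly used in LOTL activity (assumed list for illustration).
NATIVE_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "certutil.exe"}

# Parents that rarely have a legitimate reason to spawn them (assumed baseline).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Argument fragments that raise an unusual launch to a high-priority hit.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "downloadstring", "-urlcache")


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse 'parent=<exe> image=<exe> cmdline=<rest>' (constructed log format)."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    return ProcEvent(fields["parent"].lower(), fields["image"].lower(), cmdline)


def score_event(ev: ProcEvent) -> int:
    """0 = nothing notable, 1 = unusual parent/child pair, 2 = plus suspicious args."""
    if ev.image not in NATIVE_TOOLS or ev.parent not in SUSPICIOUS_PARENTS:
        return 0
    low = ev.cmdline.lower()
    return 2 if any(arg in low for arg in SUSPICIOUS_ARGS) else 1


def triage(lines: list[str]) -> list[tuple[int, str]]:
    """Return (score, image) for each event scoring above 0, highest score first."""
    scored = []
    for line in lines:
        ev = parse_event(line)
        score = score_event(ev)
        if score > 0:
            scored.append((score, ev.image))
    return sorted(scored, key=lambda h: -h[0])


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "parent=explorer.exe image=powershell.exe cmdline=powershell.exe -File backup.ps1",
    "parent=winword.exe image=cmd.exe cmdline=cmd.exe /c echo hello",
    "parent=excel.exe image=powershell.exe cmdline=powershell.exe -enc AAAA",
    "parent=services.exe image=svchost.exe cmdline=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for score, image in triage(SAMPLE_EVENTS):
        print(score, image)
```

The same pairing logic is what a detection rule over real endpoint telemetry (for example, process-creation events with parent image and command line) would encode; the baseline lists are what an organization tunes to its own environment.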

Bypassing EDR Detection Methodologies  

Finally, EDR solutions themselves are only as effective as their ability to visualize what a file or binary is attempting to do. If the EDR could be "blinded" in one or more ways, then a malware file could execute without interference from the defensive solution. It should be noted that modern EDR solutions go to great lengths to avoid this type of evasion, and most utilize multiple methods of visualizing executions specifically to reduce the potential for evasion to succeed. Bypassing can be performed by a wide variety of techniques, but much as with obfuscation earlier, they generally fall into one of two categories.

Unhooked Processes

When operating in user space – the area of operating systems where applications typically run and where user interaction takes place – any process not explicitly excluded from examination by an EDR will be "hooked." Hooking is the term used to describe how an EDR visualizes executions by monitoring the processes that run them. For example, in Windows, when an application runs it will do so as an instance of the ntdll process. By hooking each instance of ntdll that is spawned, the EDR can monitor all executions that occur to determine if they indicate malicious intent. The actual process is significantly more complex, but at a high level this is how the EDR monitors all user-level executions.

If a threat actor can cause an instance of ntdll to be spawned that is not hooked by the EDR – or if they can remove the hooks after the instance is spawned – then actions taken by that malware would be rendered invisible to the EDR itself. There are many different methods used to either spawn unhooked processes or to unhook processes already in existence, including the BlindSide technique discovered by the Cymulate Threat Research Group.

Kernel-Level Operation

In addition to the user-level operations that most of us are familiar with from using Windows, macOS, and Linux, there is another layer of operation that is by design invisible to the user. This higher level of operation is referred to as kernel-level and is reserved for the use of key components of an operating system and a limited number of extremely high-priority operations.

Because kernel-level operations can load before the EDR platform itself starts up, operating system vendors go to extraordinary lengths to ensure that only highly trusted operations can ever exist at the kernel level, mostly related to the functions of the operating system itself. Through the use of vulnerabilities or by compromising the boot process of a machine, it is possible to launch malware that operates at the kernel level, rendering it invisible to most EDR tools. Examples of this type of malware include attacks that alter the Basic Input/Output System (BIOS) of a computer, or that inject their code into core operating system processes but do not run that code until the system reboots, so that it can run at kernel level.

While devastating, such attacks are extraordinarily difficult to actually pull off. The kernel itself is well protected, with the operating system either notifying on any change to kernel-level code or outright rejecting any attempt to inject code. Because of these native protections, kernel-level attacks typically require physical access to a device along with credentials providing administrative access at the highest levels.

Summary 

Bypassing EDR protections is not an easy process. Typically, multiple methodologies would need to be brought to bear to ensure that the malware files are successfully written to disk and executed, as a single mistake in either area would lead to discovery and quarantine/destruction of the malware itself. However, with the right techniques and the right access, threat actors can bypass the defenses of even the most advanced EDR platforms. Layered security at multiple levels of operation (email, networking, firewalls/proxies, endpoint, etc.) is necessary to counter the ability of threat actors to bypass endpoint defenses, and it remains a required part of cybersecurity resilience.

To learn how you can validate the effectiveness of your controls, request a demo of the Cymulate platform.
