What Your EDR Doesn’t See...Kostas Drops Receipts from the Telemetry Trenches
In this episode of Detection Dispatch, host Alex Hurtado sits down with Kostas, founder of DefendPoint Consulting and creator of the EDR Telemetry Project, to unpack the realities of endpoint detection in 2025. They discuss the evolution of EDR beyond antivirus, Sysmon's role as a supplement rather than a replacement, vendor transparency, pricing myths, and how AI SOCs are reshaping detection engineering.
Alex (00:07.404)
Welcome back to Detection Dispatch, the podcast where we break down signals, stories, and the behaviors of the Security Operations Center.
I’m your host, Alex Hurtado, and today we’re cracking open the black box of the EDR world — Endpoint Detection and Response — with none other than Kostas, the man behind the DFIR Report and the EDR Telemetry Project.
He’s been hooking up the blue team community with forensics labs, telemetry mapping, and helping us see which modern EDRs actually have visibility.
So hello, Kostas — thank you so much for being here. I’ve been after you for a while!
From DFIR to DefendPoint
Kostas (00:52.019)
Thank you very much, Alex! Yes, we’ve both been busy, but I’m happy to be here.
Just to clarify — while I played a role in the early DFIR Report development, that’s not my main focus anymore.
My primary work is consulting through my company, DefendPoint Consulting, and I also run the EDR Telemetry Project, along with some other community initiatives.
The EDR Telemetry Project Explained
Alex (02:04.322)
I first discovered your work through DFIR, but your collaboration with Alex Teixeira on the EDR Telemetry Project has been huge. Can you share how it’s evolved — and what’s next?
Kostas (03:05.998)
Yes, we started the project to help analysts see what their EDR actually collects — process creation, persistence mechanisms, file writes — all the good stuff.
That visibility allows teams to investigate and respond faster. If your EDR provides rich telemetry, you can understand an attack’s execution flow in seconds.
For example:
- Malware runs → process execution logs tell you what launched it.
- File creation telemetry → shows what dropped to disk.
- Persistence telemetry → reveals scheduled tasks or services.
Visibility = speed and accuracy in detection engineering.
Sysmon vs. EDR (2025 Reality Check)
Alex (06:01.456)
Let’s talk about Sysmon vs. EDR. Some people still think Sysmon can replace an EDR strategy. Personally, I think it’s supplemental — a kind of x-ray vision. What’s your view?
Kostas (06:20.000)
I agree. Sysmon is great for visibility — especially now with Sysmon for Linux — but it can’t replace EDR. It’s a supplement.
EDRs now come with complex detection pipelines, embedded memory forensics, AI-driven triage, and even response automation.
Sysmon can enhance, not replace.
Alex (06:44.334)
Exactly. EDR has evolved far beyond antivirus — and even beyond XDR in some cases.
But there’s still one issue: cross-domain visibility. Even with XDR, customization and integration are still too black-boxed.
Telemetry vs. Detection Logic — Breaking the Black Box
Kostas (08:05.378)
Right — telemetry and detection logic are different.
Telemetry is the raw visibility: the logs, the process data, the file events.
Detection logic is the vendor’s behavioral rules built on that data.
Vendors hide their rules for good reason — to prevent adversaries from bypassing them.
But that opacity also limits defender innovation.
So transparency in telemetry is essential — it lets teams create their own detections and hunt effectively, even if the vendor’s detections are locked down.
EDR Noise and Sysmon as an Audit Tool
Alex (11:59.262)
Sysmon can get noisy fast — but you mentioned something interesting: using Sysmon to audit your EDR.
Kostas (12:12.000)
Exactly. You can use Sysmon to validate your EDR visibility — check what your EDR is missing.
It’s noisy, yes, but proper filtering and configuration can help.
Every organization needs to tune telemetry to its environment to reduce false positives.
Choosing the Right EDR (Beyond Magic Quadrants)
Alex (13:20.000)
So let’s talk about choosing an EDR. Beyond Gartner Magic Quadrants — what really matters?
Kostas (13:36.546)
There’s a gap in the industry: we lack technical comparison tools for EDR.
Gartner gives you executive overviews — customer satisfaction, support tickets, etc.
But engineers need feature-by-feature comparisons:
- Does it allow custom detection logic?
- Can you respond directly from the console?
- How deep is telemetry?
That’s why I’m launching an EDR Comparison Service — a technical, feature-level evaluation instead of marketing fluff.
Detection Transparency and Customization
Alex (17:54.240)
Detection transparency is huge for me. I want to see if detections fire correctly and customize them.
Some vendors make that nearly impossible.
Kostas (18:12.000)
Exactly. Transparency varies widely. Vendors like Carbon Black are very open — others are not.
It often comes down to how much control you want versus vendor-managed simplicity.
Identity Protection and Integration
Kostas (19:43.297)
EDRs are evolving toward identity-based visibility — detecting credential misuse, lateral movement, and identity threats.
It’s the next frontier. Vendors like CrowdStrike are investing heavily there.
EDR Pricing and Data Retention
Alex (21:28.194)
Let’s talk pricing. Is it still per-endpoint or data-based?
Kostas (23:48.384)
Mostly per-endpoint, typically $100–$150 per month, but discounts scale with volume and contract length.
Default telemetry retention is only 7–14 days, which is not enough.
Teams should export data to cold storage or SIEM platforms for long-term retention and correlation.
“Seven days of telemetry is like a crime scene cleanup, not an investigation window.”
The Economics of Telemetry
Kostas (28:42.498)
EDR vendors face a balancing act — giving full telemetry costs money.
More data = higher storage cost = higher customer pricing.
That’s why the EDR Telemetry Project is so powerful — it shows what data you actually get, not what’s marketed.
Validating EDR Telemetry Before You Buy
Kostas (31:07.820)
Teams can use the EDR Telemetry Project to validate vendor visibility before purchasing.
Run tests with Atomic Red Team to confirm telemetry exists for your attack scenarios.
Cross-check against the GitHub repository and vendor docs.
MITRE ATT&CK Evaluations — The Rise and Fall
Alex (40:53.678)
Vendors are leaving the MITRE ATT&CK evaluations. What’s your take?
Kostas (41:47.630)
It’s unfortunate but understandable. Vendors spent too much time optimizing for tests instead of improving products.
The tests became marketing, not meaningful detection benchmarks.
We need feature-based evaluations, not just attack simulations.
Marketing Myths: AI Overhype & Underrated Features
Alex (47:27.086)
Marketing loves AI — but it’s not magic.
Kostas (47:52.000)
Right. AI can hallucinate. It’s 90% good, but that 10% can be dangerous.
You still need humans validating every alert.
Underrated features? Sandboxing.
Being able to safely analyze malware behavior inside your EDR is incredibly valuable but rarely marketed.
The Rise of the AI SOC
Alex (49:40.054)
Now everyone’s talking about AI SOCs — tools that correlate EDR, SIEM, and identity alerts using large language models. Will this finally connect everything?
Kostas (50:00.000)
Not yet. It’s early days.
AI can help summarize, correlate, and recommend actions, but it still hallucinates.
The future SOC will blend AI assistance with human validation.
“Think of AI as an analyst’s assistant, not a replacement.”
Prevention vs. Detection — The Endless Battle
Kostas (53:10.000)
Prevention is hard. Writing rules precise enough not to harm customers takes deep expertise.
Detection without telemetry is guesswork — prevention without precision is risk.
Open Source Power & Community Impact
Kostas (53:27.110)
The EDR Telemetry Project has been running two years strong — open-source and community-driven.
Vendors have improved their telemetry transparency because of it.
“Better telemetry makes stronger defenders. That’s the goal.”
Closing Thoughts
Alex (54:38.038)
Kostas, thank you for pulling back the curtain on EDR telemetry.
It’s wild seeing how far EDR has come — from antivirus to full behavioral pipelines.
And thanks for confirming what we all know: Sysmon ≠ EDR — it’s the x-ray, not the doctor.
Outro
Alex (56:32.112)
That’s a wrap for Detection Dispatch!
Big thanks to Kostas for helping us open up the EDR black box and validate that Sysmon is a supplement, not a strategy.
If you enjoyed this episode — like, follow, and drop a 5-star review.
Until next time: keep your detections sharp, your telemetry clean, and your curiosity operationalized.