EDR platforms are powerful — and most enterprises run them at maybe 40% of capability. Here are the twelve recurring mistakes we find on first audit, ordered by how often they actually lead to a breach.

Configuration & coverage

Default policies left in place six months after rollout. Every EDR vendor ships defaults that prioritise low false-positive rates over real coverage.

Servers excluded from EDR because of perceived performance impact. Modern agents are tuned for server workloads — exclusion is rarely justified.

Cloud workloads outside the EDR footprint entirely. The east-west traffic between cloud workloads is exactly where lateral movement happens.

macOS and Linux endpoints treated as second-class. Attackers no longer treat them that way.
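The four coverage mistakes above share one root cause: nobody has reconciled the asset inventory against what the EDR console actually reports. The script below is an added example, not part of the original piece or any vendor's tooling; it joins a constructed inventory (hostname, platform, role) with a constructed agent check-in export and reports, per role and platform, which assets have no agent and which have an installed agent that has gone silent. The field names, the seven-day staleness threshold and the fixed reference time are assumptions made for the example.

```python
"""Coverage gap audit: which inventory assets have no live EDR agent?

Added example (not from the original piece). Inventory and check-in data are
constructed inline; in practice they would come from a CMDB export and the
EDR console's device list.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: hostname, platform, role
INVENTORY = [
    {"host": "web-01", "platform": "linux", "role": "server"},
    {"host": "db-01", "platform": "windows", "role": "server"},
    {"host": "k8s-node-3", "platform": "linux", "role": "cloud"},
    {"host": "design-mbp", "platform": "macos", "role": "workstation"},
    {"host": "fin-laptop-7", "platform": "windows", "role": "workstation"},
    {"host": "hr-laptop-2", "platform": "windows", "role": "workstation"},
]

# Constructed EDR console export: hostname -> last check-in (UTC)
AGENT_CHECKINS = {
    "db-01": "2024-06-01T08:00:00Z",
    "fin-laptop-7": "2024-06-01T09:30:00Z",
    "hr-laptop-2": "2024-05-01T09:30:00Z",  # stale: agent stopped reporting a month ago
}

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed so the run is reproducible
STALE_AFTER = timedelta(days=7)  # assumed threshold; tune to your check-in interval


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed export."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_coverage(inventory, checkins, now=NOW, stale_after=STALE_AFTER):
    """Bucket assets by (role, platform) and classify each as live, stale or missing."""
    report = defaultdict(lambda: {"total": 0, "covered": 0, "missing": [], "stale": []})
    for asset in inventory:
        bucket = report[(asset["role"], asset["platform"])]
        bucket["total"] += 1
        last = checkins.get(asset["host"])
        if last is None:
            bucket["missing"].append(asset["host"])  # never enrolled
        elif now - parse_ts(last) > stale_after:
            bucket["stale"].append(asset["host"])  # installed but silent: effectively uncovered
        else:
            bucket["covered"] += 1
    return dict(report)


def coverage_pct(report):
    """Share of inventory assets with a live agent, as a percentage."""
    total = sum(b["total"] for b in report.values())
    covered = sum(b["covered"] for b in report.values())
    return round(100 * covered / total, 1) if total else 0.0


if __name__ == "__main__":
    rep = audit_coverage(INVENTORY, AGENT_CHECKINS)
    for (role, platform), b in sorted(rep.items()):
        print(f"{role:12}{platform:9} {b['covered']}/{b['total']} live; "
              f"missing={b['missing']} stale={b['stale']}")
    print("overall live coverage:", coverage_pct(rep), "%")
```

Counting a silent agent as uncovered is the point of the stale bucket: a console that shows the host as enrolled will otherwise hide the gap. Grouping by role and platform makes the server, cloud and macOS/Linux exclusions visible as separate numbers rather than one blended percentage.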

Detection & tuning

Alert fatigue masking real signal. If your team is muting more alerts than they investigate, the platform is configured against you.

No baseline of normal behaviour for crown-jewel applications. Detection without baseline is detection without meaning.

Threat-hunting hypotheses never written down. If you cannot say what you are hunting for, you are not hunting.
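The "muting more than you investigate" test is measurable per rule, and that is how to find which rules need tuning rather than muting. The script below is an added example, not from the original piece: it takes a constructed list of alert dispositions, counts investigated versus muted outcomes per detection rule, and flags rules where mutes outnumber investigations. The rule names, disposition labels and their grouping into "investigated" and "muted" are assumptions for the example; map them to your platform's own disposition values.

```python
"""Alert-fatigue check: per rule, are more alerts muted than investigated?

Added example, not from the original piece. Alert records are constructed
inline; a real run would read the EDR or SIEM alert-disposition export.
"""
from collections import Counter, defaultdict

# Constructed alert dispositions: (rule name, analyst disposition)
ALERTS = [
    ("suspicious_powershell", "investigated"),
    ("suspicious_powershell", "muted"),
    ("suspicious_powershell", "muted"),
    ("suspicious_powershell", "muted"),
    ("lsass_access", "investigated"),
    ("lsass_access", "investigated"),
    ("lsass_access", "true_positive"),
    ("office_child_process", "muted"),
    ("office_child_process", "muted"),
    ("office_child_process", "muted"),
    ("office_child_process", "muted"),
    ("new_service_install", "investigated"),
    ("new_service_install", "muted"),
]

# Assumed mapping of platform dispositions onto the two outcomes that matter here
INVESTIGATED = {"investigated", "true_positive", "false_positive"}
MUTED = {"muted", "suppressed", "auto_closed"}


def disposition_summary(alerts):
    """Count investigated / muted / other outcomes for each rule."""
    counts = defaultdict(Counter)
    for rule, disp in alerts:
        if disp in INVESTIGATED:
            outcome = "investigated"
        elif disp in MUTED:
            outcome = "muted"
        else:
            outcome = "other"
        counts[rule][outcome] += 1
    return {rule: dict(c) for rule, c in counts.items()}


def rules_configured_against_you(alerts):
    """Rules whose alerts are muted more often than they are investigated."""
    summary = disposition_summary(alerts)
    return sorted(
        rule for rule, c in summary.items()
        if c.get("muted", 0) > c.get("investigated", 0)
    )


def mute_ratio(alerts):
    """Overall muted-to-investigated ratio; above 1.0 means the team mutes more than it looks at."""
    summary = disposition_summary(alerts)
    muted = sum(c.get("muted", 0) for c in summary.values())
    investigated = sum(c.get("investigated", 0) for c in summary.values())
    return round(muted / investigated, 2) if investigated else float("inf")


if __name__ == "__main__":
    for rule, c in sorted(disposition_summary(ALERTS).items()):
        print(f"{rule:24} {c}")
    print("rules to tune:", rules_configured_against_you(ALERTS))
    print("mute ratio:", mute_ratio(ALERTS))
```

A rule that lands on the "to tune" list is a candidate for a narrower condition or an allow-list of known-good parents, not for a blanket mute; the per-rule view is what keeps a noisy rule from dragging the whole platform's signal-to-noise down.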

Response & integration

EDR not integrated with SIEM. The signal becomes harder to correlate, not easier.

Containment playbooks tested only on paper. The first time you isolate a host should not be during a real incident.

No identity correlation. EDR alerts without identity context are half the picture.
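Adding identity context is a join: the host alert carries a hostname and a time, and the identity source carries who logged on to that host and when. The script below is an added example, not from the original piece; it enriches a constructed host-centric EDR alert with the logon events from a constructed identity log that fall within a window before the alert, and separates the most recent interactive user from service or network logons. The record fields, the two-hour window and the logon type labels are assumptions for the example.

```python
"""Identity correlation: attach the logged-on user(s) to a host-centric EDR alert.

Added example, not from the original piece. The alert and logon events are
constructed; a real pipeline would pull them from the EDR and from the
identity provider or domain controller logs.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed EDR alert: host and time only, no user field
ALERT = {
    "host": "fin-laptop-7",
    "time": "2024-06-01T09:42:10Z",
    "rule": "credential_dump_attempt",
}

# Constructed logon events from the identity source
LOGONS = [
    {"host": "fin-laptop-7", "user": "j.doe", "time": "2024-06-01T08:55:00Z", "type": "interactive"},
    {"host": "fin-laptop-7", "user": "svc-backup", "time": "2024-06-01T09:40:30Z", "type": "network"},
    {"host": "hr-laptop-2", "user": "a.lee", "time": "2024-06-01T09:41:00Z", "type": "interactive"},
]


def correlate_identity(alert, logons, window=timedelta(hours=2)):
    """Logons on the alert's host within `window` before the alert, most recent first."""
    t_alert = parse_ts(alert["time"])
    hits = []
    for logon in logons:
        if logon["host"] != alert["host"]:
            continue
        age = t_alert - parse_ts(logon["time"])
        if timedelta(0) <= age <= window:  # ignore logons after the alert
            hits.append(logon)
    return sorted(hits, key=lambda l: parse_ts(l["time"]), reverse=True)


def enrich(alert, logons, window=timedelta(hours=2)):
    """Return the alert with the correlated users and the most recent interactive user."""
    hits = correlate_identity(alert, logons, window)
    interactive = next((h["user"] for h in hits if h["type"] == "interactive"), None)
    return {**alert, "users": [h["user"] for h in hits], "interactive_user": interactive}


if __name__ == "__main__":
    enriched = enrich(ALERT, LOGONS)
    print(f"{enriched['rule']} on {enriched['host']}: "
          f"users={enriched['users']} interactive={enriched['interactive_user']}")
```

Keeping the interactive user separate from network and service logons matters for triage: a credential-access alert on a workstation reads very differently when the console user is an analyst versus when the only recent session is a service account that should never log on there.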

Operations

Patching the EDR agent treated as low priority. The agent itself is an attack target.

No quarterly review of the policy stack. Rules drift. Threats change. Quarterly review is the floor, not the ceiling.
This piece is part of the Cylentrix Research Office series. For the deeper reference architecture and engagement model behind it, request a confidential briefing.