Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition)

Black Hat USA 2025 · Day 1 · Briefings

Researchers from Comminate demonstrated that attackers can deliberately suppress or downgrade EDR alerts — not by defeating detection engines, but by exploiting SOC teams' tendency to ignore or suppress medium- and low-severity alerts. Using four mutation principles applied across two realistic attack chains, they achieved full attack execution with zero or near-zero alerts across CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne.
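The defensive corollary of the talk's thesis is that triage must not key on severity alone: a chain of individually ignorable low/medium alerts on one host is itself a signal. The following is an added example, not code from the talk or the researchers; the alert tuple shape, the tactic labels and the sample alerts are constructed assumptions, not any EDR's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in a simplified, vendor-neutral shape (an assumption,
# not any EDR's real schema): timestamp, host, severity, ATT&CK-style tactic.
SAMPLE_ALERTS = [
    ("2025-08-06T10:00:00", "ws-17", "low", "execution"),
    ("2025-08-06T10:06:00", "ws-17", "low", "persistence"),
    ("2025-08-06T10:11:00", "ws-17", "medium", "defense-evasion"),
    ("2025-08-06T10:19:00", "ws-17", "low", "credential-access"),
    ("2025-08-06T09:00:00", "ws-22", "low", "execution"),
    ("2025-08-06T12:30:00", "ws-22", "low", "discovery"),
    ("2025-08-06T11:00:00", "srv-01", "high", "lateral-movement"),
]

# Severities a SOC typically auto-suppresses; only these feed the chain logic,
# since high/critical alerts already reach an analyst on their own.
QUIET_SEVERITIES = {"informational", "low", "medium"}


def escalate_quiet_chains(alerts, window=timedelta(minutes=30), min_tactics=3):
    """Flag hosts where low/medium alerts alone cover >= min_tactics distinct
    tactics inside one sliding time window. Returns {host: sorted tactics}."""
    per_host = defaultdict(list)
    for ts, host, sev, tactic in alerts:
        if sev in QUIET_SEVERITIES:
            per_host[host].append((datetime.fromisoformat(ts), tactic))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # All quiet alerts on this host within `window` of the i-th one.
            tactics = {t for ts, t in events[i:] if ts - start <= window}
            if len(tactics) >= min_tactics:
                flagged[host] = sorted(tactics)
                break
    return flagged


if __name__ == "__main__":
    for host, tactics in escalate_quiet_chains(SAMPLE_ALERTS).items():
        print(f"escalate {host}: quiet chain across {tactics}")
```

On the constructed input only ws-17 is escalated: four sub-threshold alerts spanning four tactics in under twenty minutes, while ws-22's two spread-out low alerts and srv-01's single high alert are left to normal triage.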

AI review

Solid offensive research that names the attack surface everyone quietly knew existed but nobody had systematically weaponized. Two complete attack chains, live demos against three major EDRs, zero alerts at the end — that's a result that speaks louder than a hundred threat intel blog posts. The four-principle mutation framework is clean and generalizable.
