About MagicSword

Why We Built MagicSword

For years, our work focused on investigating real-world intrusions, ransomware, malware-free attacks, and post-breach activity inside enterprise environments. Again and again, the same pattern appeared: attackers were not relying on sophisticated malware. They were abusing legitimate tools.

Origin

Built for the defender we used to be.

PowerShell. Remote monitoring software. Signed binaries. Vulnerable drivers. Traditional detection kept improving, but the attacks kept succeeding because the execution path was still open.

MagicSword was created to stop Living Off the Land attacks and unwanted application practice before they execute. The product starts from attacker behavior, turns that research into policy, and helps security teams remove abused paths without turning every legitimate application into an allowlisting project.

"Security should not be about explaining breaches after they happen. It should be about preventing them."

What we investigated

Real intrusions, ransomware, and malware-free attacks

What kept recurring

PowerShell, signed binaries, RMM tools, and vulnerable drivers

What we built

Prevention-first control for abused execution paths

Our Founders

Research operators building prevention software.

MagicSword is built by people who have spent years studying how attacks unfold in real environments, then turning that knowledge into tools defenders can use.

Jose Enrique Hernandez

Co-Founder and CEO

Security researcher and entrepreneur focused on practical defense.

Former Director of Threat Research at Splunk. Previously, Jose co-founded Zenedge, acquired by Oracle. He is known for creating and contributing to security projects used by defenders across attack simulation, detection content, and application abuse research.

Splunk Attack Range, Security Content, Git-Wild-Hunt, Melting-Cobalt, BlackCert, Atomic Red Team, LOLBAS

Michael Haag

Co-Founder and CTO

Threat researcher and security architect focused on hands-on attacker behavior.

Former Senior Threat Researcher at Splunk. Michael has more than a decade of experience in security architecture, threat hunting, detection engineering, and advanced investigations. He is the co-founder of Atomic Red Team and co-host of Atomics on a Friday.

Threat Hunting, Detection Engineering, Atomic Red Team, Atomics on a Friday, Security Architecture

Our Approach

Built for prevention.

The goal is not responding faster to something that already ran. The goal is making sure the abused path never runs at all.

Detection cannot keep up with machine-speed attacks

When attackers automate trusted-tool abuse, alerting after launch is already too late.

Prevention should come before detection

MagicSword focuses on restricting the execution paths attackers repeatedly use.

Endpoint security must be intelligence-driven

Policies are guided by real attacker behavior, open research, and continually updated abuse patterns.

Execution control is the foundation of endpoint Zero Trust

The goal is to stop unwanted application practice before it becomes a breach workflow.

The Team

Turning attacker research into usable controls.

Alongside Jose and Michael, the MagicSword team includes Andres, Julie, Natalia, Carlos, and other builders working across research, engineering, product, and customer workflows. The shared work is simple: help security teams stop attacks before they execute.

Andres, Julie, Natalia, Carlos

Prevention-first endpoint security

Stop attacks before they execute.
