We Don't Block Apps.
We Block Attacker Techniques.
Traditional application control decides what software is allowed. MagicSword focuses on what attackers actually weaponize. Our threat intelligence tracks abused tools and automatically turns that research into enforcement rules across Windows, macOS, and Linux, without complex policy tuning or user disruption.
Traditional Application Control
Starts With Guessing
Most application control platforms are built around allowlisting. Security teams attempt to decide which applications are legitimate and allow them to run. Everything else is blocked. But attackers stopped bringing their own malware. They abuse tools your organization already approved: legitimate RMM tools, vulnerable drivers, malicious certificates, and built-in OS binaries across Windows, macOS, and Linux. If those tools are already approved, the allowlist becomes the attack surface.
Custom executables, trojans, and ransomware: detectable by signature and hash, the era blocklists were built for.
Attackers weaponize built-in OS tools: PowerShell, WMI, certutil, mshta. There is no malware to detect because the tools are already trusted.
Legitimate RMM tools, vulnerable kernel drivers, and signed admin utilities weaponized at scale. Your allowlist becomes the attack surface.
82% of detections in 2025 were malware-free: attackers used legitimate tools your allowlist already approved.
SOURCE: CROWDSTRIKE 2025 GLOBAL THREAT REPORT
MagicSword Starts With How
Attacks Actually Happen
Instead of trying to predict what software might be safe, MagicSword tracks the tools attackers actually abuse in real breaches. When new abuse patterns appear in the wild, MagicSword translates them directly into enforcement rules. Protection evolves based on real attack behavior, not assumptions, reducing risk without disrupting operations or requiring constant policy management.
From abused binaries and vulnerable drivers to malicious certificates and dual-use tools, MagicSword tracks everything traditional EDR misses.
Living Off the Land
Built-in OS tools weaponized by attackers: PowerShell, certutil, mshta, and hundreds more across Windows, macOS, and Linux.
Vulnerable Drivers
Signed kernel drivers exploited in BYOVD attacks to disable security tools and gain kernel-level access.
RMM Tool Abuse
Legitimate remote monitoring tools abused for lateral movement and persistent access in enterprise breaches.
Malicious Certificates
Revoked, compromised, and criminal code-signing certificates used to sign malware and bypass trust checks.
EDR Killers
Purpose-built tools designed to disable, tamper with, or blind endpoint detection and response products.
Dual-Use Utilities
Legitimate admin and system tools routinely abused by attackers for credential dumping, lateral movement, and reconnaissance.
17+ sources across Windows, macOS, and Linux updated every 2 hours. That research DNA powers every MagicSword policy.
Different Intelligence Leads to
Different Security Outcomes
Other platforms decide what software is allowed. MagicSword decides what attacker techniques are not.
Traditional Application Control
MagicSword Threat-Driven Control
Learn how threat-driven application control differs from traditional allowlisting approaches.
Threat Intelligence Is
the Enforcement Engine
Other vendors license third-party feeds and call it 'threat intel.' We do the original research, and our product enforces it automatically across Windows, macOS, and Linux.
Discover
Team discovers new abused binaries, vulnerable drivers, malicious certificates, or dual-use tools through original security research.
Catalog
Cataloged across LOLBAS, LOLDrivers, and LOLRMM with full technical analysis, detection signatures, and abuse context.
Enforce
Findings feed directly into the MagicSword policy engine, auto-generating deny rules across Windows, macOS, and Linux with zero manual configuration.
Protect
Customers protected before the threat hits the news cycle. No manual policy updates. No lag between discovery and defense.
Their intel is third-party licensed or reactive. We find it first because we do the research across binaries, drivers, certificates, and tools.
Threat Intelligence That
Becomes Enforcement
MagicSword combines open-source and proprietary intelligence to track attacker techniques across platforms. These sources update continuously and feed directly into your WDAC policies.
| SOURCE NAME | TYPE | PLATFORM | CATEGORY |
|---|---|---|---|
| LOLBAS | Open Source | Windows | Living Off the Land |
| LOLDrivers | Open Source | Windows | Vulnerable Drivers |
| LOLRMM | Open Source | Windows · macOS | RMM Abuse |
| LOOBins | Open Source | macOS | Living Off the Land |
| GTFOBins | Open Source | Linux · macOS | Living Off the Land |
| MSFT Revoked Certificates | Open Source | Windows | Revoked Certificates |
| Microsoft VDBL | Open Source | Windows | Vulnerable Drivers |
| MS Recommended Block | Open Source | Windows | App Control Bypass |
| Cert Graveyard | Open Source | Cross-Platform | Criminal Certificates |
| MagicSword macOS Intel | Open Source | macOS | Threat Hunting |
| PROPRIETARY / PREMIUM SOURCES | | | |
| Sysinternals | Premium | Windows | System Tools |
| MagicSword Intel Blocklist | Premium | Windows | Threat Hunting |
| NirSoft / JoeWare | Premium | Windows | Credential Tools |
| EDR Killer Block List | Premium | Windows | Security Evasion |
| Actively Exploited Signers | Premium | Cross-Platform | Certificate Abuse |
| MalwareBazaar CSCB | Premium | Cross-Platform | Malware Signing |
New intel source added every quarter. Coverage expanding continuously.
The Research Behind the Product
The MagicSword founders created LOLDrivers and LOLRMM and are key maintainers of LOLBAS, the open-source projects thousands of security professionals reference daily. That research DNA powers every MagicSword policy. Explore all of our community projects.
LOLBAS
Key maintainers of the industry standard for tracking abused Windows binaries. Referenced by MITRE ATT&CK.
347+ binaries cataloged
LOLDrivers
Created the vulnerable driver database that Microsoft, CrowdStrike, and major EDR vendors reference.
892+ drivers tracked
LOLRMM
Created the definitive catalog of RMM tools abused for lateral movement in enterprise breaches.
156+ RMM tools cataloged
When Attackers Lose Their Tools,
They Lose Their Playbook
When PowerShell abuse is restricted, they try WMI.
When WMI is blocked, they try RMM tools.
When those paths are restricted, the attack becomes harder, slower, and more visible.
Most attackers simply move on to environments where these tools remain unrestricted. That is the goal of threat-driven application control.
Make the environment too difficult to attack.
See How MagicSword Blocks
What Others Miss
We will audit your environment against our 17+ threat intelligence sources covering Windows, macOS, and Linux and show you the gaps your current solution leaves open.
No credit card required · Deploy in 48 hours · Windows, macOS, and Linux coverage