Detection Chokepoints

Detection is a game of economics.

Make it expensive for attackers to avoid your detections.

Each entry targets an invariant prerequisite attackers can't bypass - detections anchored here survive tool rotation and obfuscation. Learn the framework →

? Badge guide
Research Broad baseline, high noise, not for alerting
Hunt Behavioral context, moderate noise, analyst triage
Analyst Production-ready, low noise, SOC alerting
Pre-Exec Fires before execution. ETW, web proxy, IOK.
High FP Expect significant noise
Medium FP Moderate noise, tune for your environment
Low FP Safe for production
New Added in latest update
Updated Modified in latest update
Tactic
Priority
Prevention · Application Control

Detection finds RMM/LOLBAS abuse. Application control stops it pre-execution. Learn how MagicSword blocks RMM / LOLBAS abuse →