[syntheticcorp]

I work in offense and they can be a huge impediment. Significant work goes into bypassing or staying undetected from these products. While not all the detection occurs at runtime, they report a lot of data back from the endpoint so historical detection can happen.

However what I see is essentially their true positive and false negative rate, I would be interested to know what the false positive rate is.

[semi-extrinsic]

Yeah, I guess this all boils down to your threat model in the end. As your post seems to indicate, if a dedicated attacker targets you, they're probably going to be able to work around the endpoint protection anyways.

I'm more curious about the case if your org is a few thousand people and you receive random low-effort attacks distributed across those people, will endpoint protection be a panacea?