by jabroni_salad
978 days ago
Yes, I have operated carbon black, huntress, and crowdstrike and they all work very well at stopping real attacks. You are always going to have edge cases, but there's a lot of power in being able to roll back anything even if it wasn't initially blocked. Within a few minutes of badstuff.exe being flagged I can have a graph of everything it's ever touched, how it got there, say with certainty if consumer data was impacted, and know everything that was exfiltrated. We can go back to patient zero and see everything that it branches out to and freeze every iteration of it out of the network instantly. And it's easy; you used to be down for weeks and hire a DFIR firm to puzzle it out. Now it's a button.
|
I can certainly see the value in that.
But does that work when the threat is actually "new"? Say, some badstuff.exe managed to run and do its thing without being flagged by the EDR. Somehow you found out about it, say on another box. Can you investigate a posteriori how it got on the initial box and what it did there?