The Conti ransomware group published an “EDR Tier List” on X (formerly Twitter), grading well-known Endpoint Detection and Response tools from S Tier (hardest to evade) down to “LOL” Tier (trivial to bypass). A surprise entry in the bottom tier is Microsoft Defender for Endpoint (MDE), which the gang says is easy to sidestep in its default state. Conti later boasted they can bypass all listed products, although some need more effort than others. The overarching lesson: even top-ranked security software is ineffective if it is left on factory settings or poorly tuned.

Conti hackers publish a league table of EDR tools – and configuration is the real winner
Cyber-criminal collective Conti has taken to X with an eye-opening “EDR Tier List”. The chart ranks familiar Endpoint Detection and Response products by how easy they are to dodge:
• S Tier – toughest to sidestep
• A & B Tiers – respectable, but beatable
• C & D Tiers – barely slow attackers down
• “LOL” Tier – laughably ineffective

One eyebrow-raiser is Microsoft Defender for Endpoint, dumped into the “LOL” bucket. Security professionals were quick to defend MDE’s capabilities, pointing out that many firms run it straight out of the box without enabling its advanced protection features. Conti’s rating highlights that problem: default settings are soft targets.
The gang later bragged they can evade every tool on the list given time, although some require “more elbow-grease”. Their post sparked fierce debate online, yet it underlines a simple truth:
Buying first-class security software is only half the job – tuning and continuous monitoring make the difference.

Key points for defenders
1. Harden the defaults – enable all prevention and EDR modules, not just the free bits.
2. Review policies regularly – threat actors adapt; your configuration must keep pace.
3. Validate with red-team drills – assume nothing until you’ve tested it in anger.
Even an “S-Tier” product becomes paper armour if it sits idle on stock settings.
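
As an added illustration of the "harden the defaults" point for Microsoft Defender (this script is not from the article or from Microsoft), the following read-only PowerShell audit reports which local protection settings fall short of a baseline. The pass conditions are an assumed baseline chosen for this example; `Get-MpPreference` and `Get-MpComputerStatus` are the standard Defender cmdlets on Windows.

```powershell
# Added example: read-only audit of the local Microsoft Defender configuration.
# The pass conditions are an assumed hardened baseline chosen for illustration,
# not values taken from the article or from an official Microsoft baseline.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# ASR rules only count when their action is 1 (Block); 2 is Audit, 0 is Disabled.
$asrBlocking = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count

# Each check: display name, current value, and a test for the assumed baseline.
# Numeric preferences are cast to [int] so an unset ($null) value reads as 0.
$checks = @(
    @{ Name = 'Real-time protection';       Value = $status.RealTimeProtectionEnabled;   Pass = { $args[0] -eq $true } }
    @{ Name = 'Behavior monitoring';        Value = $status.BehaviorMonitorEnabled;      Pass = { $args[0] -eq $true } }
    @{ Name = 'Tamper protection';          Value = $status.IsTamperProtected;           Pass = { $args[0] -eq $true } }
    @{ Name = 'Cloud-delivered protection'; Value = [int]$pref.MAPSReporting;            Pass = { $args[0] -ne 0 } }
    @{ Name = 'Cloud block level';          Value = [int]$pref.CloudBlockLevel;          Pass = { $args[0] -ge 2 } }
    @{ Name = 'Network protection';         Value = [int]$pref.EnableNetworkProtection;  Pass = { $args[0] -eq 1 } }
    @{ Name = 'PUA protection';             Value = [int]$pref.PUAProtection;            Pass = { $args[0] -eq 1 } }
    @{ Name = 'ASR rules in block mode';    Value = $asrBlocking;                        Pass = { $args[0] -gt 0 } }
)

# Evaluate every check and build one report row per setting.
$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting = $c.Name
        Value   = $c.Value
        Result  = if (& $c.Pass $c.Value) { 'OK' } else { 'REVIEW' }
    }
}

$report | Format-Table -AutoSize

# Summarise anything that still looks like an out-of-the-box setting.
$weak = @($report | Where-Object Result -eq 'REVIEW')
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) setting(s) fall short of the assumed baseline."
}
```

Rows marked REVIEW are candidates for the regular policy review in point 2; settings in audit mode are reported as REVIEW because they log but do not block.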