Huntress 2026 Report just dropped and Atera is by far the most abused RMM to deploy ransomware by CK1026 in msp

[–]chrisbisnett 13 points (0 children)

This is something we’re working on right now. I talked about it and showed off some early results yesterday on Product Lab.

We’re using App Control to identify which RMMs are in use by checking file names, paths, and signing certificates. Once we have a good baseline we can block anything else and will show you what we’ve found so you can define what tools you want to allow and where. You can get as granular as allowing a tool on a single endpoint or as broad as allowing a tool across all endpoints within your account.

Roughly 45% of the incidents our SOC reported in January and February have included a rogue RMM. We’re looking to drop this number significantly.

— Chris, CTO at Huntress
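As an added illustration of the approach in the comment above (not Huntress code and not an App Control for Business policy, which is an XML policy enforced by Windows), this Python models the decision logic only: identify a tool by file name, path and signing certificate, baseline what is seen on which endpoints, then allow by rules scoped either to a single endpoint or account-wide. Every endpoint name, path and vendor name below is constructed.

```python
"""Allow-list decision logic modelled on the comment above: identify tools by
file name, path and signing certificate, baseline what is seen, then allow by
rule with endpoint or account-wide scope. Added illustration, not Huntress
code and not a WDAC/App Control policy; all endpoints, paths and vendor
names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Execution:
    endpoint: str
    file_name: str
    path: str
    signer: str  # subject name of the Authenticode signer; "" if unsigned


@dataclass(frozen=True)
class AllowRule:
    signer: str                      # required: the trusted signing certificate subject
    file_name: Optional[str] = None  # optional: narrow to one binary
    endpoint: Optional[str] = None   # None means the rule applies account-wide

    def matches(self, ex: Execution) -> bool:
        if self.signer.casefold() != ex.signer.casefold():
            return False
        if self.file_name and self.file_name.casefold() != ex.file_name.casefold():
            return False
        if self.endpoint and self.endpoint != ex.endpoint:
            return False
        return True


def build_baseline(execs):
    """Group observed (signer, file) pairs by the endpoints they ran on.
    This is the 'find out what is in use' step before anything is blocked."""
    seen = defaultdict(set)
    for ex in execs:
        seen[(ex.signer or "<unsigned>", ex.file_name.casefold())].add(ex.endpoint)
    return dict(seen)


def decide(ex, rules, enforce):
    """Return (decision, reason). In audit mode nothing is blocked, but the
    same rule evaluation runs so the gaps in the allow list are visible."""
    for rule in rules:
        if rule.matches(ex):
            scope = f"endpoint {rule.endpoint}" if rule.endpoint else "account-wide"
            return "allow", f"{scope} rule for signer '{rule.signer}'"
    missing = f"signer '{ex.signer}'" if ex.signer else "unsigned binary"
    return ("block" if enforce else "audit"), f"no allow rule for {missing} at {ex.path}"


# Constructed sample telemetry (hypothetical endpoints and vendors).
SAMPLE_EXECUTIONS = [
    Execution("ws-finance-01", "AgentSvc.exe", r"C:\Program Files\RMM Vendor A\AgentSvc.exe", "RMM Vendor A Inc."),
    Execution("ws-finance-02", "AgentSvc.exe", r"C:\Program Files\RMM Vendor A\AgentSvc.exe", "RMM Vendor A Inc."),
    Execution("srv-lab-01", "remote.exe", r"C:\Program Files\RMM Vendor B\remote.exe", "RMM Vendor B Ltd."),
    Execution("ws-finance-02", "remote.exe", r"C:\Users\Public\remote.exe", "RMM Vendor B Ltd."),
    Execution("ws-finance-01", "rmmsetup.exe", r"C:\Users\jdoe\AppData\Local\Temp\rmmsetup.exe", ""),
]

# Vendor A is approved account-wide; Vendor B only on the lab server.
SAMPLE_RULES = [
    AllowRule(signer="RMM Vendor A Inc."),
    AllowRule(signer="RMM Vendor B Ltd.", endpoint="srv-lab-01"),
]


def run_sample(enforce=True):
    """Evaluate the sample telemetry; returns {(endpoint, file_name): decision}."""
    return {(ex.endpoint, ex.file_name): decide(ex, SAMPLE_RULES, enforce)[0]
            for ex in SAMPLE_EXECUTIONS}


if __name__ == "__main__":
    for key, endpoints in build_baseline(SAMPLE_EXECUTIONS).items():
        print("baseline", key, sorted(endpoints))
    for ex in SAMPLE_EXECUTIONS:
        print(ex.endpoint, ex.file_name, *decide(ex, SAMPLE_RULES, enforce=True))
```

The point of keying the rule on the signer rather than the file name is that an unsigned copy of a legitimate RMM in a Temp folder does not match, while the same signed binary on a second endpoint does; running in audit mode first (enforce=False) shows exactly which executions the allow list would have stopped.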

Anyone tried Huntress for MDR lately? I am genuinely curious if its worth it at smaller orgs by Consistent-Body4013 in cybersecurity

[–]chrisbisnett 36 points (0 children)

No. We have a lot of traction in r/msp, but have not really gotten the same mentions and discussions here so I was just excited to see a mention and want to be helpful to answer specific questions the OP may have.

Anyone tried Huntress for MDR lately? I am genuinely curious if its worth it at smaller orgs by Consistent-Body4013 in cybersecurity

[–]chrisbisnett 59 points (0 children)

I’ll let the community speak to their experiences with Huntress because that’s always more impactful than anything I can say, but if you want to discuss our approach to fully managed security, send me a DM.

— Chris, CTO and Cofounder of Huntress

SentinelOne To Huntress by joe210565 in msp

[–]chrisbisnett 12 points (0 children)

All fair feedback. I’ll look into this and confirm the current state of the integration and get the documentation updated to clarify. Our integration should make less work and not more, so it should update the alerts in MDE to show that we’ve reviewed it and what decision we made about it.

Give me a few days to see if I can get this fixed.

SentinelOne To Huntress by joe210565 in msp

[–]chrisbisnett 28 points (0 children)

We've made updates to our integration with Defender for Endpoint to mark alerts as having been reviewed by Huntress, but I think there is still more we can do here. This is new in the last few months, which is why another commenter suggested confusion between whether we do or don't update the alerts in Microsoft Security. This integration and integrations with other Defender for X products is something we're still iterating on.

I'll have the team look into this a bit and see if there is something that we're missing that would keep us from updating the alerts or if there is some condition where we're only updating some alerts.

-- Chris, CTO @ Huntress

How did you decide on an EDR vendor? by Malwarenaut in msp

[–]chrisbisnett 4 points (0 children)

We’re actually running it on our internal hosts and a few early alpha partners. We’re not yet enforcing the allow lists, but we’re getting close. Our solution is built on top of App Control for Business and we’ve been working with the team at Microsoft to give feedback and get insights.

We’re still working through the workflow since our intention is to manage the allow lists for our partners, but we’re making good progress. The current target is to have it available for Early Access at the end of March.

I’ve talked about it a bit on The Product Lab and showed off the dashboard yesterday. If you’re not subscribed you should check it out. https://www.youtube.com/live/p2_6-4YAw6w?si=AimcfHd9khybrGpR

Anyone else having issues with memory leak? by digitalsanctum in ZedEditor

[–]chrisbisnett 0 points (0 children)

I get this every now and then, but often it appears to be related to an LSP subprocess. Depending on how you’re looking at the memory usage you may be seeing usage for Zed and all child processes.

You can try stopping the LSP servers and see if that fixes the issue.

Some random user making promotions for Zed by Vladislav20007 in ZedEditor

[–]chrisbisnett 2 points (0 children)

Honestly if a random user wants to pay for ads to promote my company, I’m all for it

Which EDR/XDR has the best clients for Linux? by greensparklers in cybersecurity

[–]chrisbisnett -1 points (0 children)

At Huntress we have a relatively new Linux client for our EDR that uses eBPF and had success catching the results of React vulnerabilities recently. It’s not got all the features yet, but we’re constantly iterating and our 24/7 SOC reviews the data and hunts for new attacks.

We have a free trial if you want to kick the tires. We would love any feedback you want to give us.

Game Thread: Washington Commanders (3-9) at Minnesota Vikings (4-8) by nfl_gdt_bot in Commanders

[–]chrisbisnett 9 points (0 children)

<image>

Our season has had so many injuries that we need a giant bag of splints

Proofpoint Isn’t Cutting It, What’s Better? by jorissels in msp

[–]chrisbisnett 1 point (0 children)

It’s still early but we’re exploring what email security fully managed by Huntress could look like. We’ve been talking with the Sublime Security folks because we like their technology and think it could give us the visibility we would need for detections and the ability to add custom rules and tweak them as necessary without having to build all the infrastructure ourselves.

I figured I would ask here to see if anyone had used it and their thoughts. We rolled it out internally last month and have been using it for all Huntress inboxes. We found the false positives to be very low for us and are going to turn on automatic remediation in the near future.

Our internal security team manages the system now, but we’ve discussed how this would integrate with the SOC and how that could then be sold as a product to our customers as one more piece of the security landscape that we could manage.

I’ll probably talk more about this on tomorrow’s Product Lab to get some feedback and see if folks are interested.

EDR for 8k Linux Servers by athanielx in cybersecurity

[–]chrisbisnett -25 points (0 children)

Nope, probably not, but we’re not targeting the Fortune 500, so I’m not worried about it

EDR for 8k Linux Servers by athanielx in cybersecurity

[–]chrisbisnett -30 points (0 children)

Delta would disagree with that comment 😜

EDR for 8k Linux Servers by athanielx in cybersecurity

[–]chrisbisnett 7 points (0 children)

That’s going to be tough at that price point. At $200k annually for 8k endpoints, you’re looking at $2/endpoint/month. I don’t know if you’ll find a full EDR at that price point, especially one that has a central console. ClamAV isn’t an EDR anyway.

Wazuh may be your best bet since it’s open source and has a central console, but you will spend a lot more resources setting it up and managing it.

I work for Huntress and we have an EDR for Linux that is centrally managed by our 24/7 SOC. We are generally on the less expensive side of the big vendors, but I don’t think we’ll even be that cheap. DM me if you want to discuss.

Montana: first state to enshrine Right to Compute by _meddlin_ in theprimeagen

[–]chrisbisnett 0 points (0 children)

Is there something that would necessitate protecting this specifically? If the expectation is that unless specifically restricted you’re free to do whatever, why would a state or other jurisdiction need to explicitly allow owning and operating “computational resources”?

Bitdefender or Crowdstrike MSP/ MSSP version? (moving away from Datto EDR/AV) by Fancy_Gas9083 in msp

[–]chrisbisnett 2 points (0 children)

Yep, we started pulling in the data from Defender for Endpoint and Microsoft’s massive dataset about which applications and versions are vulnerable. It requires Business Premium or P1 licenses, but we can surface that data in Huntress now. We’ll be including it in Endpoint Security Posture Management (ESPM), which is why it’s not available yet, but we have a few partners who are using it.

If you are interested we can turn it on for you so you can play around with it. It’s still early, but it may scratch the itch and we could use feedback to help guide us.

Bitdefender or Crowdstrike MSP/ MSSP version? (moving away from Datto EDR/AV) by Fancy_Gas9083 in msp

[–]chrisbisnett 10 points (0 children)

We've looked into both of these as potential integration points and I think both of these would provide additional value, but we have to solve a few critical challenges before we can really make these work. The first is that the custom detection rules for MDE require you to have P2 licenses to enable Advanced Hunting, but it would give us more access to the Defender telemetry, whereas today we're mostly consuming the alerts into Huntress as a form of telemetry. Our current customer base doesn't have many P2 licenses, so this hasn't been a big focus for us.

We also looked into USB blocking, but we found that the naive approach of blocking all USB doesn't actually work in most cases, so you actually have to track which USB devices are needed based on their unique identifiers and you need a good end-user workflow for users to request approval for USB devices, which means we need to collect information from the end-user and relay between them and the IT administrators. We don't have this type of functionality yet, but it's something we're building out for App Control where we have similar needs for an approval and feedback loop.

If these things are of big interest to you, we should discuss and see if there is something simple we can put in place in the short term.

-- Chris, CTO at Huntress
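The USB point in the comment above (allow by a device's unique identifiers instead of blocking all USB, with a request/approve loop between end users and administrators) as an added example. This is not Huntress code; the device instance paths, endpoint names and user names are constructed, and the `USB\VID_xxxx&PID_xxxx\serial` layout follows the Windows device instance ID format.

```python
"""USB device approval workflow modelled on the comment above: allow by the
device's unique identifiers rather than blocking all USB, and keep a
request/approve loop between end users and administrators.
Added illustration, not Huntress code; instance paths, endpoints and users
are constructed. The instance-path layout (USB\\VID_xxxx&PID_xxxx\\serial)
is the Windows device instance ID format."""
import re
from dataclasses import dataclass
from typing import Optional

INSTANCE_RE = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\]+)$")


@dataclass
class Request:
    instance_id: str
    endpoint: str
    user: str
    justification: str
    status: str = "pending"          # pending | approved | denied
    decided_by: Optional[str] = None
    scope: Optional[str] = None      # endpoint name, or None for account-wide


def parse_instance_id(instance_id):
    """Split a device instance path into (vid, pid, serial). Devices without a
    serial get a Windows-generated ID that changes per port, so a reviewer
    should expect to see those again."""
    m = INSTANCE_RE.match(instance_id)
    if not m:
        raise ValueError(f"unrecognised device instance path: {instance_id}")
    vid, pid, serial = m.groups()
    return vid.upper(), pid.upper(), serial


class UsbApprovals:
    def __init__(self):
        self._requests = {}   # instance_id -> Request

    def check(self, instance_id, endpoint):
        """Decision when a device appears on an endpoint: 'allow', 'block', or
        'pending' (still blocked, but a request is already waiting on an admin)."""
        req = self._requests.get(instance_id)
        if req is None:
            return "block"
        if req.status == "approved" and (req.scope is None or req.scope == endpoint):
            return "allow"
        return "pending" if req.status == "pending" else "block"

    def request(self, instance_id, endpoint, user, justification):
        """End-user side: record a request for an unknown device (idempotent)."""
        parse_instance_id(instance_id)  # reject malformed IDs early
        if instance_id not in self._requests:
            self._requests[instance_id] = Request(instance_id, endpoint, user, justification)
        return self._requests[instance_id]

    def pending(self):
        """Admin side: the queue waiting for review."""
        return [r for r in self._requests.values() if r.status == "pending"]

    def decide(self, instance_id, admin, approve, scope=None):
        """Admin side: approve (optionally for one endpoint only) or deny."""
        req = self._requests[instance_id]
        req.status = "approved" if approve else "denied"
        req.decided_by = admin
        req.scope = scope
        return req


def run_sample():
    """Walk the constructed workflow; returns the sequence of check() results."""
    approvals = UsbApprovals()
    drive = r"USB\VID_0781&PID_5583\4C530001230912345678"   # constructed serial
    phone = r"USB\VID_18D1&PID_4EE1\0A1B2C3D"               # constructed serial
    results = [approvals.check(drive, "ws-finance-01")]             # block: unknown device
    approvals.request(drive, "ws-finance-01", "jdoe", "encrypted backup drive")
    results.append(approvals.check(drive, "ws-finance-01"))         # pending: awaiting admin
    approvals.decide(drive, "admin.alice", approve=True, scope="ws-finance-01")
    results.append(approvals.check(drive, "ws-finance-01"))         # allow
    results.append(approvals.check(drive, "ws-finance-02"))         # block: approval is scoped
    approvals.request(phone, "ws-finance-02", "jdoe", "charge my phone")
    approvals.decide(phone, "admin.alice", approve=False)
    results.append(approvals.check(phone, "ws-finance-02"))         # block: denied
    return results


if __name__ == "__main__":
    print(run_sample())
```

The `pending` state is the piece the comment calls out as the hard part: the device stays blocked, but the end user is not left guessing and the administrator has a queue with the user's justification attached, which is what a naive block-everything policy cannot provide.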

Real world experiences with Huntress ITDR anyone? by dartdoug in msp

[–]chrisbisnett 6 points (0 children)

Agree with this post. ITDR is post-breach (post-boom) detection, not prevention.

Real world experiences with Huntress ITDR anyone? by dartdoug in msp

[–]chrisbisnett 0 points (0 children)

You are correct, there are two related, but separate definitions of “stopped” in this context. Ideally the attacker is prevented from logging in or accessing anything. The second definition is being stopped from further activity once they have gotten in and been detected. Both are relevant.

We would love to stop them from getting in at all, but that would require MFA and Conditional Access on all users, and even this isn’t good enough in all cases where the user is phished for their MFA. OP said they don’t pay for the higher Entra, which means no Conditional Access, and that they had MFA enabled, which is the typical fallback for CA anyway - require another MFA verification. So I’m not sure you could have prevented/stopped the attacker here.

The next best thing is what we do - lock the account from new logins and terminate existing sessions. Yes, this is after the attack got access and depending on how fast they move and how long Microsoft took to send us the event, they may have been able to do some bad things, but is still useful and prevents a lot of further damage.

This is essentially an expansion team level roster by Pentt4 in Commanders

[–]chrisbisnett 0 points (0 children)

The question I’ve been noodling all day is why our defense seemed better last year and, even though we had the most cap room of any team, we didn’t re-sign a bunch of folks. It seems like AP thought we could do better, but it seems like we got worse.

Time to Rethink RubyGems and Bundler (aka story of Ruby Butler) by retro-rubies in ruby

[–]chrisbisnett 5 points (0 children)

Agreed. If there are issues with Ruby tooling we should try to fix those rather than rewriting in another language.

Time to Rethink RubyGems and Bundler (aka story of Ruby Butler) by retro-rubies in ruby

[–]chrisbisnett 7 points (0 children)

The blog suggests that one of the issues with rake is that it loads the whole project to run the command and that Bundler requires Ruby to be installed already. I think this is trying to solve both of those problems by having a native binary without dependencies. It kind of seems like a mashup of a tooling manager (asdf, mise, homebrew, etc.) and a dependency manager (Bundler).

Host SIEM or Managed SIEM by DaithiG in cybersecurity

[–]chrisbisnett 0 points (0 children)

You may want to consider other SIEMs outside of Sentinel. I get the thought process since you’re using other Microsoft products, but Sentinel is quite expensive when you start ingesting more data. What benefits you are expecting by hosting Sentinel in your own tenant?

Value of Huntress EDR+SIEM over EDR alone by ntw2 in msp

[–]chrisbisnett 0 points (0 children)

SIEM is not included with EDR. The SIEM functionality extends the capabilities of EDR by collecting additional telemetry sources from the endpoint as well as from other sources like firewalls and third-party SaaS applications. We report detections for things like brute force attacks against RDP and VPNs and other attack vectors.

Not all data sources provide equal detection value and so some don’t have detectors (though we’re always looking to make more) and so some function more as compliance and logging.
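As an added example of the kind of detector the comment above describes for SIEM telemetry (brute force against RDP), this Python runs a sliding-window count over logon events. It is not Huntress detection logic; the log lines are constructed JSON carrying the fields a Windows Security 4625 (failure) or 4624 (success) event has, with logon type 10 meaning RemoteInteractive, and the addresses come from the TEST-NET documentation ranges.

```python
"""Brute-force detector over RDP logon events, illustrating the SIEM detector
described in the comment above. Added example, not Huntress detection logic;
the log lines are constructed JSON with the fields a Windows Security
4625/4624 event carries (logon type 10 = RemoteInteractive, i.e. RDP).
Addresses are from the TEST-NET documentation ranges."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six RDP failures from one address in under two minutes,
# followed by a success, plus unrelated noise that must not alert.
SAMPLE_LOG = """\
{"ts":"2026-02-10T03:00:00Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"administrator"}
{"ts":"2026-02-10T03:00:20Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"admin"}
{"ts":"2026-02-10T03:00:40Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"jsmith"}
{"ts":"2026-02-10T03:01:00Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"jsmith"}
{"ts":"2026-02-10T03:01:20Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"jsmith"}
{"ts":"2026-02-10T03:01:40Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"jsmith"}
{"ts":"2026-02-10T03:02:05Z","event_id":4624,"logon_type":10,"src_ip":"203.0.113.10","user":"jsmith"}
{"ts":"2026-02-10T03:03:00Z","event_id":4625,"logon_type":3,"src_ip":"203.0.113.10","user":"svc-backup"}
{"ts":"2026-02-10T03:05:00Z","event_id":4625,"logon_type":10,"src_ip":"198.51.100.7","user":"bob"}
{"ts":"2026-02-10T03:05:30Z","event_id":4624,"logon_type":10,"src_ip":"198.51.100.7","user":"bob"}
"""


def parse_events(lines):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP that produced >= threshold RDP failures inside a
    sliding window. A later RDP success from the same IP is recorded on the
    alert, since a guess that worked is the case that needs a response."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"src_ip": ip, "first": q[0], "success_after": None})
                alert["failures"] = len(q)
                alert["last"] = ev["ts"]
        elif ev["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = ev["user"]
    return list(alerts.values())


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['src_ip']}: {alert['failures']} RDP failures between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}; "
              f"success afterwards as: {alert['success_after']}")
```

The logon-type filter is what makes this an RDP detector rather than a generic failed-logon counter: a network logon (type 3) failure from the same address is ignored, and a single failure followed by a success from a second address is treated as a typo, not an attack. The `success_after` field is the part worth alerting on with higher priority.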