Saturday, 7 March 2026

Black Hat USA 2025 | Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition)

Many security incidents today don't occur due to a lack of alerts—they happen because the right ones are ignored. In this talk, we demonstrate how attackers can achieve their goals while triggering only medium and low severity alerts, which make up the majority of SOC alerts and are often overlooked or not thoroughly investigated. Instead of disabling EDRs or relying on highly complex techniques, attackers can blend into the noise. We walk through how adversaries adapt common TTPs across platforms to bypass SOC operations. By targeting endpoints and cloud workloads protected by CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint, we show how default critical/high-severity alerts can be consistently downgraded to medium/low or suppressed — all while maintaining attack effectiveness. Our goal is to expose critical SOC blind spots in the ways SOC teams interpret, prioritize, and act on alerts. In many environments, even custom detections that could close critical gaps are deprioritized because they add to the overwhelming volume of low and medium severity alerts. Without rethinking how alerts are created, prioritized and investigated, defenders will continue missing threats. We'll discuss custom detections for these TTPs, and why automation is the key to scaling investigations.

By: Rex Guo | CEO/Co-Founder, Culminate Inc. and Khang Nguyen | Founding Security Researcher, Culminate Inc.

Presentation Materials Available at: https://ift.tt/x1JvHfs
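One way to act on the talk's point that automation must scale the investigation of low and medium alerts, as an added example that is not from the talk or its authors: correlate low/medium EDR alerts per host over a short window and escalate when the chain spans several ATT&CK tactics, since each alert alone sits below the triage bar but the sequence does not. The alert records, field names, window and thresholds are constructed assumptions, not any vendor's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Each one carries the vendor's
# default rating; the ws-042 chain is the pattern the talk describes, where
# attacker activity lands only as low/medium alerts.
SAMPLE_ALERTS = [
    {"ts": "2025-08-06T10:01:00", "host": "ws-042", "vendor": "CrowdStrike", "severity": "low", "tactic": "Discovery"},
    {"ts": "2025-08-06T10:04:00", "host": "ws-042", "vendor": "CrowdStrike", "severity": "medium", "tactic": "Credential Access"},
    {"ts": "2025-08-06T10:09:00", "host": "ws-042", "vendor": "CrowdStrike", "severity": "low", "tactic": "Lateral Movement"},
    {"ts": "2025-08-06T11:30:00", "host": "ws-017", "vendor": "SentinelOne", "severity": "medium", "tactic": "Discovery"},
    {"ts": "2025-08-06T14:00:00", "host": "ws-017", "vendor": "SentinelOne", "severity": "low", "tactic": "Discovery"},
]

# Assumed weights: a combined score the analyst can sort the escalation queue by.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}


def escalate_hosts(alerts, window=timedelta(minutes=30), min_tactics=3):
    """Return hosts whose alerts inside any sliding `window` span at least
    `min_tactics` distinct tactics, with the tactics, alert count and score.
    Severity is deliberately ignored for the decision so that a chain of
    low/medium alerts is escalated on its breadth, not on any single rating."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append((datetime.fromisoformat(a["ts"]), a))
    escalated = {}
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, _) in enumerate(items):
            # All alerts for this host from t0 forward that fall inside the window.
            in_window = [a for t, a in items[i:] if t - t0 <= window]
            tactics = {a["tactic"] for a in in_window}
            if len(tactics) >= min_tactics:
                score = sum(SEVERITY_WEIGHT[a["severity"]] for a in in_window)
                escalated[host] = {"tactics": sorted(tactics), "count": len(in_window), "score": score}
                break  # one escalation per host is enough to open a case
    return escalated


if __name__ == "__main__":
    for host, info in escalate_hosts(SAMPLE_ALERTS).items():
        print(host, info)
```

Repeated Discovery alerts on ws-017 stay unescalated, which is the intended behaviour: the signal is the breadth of tactics within the window, not the volume of alerts.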

source https://www.youtube.com/watch?v=Xd4y4hkXprE
