Why Even the Best EDRs Get Hacked

In April 2025, SentinelOne, a leading endpoint detection and response (EDR) vendor, revealed it had been targeted by sophisticated cyber-espionage campaigns, including China-linked PurpleHaze attacks and infiltration attempts by North Korean operatives. This incident underscores a critical truth: even the most advanced endpoint security solutions are not impervious to determined adversaries.

While SentinelOne’s proactive detection mitigated the threat, the attack highlights the limitations of relying solely on endpoint protection and traditional defense-in-depth strategies.

At SecuLore, we believe that robust cybersecurity demands a paradigm shift—prioritizing continuous network monitoring, deep packet inspection (DPI), and a staffed 24/7 Security Operations Center (SOC) to stay ahead of evolving threats.

SentinelOne’s disclosure revealed that the PurpleHaze threat cluster, linked to the Chinese state-sponsored APT15 (Nylon Typhoon), conducted reconnaissance on its systems and high-value clients. Additionally, over 1,000 fake job applications from North Korean operatives using 360 false identities attempted to infiltrate the company. The attackers leveraged advanced tactics, including the GoReShell backdoor and ScatterBrain-obfuscated ShadowPad malware, exploiting n-day vulnerabilities in CheckPoint gateway devices to compromise over 70 organizations globally between July 2024 and March 2025.

While SentinelOne’s internal telemetry and rapid response contained the threat, the incident exposes a broader issue: no single layer of defense, no matter how sophisticated, is foolproof. Endpoint detection, while critical, focuses on securing individual devices. Determined adversaries, however, exploit gaps in visibility—whether through supply chain weaknesses, insider threats, or network-level intrusions—that endpoint solutions alone cannot address.

Defense in depth, the long-standing cybersecurity strategy of layering multiple controls (e.g., firewalls, antivirus, EDR, and intrusion detection systems), aims to create redundancy to thwart attacks. However, the SentinelOne incident illustrates why this approach, while necessary, is insufficient in today’s threat landscape:

1. Sophisticated Adversaries Bypass Layers: State-sponsored actors like PurpleHaze use advanced persistent threats (APTs) that exploit zero-day and n-day vulnerabilities, often targeting supply chain partners or unmonitored network segments. These attacks can evade even the most robust endpoint protections by moving laterally across networks.
2. Blind Spots in Endpoint-Centric Security: EDR solutions excel at detecting and responding to threats on devices but lack visibility into network traffic. For example, the ShadowPad malware used in the SentinelOne attacks relied on network-based command-and-control (C2) communications, which could go undetected without comprehensive network monitoring.
3. Delayed Detection and Response: Defense-in-depth layers often operate in silos, leading to fragmented visibility. Without real-time correlation of endpoint and network data, organizations may miss critical indicators of compromise, allowing attackers to dwell undetected for weeks or months.
4. Supply Chain Vulnerabilities: The SentinelOne attack began with a compromise of a former hardware logistics provider, highlighting how third-party vulnerabilities can bypass internal defenses. Defense in depth rarely accounts for external partner risks, which require proactive monitoring beyond organizational boundaries.

These limitations reveal that defense in depth, while foundational, cannot keep pace with adversaries who exploit the interconnected nature of modern IT environments. To close these gaps, organizations must complement endpoint security with advanced network monitoring and human expertise.

Network monitoring, particularly with deep packet inspection, provides the visibility and context needed to detect and respond to threats that evade endpoint defenses. Unlike EDR, which focuses on device-level activities, DPI analyzes the content and metadata of network traffic in real time, offering several advantages:

• Comprehensive Threat Detection: DPI can identify malicious patterns, such as C2 communications or data exfiltration, that endpoint solutions might miss. For instance, the GoReShell backdoor used in the SentinelOne attacks relied on reverse SSH connections, which could be detected through anomalous network traffic patterns.
• Lateral Movement Detection: Attackers often move laterally across networks after gaining initial access. DPI provides visibility into east-west traffic, enabling early detection of suspicious activity, such as unauthorized access attempts or malware propagation.
• Zero-Day and N-Day Exploit Identification: By analyzing packet payloads, DPI can detect exploits targeting unpatched vulnerabilities, like the CheckPoint gateway flaws exploited in the SentinelOne incident, before they reach endpoints.
• Supply Chain Threat Monitoring: DPI can monitor traffic to and from third-party vendors, identifying anomalies that may indicate a compromised partner, as seen in the SentinelOne supply chain attack.

At SecuLore, our network monitoring solutions leverage DPI to provide granular insights into network activity, ensuring organizations can detect and respond to threats in real time. This approach bridges the gaps left by defense-in-depth strategies, offering a proactive defense against sophisticated attacks.

Technology alone is not enough. The SentinelOne incident demonstrates that even cutting-edge tools require human expertise to interpret and act on alerts effectively. A staffed 24/7 SOC is the linchpin of a modern cybersecurity strategy, offering:

• Real-Time Threat Hunting: SOC analysts proactively hunt for threats, correlating network and endpoint data to identify subtle indicators of compromise. In the SentinelOne case, rapid investigation of the logistics provider intrusion was key to containing the threat.
• Incident Response and Mitigation: A 24/7 SOC ensures immediate response to incidents, minimizing dwell time. Analysts can isolate compromised devices, block malicious traffic, and coordinate with external partners to address supply chain risks.
• Continuous Improvement: SOC teams analyze attack trends and update detection rules, ensuring defenses evolve with the threat landscape. For example, insights from the PurpleHaze campaign can inform new DPI signatures to detect similar threats.
• Human Judgment for Complex Threats: Automated systems may struggle with nuanced attacks, such as the North Korean infiltration attempts using fake identities. SOC analysts bring contextual understanding to distinguish legitimate from malicious behavior.

SecuLore’s 24/7 SOC is staffed by experienced analysts who combine DPI-driven network insights with endpoint data to deliver unparalleled threat detection and response. Our team operates as an extension of your organization, providing the expertise needed to stay ahead of sophisticated adversaries.

The SentinelOne incident is a stark reminder that even the best endpoint detection vendors are not immune to attack. Defense in depth, while essential, cannot address the full spectrum of modern threats, from supply chain compromises to network-based attacks. To stay resilient, organizations must embrace a proactive approach that combines advanced network monitoring with deep packet inspection and a staffed 24/7 SOC.

At SecuLore, we empower organizations to move beyond reactive security. Our solutions deliver real-time visibility, actionable intelligence, and expert response, ensuring you can detect and defeat even the most sophisticated adversaries. Don’t let the next attack catch you off guard—contact SecuLore today to strengthen your cybersecurity posture.