
EDRmetry

EDRmetry is a Linux EDR/SIEM evaluation and testing playbook. It helps teams understand the scope of Linux DFIR through threat emulation and teaches Linux security checks mapped to the MITRE ATT&CK™ Framework.


Key Benefits

Linux EDR/SIEM Validation

Faster and more effective security validation for critical Linux EDR/SIEM infrastructure → contextual security event and telemetry generation.

Offensive Knowledge Base

Centralized red teaming knowledge base for Linux environments → reduced R&D costs for development and operations.

Skills Development

Skills development in the Linux detection, forensics, and incident response process through practical offensive emulations.

Threat Hunting/DFIR

Results enable the preparation of hypotheses for Linux threat hunting, improved detection, and more efficient incident handling.

"Understanding the effectiveness of your Linux cybersecurity measures is more critical than ever. While you invest in expensive security tools like EDR/XDR, set up Security Operations Centers (SOCs), and implement Security Information and Event Management (SIEM) systems, how can you truly assess their performance against real-world Linux threats and complex attacks? How to choose and validate EDR/SIEM for your Linux needs? Learn about EDRmetry."

Leszek Mis, Founder and CEO @ Defensive Security

Current Scope of EDRmetry Playbook

EDRmetry provides more than 240 offensive unit tests built with a modular approach, so they can be chained into complex attack scenarios. Each test is backed by documentation for quick understanding and usage. EDRmetry gives security teams a robust foundation for offensive testing and validation of Linux-focused EDR/SIEM solutions.

The current scope of EDRmetry tests covers:

  • User- and kernel-space tampering to evade traditional detection mechanisms
  • eBPF rootkits: advanced syscall hooking for stealthy manipulation
  • Fileless execution techniques: pure memory-based payloads that avoid disk traces entirely
  • Generation of network traffic using one-liners and full C2 frameworks such as Sliver, Metasploit, Merlin, Mythic, and others
  • Ready-to-use webshell examples for various scenarios
  • Living Off the Land Binaries (LOLBins) real-world attack vectors
  • Code injection into running processes for stealth and persistence
  • Encrypted loaders: testing encrypted payload execution for advanced evasion
  • Ransomware emulation: simulations written in C, Python, and Bash that mimic ransomware behaviour for validation under stress scenarios

EDRmetry Components

EDRmetry Playbook

EDRmetry Playbook is the main component; it lets users explore and create Linux security tests:

  • Web-based knowledge base with a user-friendly interface, available behind the SSO gateway
  • Hundreds of ready-to-use test components
  • Matrix-style view, list-oriented view, and search bar
  • Editor mode with admin privileges
  • On-premise or as SaaS

Attack Flow

Attack Flow is an integrated component that helps you understand how attackers compose Linux ATT&CK techniques into attack chains: it represents and models attack flows and renders them as visualizations.

  • Web-based application available behind the SSO gateway
  • Tool for building advanced offensive strategies and creating attack visualizations
  • Designing complex attack chains
  • On-premise or as SaaS

Testing Environment

EDRmetry Testing Environment includes a set of virtual machines. They can be installed within PurpleLabs or on-premise in your environment:

  • TARGET_X (RHEL9):
    • The main Linux VM on which attack emulations are carried out. Vulnerable by default:
      services (Kafka / Httpd / web app / SSH / ActiveMQ / Tomcat / WebLogic / Spring / MySQL / Docker / log4j and many more), security misconfigurations, weak passwords, insecure privileges.
  • DEVEL_X (RHEL9):
    • A development VM that mirrors TARGET_X, intended for rootkit and other source code compilation.
  • C2_X (Kali Linux):
    • External attacker machine dedicated to handling egress reverse shell connections, installing C2 frameworks, pivoting, and more.
  • KALI_X (Kali Linux):
    • Internal attacker machine dedicated to handling local reverse shell connections, installing C2 frameworks, pivoting, and more.

Service Packages

  • EDRmetry 365 Basic:

    • Private, single-user access to EDRmetry
    • 365 days of subscription access
    • Updates and new security tests included
    • Private instance with admin privileges
    • Testing Environment VM images ready for download
    • 30 days of dedicated Testing Environment access in PurpleLabs
    • Full technical support

  • EDRmetry 365 Basic + Services [ENTERPRISE]:

    • All elements of the Basic package
    • Multi-user access to EDRmetry for users from the same company
    • 365 days of dedicated Testing Environment access in PurpleLabs
    • [OPTIONAL] 10 days of expert consultations → support for the validation process and for understanding the behaviour and functionality of the EDR/SIEM engine
      • Knowledge transfer / training / workshops
      • Incident response services / post-breach analysis
      • Formulation of approaches to leverage the EDR system and telemetry sources:
        • Gaining a practical understanding of the system's full functionality by applying real-world use cases.
      • Development of templates containing steps and areas for basic incident handling using EDR:
        • Establishing a structured approach for analyzing and handling incidents effectively within the EDR engine.
      • Includes access to the Linux Attack, Detection, and Live Forensics hands-on course.

Flow Design

I. Install EDR engine

Choose and install the EDR engine you want to evaluate.

II. Search Technique

Identify relevant techniques in the EDRmetry database.

III. Choose offensive commands

Extract the necessary commands or code snippets and follow the step-by-step instructions.

IV. Run attack emulations

Prepare attack chains or manually execute single offensive tests on vulnerable-by-design Linux-based systems.

V. Verify detections and alerts

Check the detections, telemetry, and alerts generated within the chosen EDR/SIEM platform.

VI. Dig deeper

Make configuration changes or raise questions with the EDR/SIEM vendor.


Market Challenges

  • Growing need for effective evaluation of cybersecurity tools in Linux/cloud environments:
    • As Linux and cloud-based systems become increasingly integral, organizations face heightened pressure to ensure the efficacy of their cybersecurity solutions.

  • High costs of investment in EDR/XDR, SOC, and SIEM – is it really effective?
    • Organizations demand measurable proof of value and functionality for these expensive tools.

  • Difficulty in verifying security effectiveness against real-world Linux threats:
    • Complexities in analyzing real attack scenarios, including malware and rootkits.

  • Lack of efficient tools for validating, testing, and tuning Linux security system configurations.
  • Need for continuous skills development among security teams in Linux environments:
    • Critical systems demand comprehensive telemetry, contextual awareness, and event analysis across multiple layers (host, network, runtime, RAM, CI/CD pipelines).
    • Insufficient low-level technical knowledge within teams to address advanced threats.
  • Need for cross-functional collaboration among teams, including:
    • SOC (Security Operations Center)
    • Red Team / Blue Team / Purple Team
    • DevOps / DevSecOps / SecOps

Current approaches often fall short, leaving validation through emulation and active testing as the only viable path. EDRmetry is a platform designed to bridge theory with actionable insight into real-world offensive techniques aligned with the MITRE ATT&CK™ Framework.

Unique values

  • Close the gaps in your Linux security posture by emulating Linux threats faster, using a playbook of copy-paste "EDRmetries" testing units
  • Boost your offensive Linux skills with a central knowledge base in matrix format
  • Learn about current trends in Linux attack techniques and tactics
  • Reduce the cost and time needed for Linux EDR/SIEM evaluation testing and research
  • Focus on practical usage of offensive code snippets
  • Find criteria and features to consider when evaluating a Linux EDR platform
  • Run coverage checks of SIEM detections
  • Understand what to expect from modern Linux EDR/SIEM products, with a focus on internals, capabilities, detections, and operations
  • Be able to ask Linux EDR/SIEM vendors the right questions about their products
  • Create complete and complex Linux attack paths; the full scope of the Linux kill chain is covered
  • Choose and validate the best Linux EDR/SIEM for your organization
  • Improve SOC efficiency and the knowledge level of your Linux teams
  • Extend the functionality of your Breach and Attack Simulation systems (BAS enrichment)
  • Get introduced to commercial Linux EDR solutions and open-source runtime security implementations

Linux Attack, Detection, and Live Forensics Course

Learn Linux attack, detection, and live forensics through hands-on analysis of user-space and kernel-space Linux rootkits, C2 frameworks, and tools. Create low-level Linux attack paths, get to know Linux internals better, improve your Linux detection, understand the need for Linux telemetry, and stay prepared for Linux threats.

  • Gain a thorough understanding of important Linux/network DFIR internals and investigation steps
  • Dive into the world of Linux syscall hooking techniques
  • See hands-on how rootkits work in the purpose-built PurpleLabs detection cyber range
  • Find interesting behaviour patterns in binaries and logs
  • Learn what telemetry is needed to catch modern Linux threat actors
  • Learn how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations
  • Get the full picture of Linux attack paths, including post-exploitation activities and the artifacts left behind

Get EDRmetry price list


Sales of and provision of access to EDRmetry are restricted to the B2B format.
