Endpoint Telemetry Coverage Gaps: What Your EDR Cannot See

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Every EDR vendor sells a coverage dashboard that reports 98 percent green. That number is a lie of composition. It counts endpoints where an agent installer succeeded, not endpoints producing useful telemetry, not endpoints in scope, and certainly not the persistence layers and device classes that exist below or beside the agent. A senior detection engineer who treats the vendor number as ground truth will miss entire categories of compromise.
This guide is a structural tour of the gaps. We map what modern EDR genuinely cannot see by architecture, how to measure your real coverage rather than your installed coverage, and what compensating controls fill the holes. The goal is not to abandon EDR; it is to know precisely where it ends so you can build the rest of the detection stack with intent.
If you have never compared your EDR inventory to your DHCP lease table and your NetFlow speakers, you do not know your coverage. By the end of this guide, you will have a methodology to find out.
What Modern EDR Architecturally Cannot See
EDR agents are user-mode or kernel-mode processes that start after the operating system has booted. That single architectural fact creates a category of invisibility. Pre-OS components run before the agent exists: UEFI firmware, bootloaders, the Master Boot Record on legacy systems, and Option ROMs on peripherals. An implant in any of these layers, such as BlackLotus, MoonBounce, or LoJax, is loaded, executes its persistence logic, and hands off to the kernel before the EDR injects a single hook. The agent then reports a clean boot. Kernel-mode rootkits that subvert the same hooks the EDR depends on, particularly on systems with weak Kernel Patch Protection or vulnerable signed drivers loaded via BYOVD, can hide processes, files, and network connections from the agent itself. Then there is the unagentable estate: IoT sensors, OT controllers, network printers with embedded Linux, VOIP phones, ESXi hypervisors on older hardware, embedded Linux devices with no package manager, and increasingly the management planes of network appliances themselves. None of these can host an EDR agent, yet many sit on the same VLANs as your crown jewels and are reachable by adversaries who pivot through them precisely because they know you are not watching.
Measuring Real Coverage Rather Than Installed Coverage
Build a coverage matrix with three columns: device exists, agent installed, agent reporting in the last 24 hours with the expected event volume. The first column comes from your authoritative inventory, which for most organizations is a union of Entra ID joined devices, Intune or Jamf, your CMDB, DHCP leases, and a network discovery scan such as Rumble or runZero. The second column comes from your EDR console export. The third requires a query against your SIEM for agent heartbeat events and a baseline of expected process or syscall volume per endpoint type. Devices in column one but not column two are unmanaged. Devices in column two but failing column three are silent agents, which is operationally worse than no agent because they create false assurance. Segment the matrix by device class: Windows workstation, Windows server, Linux server, macOS, ESXi host, network device, OT device. Expect the silent-agent rate to be five to ten times higher on servers than workstations and to spike during patch windows. Report the silent rate weekly to leadership; it is the single most useful EDR health metric and almost nobody tracks it.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Closing the Gap on Unagentable Devices
For devices that cannot host an agent, network telemetry is the only practical detection surface. Three feeds matter. First, NetFlow or IPFIX from core switches and firewalls, ideally enriched with DNS query logs, gives you behavioral baselines for every speaker on the wire. A network printer that suddenly initiates outbound TLS to a residential ASN at 2 a.m. is detectable here even though it will never appear in your EDR. Second, DHCP logs with vendor class identifiers and option 55 fingerprints let you classify device types passively; a deviation from the expected fingerprint on a known MAC is a strong tampering signal. Third, span or tap traffic into a Zeek or Suricata sensor gives you protocol-aware visibility for lateral movement: SMB, RDP, WinRM, and LDAP connections originating from an OT device or a printer to a domain controller are nearly always malicious. Correlate these three feeds in your SIEM with the EDR coverage matrix to produce a single view: this asset has no agent, here is its behavioral baseline, here are the deviations. That is detection coverage for the unagentable estate.
Pre-OS and Firmware Integrity Monitoring
Below the EDR you need attestation, not detection. Start with UEFI Secure Boot enforced in audit-and-reject mode across the fleet, with the Microsoft third-party CA disabled where business requirements allow, and the Forbidden Signature Database, DBX, kept current via Windows Update or vendor tooling. Verify enforcement programmatically; do not trust BIOS settings to remain set. Next, leverage the TPM. Platform Configuration Register values, particularly PCR 0 through 7, measure the boot chain. Collect PCR values at enrollment, store the known-good set in a configuration database, and verify on every boot via Windows Device Health Attestation or a comparable Linux IMA setup. Any deviation is a high-priority alert. For hardware-attested platforms, HP Sure Start, Dell SafeBIOS, and Lenovo ThinkShield perform continuous BIOS verification independent of the OS and surface tamper events to a management plane your SIEM can ingest. On servers, redfish telemetry from iDRAC, iLO, or XCC provides equivalent visibility. None of this is detection in the EDR sense; it is integrity verification, and it is the only practical answer to the pre-OS persistence problem.
The Linux Telemetry Gap and How to Quantify It
Most EDR platforms were built Windows-first, and Linux coverage is consistently weaker in ways the vendor coverage dashboard will not surface. Hook depth is shallower; many agents rely on auditd or eBPF probes that produce a fraction of the event types the Windows kernel callbacks deliver. File integrity monitoring is often optional and off by default. Container visibility ranges from absent to surface-only, missing the namespace and cgroup context that makes Linux process events useful. Test your coverage explicitly. Pick a representative Linux server, run a controlled set of behaviors mapped to MITRE ATT&CK techniques for Linux: T1059.004 shell execution, T1055.009 proc memory injection, T1547.006 kernel module loading, T1543.002 systemd persistence, T1070.002 log clearing, T1021.004 SSH lateral movement. For each, record whether the EDR produced an event, what fields were populated, and how quickly. Compare to the same exercises on Windows. Document the gap and either layer in osquery, Falco, or Auditbeat to backfill the missing telemetry, or accept the gap and route detection responsibility to network-layer signals. Telling your leadership team you have EDR on Linux without this exercise is misrepresentation.
Operationalizing the Coverage Program
Coverage analysis only matters if it produces continuous, owned action. Assign an owner for each gap class: an endpoint engineer owns silent-agent remediation, a network engineer owns NetFlow and DHCP enrichment, a platform team owns UEFI and TPM attestation, and a detection engineer owns the Linux parity exercises. Set service-level objectives that are measurable: silent-agent rate below 2 percent within seven days of detection, 100 percent of Windows endpoints with PCR 0 to 7 baselines collected at enrollment, every unagented device class with at least one network-layer detection rule mapped to ATT&CK. Review the coverage matrix monthly in a forum that includes both detection and infrastructure leadership; gaps are usually infrastructure problems wearing a detection costume. Finally, feed coverage data into your threat modeling. When a new attacker technique drops, your first question should not be does our EDR catch it but rather where in our coverage matrix does this technique land, and do we have telemetry there at all. That reframing is what separates a mature detection program from a checkbox one.
The bottom line
EDR is necessary and insufficient. The agent sees a specific slice of activity bounded by where it can hook, when it loads, and which devices can host it. Pre-OS persistence, kernel-level subversion, unagentable devices, and weaker non-Windows coverage are not edge cases; they are predictable architectural gaps that adversaries already exploit.
The work is to measure your real coverage rather than your vendor-reported coverage, to layer network and integrity telemetry across the gaps, and to operationalize the program with named owners and measurable objectives. Do that and your EDR becomes a strong primary signal in a defense in depth strategy. Skip it and your green dashboard is a comforting fiction.
Frequently asked questions
Does enabling Secure Boot stop UEFI bootkits?
It raises the bar substantially but is not sufficient on its own. Bootkits like BlackLotus exploited a vulnerability in the Windows Boot Manager that was signed by the Microsoft CA, bypassing Secure Boot entirely until the DBX revocation propagated. Enforce Secure Boot, keep the DBX current, disable the third-party CA where possible, and pair the configuration with TPM PCR attestation to detect deviations from a known-good boot chain.
How do I tell the difference between a silent agent and a properly idle endpoint?
Baseline expected telemetry volume per endpoint class over a two-week window. A Windows workstation under normal use will produce thousands of process and module-load events per day; a server in steady state produces fewer but never zero. Define a per-class floor and alert when an endpoint falls below it for more than 24 hours. Correlate with network presence to distinguish powered-off from silently broken.
Can I rely on auditd for Linux detection if my EDR has weak Linux coverage?
Auditd is a viable backfill for syscall and file events but has well known performance penalties at scale and limited container awareness. For modern stacks, eBPF-based tools like Falco, Tetragon, or commercial Linux-native agents provide deeper, lower-overhead visibility with container context. Use auditd as a transitional layer; plan a migration to eBPF for production.
What is the fastest way to inventory unagentable devices?
Run an unauthenticated discovery scan with a tool such as runZero, Rumble, or nmap with service detection across all corporate VLANs, then reconcile the results against your EDR inventory and DHCP leases. Anything in the discovery scan and not in EDR is your unagentable or unagented set. Repeat monthly; the set grows continuously as IoT and OT devices are added without security review.
Should compensating controls for unagentable devices live in the SIEM or a separate NDR platform?
Both, in practice. NDR platforms produce stronger behavioral baselines and protocol-aware detections out of the box, particularly for east-west traffic. The SIEM is where you correlate NDR alerts with the EDR coverage matrix and identity context. Aim for NDR feeding alerts and enriched flow summaries into the SIEM rather than treating them as separate consoles with separate analyst workflows.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
