About MagicSword

Why We Built MagicSword

We spent years investigating breaches and writing detections for the same techniques: PowerShell, RMM tools, signed binaries, vulnerable drivers. Different victims, same paths. We got tired of watching defenders get the alert after the damage had already started, so we built for prevention instead.

Origin

Built for the defender we used to be

Detection became the job, not the goal. We were good at it. It still wasn't enough.

Most attackers were not showing up with brand-new malware. They were turning already-trusted software into the way in. Nothing exotic. Just weaponized.

Traditional application control starts with managing software. MagicSword starts with attacker behavior. Instead of asking teams to build every rule from scratch, we turn real-world research into policies they can audit, tune, and enforce.

We built MagicSword to remove that pain: start with how attacks actually happen, turn the research into prevention policy, and help teams block the path without breaking the business.

"The goal is not to explain the breach faster. The goal is to make the abused path fail."

What we investigated

Real intrusions, ransomware, and malware-free attacks

What kept recurring

PowerShell, WMI, RMM tools, signed binaries, and vulnerable drivers

What we built

Application control for the paths attackers keep reusing

Our Founders

Built by people who kept seeing the same attacks win

MagicSword comes from years spent shipping detections, running investigations, publishing research, and maintaining the open-source projects defenders use when real attacks hit.

Jose Enrique Hernandez

Co-Founder and CEO

Security researcher and builder focused on defenses people can actually use.

Former Director of Threat Research at Splunk. Jose previously co-founded Zenedge, acquired by Oracle, and has spent years turning attacker tradecraft into open-source tools, detection content, and research defenders can put to work.

Splunk Attack Range, Security Content, Git-Wild-Hunt, Melting-Cobalt, BlackCert, Atomic Red Team, LOLBAS

Michael Haag

Co-Founder and CTO

Threat researcher and security architect focused on the techniques that keep working.

Former Principal Threat Researcher at Splunk. Michael has more than a decade of experience in security architecture, threat hunting, detection engineering, and advanced investigations. He is the co-founder of Atomic Red Team, LOLDrivers, and LOLRMM, and co-host of Atomics on a Friday.

Threat Hunting, Detection Engineering, Atomic Red Team, LOLDrivers, LOLRMM, Atomics on a Friday, Advanced Investigations

Our Approach

Threat-driven application control

Detection still matters. It tells you what to fix. MagicSword closes the loop by turning real attacker research into controls teams can audit, tune, and enforce.

Research becomes policy

Abused binaries, drivers, RMM tools, certificates, and dual-use utilities feed directly into MagicSword controls.

Built around attacker techniques

MagicSword focuses on what attackers weaponize, not a blank allowlist of every app a business approves.

Audit before enforcement

Teams can see what would be blocked, tune exceptions, and move to enforcement without writing XML by hand.

Coverage moves with the threat

Policies evolve as the research changes, so prevention does not lag behind the next abused tool.

The Team

The team behind the work

A small group of researchers, operators, and builders turning field lessons into controls teams can deploy.

Andres Mendez

Head of Sales

Juliette Fayad

Marketing Director

Carlos Torrijos

Sales Operations Specialist

Natalia Torrijos

Content Marketing Specialist

Prevention-first endpoint security

Stop attacks before they execute.