of detections
were malware-free
“EDR, XDR, MDR, and SIEM detect these attacks, but do not prevent them
CrowdStrike 2026 Global Threat Report
Living off the Land attacks are costing billions
Kaseya
RMM tool weaponized to deploy REvil ransomware across 1,500+ companies
RMM abuse
$500M+
downstream impact
Change Healthcare
ALPHV/BlackCat exploited remote access tools affecting millions
LOLBAS abuse
$2.2B
remediation costs
Mark & Spencer's
Scattered Spider used legitimate admin tools to breach retail systems
SimpleHelp RMM abuse
£700M+
market value lost in days
Your EDR sees the threatMagicSword stops it
Detects what's malicious by nature
- Malware & trojans
- Ransomware payloads
- C2 & beaconing
- Infostealers & RATs
- Exploit payloads
- Lateral movement
Prevents what's malicious by use
- RMM abuse
- BYOVD / drivers
- LOLBAS / dual-use
- Signer abuse
- Browser extensions
- EDR killers
MagicSword + EDRSame Endpoint, Same TelemetryDifferent Problems
Your EDR and MagicSword live in the same place, see the same things, and solve different problems
Powered by research alongside
















Your Policy Knows What to Block Before You Deploy It
Backed by 19+ threat intelligence feeds, updated every 2 hours, that automatically generate enforcement-ready rules. You start protected, not from scratch.
Learn how our threat intelligence worksRemote Management Tools
The #1 vector in major breaches. Blocked by default, allow only what you use.
Living-off-the-Land Binaries
PowerShell, PsExec, Sysinternals: controlled, not banned.
Vulnerable Drivers
BYOVD attacks stopped at the kernel level. No EDR tampering.
Your Environment Data
Collect audit logs, auto-allow what your teams need. Nothing else.
From Policy to Enforcement in 48 Hours
Three simple steps to go from zero to fully enforced application control. Create your policy, deploy in audit mode, then analyze and enforce, all in under 48 hours.
Create Your Policy
Create a policy in minutes. Choose a profile, describe what your teams use, and MagicSword automatically builds your rules, pulling from live intelligence on abused RMM tools, Windows binaries, Sysinternals misuse, and known-bad driver publishers.

Deploy in Audit
Deploy with our lightweight agent or go agentless via PowerShell, GPO, SCCM, or Microsoft Intune. Run in Audit for 24–48 hours to learn what your endpoints actually use before enforcement.

Analyze & Enforce
Investigate everything running across your fleet. Software inventory, parent-child process trees, filesystem scanning, and AI-powered risk analysis give you full visibility. Auto-tune your policy with one click, then enforce when you're ready.

From One Command to Audit-Mode Visibility
Install on macOS, Linux, or Windows in seconds. Then sign up free to register the endpoint and start collecting visibility against the legitimate tools attackers abuse.
curl -fsSL https://www.magicsword.io/install.sh | bashThe installer can run before you create an account. Already installed? Sign in to register your endpoint.
Works with your stack
Customer Stories
How Customers Turn Application Control Into an Operating Practice
Regional Government / Public Sector
Defending 1,100 Endpoints Without Additional Headcount
A German public-sector team built a practical WDAC program across 1,100 endpoints without hiring a dedicated application-control engineer.
1,100
endpoints protected
15
person IT team
Financial Services / Capital Asset Management
They Knew the Risk. They Just Needed a Way to Eliminate It.
A U.S. financial services team closed a known trusted-tool attack surface across 1,500 Windows endpoints without adding agents.
1,500
Windows endpoints
~125
IT staff



