The Conti ransomware crew’s EDR Tier List is a wake-up call for anyone who thinks buying a shiny new security tool is the end of the story. It’s not. It’s barely the beginning.
Let’s break down what this means for organisations and why, as someone who’s spent years researching and talking about ransomware and its impact, I’m convinced purple team testing is the missing link between theory and reality.
The Conti EDR “LOL” List: What’s Really Going On?
Conti ranked Endpoint Detection and Response (EDR) solutions from “S Tier” (hardest to evade) to “LOL Tier” (so easy to bypass, it’s laughable). The shocker? Microsoft Defender for Endpoint landed in the “LOL” category. Now, don’t get me wrong, Defender isn’t a bad product. But as the attackers pointed out, it’s only as strong as its configuration. Too many organisations just run it out of the box, never enabling advanced protections or tuning it for their unique environment. That’s like buying a top-of-the-line alarm system and never setting the PIN.
The real kicker? Conti claims they can bypass every EDR on the list. Some just take a little more effort than others. The message is clear: tools alone won’t save you. How you use them matters just as much, maybe more.
Why Purple Teaming Changes the Game
Here’s where purple team testing comes in. It’s not just another buzzword. It’s a collaborative approach where offensive (red team) and defensive (blue team) experts work together, side by side, to simulate real-world attacks and see how well your people, processes, and technology actually hold up.
I’ve seen too many organisations fall into the “set it and forget it” trap with security tools. They buy the latest EDR, tick the compliance box, and assume they’re safe. But as Conti’s rankings show, attackers are constantly probing for weaknesses, especially in default or poorly configured systems. Purple teaming exposes these gaps in a way that traditional pen tests or audits simply can’t.
What Purple Teaming Delivers
- Real-time knowledge transfer: Your defenders see exactly how attackers operate, learning not just what to fix, but why and how to fix it.
- Configuration over comfort: You find out if your “S Tier” tool is actually running in “LOL Tier” mode because of poor setup or missing logs.
- Skills, not just tools: Teams stop relying blindly on tech and start building the critical thinking and response skills that can’t be outsourced or automated.
- Collaboration, not blame: Red and blue teams work together to build a culture of continuous improvement, not finger-pointing.
Don’t Let Complacency Be Your Weakest Link
From my years leading security teams, I can tell you: complacency and over-reliance on tools are the root causes of most avoidable breaches. The research I’ve been part of highlights the same issues time and time again: poor logging, lack of offensive security knowledge, codependent SOC relationships, and unhealthy reliance on tools. If you’re just throwing money at tech without investing in people and process, you’re setting yourself up for a fall.
Purple team testing isn’t just a technical exercise. It’s a mindset shift. It’s about empowering your defenders, surfacing blind spots, and making sure your investment in security actually pays off when it matters most.
The Bottom Line for Damovo Clients
If you want to know how your EDR (or any security tool) will stand up when the next Conti or their copycats come knocking, don’t just trust the marketing.
Test it.
Break it.
Fix it.
And do it together.
Purple teaming is the best way I know to turn security from a checkbox into a competitive advantage. So, next time you see a ransomware gang ranking your defences, don’t panic. Take it as a challenge and let’s make sure your name never ends up in their “LOL” tier.
Want to chat about how purple team testing could help your organisation? Drop me a line. I promise, no sales pitch, just real talk about what works and what doesn’t in the fight against ransomware.