Nope. They bypass tools like Cylance all the time. Static ML before execution can be useful to classify known threats and commodity malware. But APTs and pentesters do not work like that. Modern pentesters do not even use exploits/EXEs much. They guess passwords and come in through VPN and email gateways. They spear phish (Word docs with macros, HTA files, etc.). They move laterally with gained credentials (pass-the-hash, etc.). They schedule scripts to run when your detectors are busy. They don’t send ransomware as an EXE. And if they did, they’d find a way to sign it to bypass the EXE analysis anyway.

I decided to blog this after spending time on the Black Hat vendor floor. I’m quite familiar with endpoint security. And the amount of money some vendors spend on marketing was simply impressive. But does their tech live up to the hype? Ask your pentest friends what they think.