Huntress Under Fire for Controversial Research into Attacker Monitoring

September 16, 2025

Security company Huntress has found itself at the center of a debate within the cybersecurity community following the publication of its recent research. Described by senior staff as "hilarious," the findings have sparked polarized opinions regarding ethics and privacy.

The Case: Monitoring an Attacker with EDR Tools

Huntress revealed that, after an attacker installed a trial version of its Endpoint Detection and Response (EDR) software, their activities were extensively tracked by the vendor. Notably, the attacker had used a premium Malwarebytes browser extension in an attempt to stay secure online.

The investigation’s highlights included the attacker running a Google search for "Bitdefender" and downloading a trial version of Huntress's EDR via a sponsored link at the top of the results. That installation gave Huntress roughly three months of visibility into the machine, during which it observed the attacker refine their methods using automation, AI, phishing kits, exploit kits, and malware.

Uncovering the Attacker’s Language Skills and Techniques

Throughout the monitoring period, Huntress noted the attacker’s frequent use of Google Translate to convert messages from Thai, Spanish, and Portuguese into English—suggesting multilingual capabilities likely employed in targeted phishing campaigns aimed at banking credentials.

Huntress expressed that such a level of detailed insight into an attacker's machine and behavior is rare, describing it as a "once-in-a-blue-moon" opportunity for defenders to understand adversary tradecraft.

Community Reaction and Ethical Concerns

Published on September 9, Huntress’s detailed blog post generated controversy. Some cybersecurity experts questioned the ethics behind continuous monitoring of an attacker without explicit notification or oversight.

Snehal Antani, CEO of Horizon3.ai, shared on X (formerly Twitter): "That visibility gave defenders unique insights, but it also raises a real question: Should a private company be allowed to monitor an adversary like that, or were they obliged to notify authorities once it crossed from IR into intelligence collection?"

Others criticized the privacy implications, labeling the research as an "invasion of privacy," while some expressed surprise at the amount of data EDR tools can access.

Huntress Responds and Clarifies Intentions

On the same day, Huntress defended its methodology, emphasizing that the monitoring relied on standard EDR capabilities comparable to those of other vendors. The company stated:

> "Our investigation aimed to research and respond to security threats, as well as educate the community about threat behaviors. The discovery was accidental and provided a rare window into the attacker’s techniques."

Huntress further explained that its team identified the attacker’s machine during routine investigations of malware alerts. The insights gained were shared to foster a better understanding of threat actor tactics, methods, and behaviors.

The company concluded by reaffirming its commitment to transparency, education, and helping defenders counter malicious actors:

> "This investigation exemplifies our core values: transparency, education, and disrupting hackers."

Final Thoughts

While Huntress's willingness to share detailed attack insights has been praised for its educational value, concerns over privacy, ethics, and the boundaries of offensive monitoring remain hotly debated in cybersecurity circles. As defensive tools gain more visibility into attacker activities, the conversation about responsible intelligence collection continues to evolve.
