There is a particular conversation we have with new clients when we take over a Microsoft 365 environment for the first time. The previous IT provider has installed an EDR (endpoint detection and response) agent on every device. The dashboard is green. The reports say "compliant". On paper, the business is protected.
And then, in a discovery conversation, we ask the question that changes everything: "When was the last time anyone tested whether the EDR actually catches anything?"
The honest answer is almost always "never". A tool was bought, an agent was installed, a tick went in a box on the cyber insurance form, and that was that. The work of confirming the tool is actually defending the business was, somehow, not part of the deal.
"Be the Purple": the simple test most businesses skip
The phrase comes from the Guardz team. In a recent piece called Be the Purple: Is Your EDR Actually Working or Just Existing?, they argue that the most dangerous state for an EDR is not "off" but "on and set to detect-only", or otherwise quietly not doing the job everyone assumes it is doing. We think that framing is exactly right, and it lines up with how Agile IT thinks about cyber security in general.
The colour code, briefly: red team is offensive (the attackers), blue team is defensive (the defenders), and purple is the mindset of running both, deliberately, against your own environment to find out what your defences actually do under attack.
Purple-teaming is a discipline most enterprises practise constantly. It is also one of the most under-used disciplines in the Australian SMB market, because most managed IT engagements were not sold with "we will continuously test your security" as a line item. The assumption was that buying a respected security product was the same as having a respected security posture. It is not.
Three common failure modes we see in EDR deployments that look fine on the dashboard:
- Detect-only mode left on by default. The agent watches attacks happen and writes them to a log nobody reads. Nothing is blocked. Nothing is contained. Alerts pile up unactioned.
- Ghost devices. A laptop is bought, never enrolled, connects to corporate systems anyway. The console shows 47 protected devices. There are actually 51. Four are running blind.
- Silent degradation. Software updates, policy conflicts, or exclusion lists chip away at coverage over months. No single alert fires. The protection just quietly thins out while the dashboard still says green.
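The three gaps above are findable by reconciling what the directory knows about devices against what the EDR console knows. The following is an added example (not code from Agile IT or Guardz) that runs that reconciliation over constructed sample inventories; the field names, hostnames and timestamps are made up for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventories (not real tenant data).
# Directory view: every device that authenticates to the tenant.
DIRECTORY = [
    {"name": "LT-ACC-01", "last_sign_in": "2024-05-20T09:12:00Z"},
    {"name": "lt-acc-02.corp.local", "last_sign_in": "2024-05-20T08:40:00Z"},
    {"name": "LT-ACC-03", "last_sign_in": "2024-05-19T17:05:00Z"},
    {"name": "LT-MKT-07", "last_sign_in": "2024-05-20T10:01:00Z"},
]
# EDR console view: only devices with an enrolled agent appear here.
EDR = [
    {"name": "LT-ACC-01", "mode": "block", "last_checkin": "2024-05-20T09:10:00Z"},
    {"name": "LT-ACC-02", "mode": "detect", "last_checkin": "2024-05-20T08:38:00Z"},
    {"name": "LT-ACC-03", "mode": "block", "last_checkin": "2024-04-28T11:00:00Z"},
]
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
STALE_AFTER = timedelta(days=7)  # assumed threshold for an agent that stopped reporting

def canon(name):
    """Normalise a hostname so 'lt-acc-02.corp.local' matches 'LT-ACC-02'."""
    return name.split(".")[0].upper()

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def reconcile(directory=DIRECTORY, edr=EDR, now=NOW, stale_after=STALE_AFTER):
    """Return the three coverage gaps the post describes:
    ghost (in the directory, no agent), detect_only (agent not blocking),
    stale (agent enrolled but silent for longer than stale_after)."""
    agents = {canon(d["name"]): d for d in edr}
    gaps = {"ghost": [], "detect_only": [], "stale": []}
    for dev in directory:
        key = canon(dev["name"])
        agent = agents.get(key)
        if agent is None:
            gaps["ghost"].append(key)
            continue
        if agent["mode"] != "block":
            gaps["detect_only"].append(key)
        if now - parse_ts(agent["last_checkin"]) > stale_after:
            gaps["stale"].append(key)
    return gaps

if __name__ == "__main__":
    for kind, names in reconcile().items():
        print(f"{kind}: {names or 'none'}")
```

Run against real exports, the directory list would come from Entra ID or Intune and the agent list from the EDR console; the point is that the two lists are compared on a schedule rather than trusting the console count alone.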
The right way to find out which of these is happening in your environment is to test it deliberately, not to wait for an incident to do the testing for you.
Why we chose Guardz Ultimate
When Agile IT looked at the cyber security platforms available to layer over our clients’ Microsoft 365 environments, three characteristics mattered more than feature checklists:
1. Built for the SMB managed services model
Most enterprise security platforms were not built for a 25-person accounting firm. They were built for a 25,000-seat enterprise and then repackaged downward, with the complexity intact. Guardz was built from the ground up for the SMB managed service market, which means the platform fits the way Australian SMBs actually run, with the people they actually have.
2. Deep Microsoft 365 visibility
The single most important attack surface for a Microsoft 365 SMB is Microsoft 365 itself: identity, email, file sharing, app permissions, OAuth tokens. Guardz Ultimate sits inside that environment with proper API integration, monitoring identity risk, mailbox rules, token grants, and the kinds of subtle anomalies that distinguish a busy quarter-end from a quiet credential compromise.
3. Continuously validated, not just continuously running
This is the part that lined up with how Agile IT thinks about security. Guardz Ultimate includes ongoing validation of its own detection across MITRE ATT&CK techniques: testing that the coverage you bought is the coverage you have, today, on every managed endpoint. The platform does not just hope it would catch an attack. It rehearses catching one, deliberately, on a recurring basis.
What that looks like in an AgileSECURE engagement
Inside an AgileMANAGED engagement, with AgileSECURE enabled, the Guardz Ultimate overlay covers a defined set of practical controls:
- Managed detection and response across endpoints and the Microsoft 365 tenant, monitored daily, with response actions defined ahead of time
- Identity and access protection, with risk scoring on every sign-in and anomaly detection on identity behaviour
- Email and phishing protection layered on top of Microsoft Defender, picking up the threats that get past the first line
- Data loss prevention on sensitive document types and external sharing
- Posture monitoring across the tenant, tracking configuration drift and surfacing risk before it becomes an incident
- Periodic validation of the detection itself, not just the alerts it generates
None of these controls is novel by itself. The combination, in a single managed console, validated continuously, sold per-user as part of a managed service rather than as a separate tooling project, is the part that matters for Australian SMBs.
How a Guardz-protected environment looks different in practice
The clearest test for whether a security platform is working is how the day-to-day actually feels in the business. With Guardz Ultimate in the AgileMANAGED stack, the practical changes are:
- When an unusual sign-in happens, it is investigated within hours, not when someone next looks at a console
- When a mailbox rule is created that forwards mail externally, it is flagged automatically, because it is one of the most common early signs of a business email compromise
- When a new third-party app is granted Microsoft 365 permissions, the grant appears in the daily review, not in a quarterly audit months later
- When the security operations team finds a detection coverage gap, the fix is part of the managed service, not a separate project the business has to fund
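The mailbox-rule check in the list above is simple enough to show. This is an added example (not Agile IT's or Guardz's code) that flags enabled inbox rules forwarding or redirecting mail outside the tenant's own domains; the rule objects follow the shape of Microsoft Graph messageRule records (GET /users/{id}/mailFolders/inbox/messageRules), but the rule names, addresses and domains are constructed, and the severity logic is the author's assumption.

```python
# Constructed sample rules; field layout follows Graph messageRule objects.
TENANT_DOMAINS = {"example.com.au", "example.onmicrosoft.com"}  # assumed tenant domains

RULES = [
    {"displayName": "Invoices to accounts", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-placeholder",
                 "forwardTo": [{"emailAddress": {"address": "accounts@example.com.au"}}]}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "inv0ices.backup@webmail.example"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Old rule", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"address": "me@personal.example"}}]}},
]

# All three Graph action keys that send a copy of the message somewhere else.
FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

def external_targets(rule, tenant_domains=TENANT_DOMAINS):
    """Addresses the rule sends mail to that sit outside the tenant's domains."""
    found = []
    for key in FORWARD_KEYS:
        for rcpt in rule.get("actions", {}).get(key, []):
            addr = rcpt["emailAddress"]["address"].lower()
            if addr.rsplit("@", 1)[-1] not in tenant_domains:
                found.append(addr)
    return found

def flag_rules(rules=RULES, tenant_domains=TENANT_DOMAINS):
    """Findings for enabled rules that forward externally. Severity is raised
    when the rule also hides the message (delete / markAsRead), which is how
    an attacker keeps the mailbox owner from noticing the forwarded copies."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules are worth logging but do not move mail
        targets = external_targets(rule, tenant_domains)
        if not targets:
            continue
        actions = rule.get("actions", {})
        hides = bool(actions.get("delete") or actions.get("markAsRead"))
        findings.append({"rule": rule["displayName"], "targets": targets,
                         "severity": "high" if hides else "medium"})
    return findings

if __name__ == "__main__":
    for f in flag_rules():
        print(f"[{f['severity']}] rule {f['rule']!r} forwards to {f['targets']}")
```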
The point is not that incidents stop happening. They do not. The point is that incidents stop being a surprise, because the environment is being actively defended, not just hopefully monitored.
The honest part: this is not a silver bullet
A platform is one part of a security posture, not the whole thing. Guardz Ultimate inside AgileSECURE addresses the controls a managed IT partner can be accountable for. The other parts of a working security posture, the ones that sit with the business and its team, still matter and still need attention:
- Staff training that goes beyond a one-time induction
- Sensible policies around password managers, leaver processes and removable media
- A documented incident response plan with contact lists that work when email is down
- An honest cyber risk register reviewed at board level, even if the board is the owner and a co-founder
The role of the security platform is to give the team something defensible to work with, monitored by people who treat the work as a discipline rather than a checkbox. Guardz Ultimate, layered over Microsoft 365 inside AgileSECURE, is how Agile IT delivers that.
What this means if you are evaluating a managed IT partner
If you are looking at managed IT options, ask the question we ask every new client about their previous arrangement:
When was the last time anyone tested whether the EDR actually catches anything?
If the answer is "never", or "we have not thought about it that way", that is a red flag. The answer we want to be able to give for our own clients is: last week, with documented results, and the coverage is current. That is the standard Guardz Ultimate gives us a fair shot at meeting, every week.
The takeaway: an EDR being installed is not the same as an EDR working. We chose Guardz Ultimate to overlay Microsoft 365 because it pairs deep platform visibility with continuously validated detection, the standard we hold ourselves to.