Modern Endpoint Detection and Response (EDR) systems depend on persistent, bidirectional communication with their cloud management console, which lets them continuously report suspicious activity and receive updated instructions or response actions. If that communication is disrupted, the EDR agent continues to collect telemetry locally, but it can no longer deliver alerts to the cloud console. Threat actors can abuse the Windows Filtering Platform (WFP) or modify local name resolution components such as the hosts file to block the EDR agent's outbound communication. This lets them blind the EDR's cloud visibility without triggering a service crash or process termination. Loss of visibility on the endpoints constrains the ability of defensive security teams to detect and respond to threats.
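The hosts-file half of this technique is easy to audit because the tampering leaves a static artifact on disk. The following is an added example, not code from the original text or from any EDR vendor: it parses a hosts file and flags any entry that statically pins a hostname the EDR agent must reach, with a stronger reason when the target address is a loopback or null address (a sinkhole). The sample hosts content and the `edr-vendor.example` domain suffix are constructed; in practice the watchlist would come from the deployed product's documented console and telemetry endpoints.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file (not captured from a real host). Lines 5 and 6
# sinkhole two hypothetical EDR endpoints; the remaining entries are benign.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.local
0.0.0.0         sensor-gw.edr-vendor.example
127.0.0.1       telemetry.edr-vendor.example   # added by "updater"
192.168.1.20    printer.corp.local
"""

# Hypothetical watchlist: domain suffixes the EDR agent must reach. Real values
# come from the vendor's documentation for the product actually deployed.
EDR_DOMAIN_SUFFIXES = ("edr-vendor.example",)

# Addresses that make a name unreachable: IPv4/IPv6 loopback and "null" addresses.
SINKHOLE_NETS = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128", "::/128")
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for every well-formed, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: not a usable hosts entry
        yield line_no, addr, parts[1:]


def is_sinkhole(addr):
    """True if the address resolves nowhere useful (loopback or null)."""
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch.
    return any(addr in net for net in SINKHOLE_NETS)


def is_watched(hostname, suffixes=EDR_DOMAIN_SUFFIXES):
    """True if hostname equals a watched suffix or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_sinkholed_edr_hosts(text, suffixes=EDR_DOMAIN_SUFFIXES):
    """Return a Finding for every hosts entry that pins a watched EDR hostname.

    Any static mapping of an EDR endpoint is reportable (it overrides DNS and can
    redirect the agent); a mapping to a sinkhole address is the blinding case.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            if not is_watched(name, suffixes):
                continue
            if is_sinkhole(addr):
                reason = "watched EDR host mapped to loopback/null address"
            else:
                reason = "watched EDR host statically pinned in hosts file"
            findings.append(Finding(line_no, str(addr), name, reason))
    return findings


if __name__ == "__main__":
    for f in find_sinkholed_edr_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {f.hostname}: {f.reason}")
```

Running the check against the live file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows) on a schedule, or from a file-integrity monitor that fires on writes to it, turns this into a detection rather than a one-off audit. It only covers name-resolution tampering; the WFP variant leaves no hosts-file artifact and is instead visible through auditing of filter-change events and through the agent's own console-side "last seen" heartbeat going stale.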


