elnerd 2 days ago

After thinking about it for a while, I do not think it is such a big issue. The threat actor was probably an adversary to existing Huntress customers, and the EDR probably reacted to his tooling and mistakes.

When doing red team engagements, we do the same: install the same security solutions as the customer and work around them. Could it be what happened here?

That the analysts spotted him and were able to connect it to existing cases is just good craftsmanship.

I no longer feel that it's relevant to discuss a red line here. Huntress just did their job.