It's curious they're just "monitoring" rather than preventing.

In a serious environment you'd run IPE with dm-verity/fs-verity to ensure binaries are whitelisted and integrity-checked at every execution.

lol no one does that (edit: or, rather, that is extremely uncommon, even in "serious" environments, for a ton of reasons).