An attacker’s blunder gave us a look into their operations

I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly is this product. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?

It's definitely not a product for an individual user. Controls like this are useful in certain arenas where you need total visibility of corporate devices. As with any highly privileged tool or service, compromise of it can be a big problem. That said, the goal with tools like this is to usually lock down and keep a close eye on company issued laptops and the like so you know when one gets stolen, hit by some malware, or somebody does things with it they aren't allowed to be doing (e.g. exfiltrating corp data, watching porn at work, running unauthorized executable, connecting to problematic networks, etc.).

As an example, if you're at a FedRAMP High certified service provider, the DoD wants to know that the devices your engineers are using to maintain the service they pay for aren't running a rootkit and that you can prove that said employee using that device isn't mishandling sensitive information.

This makes sense, but in this case, isn't the company behind Huntress having direct access to this data still a problem? For example, if the government purchased Outlook licenses, I'd assume DoD can read clerks' emails, but Microsoft employees can't. I imagine worst case compromising a lot of Huntress' users is just a question of compromising of its developers, like one of the people in the authors section of this article.

Many businesses outsource their SOC to third parties like Huntress, Carbon Black, SentinelOne, all of whom offer very fancy Endpoint Detection and Respone (EDR) tools. Just about every EDR solution is a Cloud/SaaS offering provided either directly or indirectly through a third party Managed Service Provider (MSP). We call this Managed Detection and Respone (MDR). From technical and privacy standpoints, it probably sounds like a huge risk, but it's also worth acknowledging that EDR companies operate immense threat intelligence platforms through real-time monitoring of customers. From a C-suite perspective, it makes a lot of sense to offload the specializations of real-time protection and malware analysis to EDR solutions. There are risk managers who have quantified the risk tolerance for these types of products/arrangements. The company legal department, the CFO, and the board of directors are all satisfied with the EDR solutions placement on the Gartner quadrant and SOC Type 3 report saying the EDR provider follows best practices. Sometimes it's even a requirement for "cyber insurance" which a business may need depending on the industry. For better or for worse, EDR is how most institutions secure their IT infrastructure today.

For worse, I would say. This kind of thing is about accountability shuffling and not at all about improving security.