
What Is Riot Vanguard?

Riot Vanguard is Riot Games' kernel-mode anti-cheat for Valorant and League of Legends. It loads vgk.sys as an Early Launch Anti-Malware (ELAM) driver at Windows boot, requires TPM 2.0 and Secure Boot on Windows 11, enforces IOMMU on supported chipsets, registers kernel callbacks for process and image events, and bans aggressively at the hardware level: Riot logged 2.3M+ HWID bans in 2025 alone, including a 340K-account wave in five days in January 2026.

RawCheats Anti-Cheat Research Team · Updated May 12, 2026

Vanguard is the most invasive consumer anti-cheat that has ever shipped at scale. Riot launched it with Valorant in 2020 and extended it to League of Legends in 2024. It's the first AC that the broader public learned to be openly afraid of — not because of what it can read, but because of when it runs and what it requires you to enable.

Boot-time driver: ELAM and beyond

Vanguard's kernel driver (vgk.sys) is registered as an Early Launch Anti-Malware (ELAM) driver. ELAM means Windows loads it before any other third-party driver during boot, giving Vanguard first-mover visibility on every driver that loads after it. This is by Microsoft design — ELAM was meant for anti-malware vendors — but Riot is the consumer AC that actually uses it. The practical effect: when you reboot, Vanguard sees everything. You cannot "load before" it.
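
To check the boot-time load order described above on your own machine, this PowerShell audit (an added example, not code from Riot or from the original page) lists boot-start drivers, marks those in the Early-Launch load-order group, and reports their Authenticode status. The function names and the service name vgk for vgk.sys are assumptions.

```powershell
# Added example: audit boot-start drivers and flag the Early-Launch group.
# Run from an elevated PowerShell prompt on the machine being checked.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath {
    param([string]$ImagePath)
    # Boot-start ImagePath values are usually relative to %SystemRoot%
    # ("system32\drivers\x.sys") or prefixed with "\SystemRoot\" or "\??\".
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BootStartDriver {
    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Start = 0 is SERVICE_BOOT_START: the boot loader loads these drivers.
        if ($null -ne $svc.Start -and $svc.Start -eq 0 -and $svc.ImagePath) {
            $path = Resolve-DriverPath $svc.ImagePath
            $sig  = if (Test-Path -LiteralPath $path) {
                Get-AuthenticodeSignature -FilePath $path
            }
            [pscustomobject]@{
                Name        = $_.PSChildName
                Group       = $svc.Group
                # ELAM drivers are installed into the "Early-Launch" group.
                EarlyLaunch = ($svc.Group -eq 'Early-Launch')
                Signature   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
                Path        = $path
            }
        }
    }
}

$drivers = Get-BootStartDriver
$drivers | Sort-Object -Property EarlyLaunch -Descending |
    Format-Table Name, Group, EarlyLaunch, Signature, Signer -AutoSize

# Assumption: the service for vgk.sys is named "vgk"; adjust if it differs.
$vgk = $drivers | Where-Object { $_.Name -eq 'vgk' }
if ($vgk) {
    "vgk: group='{0}' early-launch={1} signature={2}" -f $vgk.Group, $vgk.EarlyLaunch, $vgk.Signature
} else {
    "No boot-start service named 'vgk' is registered on this machine."
}
```

A boot-start driver outside the Early-Launch group still loads at boot, but not ahead of other third-party boot drivers, so the Group column is the value to compare against the claim.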

Hardware requirements: TPM 2.0, Secure Boot, IOMMU

On Windows 11, Vanguard enforces TPM 2.0 enabled, Secure Boot enabled, and where the chipset supports it, IOMMU/VT-d enabled. The TPM 2.0 requirement isn't decorative — Vanguard reads the TPM's endorsement key (EK) certificate as a non-spoofable hardware identifier. This is the foundation of Riot's HWID ban regime: an account banned with EK hash X means EK hash X is on the list forever, and EK certificates are burned into the TPM at manufacture. You can change EK-derived material via TPM2_Clear and recreate primary keys, which moves the surface hash, but the EK certificate itself is not spoofable in software — it's signed by the TPM vendor's CA.
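
The settings listed above can be read back from Windows directly. This PowerShell report (an added example, not Riot's check and not from the original page) collects the TPM family, Secure Boot state, DMA-protection availability, and the EK hash and certificate issuer; the function and property names on the output object are this example's own.

```powershell
# Added example: report TPM 2.0, Secure Boot, IOMMU/DMA protection and EK info.
# Run from an elevated PowerShell prompt; several of these queries need admin.
function Get-PlatformPosture {
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM family.
    $tpmFamily = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems; report that as off.
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # AvailableSecurityProperties value 3 means DMA protection is available,
    # which requires an enabled IOMMU (Intel VT-d / AMD-Vi).
    $dmaProtection = [bool]($dg -and ($dg.AvailableSecurityProperties -contains 3))

    # The EK public key hash is a persistent device identifier; the issuer of
    # the manufacturer certificate is the TPM vendor CA the section refers to.
    $ek = try { Get-TpmEndorsementKeyInfo -HashAlgorithm sha256 -ErrorAction Stop } catch { $null }
    $ekCert = $ek.ManufacturerCertificates | Select-Object -First 1

    [pscustomobject]@{
        TpmPresent        = [bool]$tpm
        TpmFamily         = $tpmFamily
        TpmEnabled        = [bool]$tpm.IsEnabled_InitialValue
        TpmVendor         = $tpm.ManufacturerIdTxt
        SecureBoot        = $secureBoot
        DmaProtection     = $dmaProtection
        EkPublicKeyHash   = $ek.PublicKeyHash
        EkCertIssuer      = $ekCert.Issuer
        # TPM 2.0 and Secure Boot are the hard requirements the section names;
        # IOMMU is listed only "where the chipset supports it".
        MeetsRequirements = ($tpmFamily -eq '2.0') -and $secureBoot
    }
}

$posture = Get-PlatformPosture
$posture | Format-List
if (-not $posture.MeetsRequirements) {
    'TPM 2.0 and Secure Boot are not both active; check the UEFI firmware settings.'
}
```

An empty EkCertIssuer means Windows found no manufacturer EK certificate in the TPM's NV storage; the other fields are unaffected.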

What Vanguard reads

Vanguard hooks process creation, thread creation, image load, and registry callbacks. It performs signature-based scans of all loaded drivers, periodically re-walks the kernel module list (PsLoadedModuleList), validates page-table state for IOMMU compliance, queries SMBIOS values to fingerprint motherboards and BIOS vendors, hashes loaded DLLs, and exports telemetry to Riot's backend. The driver intercepts attempts to open handles to Valorant or LoL processes and rejects all but Riot-authorized callers.

Why Vanguard is harder than EAC or BattlEye

Three factors stack: (1) boot-time loading via ELAM gives Vanguard a strictly larger view than late-loading drivers; (2) hardware attestation via TPM EK creates a non-software-spoofable identifier that survives every OS reinstall; (3) Riot enforces a kernel-level "trust nothing" stance — any unsigned driver loaded after Vanguard gets the system flagged. The Jan 2026 ban wave (340K HWID bans in 5 days) and the 2.3M cumulative 2025 number tell you what the result looks like in practice.

Limits and gray zones

Vanguard cannot see what's running on a second physical machine. This is why high-end Valorant cheating in 2026 has bifurcated into (a) DMA + AER-clean cards + IOMMU-handling SMM patches, expensive and constantly arms-raced, and (b) full Linux-host TPM clearing tricks documented in late 2025 to rotate EK-derived hash material, though these break attestation, and Vanguard's response has been to push for mandatory attestation enforcement. Neither path is in our wheelhouse; RawCheats does not sell Valorant cheats (see our Valorant policy answer).

Forward look — Pluton and full attestation

Vanguard is the AC most aggressively aligned with Microsoft's Pluton roadmap. Pluton's integration into the CPU silicon (AMD Ryzen since the 7000 series, Intel rolling out via Core Ultra) makes the TPM physically inaccessible from a separate device. When Pluton attestation is mandatory across the consumer Windows install base, the TPM-clearing surface narrows further. Vanguard is the AC most likely to make full hardware attestation a hard launch requirement for ranked play within 24 months.

How this affects everything else

Vanguard's mere existence shifted the entire industry. EAC, BattlEye, and Defense Matrix all benchmark against Vanguard's invasiveness. The "should I enable TPM 2.0?" question is downstream of Vanguard. The 2026 Fortnite TPM+IOMMU mandate is downstream of Vanguard normalizing those requirements. Whether or not you ever play Valorant, Vanguard is the AC you should understand — see our HWID Spoofer Complete 2026 Guide for what's still spoofable in this environment.

The Vanguard 2024-2026 ban-volume timeline

Riot has been one of the most public AC vendors about ban totals. The 2025 totals: over 2.3M HWID bans across Valorant and League of Legends combined, with the largest single ban wave being approximately 340,000 accounts banned over five days in January 2026. Per-game breakdown isn't fully disclosed but Valorant accounts for the majority. The pattern: weekly wave bans, occasional surge waves when accumulated cases clear confidence thresholds simultaneously, and continuous low-volume daily bans for high-confidence individual cases.

Why Vanguard remains the strictest baseline

Compared against every other consumer AC in 2026, Vanguard has the strictest baseline because (a) it loads at Windows boot via ELAM rather than at game launch, giving it strictly larger visibility; (b) it enforces TPM 2.0 + Secure Boot as hard launch requirements on Windows 11 rather than soft warnings; (c) Riot's server-side ML pipeline is exceptionally well-trained on Valorant's narrow gameplay shape, making behavioral detection sharper; (d) HWID enforcement uses TPM EK cert hashes as a primary anchor rather than as one signal among many. Each individual choice has analogs at other AC vendors, but the combination is unique to Vanguard. This is what makes the "I don't cheat in Valorant" choice the structural one for the cheat industry, not a tactical preference.

Related Questions

How Does Easy Anti-Cheat (EAC) Work?

Easy Anti-Cheat (EAC) is a kernel-mode anti-cheat owned by Epic Games. It loads a signed Windows driver at game launch, runs in ring 0 alongside the kernel, registers process and image-load callbacks via PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, scans process memory and loaded drivers against signature databases streamed from Epic servers, and exports behavioral telemetry for server-side review. EAC protects Fortnite, Apex Legends, Rust, Dead by Daylight, and roughly 130 other titles.

What Is Microsoft Pluton?

Microsoft Pluton is a TPM 2.0 implementation integrated directly into the CPU silicon as a security subsystem. Unlike discrete TPMs (separate chips on the motherboard) or firmware TPMs (fTPM/PTT running in CPU TEE), Pluton is physically integrated into the processor die and signed by Microsoft's root CA. It ships in AMD Ryzen 7000+ series, select Intel Core Ultra parts, and Qualcomm Snapdragon X. Pluton is NOT spoofable in software and has no separate chip to physically replace.

What Is Secure Boot and Why Do Anti-Cheats Require It?

Secure Boot is a UEFI firmware feature that cryptographically verifies the OS bootloader and kernel against a database of trusted signatures. Only Microsoft-signed (or vendor-signed) boot code can execute. Anti-cheats require it because Secure Boot prevents loading rootkit-level cheats that hook the boot chain itself. With Secure Boot off, an attacker can patch the Windows bootloader, load unsigned drivers, and operate below the anti-cheat's visibility. Fortnite mandated Secure Boot on Feb 19, 2026; Vanguard requires it on Windows 11.

What Is TPM 2.0 and How Does It Affect Cheating?

TPM 2.0 (Trusted Platform Module 2.0) is a tamper-resistant cryptoprocessor that ships in every modern PC — discrete chip, firmware-TPM (fTPM/PTT), or integrated into the CPU as Microsoft Pluton. It stores cryptographic keys, signs attestation quotes, measures boot state via PCRs, and exposes a hardware-rooted device identity via the Endorsement Key (EK). Anti-cheats use the EK as a non-spoofable HWID and validate boot state via attestation. The EK cert is NOT spoofable in software.
