Skip to main content
Nimbus

Marvel Rivals EAC status in 2026 — what cheats are safe?

EAC + NEP, the second-stage kernel driver, and what serious overlays do to stay ahead. A 2026 anti-cheat landscape read from the team that ships Nimbus.

Nimbus team8 min read
Marvel Rivals anti-cheat illustration — EAC and NEP layered shield over a stylized game scene

What Marvel Rivals actually runs

Marvel Rivals ships with a two-layer anti-cheat stack:

  1. Easy Anti-Cheat (EAC) — Epic's user-mode + kernel-mode anti-cheat. Same stack as Apex Legends, Fortnite, Hunt: Showdown, and many others. Mature, well-funded, and updated continuously.
  2. NEP — a second-stage nProtect-derived kernel driver that loads alongside Marvel on session start. NEP installs as a randomly-named service per session (e.g. NEPrsbtt9s last session, different next), which makes it harder to surgically kill without tipping EAC.

The two layers don't duplicate work. EAC handles process scanning, memory integrity, signature matching, and the network-side ban pipeline. NEP handles low-level hardware fingerprinting, kernel callbacks, and certain "is this process being inspected" checks.

This post is the educational read — what the layers do, how the ban pipeline works, and what serious overlays do at a high level to stay alive. It's not an operational guide. We don't publish specific bypass techniques, because that's exactly the kind of detail EAC's threat intel team reads in the morning.

What EAC catches and what it doesn't

Public discussion of "what EAC catches" tends to be either marketing hype ("EAC catches everything!") or marketing cope ("EAC catches nothing!"). Reality is much narrower. EAC catches:

  • Known process-module hashes. Every cheat binary EAC has ever seen — leaked, sold, public — is fingerprinted. If your loader drops the same file into the game, that's an instant flag.
  • Signature patterns. Even if the hash differs, EAC scans process memory for byte patterns of known cheats — common ImGui import tables, KeyAuth call sequences, the typical manual-map header arrangement.
  • Behavior heuristics. Hooking ProcessEvent, hooking the D3D11/D3D12 swap chain, scanning UWorld at fixed offsets — all observable from kernel-mode, all behaviorally distinct.
  • Reports + telemetry correlation. When 10 players report one account, EAC pulls the session telemetry and matches it against the cheat library. The "I got reported and immediately banned" pattern usually means a behavioral marker was already on file and the reports pushed it over the threshold.
  • Hardware identifiers. The kernel driver reads stable HWIDs on every session. When a banned-account HWID re-registers on a new account, that's the HWID ban wave we see periodically.

EAC does not catch:

  • "Just FOV adjustments" — no, those still get hooked through the same hooks every aimbot uses; the FOV being modest doesn't hide the hook.
  • "Just reading memory" — reading is detectable too; kernel callbacks can see external reads from non-privileged processes.
  • "Visual-only cheats" — color triggerbots, recolor mods, removed-shadow tweaks all touch the rendering pipeline, which is one of the most-watched surfaces.

The honest read is that every cheat is detectable in principle. What separates a safe overlay from a banned one is how aggressively it minimizes the things EAC actually scans for, and how quickly it rotates when EAC adds new signatures.

NEP — the second-stage kernel driver

NEP loads after EAC, named randomly per session. Its role is the hardware fingerprint + kernel callback layer:

  • Driver callbacks for process creation, thread creation, and image load. These let NEP see when something new joins the Marvel process tree — including injected DLLs.
  • HWID enumeration at a level user-mode can't easily spoof. This is the substrate of HWID bans: the ban is on a fingerprint NEP computes, and resetting the OS doesn't change it.
  • Self-protection — NEP refuses to be unloaded, watches for processes trying to enumerate it, and logs suspicious behavior to its own buffer that EAC reads on disconnect.

Because NEP is per-session and random-named, the older "just kill the NEP service before launch" trick is mostly dead in 2026. Killing it shows up as an explicit anti-anti-cheat behavior in EAC's telemetry, which is its own ban signal.

The ban pipeline: how a ban actually happens

When someone gets banned, the usual sequence is:

  1. Session telemetry uploads during play and at disconnect. EAC sees process tree, loaded modules, hook surfaces, HWIDs.
  2. Reports accumulate from teammates / opponents who flag the account during or after a match.
  3. Behavioral confidence is computed — a weighted score across "matched known signature", "hooked watched function", "abnormal aim variance", "abnormal kill cam", etc.
  4. Manual review queue for borderline scores, automatic processing for high-confidence.
  5. Ban issuance — account-level, with HWID propagation to block immediate re-registration on the same hardware.

The lag between telemetry upload and ban is what people mistake for "EAC doesn't catch X". Bans for behavior on Tuesday often go out Friday night in a "ban wave". A cheat that worked "undetected" for a week may have already been flagged on day one.

What serious overlays do at a high level

We're being deliberately abstract here. Specifics are not the content of this post. At the architecture level, a serious overlay in 2026 does these things:

  • Loads via signature-free delivery. No fixed file path, no fixed module name, no predictable import table.
  • Rotates signatures every build. Identical functionality, different bytes. EAC has to re-learn the cheat each ship.
  • Avoids the loud hook surfaces. Hooks that aim/ESP code can technically read from are not all equal — some are watched closely, some aren't. Serious overlays use the unwatched paths.
  • Plays nice with NEP. Doesn't kill it, doesn't enumerate it, doesn't trip its self-protection callbacks. Treats NEP as a fact of life and works around it, not against it.
  • Stays out of HWID hot zones. Doesn't expose the cheat's detection surface to kernel-mode HWID reads.
  • Pushes patch updates within minutes. Every time EAC ships a new scanner, the serious overlay ships a new payload. Lag is death.
  • Plausible-defaults the UI. Every visible feature in the cheat menu has a conservative default — modest FOV, no box ESP, no kill-cam-obvious behavior. The user can crank things up, but the default protects them.

Notice that all of this is architectural, not operational. We don't tell you "skip module X, hook function Y" — that's the kind of detail that gets the next ship of the entire overlay class flagged.

What we specifically do for Nimbus

In broad strokes (no specifics):

  • CI watches the Marvel Rivals manifest every 60 seconds. On patch delta, we rebuild within minutes — see /changelog for shipped builds. Hours-behind is the bigger ban risk than any specific technique.
  • Signature rotation on every build. Identical code, different binary. We don't ship the same hash twice.
  • Information ESP over box ESP by default. Cooldowns, ult charge, summons. No boxes on live opponents. Box ESP exists in the menu but ships off — the spectator-review surface that catches box ESP is one of the most-watched in 2026.
  • Hero-aware aim with per-hero smoothing tuned to look like good habits, not snap-bot. Every hitscan hero has a different smoothing curve. Every projectile hero has a real gravity-solve. Spectator review on a Nimbus user looks like a player with excellent fundamentals.
  • HWID lock + key isolation so leaks can't dilute the userbase. See our HWID guide.
  • Conservative humanizer on the aim — variance windows, brief pauses, occasional misses. Looks like aim, not like a state machine.

We are not the only overlay that does these things, but we'd put our patch cadence and our spectator-review profile up against anyone in the cluster. If you want to see how we compare to other overlays explicitly, see best Marvel Rivals overlay in 2026.

What you can do as a player

Three things in your control matter more than you think:

  1. Don't crank settings to the obvious. Default FOVs exist for a reason. The most-detected feature is always the most-obvious feature. Modest beats max.
  2. Don't run multiple overlays in parallel. Each adds an independent detection surface. Stacking three free cheats is worse than running one good paid one.
  3. Don't grief. High-rated reports flow into manual review. The fastest way to get caught is to give your opponents the conviction to report you.

The teams that fail at all three of these get caught the fastest, regardless of overlay choice. The teams that get the basics right play safely for a long time on any well-engineered overlay.

Bottom line

Marvel Rivals' anti-cheat stack — EAC + NEP — is mature, actively maintained, and catches every category of cheat in principle. What separates a banned account from a long-lived one is the engineering work the overlay team does, the patch cadence they keep, and the discipline the player brings.

The safe cheats in 2026 are the ones run by teams that take this seriously. We try to be one of them. Read are overlays safe for the buyer-side stress test, and best Marvel Rivals overlay in 2026 for how we line up.

See the Nimbus difference · Compare · Buy Nimbus

Try Nimbus — from $5/day

Hero-aware aim with gravity-correct projectile lead. Information ESP — cooldowns, ult charge, summons. Minutes-not-hours patch turnaround.

More from the blog

Keep reading