What 45 Days of Watching Your Tools Will Tell You About Your True Attack Surface

Hacker News | May 15, 2026 | Endpoint Security / Threat Detection

In "Your Biggest Security Risk Isn’t Malware – It’s What You Already Trust," we made a simple argument: the most dangerous activity within many organizations no longer looks like an attack. It looks like management. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted tools your IT team uses every day are also the toolkit of choice for today’s threat actors. Bitdefender’s analysis of 700,000 high-severity incidents found legitimate tool abuse in 84% of them.

The response we heard was mostly positive: We know. So what do we actually do about it?

That is what the Internal Attack Surface test recommended by Bitdefender is designed to answer. It is a 45-day, low-effort engagement, available to organizations with 250 or more employees, that turns the seemingly invisible problem of “living off the land” into a specific, prioritized list of users, storage locations, and tools that you can safely take away from attackers without disrupting the business.

Why This, Why Now

A clean Windows 11 install ships with 133 unique living-off-the-land binaries spread across 987 instances. Bitdefender Labs telemetry found PowerShell running on 73% of endpoints, in many cases invoked silently by third-party applications. This isn’t a malware problem — it’s an overfitting problem, and you can’t work your way out of it.

Gartner now projects that preemptive cybersecurity will account for 50% of IT security spending by 2030, up from less than 5% in 2024, and that 60% of large enterprises will use dynamic attack surface reduction (DASR) technology by 2030, up from less than 10% in 2025. The reason is mechanical: when most attacks don’t involve malware and adversaries move in minutes, “detect and respond” is a slow loop. You have to eliminate the moves the attackers can make in the first place.

How Testing Works

The engagement runs in four steps over a period of 45 days. It is powered by GravityZone PHASR, Bitdefender’s Proactive Hardening and Attack Surface Reduction technology, and sits alongside any stack you’re already running:

  1. Initiation and behavioral learning. PHASR builds behavioral profiles of all machine-user pairs, typically over 30 days.
  2. Attack surface dashboard review. You get an exposure score (0–100) and a prioritized list of findings across five categories: living-off-the-land binaries, remote admin tools, tampering tools, cryptominers, and piracy tools, each mapped to specific users and the devices they touch.
  3. Voluntary reduction sprint. Apply the controls manually or let PHASR’s Autopilot apply them. Users can request access back through a built-in single authorization workflow.
  4. Reduction review. The final session shows how much attack surface you have removed and which shadow IT and unauthorized binaries surfaced.

Early-access customers have reduced their attack surface by 30% or more in the first 30 days, with one reporting close to 70% by locking down LOLBins and remote tools, without end-user investigation or interference.

What It Means for Different Stakeholders

  • For CISOs: a defensible exposure number, suitable for the board and tracked week over week, mapped to the behavior that attackers use.
  • For the SOC and IT manager: up to 50% less investigation and response burden, because entire categories of suspicious-but-legitimate behavior no longer happen in places where they are not needed.
  • For business decision-makers: documented, ongoing attack surface reduction, which is increasingly what regulators, auditors, and cyber insurers want to see.

Start Where Attackers Already Are

The previous article concluded with a principle: the most important risks are no longer outside or unknown — they are inside your environment. This one ends with a practice: you can have an accurate, prioritized map of those risks within 45 days, at no cost, without changing your existing stack.

If you are running a Windows-heavy environment with 250 or more users, request your Internal Attack Surface test here. Compromises will continue to happen. Whether a compromise becomes a breach depends entirely on what the attacker can reach once they’re in. The fastest way to shrink that list is to see it.


