For years, cybersecurity strategies have been built around a simple assumption: stop malicious files, stop the attack.
Threat actors have evolved.
Today’s attackers don’t need to bring malware into your environment. They’re using what’s already there — trusted tools and legitimate administrative utilities — to move undetected, escalate privileges, and operate in plain sight.
And the hardest reality to accept is this: most organizations don’t know how exposed they are until it’s too late.
Legitimate Tool Abuse You Can’t See
A recent analysis of 700,000 high-severity security incidents revealed two unsettling findings.
- First: 84% of cyberattacks now abuse legitimate tools to evade detection
- Second: Specific types of tools and their capabilities are at higher risk of abuse
Upon further analysis, we found that up to 95% of access to these risky tools is completely unnecessary. This is not an edge-case scenario.
Consider a clean Windows 11 environment. A standard installation includes well over a hundred native binaries that can be abused for Living off the Land (LOTL) attacks — tools like PowerShell, WMIC, Certutil, and others that were not designed with adversarial use in mind.
These binaries are trusted by default, deeply embedded in the operating system, and often required for legitimate administrative tasks or necessary for other applications to work. That makes it difficult to restrict them without impacting productivity or creating an administrative nightmare. Trying to detect malicious activity after bad actors have started to abuse these tools is unsustainable because of the difficulty in discerning intent and the speed of modern, AI-enabled attacks.
The risk isn’t just that these tools exist; it’s that most organizations have little visibility into how widely they’re accessible, who can use them, and whether that access is necessary in the first place. This creates a vast, largely unmanaged attack surface hiding in plain sight.
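One way to get that first look at who can run commonly abused native binaries on a given host, as an added example that is not part of this post and not Bitdefender’s assessment: it reads the NTFS ACLs on a short, illustrative list of binaries, flags every principal with execute rights that is not in an assumed list of expected principals, and reports whether an effective AppLocker policy exists at all. The binary list and the expected-principal list are assumptions to adapt to your environment.

```powershell
# Added example: inventory which principals can execute a few commonly abused
# native Windows binaries, so excess access can be reviewed.
# Assumptions: runs on Windows; the AppLocker module is available for the last
# check; the binary list and the expected-principal list are illustrative only.

$lolbins = @(
    "$env:SystemRoot\System32\certutil.exe",
    "$env:SystemRoot\System32\wbem\WMIC.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\System32\rundll32.exe"
)

# Principals whose execute access is assumed to be expected; everything else
# (for example BUILTIN\Users) is flagged so a human can decide if it is needed.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$executeFile = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

$report = foreach ($path in $lolbins) {
    if (-not (Test-Path -Path $path)) { continue }   # not every binary exists on every SKU
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        # Only Allow entries that include the ExecuteFile right are relevant here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band [int]$executeFile)) { continue }
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Binary    = Split-Path -Path $path -Leaf
            Principal = $who
            Rights    = $ace.FileSystemRights
            Status    = if ($expected -contains $who) { 'expected' } else { 'REVIEW' }
        }
    }
}

$report | Sort-Object -Property Binary, Status | Format-Table -AutoSize

# If no effective AppLocker rules exist, execution of these binaries is governed
# by NTFS ACLs alone, i.e. usually by membership in BUILTIN\Users.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($null -eq $policy -or @($policy.RuleCollections).Count -eq 0) {
    Write-Warning 'No effective AppLocker rules found; only NTFS ACLs restrict these binaries.'
}
```

Rows marked REVIEW are not findings by themselves; they are the starting point for the question this post raises, whether that access is actually needed by the users and applications on the host.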
Adding to the problem is that detection and response tools struggle to discern between malicious intent and legitimate work when risky tools trigger alerts. Security teams are left investigating activity that looks routine, often recognizing the threat only after damage has been done.
In effect, your environment can be compromised without triggering the alerts you rely on.
Investing in EDR and XDR remains critical. But if users (or attackers) have unnecessary access to powerful tools, your attack surface is far larger than you realize. Every unnecessary permission creates another potential path an attacker can exploit, without introducing anything suspicious into your environment.
Investigating Legitimate Tool Abuse
If this feels like something you should investigate, you’re right.
But most security teams don’t have the time or resources to map how trusted tools are used across the organization. Identifying where access is excessive, where shadow usage exists, and how those patterns translate into real attack paths is complex and time-consuming.
Even when teams suspect the risk, proving it and prioritizing it is difficult. That’s why this problem often goes unaddressed. Not because it isn’t important, but because it isn’t visible.
Start With More Insight, Not More Tools
Closing this gap starts with understanding your actual exposure and how attackers can exploit it. But it does not need to be complicated or time-consuming if you utilize the complimentary Bitdefender Internal Attack Surface Assessment.
It’s designed to provide a clear, data-driven view into how trusted tools could be used against your organization. And rather than asking your team to run a trial or deploy new tooling, the assessment is structured to be low-bandwidth and guided. It focuses on identifying unnecessary access, highlighting where risk exists, and providing prioritized recommendations, without disrupting users or adding operational burden.
In the end, you’ll get the clarity you need to act with confidence.
From Reactive to Proactive
Security strategies have long focused on detecting and responding to threats. But LOTL attacks demand a shift in thinking. We must couple strong detection with another approach: reducing the number of ways attacks can succeed in the first place.
What if the most effective control isn’t detecting misuse but preventing it altogether? This is where proactive security begins and where many organizations still have blind spots.
See Your Environment the Way Attackers Do
You no longer need to guess where your risks are. You can see them. Bitdefender’s complimentary Internal Attack Surface Assessment helps you understand how attackers could move through your environment by living off the land and abusing the tools you already trust.