Your endpoint security dashboard shows green. Every workstation reports protected status. Antivirus definitions updated this morning. EDR agents are running on 99.8% of devices.
And somewhere in your network, an attacker is exfiltrating customer data using nothing but legitimate system tools and stolen credentials. Your endpoint protection has no idea this is happening.
This isn’t a hypothetical scenario. It’s the reality of how most breaches occur in 2026. According to CrowdStrike’s threat intelligence, 79% of today’s detections are malware-free, a dramatic shift from 40% in 2019. The era of malware-dependent attacks is over. The era of living off the land techniques is here.

For decades, cybersecurity has focused on one primary threat: malicious software. Antivirus vendors built enormous signature databases. Machine learning models trained to identify suspicious code. Behavioral analysis looked for programs doing things programs shouldn’t do.
All of that works brilliantly – against attackers who use malware.
Modern attackers realized they don’t need malware when they can use PowerShell, Windows Management Instrumentation, Remote Desktop Protocol, and other tools that ship with every Windows installation. These aren’t exploits. They’re features. And when used by someone with valid credentials, they’re indistinguishable from legitimate administrative activity.

Unit 42’s Global Incident Response Report 2026 examined over 750 incident response engagements and found a clear pattern: hands-on-keyboard, identity-centric intrusions now dominate the threat landscape. In 87% of cases, attacker activity crossed multiple attack surfaces, requiring investigators to trace behavior across endpoints, identity systems, networks, and cloud services within the same intrusion.
The kill chain has fundamentally changed. It used to look like this:
1. Deliver malicious payload via email or exploit
2. Execute malware on endpoint
3. Establish command and control
4. Achieve objectives
Now it looks like this:
1. Steal valid credentials via phishing or credential stuffing
2. Log in as legitimate user
3. Use built-in tools for reconnaissance and lateral movement
4. Achieve objectives
Notice what’s missing? Malware. Exploits. Anything that a traditional endpoint security service is designed to detect.
Attackers have standardized on a set of techniques security researchers call “living off the land” – using legitimate system administration tools for malicious purposes. Here’s what that actually looks like in practice:
PowerShell for everything. PowerShell is installed by default on every Windows system and exposes nearly every administrative function of the operating system. Attackers use it for network reconnaissance, credential harvesting, privilege escalation, and data exfiltration. When a legitimate system administrator uses PowerShell to query Active Directory, and an attacker uses PowerShell to query Active Directory, the commands look identical to endpoint security tools.
WMI for persistence and lateral movement. Windows Management Instrumentation provides programmatic access to operating system functions. Attackers use WMI for creating scheduled tasks, executing code remotely on other systems, and maintaining persistence without touching disk. WMI activity generates minimal logging in default configurations, making it nearly invisible.
Native remote access tools. Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) exist for legitimate remote administration. Attackers with credentials use them for exactly the same purpose. There’s no behavioral signature to detect – this is the behavior these tools were designed for.
PsExec and other Sysinternals tools. Microsoft’s own Sysinternals suite provides powerful system administration capabilities. PsExec in particular has become a favorite for lateral movement because it looks completely legitimate to endpoint protection.
SpyCloud’s 2026 Identity Exposure Report found that 40% of malware infections occurred on endpoints with EDR or antivirus tools installed. But the more significant finding is what happened next: even after initial malware execution to steal credentials, subsequent attack activity used no malware at all. The infostealer did its job extracting credentials, then the attackers proceeded with entirely legitimate tools.
EDR represented a significant evolution from signature-based antivirus. Instead of just looking for known bad, EDR monitors endpoint behavior for suspicious patterns. It’s far more effective than antivirus software ever was.
But it still fundamentally assumes malicious activity looks different from legitimate activity. When that assumption breaks down, EDR’s effectiveness drops dramatically.
Consider a real scenario from Unit 42’s casework: an attacker gained access through compromised VPN credentials. They used RDP to connect to a jump server, ran PowerShell scripts to enumerate Active Directory, used WMI to install a scheduled task on a file server, and used Windows file-sharing protocols to stage data for exfiltration. Every single action uses native Windows functionality, performing exactly the tasks it was designed for.
The EDR agent on each endpoint saw:
– RDP connection: Normal for this jump server
– PowerShell execution: Normal for administrators
– WMI task creation: Normal administrative activity
– File server access: Normal business operation
Nothing triggered an alert until data left the network in unusual volumes. By then, the attacker had been inside for 6 days.

This illustrates the core limitation: EDR excels at detecting malicious code execution and aberrant process behavior. It struggles with legitimate tools used maliciously by authenticated users.
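The scenario above is worth showing as code, because the gap is not in any single check but in the absence of a join across sources. The following is an added example written for this article, not code from the article's author, from Unit 42 or from any vendor product. Each per-source check returns "normal" for every event, exactly as the EDR verdicts above do; the correlation step then re-keys the same events by account and looks for kill-chain stages clustering inside one breakout window. The event schema, the allowlists, the 60-minute window and the four-stage threshold are assumptions chosen for illustration.

```python
"""Cross-surface correlation over constructed multi-source events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed environment facts: which hosts are sanctioned jump servers, who holds admin rights,
# which shares are ordinary business shares.  All constructed.
JUMP_HOSTS = {"jump-01"}
ADMIN_ACCOUNTS = {"jsmith", "admin.ops"}
BUSINESS_SHARES = {"\\\\fs-02\\finance"}
WINDOW = timedelta(minutes=60)   # assumed correlation window, close to the breakout times cited
MIN_STAGES = 4                   # distinct kill-chain stages inside one window that raise an alert

# Which stage each telemetry source speaks to (assumed mapping).
STAGE = {"vpn": "initial_access", "rdp": "lateral_movement", "powershell": "discovery",
         "wmi": "persistence", "smb": "collection"}

# Constructed events, not real telemetry.  jsmith's chain mirrors the scenario above and
# completes in 41 minutes; admin.ops does the same kinds of things spread across a morning.
EVENTS = [
    {"ts": "2026-03-02T10:00:00Z", "source": "vpn", "account": "jsmith", "host": "vpn-gw", "auth": "success"},
    {"ts": "2026-03-02T10:04:00Z", "source": "rdp", "account": "jsmith", "host": "jump-01"},
    {"ts": "2026-03-02T10:11:00Z", "source": "powershell", "account": "jsmith", "host": "jump-01", "cmd": "Get-ADComputer -Filter *"},
    {"ts": "2026-03-02T10:27:00Z", "source": "wmi", "account": "jsmith", "host": "fs-02", "action": "create_scheduled_task"},
    {"ts": "2026-03-02T10:41:00Z", "source": "smb", "account": "jsmith", "host": "fs-02", "share": "\\\\fs-02\\finance", "bytes": 1_200_000_000},
    {"ts": "2026-03-02T08:00:00Z", "source": "vpn", "account": "admin.ops", "host": "vpn-gw", "auth": "success"},
    {"ts": "2026-03-02T08:30:00Z", "source": "rdp", "account": "admin.ops", "host": "jump-01"},
    {"ts": "2026-03-02T09:40:00Z", "source": "powershell", "account": "admin.ops", "host": "jump-01", "cmd": "Get-ADUser -Filter *"},
    {"ts": "2026-03-02T11:00:00Z", "source": "wmi", "account": "admin.ops", "host": "fs-02", "action": "create_scheduled_task"},
    {"ts": "2026-03-02T13:00:00Z", "source": "smb", "account": "admin.ops", "host": "fs-02", "share": "\\\\fs-02\\finance", "bytes": 40_000_000},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def source_says_normal(ev):
    """The single-source verdict: each tool, seeing only its own event, says 'fine'."""
    s = ev["source"]
    if s == "vpn":
        return ev.get("auth") == "success"            # valid credentials, nothing to flag
    if s == "rdp":
        return ev["host"] in JUMP_HOSTS               # RDP to a jump server is expected
    if s in ("powershell", "wmi"):
        return ev["account"] in ADMIN_ACCOUNTS        # admins run AD queries and create tasks
    if s == "smb":
        return ev.get("share") in BUSINESS_SHARES     # access to a business share is routine
    return False


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Group by account, slide a time window, alert when enough distinct stages cluster."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        for i, end_ev in enumerate(evs):
            end = parse_ts(end_ev["ts"])
            cluster = [e for e in evs[: i + 1] if end - parse_ts(e["ts"]) <= window]
            stages = {STAGE[e["source"]] for e in cluster}
            if len(stages) >= min_stages:
                start = parse_ts(cluster[0]["ts"])
                alerts.append({"account": account, "start": cluster[0]["ts"], "end": end_ev["ts"],
                               "stages": sorted(stages),
                               "hosts": sorted({e["host"] for e in cluster}),
                               "minutes": int((end - start).total_seconds() // 60)})
                break  # one alert per account; the chain itself is the finding
    return alerts


if __name__ == "__main__":
    print("per-source verdicts all normal:", all(source_says_normal(e) for e in EVENTS))
    for a in correlate(EVENTS):
        print(f"ALERT {a['account']}: {a['stages']} on {a['hosts']} within {a['minutes']} min")
```

With the assumed window the alert fires on the WMI task creation at 10:27, the fourth stage, before the staging copy at 10:41; admin.ops never accumulates four stages inside any 60-minute window and stays quiet. Widening the window to several hours would also catch the admin's morning, which is the tuning trade-off a SOC has to make between breakout-speed sensitivity and false positives on slow, legitimate administration.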
Even when EDR does detect suspicious activity, speed matters enormously. Unit 42’s data shows that the fastest 25% of intrusions reached data exfiltration in just 72 minutes. The median breakout time – how long it takes attackers to move from initial access to lateral movement – fell to 48 minutes in 2025.
This creates an asymmetry that favors attackers. They’ve automated reconnaissance, credential harvesting, and privilege escalation. They move at machine speed. Meanwhile, security teams operate at human speed: alerts need to be reviewed, investigated, escalated, and acted upon.
In 72 minutes, a security analyst might not even see the alert yet, let alone investigate and respond. The window for prevention has closed before detection occurs.
Traditional endpoint protection wasn’t designed for this speed. It was designed for malware that established persistence and operated over days or weeks. Analysts had time to investigate, consult threat intelligence, and coordinate a response. That luxury no longer exists.
Even perfect endpoint visibility wouldn’t solve the problem because attacks don’t stay on endpoints. Unit 42’s finding that 87% of incidents crossed multiple attack surfaces means endpoint telemetry alone can’t show the full picture.
An attack that starts with a phishing email (email security layer), delivers stolen credentials (identity layer) used to access a cloud application (SaaS security layer), which grants access to an API (application layer) that queries a database (data layer), won’t be visible to endpoint security at all. The endpoint wasn’t involved.
Modern enterprises run on cloud services, SaaS applications, serverless functions, and containerized workloads. The concept of “endpoint” is increasingly anachronistic. Kubernetes pods aren’t endpoints. Lambda functions aren’t endpoints. OAuth tokens moving between applications aren’t endpoints.
Endpoint security tools secured computing in an era when most computing happened on physical machines and laptops. That era is ending. Cloud security services and identity security have become just as critical – and they require different tools and approaches.
If malware-free attacks are now dominant, security controls must shift to what these attacks actually depend on: identities and behavioral patterns.
Identity-based detection. Since these attacks use valid credentials, the signal to watch is how those credentials are used. Identity Threat Detection and Response (ITDR) monitors for anomalies like:
– Access from new geographic locations or devices
– Unusual time-of-day access patterns
– Privilege escalation requests
– Access to resources outside normal job function
– Velocity anomalies (same account accessing multiple systems rapidly)
These behavioral signals work regardless of whether malware is involved. An attacker logging in from a compromised credential behaves differently from the legitimate user, even when using identical tools.
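To make the identity signals concrete, here is an added example (not code from the article or from any ITDR product) that applies four of them to a constructed sign-in log: new device or location for the account, access outside business hours, impossible travel between consecutive sign-ins, and velocity (many distinct hosts in a short window). The event schema, the 07:00 to 19:00 UTC business window, the 900 km/h travel ceiling and the four-hosts-in-ten-minutes velocity rule are assumptions; the profile only learns from sign-ins that raised no flag, so a flagged device does not quietly become "known".

```python
"""Identity-signal checks over constructed sign-in events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

WORK_HOURS = range(7, 19)               # assumed business hours, UTC
MAX_SPEED_KMH = 900.0                   # faster than this between two sign-ins = impossible travel
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_HOSTS = 4                      # distinct hosts inside the window that trip the rule

# Constructed sign-in log; coordinates are rough city centres, not real telemetry.
EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:00:00Z", "host": "fin-ws-01",   "device": "LAPTOP-A1",  "city": "Boston", "lat": 42.36, "lon": -71.06},
    {"user": "bob",   "ts": "2026-03-02T09:12:00Z", "host": "eng-git-01",  "device": "LAPTOP-B2",  "city": "Boston", "lat": 42.36, "lon": -71.06},
    {"user": "alice", "ts": "2026-03-02T13:30:00Z", "host": "fin-share",   "device": "LAPTOP-A1",  "city": "Boston", "lat": 42.36, "lon": -71.06},
    {"user": "bob",   "ts": "2026-03-02T14:05:00Z", "host": "eng-git-01",  "device": "LAPTOP-B9",  "city": "Boston", "lat": 42.36, "lon": -71.06},
    {"user": "alice", "ts": "2026-03-02T20:15:00Z", "host": "fin-ws-01",   "device": "UNKNOWN-7F", "city": "Kyiv",   "lat": 50.45, "lon": 30.52},
    {"user": "alice", "ts": "2026-03-02T20:16:00Z", "host": "dc-01",       "device": "UNKNOWN-7F", "city": "Kyiv",   "lat": 50.45, "lon": 30.52},
    {"user": "alice", "ts": "2026-03-02T20:17:00Z", "host": "eng-file-01", "device": "UNKNOWN-7F", "city": "Kyiv",   "lat": 50.45, "lon": 30.52},
    {"user": "alice", "ts": "2026-03-02T20:18:00Z", "host": "hr-db-01",    "device": "UNKNOWN-7F", "city": "Kyiv",   "lat": 50.45, "lon": 30.52},
    {"user": "alice", "ts": "2026-03-02T20:19:00Z", "host": "backup-01",   "device": "UNKNOWN-7F", "city": "Kyiv",   "lat": 50.45, "lon": 30.52},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km; used to test whether two sign-ins are physically reachable."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(events):
    """Walk sign-ins in time order, keeping a per-user profile, and return the flagged ones."""
    profiles = defaultdict(lambda: {"devices": set(), "cities": set(), "last": None, "recent": deque()})
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = profiles[ev["user"]]
        ts = parse_ts(ev["ts"])
        flags = []
        seeded = bool(p["devices"])                       # first sign-in seeds the profile
        if seeded and ev["device"] not in p["devices"]:
            flags.append("new_device")
        if seeded and ev["city"] not in p["cities"]:
            flags.append("new_location")
        if ts.hour not in WORK_HOURS:
            flags.append("off_hours")
        last = p["last"]
        if last is not None:
            hours = (ts - parse_ts(last["ts"])).total_seconds() / 3600
            km = haversine_km(last["lat"], last["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                flags.append("impossible_travel")
        recent = p["recent"]                              # hosts touched inside the velocity window
        recent.append((ts, ev["host"]))
        while recent and ts - recent[0][0] > VELOCITY_WINDOW:
            recent.popleft()
        if len({h for _, h in recent}) >= VELOCITY_HOSTS:
            flags.append("velocity")
        p["last"] = ev
        if not seeded or not flags:                       # learn only from clean sign-ins
            p["devices"].add(ev["device"])
            p["cities"].add(ev["city"])
        if flags:
            findings.append({"user": ev["user"], "ts": ev["ts"], "host": ev["host"], "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["ts"], f["user"], f["host"], ", ".join(f["flags"]))
```

Bob's single new_device finding (a laptop refresh) and alice's 20:15 sign-in both come from the same rules; what separates them is that alice's event stacks four signals at once, and the subsequent host-per-minute pattern adds velocity. Ranking by how many independent signals coincide, rather than alerting on any one, is what keeps the device-refresh case from drowning out the compromised account.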
Network traffic analysis. While endpoints might look clean, network traffic still reveals command-and-control communication, lateral movement patterns, and data staging for exfiltration. Modern network detection focuses on encrypted traffic metadata, connection patterns, and volume anomalies rather than deep packet inspection.
Deception technology. Since attackers using legitimate credentials will conduct reconnaissance of your environment, plant deception targets they’ll discover and interact with. Fake user accounts, honeypot systems, and canary tokens create tripwires that no legitimate user would trigger, but automated reconnaissance will hit.
User and Entity Behavior Analytics (UEBA). Machine learning establishes baseline behavior patterns for every user and entity (including service accounts and machine identities). Deviations from baseline trigger investigation. This works whether the deviation comes from malware, compromised credentials, or malicious insiders.
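The UEBA idea is that "unusual" is defined per entity, not globally: 02:00 and nine gigabytes out is routine for a backup service account and alarming for a finance analyst. The following added example (not the article's code and not any UEBA product's algorithm) builds a baseline per user or service account from a constructed training window and scores new-day events against that entity's own history. The event tuples, the 5% hour-rarity threshold and the three-sigma egress cut-off are assumptions; a real deployment would use far more history and a proper time-series model, but the per-entity scoring is the point.

```python
"""Per-entity behavioural baselines over constructed access events (added example)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

HOUR_RARITY = 0.05     # an hour seen in under 5% of the entity's baseline events is "unusual"
EGRESS_SIGMA = 3.0     # bytes out beyond mean + 3 sigma of the entity's own history is a spike

# Constructed baseline (training window) events: (entity, hour_utc, host, bytes_out)
BASELINE = [
    ("alice", 9, "fin-ws-01", 120_000), ("alice", 10, "fin-share", 450_000),
    ("alice", 11, "crm-app", 300_000), ("alice", 14, "fin-share", 200_000),
    ("alice", 15, "fin-ws-01", 90_000), ("alice", 16, "crm-app", 380_000),
    # nightly backup job: 02:00 and roughly 9 GB out are its normal
    ("svc-backup", 2, "backup-01", 9_000_000_000), ("svc-backup", 2, "backup-01", 9_100_000_000),
    ("svc-backup", 2, "backup-01", 8_900_000_000),
]

# Constructed events from a new day, to be scored against the baseline
NEW = [
    ("alice", 10, "fin-share", 400_000),              # ordinary for alice
    ("alice", 23, "eng-file-01", 4_800_000_000),      # new host, late night, huge egress
    ("svc-backup", 2, "backup-01", 9_050_000_000),    # ordinary for the backup account
    ("svc-backup", 14, "hr-db-01", 9_000_000_000),    # backup identity used off-pattern
    ("mallory", 10, "fin-share", 1_000),              # entity with no baseline at all
]


def build_baseline(events):
    """Summarise each entity's history: hosts touched, hour histogram, egress samples."""
    prof = defaultdict(lambda: {"hosts": set(), "hours": Counter(), "bytes": [], "n": 0})
    for entity, hour, host, nbytes in events:
        p = prof[entity]
        p["hosts"].add(host)
        p["hours"][hour] += 1
        p["bytes"].append(nbytes)
        p["n"] += 1
    return prof


def score(event, baseline):
    """Return the list of reasons this event deviates from its own entity's baseline."""
    entity, hour, host, nbytes = event
    p = baseline.get(entity)
    if p is None:
        return ["unknown_entity"]          # no history: cannot be "normal", route to triage
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new_host")
    if p["hours"][hour] / p["n"] < HOUR_RARITY:
        reasons.append("unusual_hour")
    mu, sd = mean(p["bytes"]), pstdev(p["bytes"])
    if nbytes > mu + EGRESS_SIGMA * sd:
        reasons.append("egress_spike")
    return reasons


def score_all(new_events, baseline):
    """Score a batch and keep only the events that deviate."""
    out = []
    for ev in new_events:
        reasons = score(ev, baseline)
        if reasons:
            out.append((ev[0], ev[2], reasons))
    return out


if __name__ == "__main__":
    b = build_baseline(BASELINE)
    for entity, host, reasons in score_all(NEW, b):
        print(f"{entity} -> {host}: {', '.join(reasons)}")
```

The backup account's 02:00 run scores clean while the same account hitting an HR database at 14:00 scores two deviations, which a global "no activity at 2 AM" rule gets exactly backwards. Service accounts and machine identities are the ones most often missing from baselines in practice, and an entity with no history at all should be treated as a finding in its own right rather than silently passed.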
Compunnel’s security operations services integrate these complementary detection capabilities into a unified monitoring platform. Rather than relying solely on endpoint telemetry, security operations correlate signals across identity systems, network infrastructure, cloud environments, and application logs to detect attacks that no single tool can see.
Perhaps the most dangerous aspect of malware-free attacks is that they allow organizations to maintain a false sense of security. All the security metrics look good:
– ✓ 99.8% endpoint protection coverage
– ✓ Malware detections and removals tracked
– ✓ Vulnerability scan compliance high
– ✓ Patch management current
None of these metrics measure what matters. An organization can achieve perfect scores on all of them while being actively compromised via stolen credentials and living-off-the-land techniques.
Security leaders need to ask different questions:
– How quickly can we detect compromised credentials in use?
– What behavioral anomalies would trigger investigation?
– Can we trace the attacker’s lateral movement across multiple systems?
– How long does it take from alert to containment?
These questions don’t have checkbox answers. They require mature security operations, integrated telemetry, and the expertise to interpret behavioral signals.
Detecting malware is largely automated. Signature matching, static analysis, sandboxing – machines do most of the work. Analysts handle edge cases and false positives.
Detecting malicious use of legitimate tools requires human judgment. Determining whether a PowerShell script is administrative maintenance or credential harvesting requires understanding the business context, knowing what’s normal for that user, and analyzing the commands for malicious intent.
The cybersecurity talent shortage compounds this. Organizations struggle to fill security positions even for basic monitoring. Finding analysts who can perform behavioral threat hunting, understand attacker techniques, and distinguish malicious from legitimate use of admin tools is exponentially harder.
This is driving the adoption of managed security services. Rather than trying to build internal SOC capabilities with scarce talent, organizations partner with providers who maintain teams of specialized analysts and invest in the tools and training needed to detect sophisticated threats.
Compunnel’s managed cyber security services provide 24/7 monitoring by analysts specifically trained in detecting identity compromise and living-off-the-land techniques. The service includes behavioral baseline establishment, anomaly detection tuning, and threat hunting focused on the techniques that endpoint security tools miss.
None of this means abandoning endpoint security. EDR still catches malware when it appears. Endpoint agents still provide visibility into process execution, file access, and registry changes.
But endpoint security can’t be the primary security control anymore. It needs to be one layer in a defense-in-depth strategy that prioritizes identity protection and behavioral detection.
A mature endpoint security strategy in 2026 includes:
Modern endpoint protection that understands context. Next-generation EDR correlates endpoint telemetry with identity signals, network traffic, and cloud activity. An RDP session isn’t just “RDP session detected” – it’s “user who normally works in finance accessed engineering systems via RDP from a new device at an unusual time.”
Privilege management and application control. If attackers can’t run PowerShell, they can’t use PowerShell maliciously. Application control and privileged access management restrict what users can execute, even with valid credentials.
Memory protection. Fileless malware operates in memory rather than on disk. Memory scanning and protection catch these threats even when they never write to the filesystem.
Integration with identity systems. Endpoint security needs real-time context about the user behind every action. Is this account’s behavior consistent with their role? Has this account been authenticated from multiple locations in a timeframe that makes that physically impossible?
The statistic that 79% of detections are malware-free isn’t just a data point. It’s a fundamental reframing of what “endpoint security” needs to mean in 2026.
If attackers don’t use malware, security controls designed to detect malware won’t detect attackers. That’s not a flaw in the tools – it’s a mismatch between threat model and defense model.
Organizations still operating under the assumption that endpoint protection equals comprehensive security are defending against threats that peaked in 2019. Meanwhile, the actual threats of 2026 – credential theft, living-off-the-land techniques, and identity compromise – bypass those defenses entirely.
The shift required is from signatures and static rules to behavioral baselines and contextual analysis, from malware detection to identity protection, and from endpoint focus to attack-surface visibility.
That shift doesn’t happen by buying a new endpoint security product. It happens by fundamentally rethinking security architecture around the tactics attackers actually use.
The good news: organizations that make this shift dramatically improve their detection and response capabilities. They detect breaches in hours instead of days. They contain damage before exfiltration occurs. They protect what matters.
The bad news: most organizations haven’t made this shift yet. Their endpoint dashboards still show green while attackers operate undetected in the gaps that those tools can’t see.
Which category does your organization fall into?
Your endpoint security is probably better than you think. Your detection capabilities are probably worse than you realize. Compunnel’s managed security services combine next-generation endpoint protection with identity monitoring, behavioral analytics, and expert threat hunting to detect attacks that bypass traditional tools. Our security operations center correlates signals across your entire attack surface – not just endpoints. Schedule a threat detection assessment to discover what your current tools aren’t seeing.