What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface
Bitdefender research shows that 84% of high-severity incidents use legitimate tools; a new assessment maps the attack surface in 45 days
Bitdefender Research Shows Legitimate Tools in 84% of High-Severity Incidents; New Assessment Maps Attack Surface in 45 Days
TL;DR Bitdefender's analysis of 700,000 high-severity incidents found legitimate-tool abuse present in 84% of cases, shifting focus from malware detection to access control. The vendor has released a complimentary 45-day Internal Attack Surface Assessment for organizations with 250 or more employees, using behavioral profiling to identify and reduce exposure to living-off-the-land binaries and administrative tools without disrupting business operations. Early testers report attack surface reductions of 30–70% in the first month.
What happened
Bitdefender published research findings and launched a methodology for organizations to audit and reduce their internal attack surface. The work centers on a counterintuitive finding: most high-severity incidents analyzed did not rely on novel malware or zero-days, but on legitimate administrative tools—PowerShell, WMIC, netsh, Certutil, MSBuild—already present and trusted on endpoints.
The analysis examined 700,000 high-severity incidents. The scope and timeframe of this dataset—whether it covers a specific region, industry vertical, or time period—are not specified in the available materials.
A clean Windows 11 installation ships with 133 unique living-off-the-land binaries distributed across 987 instances. Bitdefender Labs telemetry also found PowerShell active on 73% of endpoints, often invoked silently by third-party applications rather than by human operators.
The assessment itself is a 45-day engagement available at no cost to organizations with 250 or more employees. It runs alongside existing endpoint detection and response (EDR) or antivirus tooling and uses GravityZone PHASR (Proactive Hardening and Attack Surface Reduction) to build behavioral profiles of machine-user pairs over approximately 30 days, generate an exposure score (0–100), and apply or recommend controls to restrict access to tools based on actual job function.
Early-access customers reported reducing attack surface by 30% or more within the first 30 days, with one organization reporting a reduction close to 70% by restricting access to living-off-the-land binaries and remote administration tools.
Why it matters
The shift from detection to prevention reflects a change in attack timelines. If adversaries move within minutes of gaining initial access and most intrusions involve no malware, a traditional "detect and respond" security model becomes inadequate. Removing the tools and access paths attackers would otherwise use constrains them before any detection has to fire, which is faster than responding after the fact.
For security operations and systems administration teams, reducing unnecessary tool availability also reduces investigation noise. Bitdefender claims these teams could see up to 50% less investigation and response workload, because suspicious-but-legitimate behavior no longer occurs on endpoints that do not require those tools.
The research aligns with analyst projections. Gartner projects that dynamic attack surface reduction (DASR) technologies will be adopted by 60% of large enterprises by 2030, up from less than 10% in 2025, and that preemptive cybersecurity spending will grow from less than 5% of IT security budgets in 2024 to 50% by 2030.
For compliance and risk teams, documented surface reduction over time provides the measurable, board-level artifact that regulators, auditors, and cyber-insurers increasingly expect to see.
Affected systems and CVEs
- Windows 11
- PowerShell
- WMIC
- netsh
- Certutil
- MSBuild
- GravityZone PHASR
- Bitdefender Internal Attack Surface Assessment
No CVE assigned at the time of publication.
What to do
- Request access to the Bitdefender Internal Attack Surface Assessment if your organization meets the minimum threshold (250 or more employees).
- During the assessment's behavioral learning phase (approximately 30 days), log typical user and machine activity to build accurate profiles.
- Review the generated exposure score and prioritized findings across five categories: living-off-the-land binaries, remote admin tools, tampering tools, cryptominers, and piracy tools.
- Apply controls manually or use PHASR's Autopilot to enforce restrictions automatically.
- Implement a user request workflow for access restoration if business requirements change.
- Document surface reduction progress over time for compliance and audit purposes.
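The steps above describe learning which tools each machine-user pair actually uses, scoring the remaining exposure, and turning the result into controls. The following Python script is an added illustration of that workflow, not Bitdefender's or PHASR's code: it reads constructed process-creation records (shaped like Sysmon Event ID 1 fields), builds a per-pair profile of which of the page's five named binaries were launched and by what parent process, and scores exposure as the share of trusted tools the pair never used. The inventory, the interactive-parent list, the scoring formula and all hostnames, usernames and paths are assumptions made for the example.

```python
from collections import defaultdict

# Assumed inventory: the LOLBins the page names, treated as present on every host.
LOLBIN_INVENTORY = {"powershell.exe", "wmic.exe", "netsh.exe", "certutil.exe", "msbuild.exe"}

# Parents taken to indicate a human at the keyboard (an assumption for classification).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}

# Constructed process-creation records, shaped like the Image, ParentImage, User and
# Computer fields of Sysmon Event ID 1. Hosts, users and paths are invented.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-01", "user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Program Files\Vendor\Updater.exe"},
    {"host": "WS-FIN-01", "user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Program Files\Vendor\Updater.exe"},
    {"host": "WS-FIN-01", "user": "alice", "image": r"C:\Program Files\Office\excel.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-DEV-02", "user": "bob", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-DEV-02", "user": "bob", "image": r"C:\Program Files\MSBuild\msbuild.exe", "parent": r"C:\Program Files\IDE\devenv.exe"},
    {"host": "WS-DEV-02", "user": "bob", "image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    """Return the lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_profiles(events, inventory=LOLBIN_INVENTORY):
    """Learn, per (host, user) pair, which inventory tools were launched and by which parents."""
    profiles = defaultdict(lambda: defaultdict(set))
    for ev in events:
        image = basename(ev["image"])
        if image in inventory:
            profiles[(ev["host"], ev["user"])][image].add(basename(ev["parent"]))
    return profiles


def exposure_score(profile, inventory=LOLBIN_INVENTORY):
    """Assumed scoring: share of trusted tools the pair never used, scaled to 0-100.

    A tool that is present but never used serves no legitimate task on that
    machine-user pair, so it is pure exposure.
    """
    unused = [tool for tool in inventory if tool not in profile]
    return round(100 * len(unused) / len(inventory))


def recommend(profile, inventory=LOLBIN_INVENTORY):
    """Map each inventory tool to a control derived from the observed use."""
    actions = {}
    for tool in sorted(inventory):
        parents = profile.get(tool)
        if not parents:
            actions[tool] = "block"                      # never used: remove it
        elif parents & INTERACTIVE_PARENTS:
            actions[tool] = "allow"                      # the person really runs it
        else:
            # Used only silently by an application: allow that caller, nothing else.
            actions[tool] = "allow only from " + ", ".join(sorted(parents))
    return actions


def fleet_report(events, inventory=LOLBIN_INVENTORY):
    """Score every observed machine-user pair, including pairs with no LOLBin use."""
    profiles = build_profiles(events, inventory)
    pairs = {(ev["host"], ev["user"]) for ev in events}
    return {pair: exposure_score(profiles.get(pair, {}), inventory) for pair in pairs}


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_EVENTS)
    for pair, score in sorted(fleet_report(SAMPLE_EVENTS).items()):
        print(pair, "exposure", score, recommend(profiles[pair]))
```

On the constructed input, alice's finance workstation scores 80 because only PowerShell is ever launched there, and only by a vendor updater, so the recommendation is to allow PowerShell from that one parent and block the other four binaries; bob's developer machine scores 40 because PowerShell and netsh are run interactively and MSBuild only by the IDE. The recommendations are the input to the manual or Autopilot enforcement step, and the per-pair scores recorded over successive runs are the surface-reduction trend the last step asks you to document.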
Open questions
- What is the specific timeframe (date range) of the 700,000 incidents analyzed by Bitdefender?
- What geographic regions or industry verticals are represented in the incident dataset?
- What criteria determine whether the 45-day assessment timeline is appropriate for organizations above the 250-employee minimum?
- What is the identity of the early-access customer that achieved a 70% reduction?
- How exactly are behavioral profiles built, and what granularity of machine-user pairing is used?
- What specific metrics and thresholds define each point on the 0–100 exposure score?
Source
What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface