Traditional cybersecurity guidance emphasized antivirus protection (AV), network firewalls, and periodic vulnerability scanning. Today, these measures are part of baseline cyber hygiene rather than comprehensive defense.

Traditional antivirus vs. novel attacks

Traditional antivirus tools (AV) compare files against a database of known malware, which is efficient for blocking off-the-shelf threats but struggles with polymorphic or custom malware that constantly changes its signature. With new malware being created every second, traditional AV may also miss unknown signatures. 

Visibility gaps

Organizations’ ever-expanding attack surfaces of cloud environments, SaaS applications, and OT and IoT devices have increased the risk of visibility gaps due to unmonitored assets or unlogged data flows (network traffic that passes through an environment without being recorded or analyzed). This lack of visibility is significantly more dangerous than security tools that don’t have all of the latest features. 

For example, “Shadow AI,” employees using unauthorized AI tools, has become a major visibility gap, as has the increasing number of cloud environments businesses employ. Many organizations don’t monitor internal "East-West" cloud traffic flows, allowing attackers to move laterally between cloud environments.

Persistence over speed

Ransomware-as-a-service (RaaS) has accelerated many ransomware attacks (some payloads deploy in under 15 minutes); however, more sophisticated threat actors have increasingly been avoiding “loud” attacks (e.g., immediate, widespread file encryption) in favor of “low-and-slow” techniques. This approach is about attackers maintaining a silent, authorized lifeline into the network while they find high-value data to exfiltrate and encrypt for double or triple extortion. 

Increasingly, attackers use techniques like command and control (C2) and living-off-the-land (LotL), hijacking legitimate administrative tools, such as PowerShell, to conceal their activity. As actors silently map networks, escalate privileges, move laterally, and steal data, they also deploy survival mechanisms (e.g., registry run keys, malicious services) to maintain access even after reboots or credential changes. 

Identity is the new perimeter

The shift toward cloud infrastructure and SaaS has put identity credentials on the front lines of defense. A rapidly increasing number of machine identities (e.g., APIs, microservices) has further broadened the attack surface. With their often high-level permissions and historically limited oversight or MFA protection, these accounts are prime targets.

From brute force and credential stuffing to sophisticated spear phishing, OAuth attacks, and MFA fatigue, attackers have a deep playbook of credential abuse techniques. These tactics allow them to simply log in, rather than trying to hack through a firewall. 

The AI arms race: offense and defense

AI is a double-edged sword in cybersecurity. Threat actors use agentic AI to automate reconnaissance and vulnerability discovery. Generative AI allows them to craft highly convincing, targeted spear-phishing emails, as well as deepfake audio and video.

In a professionalized threat landscape, cybersecurity best practices take a defense-in-depth approach. This strategy implements layered controls so that if any particular control fails, another is there to step in. Minimizing dwell time—the period that an attacker is inside a network before detection—is the biggest factor in containing the “blast radius” of an attack.

Harden endpoints and identities

While a modern security posture operates with an “assume breach” mindset, hardening endpoints and identities is still a crucial part of a layered defense, especially given today’s decentralized environments.

Endpoint security posture management (ESPM) continuously monitors endpoints for vulnerabilities like misconfigurations, unpatched software, and unapproved applications, enforcing control over configuration state and allowed apps. Identity security posture management (ISPM) performs similar scanning for identity-related risks—such as excessive privileges, dormant accounts, and policy gaps—and enforces control over the configuration to remove exposures that an attacker could abuse. Together, these tools can help limit the “unforced errors” that attackers take advantage of.

Continuous monitoring of endpoints, identities, and logs

In addition to the activities and controls of basic security hygiene, it’s necessary to implement continuous ingestion and analysis of telemetry and logs to give broad optics across an organization's IT environment. This enables focusing on behaviors rather than signatures to spot sophisticated techniques like LOTL and fileless malware.

Endpoint security strategies center on endpoint detection and response (EDR). For instance, if PowerShell or remote monitoring and management (RMM) software is periodically connecting to an unknown external IP address, EDR can flag this behavior as a potential sign of malicious activity, such as ransomware. (For more ransomware prevention tips, read Best Ransomware Protection Solutions and Strategies for Enterprises.)

Identity and cloud security best practices include implementing the principle of least privilege (PoLP), enforcing MFA, and monitoring for signs of credential theft, such as impossible travel (logging in from New York and then London minutes later) and unusual admin account creation. Monitoring cloud identities and admin activity relies on identity-focused security controls, such as identity threat detection and response (ITDR) for platforms like Microsoft 365.

A security information and event management (SIEM) solution correlates these logs,  along with data from firewalls, antivirus, identity systems, and other network infrastructure to give your security team unified visibility across multiple environments. 

Clear and tested incident response playbooks

An incident response (IR) plan is the foundation for organizational security and compliance. This framework should include scenario-specific playbooks for likely threats, such as ransomware, business email compromise (BEC), and unauthorized cloud access. Playbooks must define clear roles (e.g., incident commander, legal liaison, etc.) and step-by-step response procedures, beginning with thresholds for when alerts escalate to human investigation. 

IR plans can’t be taken on faith. They have to be tested and refined through tabletop exercises and “live-fire” simulations. This process ensures an efficient response that mitigates damage.

Even with the best security tools, many organizations experience breaches due to operational pitfalls. These can include:

Treating security as a one-time project

Annual or quarterly compliance audits only provide a snapshot of a moment in time. Security must be an ongoing process. With new software vulnerabilities constantly being discovered, legacy hardware incompatibilities, and “IT drift” (configurations changing over time), continuous threat exposure management (CTEM) is essential. 

Part of this ongoing process is employee security training. Managed SAT (security awareness training) helps build a “human firewall” with regular phishing simulations and can dramatically reduce an organization’s susceptibility to this major attack vector.

Ignoring alert fatigue and unmanaged noise

According to IBM, the average security team manages a stack of 83 separate security solutions. This tool sprawl creates an overwhelming number of alerts that leads to mental exhaustion, makes alert triage more challenging, and increases the risk of an intruder slipping through the cracks. Adopting a unified security platform and a Managed Security Operations Center (SOC) can significantly relieve this burden.

Failing to validate security controls

A common trap businesses fall into is assuming their tools are working exactly as intended without verifying them against real-world attacker behavior. Misconfigurations or drift in security settings can render even the most expensive EDR or firewall ineffective. Managed ESPM and Managed ISPM enable continuous monitoring of configurations, looking for drift, and bringing endpoints and identities back into compliance. Breach and attack simulation (BAS) tools can provide automated, ongoing testing to identify vulnerabilities.

Overreliance on AI

Automation can be a powerful tool for ingesting log data and isolating high-risk or noisy threats, but it has limitations. Distinguishing an authorized administrator’s legitimate activity from a sophisticated “hands-on-keyboard” attack often requires nuanced human analysis. Relying too heavily on AI risks low-noise attacks going missed or, on the flip side, constant operational disruptions.

Achieve enterprise-grade detection and response capabilities with Huntress Managed Security Platform. Our managed EDR, ITDR, and SIEM enable modern best practices through active monitoring and expert-led 24/7 response. Explore Huntress today.