VYPR research
Published Jul 2, 2026 · 1 source

Kaspersky Report Reveals Widespread Gaps in Incident Detection, Highlighting Persistent Threats

Kaspersky's 2025 compromise assessments found that 60% of security incidents were missed by existing tools, with many threats lingering for months or even years.

Kaspersky's annual Compromise Assessment report for 2025 paints a stark picture of the cybersecurity landscape, revealing significant deficiencies in how organizations detect and respond to threats. The assessments, which combine threat intelligence, log analysis, and forensic investigations, uncovered that a staggering 60% of security incidents were missed by existing security tools, underscoring a critical gap between deployed defenses and actual threat activity.

The findings indicate a pervasive problem of undetected threats, with nearly a third of all discovered incidents taking over three months to be identified. The longer a threat remains dormant within a network, the greater its potential severity. The report highlights that 52% of high-severity compromises were only discovered after 90 days of undetected presence, and in one alarming case, an incident had gone unnoticed for a full four years.

Remote management tools and Living-off-the-Land Binaries (LOLBins) were identified as common enablers for threat actors, appearing in all detected incidents. This reliance on legitimate system tools makes them particularly difficult to distinguish from normal network activity. Furthermore, the research found that malicious files, such as web shells, were frequently discovered residing in backups, with 40% of such instances going unnoticed until a thorough compromise assessment was conducted.
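As an added illustration, not code from Kaspersky's report or from Vypr's summary, the following Python script shows the kind of check a compromise assessment applies to backup contents: it walks a tar archive in memory and flags web-shell indicators in every file it contains, including files stored under a non-web extension that an extension-only scan would skip. The archive, its file names and the heuristic patterns are all constructed for this example and are not Kaspersky's detection logic.

```python
import io
import re
import tarfile
from dataclasses import dataclass

# Illustrative web-shell heuristics (constructed for this example, not a vendor ruleset).
# Each pattern looks for code paths that feed HTTP request data into execution primitives.
WEBSHELL_PATTERNS = {
    "eval_of_request": re.compile(
        rb"eval\s*\(\s*(\$_(GET|POST|REQUEST|COOKIE)|base64_decode)", re.I),
    "exec_of_request": re.compile(
        rb"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "obfuscated_payload": re.compile(
        rb"base64_decode\s*\(\s*[\'\"][A-Za-z0-9+/=]{40,}", re.I),
}

# Extensions an "obvious" scan would restrict itself to; the example shows why that is too narrow.
WEB_EXTENSIONS = (".php", ".phtml", ".jsp", ".aspx", ".asp")


@dataclass
class Finding:
    member: str   # path inside the backup archive
    rule: str     # which heuristic matched
    offset: int   # byte offset of the match, for triage


def scan_backup(archive_bytes: bytes, only_web_extensions: bool = False,
                max_member_size: int = 5_000_000) -> list[Finding]:
    """Scan every regular file in a tar archive for web-shell indicators.

    With only_web_extensions=True the scan mimics a filter that trusts file
    extensions; with the default it inspects content regardless of name.
    """
    findings: list[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_member_size:
                continue
            if only_web_extensions and not member.name.lower().endswith(WEB_EXTENSIONS):
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read()
            for rule, pattern in WEBSHELL_PATTERNS.items():
                match = pattern.search(data)
                if match:
                    findings.append(Finding(member.name, rule, match.start()))
    return findings


def build_sample_backup() -> bytes:
    """Construct a small gzip-compressed tar backup entirely in memory (sample data)."""
    files = {
        "www/index.php": b"<?php echo 'hello'; include 'lib/db.php'; ?>",
        "www/lib/db.php": b"<?php $dsn = 'mysql:host=localhost'; ?>",
        # Shell-like content parked under a non-web extension, as a backup of a
        # compromised webroot might contain it (constructed sample).
        "www/uploads/cache.bak": b"<?php @eval($_POST['c']); ?>",
        "www/uploads/img.php": b"<?php system($_GET['cmd']); ?>",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_backup()
    print("content scan of all members:")
    for f in scan_backup(archive):
        print(f"  {f.member}: {f.rule} at byte {f.offset}")
    print("extension-filtered scan:")
    for f in scan_backup(archive, only_web_extensions=True):
        print(f"  {f.member}: {f.rule} at byte {f.offset}")
```

Run as-is, the content scan reports both the `.php` file and the `.bak` file, while the extension-filtered scan reports only the `.php` file; the difference is the class of finding that, per the report, stays unnoticed until backups are actually inspected.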

The report emphasizes that monitoring tools alone are insufficient without operational maturity and skilled human analysis. Organizations that lacked continuous monitoring and proactive threat hunting activities were found to have an 84-86% increased likelihood of experiencing high- and medium-severity incidents. Conversely, those with in-house capabilities for malware reverse-engineering faced fewer high-severity outcomes.

Communication breakdowns within incident response teams were also cited as a significant factor in missed incidents, affecting nearly a third of the assessments. The study stresses the importance of treating incident response playbooks as living documents, requiring regular updates to incorporate new threat intelligence and artifacts to ensure efficiency and effectiveness.

Geographically, the META region accounted for the majority of identified incidents (71%), followed by APAC and CIS regions. The government sector was the most affected (29%), followed by education (19%) and financial (17%) sectors. The primary reasons for requesting compromise assessments were general audits (56%), followed by authority reporting (19%) and post-incident checkups (17%).

Analysis by detection logic families revealed that Credentials from dumps (12.4%), Specific living-off-the-land (LOTL) tools (11.2%), and Specific malware families (11.2%) were the most dominant indicators of compromise. These high-fidelity indicators signal a range of persistent threats, from dormant malware to sophisticated multi-stage attacks.

Ultimately, the Kaspersky report serves as a critical call to action, urging organizations to move beyond reactive security measures. It underscores the necessity of proactive threat hunting, robust monitoring, continuous updating of incident response plans, and investing in skilled personnel to effectively combat the evolving threat landscape.

Synthesized by Vypr AI