"Bitdefender's analysis of 700,000 high-severity incidents found legitimate-tool abuse in 84% of them."
Living-off-the-land binaries on Windows 11: 133 binaries, 987 instances
Bitdefender paints a concise, uncomfortable picture: modern intrusions often do not look like malware at all but like routine administration. A clean Windows 11 install, the company notes, ships with 133 unique living-off-the-land binaries spread across 987 instances. Its telemetry found PowerShell active on 73% of endpoints, with much of that activity invoked silently by third‑party applications. The company frames the core problem as over‑entitlement — systems and users granted tools they do not strictly need — and argues that you cannot simply patch your way out of that condition.
The Internal Attack Surface Assessment: 45 days, for organizations with 250+ employees
To turn the abstract risk into actionable work, Bitdefender offers a complimentary Internal Attack Surface Assessment: a roughly 45‑day engagement available to organizations with 250 or more employees. The engagement is designed to run alongside whatever endpoint stack an organization already uses and follows four steps:
- Kickoff and behavioral learning: GravityZone PHASR builds behavioral profiles for every machine‑user pair, typically over 30 days.
- Attack Surface Dashboard review: participants receive an exposure score (0–100) and a prioritized list of findings across five categories — living‑off‑the‑land binaries, remote admin tools, tampering tools, cryptominers, and piracy tools — each mapped to the specific users and devices they affect.
- Optional reduction sprint: organizations may apply controls manually or let PHASR's Autopilot enforce them; users can request access back through a built‑in one‑click approval workflow.
- Reduction review: a final session quantifies how much surface was shrunk and surfaces shadow IT and unauthorized binaries discovered during the process.
GravityZone PHASR, automation, and early results
Bitdefender positions GravityZone PHASR (its Proactive Hardening and Attack Surface Reduction technology) as the engine of the assessment. PHASR's Autopilot can enforce controls and provide a workflow for returning access when needed, reducing manual overhead. Early‑access customers, the company reports, have reduced their attack surface by 30% or more in the first 30 days. One customer said it achieved close to 70% reduction by locking down living‑off‑the‑land binaries and remote tools and, importantly, did so "without investigation overhead or end‑user disruption."
Gartner projections and the move to preemptive controls
Bitdefender cites Gartner forecasts to frame why organizations should act now: Gartner projects that preemptive cybersecurity will account for 50% of IT security spending by 2030, up from less than 5% in 2024, and that 60% of large enterprises will adopt dynamic attack surface reduction (DASR) technologies by 2030, up from less than 10% in 2025. The rationale the company offers is mechanical: when most intrusions involve no malware and adversaries move in minutes, "detect and respond" is too slow a loop — you must remove the moves attackers can make in the first place.
How the CISO, the SOC and IT admin, and the business decision‑maker benefit
Bitdefender outlines distinct outcomes for specific roles. For the CISO, the assessment produces "a defensible, board‑ready exposure number that moves week over week, mapped to behaviors attackers actually use." For the SOC and IT admin, the company claims up to 50% less investigation and response workload because entire classes of suspicious‑but‑legitimate behavior no longer occur on endpoints that don't need those capabilities. For the business decision‑maker, the engagement yields documented, ongoing surface reduction — a record Bitdefender says regulators, auditors, and cyber‑insurers increasingly expect to see.
Bitdefender closes on a practical line: if you run a Windows‑heavy environment with 250 or more users, you can obtain a precise, prioritized map of internal risks within 45 days, at no cost, and without changing your existing stack. The company adds a blunt final point: compromises will keep happening; whether one becomes a breach depends almost entirely on what an attacker can reach once they're in. The fastest way to shorten that list, Bitdefender argues, is to look at it.




