"Of all the incidents discovered, 20% were found manually, while enterprises missed 60% because of the absence of high-confidence alerts from the tools in place," Kaspersky's 2025 Compromise Assessment analysis reports.
How long threats can hide — and why that matters
Kaspersky found that prolonged dwell times were common and consequential. Thirty point eight percent of all discovered incidents had historical activity spanning more than three months; among high-severity compromises, 52% were only identified after more than 90 days. The oldest missed incident in 2025 dated back roughly four years. One detailed case involved three domain controllers harboring files created in June–July 2021 and linked by Kaspersky Threat Intelligence to a crypto-mining campaign named NSABuffMiner that spreads via SMB exploitation of EternalBlue (MS17-010).
Detection failures: tools, telemetry, and the human gap
The report maps a recurring pattern: tools alone are insufficient when not operationalized. Sixty percent of incidents were missed because no high‑confidence alert was generated; 20% were found only through manual investigation. Organizations without continuous monitoring or threat hunting saw their incidents skew sharply toward greater impact — lack of 24/7 monitoring raised the share of medium/high‑severity incidents to 84–86%. Specific detection gaps were highlighted in memorable cases: a PurpleFox in-memory rootkit and XMRig miner went unnoticed where memory inspection was disabled and signatures were out of date; an in‑memory LionTail implant required volatile memory dumps and reverse engineering to detect. Kaspersky also notes that remote management utilities and LoLBins appeared in every compromise assessment that resulted in an incident, complicating the distinction between legitimate admin activity and malicious abuse.
Backups, inventories and accidental persistence
Malicious artifacts survive and return when backups and inventories are incomplete. Kaspersky found that 40% of discovered web shells resided in backups; overall, 64% of web‑shell incidents were classified as high severity. Asset inventory gaps were identified in 25% of engagements, creating blind spots — for example, cloud‑only Linux web servers not joined to Active Directory that nonetheless were backed up and silently reintroduced infected files when restored. One case cited a web shell embedded inside a .rar backup on an internal file server copied from an offline machine; forensic work revealed a common local administrator password had been set across many servers using PsExec and a .cmd script.
Operational readiness: playbooks, forensics, and communication
The operational side of incident response showed repeated weaknesses. Forensic package collection was required in about 59% of cases, reflecting limited historical visibility and rotated logs; yet many organizations lacked the ability to collect such data. Remote eradication (file/registry removal) was carried out in 39% of engagements but was often delegated through ticketing to IT teams, introducing delays. Communication problems affected response execution in 32% of projects — unclear action confirmations, delayed owner validation, compromised channels, and staff turnover were typical blockers. Kaspersky emphasizes that 39% of engagements needed mid‑engagement plan updates as new artifacts emerged, underscoring that incident response playbooks must be treated as living documents.
What this means for technologists, procurement leaders, and executives
- Technologists and security teams: run a comprehensive detection engine health check within 30 days of project closure, enable memory inspection where appropriate, baseline LoLBin and remote management usage, and introduce a Tier 1 alert validation team to review low‑confidence events.
- Procurement and MSSP overseers: outsourcing does not guarantee coverage — require demonstrable EPP health checks, up‑to‑date threat intelligence feeds, and clear SLAs for continuous monitoring and hunting activities rather than a set‑and‑forget posture.
- Executives and IT managers at affected enterprises: prioritize asset inventory hygiene and patch management (the NSABuffMiner case shows legacy vulnerabilities can be exploited years after a patch is available), and treat incident response playbooks and communication workflows as operational artefacts to be exercised and updated.
Kaspersky's 2025 compromise assessments deliver a blunt conclusion: detection must be maintained as an active capability — not a checkbox. Pairing timely incident response with regular, proactive compromise assessments, sustained threat hunting, and clear operational playbooks reduces the likelihood that low‑visibility threats become high‑severity compromises.




