What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface

In Your Biggest Security Risk Isn't Malware — It's What You Already Trust, we made a simple argument: the most dangerous activity inside most organizations no longer looks like an attack. It looks like administration. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities your IT team uses every day are also the preferred toolkit of modern threat actors. Bitdefender's analysis of 700,000 high-severity incidents found legitimate-tool abuse in 84% of them.

The reaction we heard most was a fair one: We know. So what do we actually do about it?

That's what Bitdefender's complimentary Internal Attack Surface Assessment is built to answer. It's a 45-day, low-effort engagement available to organizations with 250 or more employees that turns the abstract problem of "living off the land" into a specific, prioritized list of users, endpoints, and tools you can safely take away from attackers without breaking the business.

Why This, Why Now

A clean Windows 11 install ships with 133 unique living-off-the-land binaries spread across 987 instances. Bitdefender Labs telemetry found PowerShell active on 73% of endpoints, much of it invoked silently by third-party applications. This isn't a malware problem — it's an over-entitlement problem, and you can't patch your way out of it.