Most network intrusions are never caught by the security tools meant to stop them. That is the blunt takeaway from Kaspersky's review of its 2025 compromise assessment engagements, published this week by researchers Victor Sergeev and Amged Wageh, who examined dozens of corporate networks to find what defenders had missed. Across those investigations, roughly 60% of the incidents Kaspersky uncovered had slipped through because the customer's existing tools never raised a high-confidence alert, and only 20% had been found by hand. You can read the original report on Securelist.
The bigger problem is time. Nearly a third of the incidents Kaspersky found had been active for more than three months, and 52% of the high-severity compromises were discovered only after 90 days. The oldest live intrusion the team turned up in 2025 had gone unnoticed for about four years.
Hiding in plain sight for four years
The most striking case involved three Windows domain controllers, the servers that effectively hold the keys to an entire corporate network. Kaspersky found malicious files that had sat there since mid-2021, tucked into the C:\Windows\Fonts folder, a directory where Windows normally hides everything except font files from ordinary users. The files belonged to a cryptomining campaign the researchers track as NSABuffMiner, which spreads across internal networks using the SMB file-sharing protocol and the EternalBlue exploit (CVE-2017-0144). Microsoft patched EternalBlue back in March 2017, four years before this victim was compromised, a reminder of how long a single unpatched system keeps paying for a missed update. For years, the company had no idea attackers were burning its computing power to mine cryptocurrency on its most sensitive servers.
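The Fonts-folder case above invites a simple hunt. The script below is an added example, not code from this briefing or from Kaspersky's report: it walks a Fonts directory (the live C:\Windows\Fonts, or the same path inside a mounted backup), flags files that are not fonts by extension or that begin with a PE "MZ" header even when renamed to look like a font, and reports hash and age so dwell time is visible; the sample directory it builds is constructed for demonstration.

```python
# Added example (not from the Securelist report or this briefing): hunt a
# Windows Fonts folder, live or inside a mounted backup, for files that are
# not fonts by extension or that carry a PE "MZ" header, with hash and age.
import hashlib
import os
import tempfile
import time
FONT_EXTENSIONS = {".ttf", ".otf", ".ttc", ".fon", ".fnt", ".pfb", ".pfm", ".compositefont"}
PE_MAGIC = b"MZ"  # DOS/PE stub signature of .exe and .dll files

def classify(path):
    """Return why a file looks out of place in a Fonts folder, or None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(2)
    if head == PE_MAGIC:
        return "PE executable header"  # caught even if renamed to .ttf
    if ext not in FONT_EXTENSIONS:  # desktop.ini lands here; baseline it
        return "non-font extension " + (ext or "(none)")
    return None

def hunt_fonts_dir(root, now=None):
    """Return findings as dicts, oldest modification time first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reason = classify(path)
            except OSError:
                continue  # locked or unreadable: list those separately if needed
            if reason:
                with open(path, "rb") as fh:  # font files are small; read whole
                    digest = hashlib.sha256(fh.read()).hexdigest()
                age = int(max(0.0, now - os.stat(path).st_mtime) // 86400)
                findings.append({"name": name, "reason": reason, "sha256": digest, "age_days": age})
    return sorted(findings, key=lambda f: -f["age_days"])

def make_sample_dir():
    """Constructed sample: a real-looking font, two planted files, a text note."""
    root = tempfile.mkdtemp(prefix="fonts_hunt_")
    samples = {"arial.ttf": b"\x00\x01\x00\x00" + b"\x00" * 60,  # TrueType header
               "svchost.exe": b"MZ" + b"\x90" * 62,              # dropped binary
               "segoeui.ttf": b"MZ" + b"\x90" * 62,              # PE renamed as font
               "readme.txt": b"not a font"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

On a live host, call hunt_fonts_dir(r"C:\Windows\Fonts") as an administrator and compare the output against a known-good baseline. The same call works against the Fonts path of a mounted backup image, which is where the report says stale infections tend to resurface.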
Why the alarms stay silent
A recurring theme is that cleanups do not stick. Kaspersky says 40% of the web shells it discovered (small scripts that hand attackers remote control of a server) were sitting in backups rather than on live systems, so restoring a backup can quietly reintroduce a threat long after it was supposedly removed. In one engagement, an infected web shell rode a backup onto an internal file server that was never meant to face the internet. The same blind spots show up in asset inventories: a quarter of engagements turned up untracked machines, often cloud Linux web servers that were never joined to the corporate directory and so escaped routine scans.
Attackers also lean heavily on tools that look legitimate. Kaspersky reports that remote management software such as TeamViewer, AnyDesk, and PsExec, along with built-in Windows utilities like certutil and wmic (known as living-off-the-land binaries), showed up in every single engagement that ended in a confirmed incident. Because administrators use the same tools every day, a port scan or a freshly created local admin account can read as routine maintenance or as an intruder moving sideways, and telling the two apart takes context that many security teams simply do not have.
What defenders should take away
Kaspersky's argument is that monitoring tools are necessary but not sufficient. The lowest rates of serious findings came from organizations that ran regular, proactive audits and kept in-house staff who could reverse-engineer malware and review low-confidence alerts by hand. The highest came from companies that only went looking after a known incident. The report presses defenders to treat incident response as a starting point rather than a finish line, pairing it with periodic threat hunting, an accurate asset inventory, disciplined patch management, and checks that backups are not harboring old infections. The long dwell times documented here echo other recent cases of attackers living undetected for months or years, from a year-long web shell hidden inside ArcGIS software to the EternalBlue exploit that still finds unpatched targets nearly a decade after it leaked.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.