Defensive Gap Analysis¶

Cross-Segment Defensive Coverage Matrix¶

The following matrix maps kill chain phases against major security product segments, rating coverage based on the actual defensive capabilities observed against real-world attacker techniques documented in the Threat Actor deep-dives.

Key takeaway: Endpoint products dominate coverage for malware execution, persistence, and privilege escalation --- the phases where file-based indicators and behavioral rules are well-understood. Coverage drops sharply for LOTL execution, edge device delivery, valid account abuse, and encrypted C2 --- the phases where modern adversaries concentrate their tradecraft.

Defensive Coverage Visualization¶

flowchart LR
    subgraph strong["Strong Coverage"]
        direction TB
        A["Endpoint Malware\nDetection"]
        B["Email Phishing\nFiltering"]
        C["Known Signature\nMatching"]
        D["Ransomware\nPrevention"]
    end
    subgraph partial["Partial Coverage"]
        direction TB
        E["Lateral Movement\nDetection"]
        F["Cloud Workload\nMonitoring"]
        G["Data Exfiltration\nPrevention"]
        H["Privilege Escalation\nDetection"]
    end
    subgraph weak["Weak Coverage --- Critical Gaps"]
        direction TB
        I["LOTL / Fileless\nDetection"]
        J["Edge Device\nMonitoring"]
        K["Identity-Based\nAttack Detection"]
        L["Encrypted C2\nAnalysis"]
        M["OT/ICS\nVisibility"]
        N["Multi-Stage\nCorrelation"]
    end
    strong --> partial --> weak
    style strong fill:#2e7d32,color:#fff
    style partial fill:#f9a825,color:#000
    style weak fill:#c62828,color:#fff

The pattern is clear: defenders are strongest where attacks are most visible (file-based malware, email phishing) and weakest where attacks blend into normal operations (LOTL, valid credentials, encrypted channels). Sophisticated actors have shifted their tradecraft accordingly.

This asymmetry has a compounding effect: as defenders invest more in the "strong" categories (better endpoint protection, more advanced email filtering), attackers shift further toward the "weak" categories --- creating an arms race that widens the gap rather than closing it. Closing the structural gaps requires fundamentally different detection approaches, not incremental improvements to existing product categories.

Deep-Dive: Six Structural Defensive Gaps¶

The following sections examine each gap in detail: what makes detection hard, which threat actors exploit it, and where market opportunities exist. These gaps were identified by cross-referencing attacker TTPs documented in the Threat Actor deep-dives against the defensive capabilities analyzed in the 14 segment deep-dives.

1. Living-off-the-Land (LOTL) Detection Gap¶

The challenge: Every invocation of powershell.exe or wmic by an attacker looks identical at the process level to the same invocation by an IT administrator. EDR products detect known-bad command-line patterns (e.g., encoded PowerShell, AMSI bypass strings), but sophisticated actors --- particularly Chinese threat actors --- deliberately avoid these signatures. They use standard administrative commands executed in standard ways, differing from legitimate use only in intent and context --- attributes that are extremely difficult to capture in detection rules.

The MITRE ATT&CK framework documents dozens of techniques that rely on built-in OS utilities: T1059 (Command and Scripting Interpreter), T1047 (WMI), T1218 (System Binary Proxy Execution), and T1053 (Scheduled Task/Job) among the most prevalent.

Which actors rely on LOTL:

• China / Volt Typhoon: The defining LOTL operation. Volt Typhoon achieved multi-year persistence in US critical infrastructure using almost exclusively native Windows tools, avoiding custom malware entirely (CISA Advisory AA24-038A).
• Russia / APT28 (Fancy Bear): Combines custom implants with LOTL for post-exploitation movement (Mandiant APT28 Report, 2023).
• Ransomware affiliates: Pre-encryption reconnaissance and lateral movement frequently relies on PsExec, WMI, RDP, and native scripting.

Why current EDR struggles: Behavioral baselines require extensive tuning per environment. Most organizations lack the detection engineering resources to build and maintain LOTL-specific analytics. CrowdStrike, SentinelOne, and Microsoft Defender all offer LOTL-related detections, but false positive rates remain high enough that many SOC teams disable or deprioritize these rules.

Scale of the problem: Microsoft's own telemetry shows that PowerShell executes billions of times per day across enterprise environments. Even a 0.1% false positive rate on PowerShell-based detections generates thousands of alerts daily in a large organization --- well above the threshold where SOC analysts can investigate each one.

2. Edge Device Blind Spot¶

The scope of the problem: Edge devices are the first thing an external attacker touches --- and often the last thing a defender monitors. The average enterprise network contains hundreds to thousands of edge devices across dozens of vendors and firmware versions. Firmware-level implants can survive reboots and factory resets. Integrity verification tools are nascent or nonexistent for most device families. Even basic logging is inconsistent --- many edge devices generate syslog output in non-standard formats that SIEM platforms struggle to parse effectively.

Which actors exploit this:

• China / Volt Typhoon: Extensively targeted Ivanti Connect Secure, Fortinet FortiGate, Sophos firewalls, and Cisco routers for initial access and persistence (CISA AA24-038A).
• Iran: APT groups exploited VPN appliance vulnerabilities (Pulse Secure / Ivanti) for access to government and defense networks (CISA AA21-321A).
• Initial Access Brokers: Mass-scan for edge CVEs (Citrix Bleed, Fortinet CVE-2023-27997, Ivanti CVE-2024-21887) within hours of public disclosure, selling access to ransomware operators.
• Ransomware operators: Citrix Bleed (CVE-2023-4966) and Fortinet vulnerabilities were among the top initial access vectors in 2023--2024 ransomware campaigns (Mandiant M-Trends 2024).

The supply chain dimension: Edge device vendors themselves are part of the problem. Firmware update cycles are slow (quarterly at best), end-of-life devices remain deployed for years after vendor support ends, and vulnerability disclosure coordination between device vendors and defenders is inconsistent. Organizations often cannot patch edge devices without scheduling maintenance windows that impact availability.

3. Identity-Based Attack Gap¶

Attack surface breadth:

• Credential theft: Infostealers (Raccoon, RedLine, Lumma) harvest credentials at industrial scale. Billions of credentials circulate on dark web markets and Telegram channels (SpyCloud 2024 Identity Exposure Report).
• OAuth / token abuse: Russia / SVR (APT29) specializes in abusing OAuth tokens and application consent flows in Microsoft 365 and Azure AD environments, bypassing MFA entirely (Microsoft Threat Intelligence, Jan 2024).
• Password spraying at scale: Iran conducts massive password spray campaigns against enterprise VPNs and cloud services.
• MFA fatigue / bypass: Scattered Spider and other ransomware affiliates use MFA fatigue (push notification bombing) and SIM swapping to defeat second-factor authentication.
• Service principal abuse: Cloud-native attacks increasingly target service accounts, managed identities, and API keys that lack MFA entirely.

Why current defenses fall short: Identity and Access Management (IAM) products focus on provisioning and authentication --- ensuring the right users get the right access. They are not designed to detect post-authentication abuse: an attacker using valid credentials who behaves abnormally after login. SIEM/SOAR can correlate identity events but requires extensive custom detection engineering.

The non-human identity explosion: Machine identities (service accounts, API keys, certificates, managed identities) outnumber human identities by an estimated 45:1 in enterprise environments. These non-human identities typically lack MFA, have overly broad permissions, and are rarely rotated. Cloud-native attacks increasingly target service principals and workload identities that are invisible to traditional identity governance. See Underserved Areas for the non-human identity market gap analysis.

The cloud identity sprawl problem: A typical enterprise has identities across Active Directory, Entra ID (Azure AD), Okta, AWS IAM, GCP IAM, and dozens of SaaS applications. No single tool provides unified visibility across all identity providers. Attackers exploit this fragmentation --- compromising a credential in one identity provider and using it to access resources governed by another, crossing the visibility boundary between security tools.

4. Encrypted Traffic Analysis Gap¶

The scale of encrypted C2: According to Google Transparency Report data, over 95% of web traffic traversing Google's network is encrypted. Enterprise environments mirror this proportion. A C2 beacon making HTTPS requests to a cloud-hosted endpoint every 30 minutes is statistically invisible in an organization generating millions of HTTPS sessions per day.

Compounding factors:

• TLS 1.3: Encrypts the certificate handshake (via Encrypted Client Hello / ECH), eliminating a key metadata source that defenders previously used for passive inspection.
• DNS-over-HTTPS (DoH): Moves DNS resolution into encrypted HTTPS channels, neutralizing DNS-based C2 detection and threat intelligence feeds that rely on DNS visibility.
• Cloud service abuse: Actors use legitimate services (Azure Blob Storage, Google Drive, Slack, Notion, Cloudflare Workers) for C2 --- the destination domains are indistinguishable from normal business traffic. APT29 (Russia) and APT41 (China) both use cloud-hosted C2 extensively.
• Domain fronting / CDN abuse: Traffic appears directed at a trusted CDN (e.g., Cloudflare, Fastly) but is routed to attacker infrastructure behind the same CDN.

Detection challenge: TLS inspection (break-and-inspect) introduces latency, breaks certificate pinning, raises privacy concerns, and is increasingly infeasible as ECH adoption grows. Organizations need detection methods that work on encrypted traffic metadata rather than decrypted payloads.

Regulatory pressure compounds the problem: GDPR and other privacy regulations limit the ability to decrypt employee traffic. Healthcare (HIPAA), financial services, and government environments face additional restrictions. The tension between security visibility and privacy compliance creates a structural barrier to traditional network monitoring approaches.

5. OT/ICS Visibility Gap¶

The IT/OT convergence risk: As OT environments connect to IT networks for remote monitoring, data analytics, and cloud integration, attack paths from IT to OT proliferate. An attacker with IT network access can pivot to OT systems through poorly segmented network boundaries, shared credentials, or historian servers that bridge both environments.

Which actors target OT:

• Russia / Sandworm: Deployed Industroyer/CrashOverride against Ukraine's power grid (2016) and Industroyer2 (2022). Sandworm has the most demonstrated capability for destructive OT attacks (ESET Industroyer2 Analysis, 2022).
• China / Volt Typhoon: Pre-positioned in US water, energy, and transportation infrastructure --- not for espionage but for potential wartime disruption of critical infrastructure OT systems (CISA AA24-038A).
• Hacktivist / state-adjacent groups: CyberAv3ngers (Iran-linked) targeted US water utility PLCs in late 2023, exploiting default credentials on Unitronics Vision series PLCs --- devices that were internet-facing with no authentication (CISA AA23-335A).

Legacy protocol risk: Industrial protocols like Modbus (designed in 1979) and DNP3 transmit commands in cleartext with no authentication. An attacker on the OT network can send arbitrary commands to PLCs and RTUs --- including commands that alter physical processes --- without needing credentials. Modern protocols like OPC UA offer encryption and authentication, but adoption is slow and backward compatibility requirements mean insecure protocols persist.

Detection maturity: Most OT environments operate at Level 0--1 detection maturity. Asset inventories are incomplete, network monitoring is limited to IT/OT boundary firewalls (if present), and OT-specific protocol analysis is rare. The SANS 2023 OT/ICS Cybersecurity Survey found that only 24% of organizations have dedicated OT security monitoring. See the OT/IoT Security segment for a detailed market analysis.

6. Multi-Stage Attack Correlation Gap¶

The alert fatigue connection: Enterprise SOCs face 10,000+ alerts per day. Studies consistently show 40--60% of alerts go uninvestigated (Ponemon Institute, 2023). When individual alerts lack context, analysts cannot distinguish a true multi-stage intrusion from background noise. This is the operational manifestation of the alert fatigue problem documented in Pain Points.

What is missing:

• Automated kill chain reconstruction: Given a suspicious event, automatically traverse related events backward and forward in time to reconstruct the full attack chain.
• Cross-tool correlation: Attacks cross EDR, NDR, IAM, cloud, and email boundaries. No single tool sees the whole picture, and SIEM/XDR correlation rules are brittle and require constant tuning.
• Long-horizon analysis: SIEM retention is often limited by cost (ingest-based pricing). Attacks with weeks-long dwell times may span multiple retention windows.
• Context enrichment: Raw telemetry (process started, network connection made, file accessed) lacks the business context needed to assess risk. An analyst seeing "PowerShell connected to Azure Blob Storage" cannot determine severity without knowing which user, what data, what time of day, and what baseline behavior looks like.

The dwell time reality: Mandiant's M-Trends 2024 report found a global median dwell time (time from compromise to detection) of 10 days. For espionage-motivated actors like Volt Typhoon, dwell times measured in months to years are documented. Detection systems optimized for real-time alerting are architecturally mismatched to threats that unfold over extended periods.

Detection Maturity Model¶

The following table maps key attacker techniques to a five-level detection maturity model. Most organizations operate at Level 1--2, creating structural advantages for attackers who use techniques requiring Level 3+ defenses.

The maturity levels are:

• Level 0 (None): No detection capability for this technique
• Level 1 (Basic): Signature or rule-based detection with high false positive rates
• Level 2 (Intermediate): Tuned detections with some behavioral analysis
• Level 3 (Advanced): Context-aware detection with low false positive rates and active threat hunting
• Level 4 (Optimized): Continuous validation, automated response, and proactive defense

Gap-to-Opportunity Summary¶

The following table maps each defensive gap to the primary threat actors exploiting it, the security product categories most affected, and the emerging solutions addressing it. Market maturity ratings reflect the current state of vendor solutions addressing each gap:

• Nascent: Few vendors, no established category, limited enterprise adoption
• Early: Emerging vendor category, growing awareness, limited production deployments
• Growing: Established vendor competition, increasing enterprise adoption, analyst coverage

Implications¶

For Product Builders¶

The six gaps identified above represent the highest-value product opportunities in cybersecurity:

1. LOTL/behavioral detection that reduces false positives below analyst fatigue thresholds
2. Edge device integrity monitoring --- a near-greenfield category
3. ITDR for post-authentication identity threat detection
4. Encrypted traffic analysis that works without payload decryption
5. OT-native detection that understands industrial protocols
6. AI-driven attack chain correlation that reconstructs multi-stage campaigns

The common thread across all six gaps: the hardest problems are context problems, not signature problems. Products that can deliver environmental context --- "is this normal for this user, this device, this network?" --- at scale and with low false positive rates will define the next generation of defensive tooling.

Cross-reference: Underserved Areas for market sizing and competitive density analysis; Emerging Tech for enabling technologies.

For Investors¶

Defensive spending is shifting toward the gaps documented here. Categories with the strongest growth tailwinds:

• ITDR: Fastest-growing subcategory within identity security, driven by the credential epidemic and cloud identity sprawl
• OT/ICS security: Regulatory mandates (NIS2, NERC CIP, TSA directives) force spending regardless of budget cycles
• XDR / attack correlation: Platform consolidation trend aligns with the multi-stage correlation gap
• Edge device security: Smallest existing vendor base relative to the severity of the threat

Acquisition signals: Recent M&A activity validates these gap categories. CrowdStrike's acquisitions in identity security, Palo Alto's investments in OT visibility, and Cisco's acquisition of Oort (ITDR) all track the gaps identified here. Early-stage startups in edge device security and encrypted traffic analysis represent potential acquisition targets for platform vendors seeking to close coverage gaps.

Spending trajectory by gap:

For Practitioners¶

Detection investments yielding the highest ROI given current threat patterns:

1. Identity monitoring: Deploy ITDR or, at minimum, enable Azure AD / Entra ID risk-based conditional access and monitor OAuth consent grants. The identity vector is the most exploited and least monitored.
2. Edge device hardening: Implement firmware update discipline, disable unnecessary management interfaces, and forward edge device logs to SIEM. Low cost, high impact.
3. LOTL detection tuning: Invest in detection engineering for the top 10 LOTL binaries (PowerShell, cmd, WMI, certutil, mshta, rundll32, regsvr32, bitsadmin, msiexec, schtasks). Environment-specific baselines beat generic rules.
4. Network segmentation: Microsegmentation limits lateral movement and buys time for detection. The most cost-effective control against ransomware propagation.
5. Deception technology: Honeytokens and honeypots are low-noise, high-signal detection mechanisms. A fake credential that triggers an alert when used has a near-zero false positive rate --- any use is malicious by definition. Underdeployed relative to efficacy.

Key Takeaways¶

1. Defenders are fighting the last war. The security industry's strongest capabilities (signature-based malware detection, email filtering, endpoint protection) address attack techniques that sophisticated adversaries have already moved beyond.

2. The six gaps are interconnected. An attacker who enters via an edge device vulnerability (Gap 2), uses valid credentials (Gap 3), moves laterally with LOTL techniques (Gap 1), and exfiltrates over encrypted channels (Gap 4) crosses four defensive blind spots in a single campaign. Closing one gap without addressing the others provides limited protection.

3. Context is the missing ingredient. Every gap shares a common root cause: defenders lack the environmental context to distinguish malicious activity from legitimate operations. The next generation of security products must be context-native --- built around environmental baselines, identity correlation, and behavioral understanding rather than signatures and rules.

4. The market is responding, unevenly. ITDR and OT security have attracted significant vendor and investor attention. Edge device security and LOTL-specific analytics remain underserved relative to the severity of the threat. The most acute gap --- multi-stage attack correlation --- is being addressed primarily by platform vendors (XDR) rather than purpose-built solutions.

5. Organizations do not need to reach Level 4 everywhere. Pragmatic defenders should identify which gaps are most relevant to their threat model and focus on reaching Level 3 for those specific techniques. The Threat Actor deep-dives provide the threat modeling context needed to make that determination.

Sources¶

• CISA, "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure" (Advisory AA24-038A, Feb 2024): https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
• CISA, "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors" (Advisory AA23-335A, Dec 2023): https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
• CISA, "Iranian Government-Sponsored APT Actors Exploiting Vulnerabilities" (Advisory AA21-321A, 2021): https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
• Mandiant, "M-Trends 2024 Special Report": https://www.mandiant.com/m-trends
• Microsoft Threat Intelligence, "Midnight Blizzard Guidance for Responders" (Jan 2024): https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
• ESET, "Industroyer2: Industroyer Reloaded" (Apr 2022): https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-finds-industroyer2-used-against-ukraine/
• SpyCloud, "2024 Identity Exposure Report": https://spycloud.com/resource/2024-identity-exposure-report/
• CrowdStrike, "2024 Global Threat Report": https://www.crowdstrike.com/global-threat-report/
• Ponemon Institute, "The State of Security Operations" (2023): https://www.ponemon.org/
• FBI Congressional Testimony, "The CCP Cyber Threat to the American Homeland" (Jan 2024): https://www.fbi.gov/news/testimony/the-ccp-cyber-threat-to-the-american-homeland-and-national-security
• SANS Institute, "2023 OT/ICS Cybersecurity Survey": https://www.sans.org/white-papers/sans-2023-ot-ics-cybersecurity-survey/
• Mandiant, "APT28 Targets Diplomatic Entities" (2023): https://www.mandiant.com/resources/blog/apt28-targets-diplomats
• Gartner, "Top Trends in Cybersecurity 2023" (identifying ITDR as a top trend): https://www.gartner.com/en/articles/top-trends-in-cybersecurity-2023
• Google Transparency Report, "HTTPS Encryption on the Web": https://transparencyreport.google.com/https/overview
• ODNI, "2024 Annual Threat Assessment of the U.S. Intelligence Community": https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf

Glossary¶

This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.

A¶

B¶

C¶

D¶

E¶

F/G¶

H¶

I¶

L¶

M¶

N¶

O¶

P¶

R¶

S¶

T¶

V¶

X¶

Z¶