
Missed incidents and threat response gaps: Insights from Kaspersky compromise assessment report

July 2, 2026

A new report from the Kaspersky Compromise Assessment division highlights that many organizations are missing cybersecurity incidents due to reactive approaches, insufficient monitoring, and operational deficiencies. The report reveals that in 31% of incidents that were analyzed, malicious activity in organizations had been going on for over three months. Over half (52%) of high-severity compromises were only discovered after 90 days of going undetected, and the oldest incident identified over the last year remained undetected for as long as four years.

Monitoring tools and controls are not self-sufficient. Of all the incidents discovered, 20% were found manually, while 60% were missed by enterprises because of the absence of high-confidence alerts from existing tools. This indicates a critical reliance on automated tools that are not always effectively configured or monitored. Monitoring tools must be continually configured and adapted to the ever-changing threat landscape, and the human element remains vital: analysts need to actively review low-confidence alerts that often go uninvestigated.

Malicious files restored from backups. For many organizations, their backup systems were a blind spot. As many as 40% of all discovered web shells (malicious scripts or programs) resided undetected in backups, which meant they could be restored after initial incident response activities were completed. Backup integrity and content should be thoroughly inspected.
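One way to put the backup-inspection point above into practice, as an added example that is not taken from the Kaspersky report: before a restore, compare every script file under the web root of a backup archive against a hash baseline captured from a known-good deployment, and flag anything that was not in the clean build or whose content has changed. The paths, file contents and the in-memory archive below are constructed sample data.

```python
import hashlib
import io
import tarfile
from typing import Dict, Iterable, List

# Server-side script extensions whose presence in a web root deserves review.
SCRIPT_EXTS = (".php", ".jsp", ".jspx", ".asp", ".aspx")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Known-good baseline (path -> sha256) taken from a clean deployment."""
    return {path: sha256_bytes(content) for path, content in files.items()}


def make_backup_tar(files: Dict[str, bytes]) -> bytes:
    """Constructed in-memory tar.gz standing in for a real backup image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def find_unbaselined_scripts(backup: bytes, baseline: Dict[str, str],
                             web_roots: Iterable[str]) -> List[dict]:
    """Return script files under the web roots that are absent from, or differ from, the baseline."""
    roots = tuple(web_roots)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.startswith(roots):
                continue
            if not member.name.lower().endswith(SCRIPT_EXTS):
                continue
            digest = sha256_bytes(tar.extractfile(member).read())
            expected = baseline.get(member.name)
            if expected is None:
                findings.append({"path": member.name, "reason": "not in baseline", "sha256": digest})
            elif expected != digest:
                findings.append({"path": member.name, "reason": "differs from baseline", "sha256": digest})
    return findings


# Constructed sample: a clean deployment, then a backup that also carries an
# unexpected upload-directory script and a modified library file.
CLEAN_DEPLOY = {
    "var/www/html/index.php": b"<?php echo 'hello'; ?>\n",
    "var/www/html/lib/db.php": b"<?php function db() {} ?>\n",
}
BACKUP_CONTENTS = dict(CLEAN_DEPLOY)
BACKUP_CONTENTS["var/www/html/lib/db.php"] = b"<?php function db() {} /* changed */ ?>\n"
BACKUP_CONTENTS["var/www/html/uploads/img.php"] = b"<?php /* constructed unexpected script */ ?>\n"
BACKUP_CONTENTS["etc/hosts"] = b"127.0.0.1 localhost\n"


def scan_sample() -> List[dict]:
    return find_unbaselined_scripts(make_backup_tar(BACKUP_CONTENTS),
                                    build_baseline(CLEAN_DEPLOY), ["var/www/"])
```

Anything the scan reports should be reviewed and excluded from the restore set, not simply restored alongside the rest of the backup.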

Communication issues may lead to missed incidents. Nearly a third (32%) of compromise assessments revealed internal communication issues like unclear action confirmation or knowledge loss due to staff turnover. This highlights the need for regular exercises to test not only technical playbooks but also human and communication workflows, as well as operational level agreements.

Incident response practices must be regularly updated. For incident response to be truly efficient and effective, playbooks must be treated as "living documents" that are regularly updated as new artifacts and threat intelligence emerge. Failing to adapt incident response plans to the evolving threat landscape significantly increases the risk of missing critical threats and allowing compromise.

“Organizations face not only external risks, but also hidden threats within their infrastructure, and signs of compromise are not always obvious. Proactive security audits make it more likely that organizations will detect a compromise. Integrating regular, third-party compromise assessments into organizational processes can reduce the probability of unexpected high-severity incidents and improve overall risk posture,” comments Amged Wageh, expert at Kaspersky Compromise Assessment.

Read the full report on Securelist.

Kaspersky recommends organizations:

  • Conduct a comprehensive detection engine health check within 30 days, prioritizing telemetry integrity and rule relevance.
  • Introduce a Tier 1 alert validation team to review all low-confidence detection events on a defined schedule.
  • Ensure robust 24/7 monitoring augmented with threat hunting capabilities focusing on baselining, low-fidelity alerts, and emerging adversary techniques.
  • Reevaluate the vulnerability management pipeline to ensure continuous patching and audit log activation across all critical assets.
  • Update security awareness curricula to address credential leakage from personal devices and reinforce secure BYOD practices.
  • Conduct periodic tabletop exercises to test technical playbooks and sharpen team skills and communication workflows.
  • Establish operational-level agreements to govern and facilitate communication between different teams and standard operating procedures for proper documentation.


About Kaspersky Compromise Assessment

Kaspersky Compromise Assessment is a service that focuses on uncovering active cyberattacks as well as previously unknown attacks that have flown under the radar of your IT security tools and processes. The goal of the service is to provide a high level of assurance as to whether or not your network is compromised and to evaluate the overall security posture with independent expert analysis.



About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date.

Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support.

Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.kaspersky.com.
