45-Day Audit Maps Admin Tools, Cuts Attack Surface

Bitdefender’s 45-day Internal Attack Surface Assessment uses GravityZone PHASR to profile admin-tool use on Windows endpoints, finding PowerShell active on 73% of machines.

Bitdefender launched a 45-day Internal Attack Surface Assessment that runs alongside existing endpoint defenses and uses GravityZone PHASR to profile administration tool use on Windows endpoints. Bitdefender reported PowerShell was active on 73% of endpoints and that early customers reduced internal attack surface by 30% to nearly 70%.

Bitdefender Labs analyzed 700,000 high-severity incidents and found legitimate-tool abuse in 84% of those cases. The company reported a default Windows 11 installation contains 133 distinct living-off-the-land binaries across 987 instances. Telemetry shows many PowerShell invocations are started silently by third-party software.

The assessment runs in four phases over roughly 45 days. The initial phase builds behavioral profiles for each machine-user pair, typically during a 30-day learning period. After that period organizations receive an Attack Surface Dashboard with an exposure score from 0 to 100 and a prioritized list of findings.

Findings are grouped into five categories: living-off-the-land binaries, remote administration tools, tampering tools, cryptominers and piracy tools. Each finding is mapped to the specific users and devices affected.

Organizations can opt into a reduction sprint to apply controls. Controls may be enforced manually or through PHASR’s Autopilot. Users who need a blocked tool can request access through a one-click approval workflow. A final reduction review quantifies how much surface was removed and reports any shadow IT or unauthorized binaries discovered during the assessment.
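The profiling step described above, reduced to its core, as an added example (not Bitdefender's or GravityZone PHASR's code): it builds a per machine-user profile of administration-tool use from constructed process-creation records, groups each finding into two of the five categories, flags PowerShell launched by non-interactive parents, and derives a 0-100 exposure score. The tool catalogue, the sample records and the scoring rule are assumptions made for the illustration.

```python
"""Toy internal-attack-surface profiler (added example, not vendor code)."""
from collections import defaultdict

# Category catalogue: a small constructed subset of well-known binaries.
LOLBINS = {"powershell.exe", "certutil.exe", "mshta.exe", "rundll32.exe", "wmic.exe"}
REMOTE_ADMIN = {"anydesk.exe", "teamviewer.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

# Constructed process-creation records: (host, user, process, parent process).
EVENTS = [
    ("WS01", "alice", "powershell.exe", "explorer.exe"),
    ("WS01", "alice", "powershell.exe", "updater.exe"),   # silent third-party launch
    ("WS02", "bob",   "outlook.exe",    "explorer.exe"),
    ("WS02", "bob",   "certutil.exe",   "cmd.exe"),
    ("WS03", "carol", "anydesk.exe",    "explorer.exe"),
    ("WS04", "dave",  "excel.exe",      "explorer.exe"),
]

def categorize(process):
    """Return the finding category for a process name, or None if it is not catalogued."""
    if process in LOLBINS:
        return "living-off-the-land binary"
    if process in REMOTE_ADMIN:
        return "remote administration tool"
    return None

def build_profiles(events):
    """Map each (host, user) pair to {tool: {"category": ..., "parents": set()}}."""
    profiles = defaultdict(dict)
    for host, user, proc, parent in events:
        cat = categorize(proc)
        if cat is None:
            continue
        entry = profiles[(host, user)].setdefault(proc, {"category": cat, "parents": set()})
        entry["parents"].add(parent)
    return profiles

def findings(profiles):
    """One finding per (host, user, tool); flags PowerShell started by a non-interactive parent."""
    out = []
    for (host, user), tools in sorted(profiles.items()):
        for proc, info in sorted(tools.items()):
            silent = proc == "powershell.exe" and bool(info["parents"] - INTERACTIVE_PARENTS)
            out.append({"host": host, "user": user, "tool": proc,
                        "category": info["category"], "silent_launch": silent})
    return out

def exposure_score(events, profiles):
    """Assumed rule: share of machine-user pairs that used any catalogued tool, scaled to 0-100."""
    pairs = {(h, u) for h, u, _, _ in events}
    return round(100 * len(profiles) / len(pairs)) if pairs else 0
```

Feeding 30 days of real process-creation telemetry through the same loop would yield the baseline that a reduction sprint then restricts per user and device.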

The company reported several early-access customers reduced their attack surface by 30% or more within the first 30 days, and one customer reported close to a 70% reduction after locking down living-off-the-land binaries and remote administration tools. Bitdefender reported those results were achieved without added investigation overhead or disruption to end users’ daily work.

The assessment is complimentary for organizations with 250 or more employees and is intended for Windows-heavy environments. It produces a prioritized list of users, endpoints and tools that can be restricted to limit what an intruder can do after gaining initial access.

Gartner forecasts preemptive cybersecurity will account for about 50% of IT security spending by 2030, up from under 5% in 2024, and projects 60% of large enterprises will adopt dynamic attack surface reduction technologies by 2030, compared with less than 10% in 2025. Gartner noted many intrusions involve no new malware and that attackers can move laterally in minutes.

Organizations that meet the size criteria can request the Internal Attack Surface Assessment to begin profiling and prioritizing internal risks.