The Promise of Detection
Modern security programs are built around visibility. Endpoint detection and response (EDR), security information and event management (SIEM), user and entity behavior analytics (UEBA), and extended detection and response (XDR) promise to surface malicious activity by monitoring behavior at scale.
This visibility is necessary. Without it, organizations operate blind.
But detection assumes something fundamental: that attackers will behave differently from legitimate users. That assumption holds for opportunistic threats, commodity malware, and unsophisticated intrusion attempts. It breaks down entirely against skilled adversaries.
How Skilled Attackers Actually Operate
Experienced attackers do not announce themselves through obvious anomalies. They avoid exploits that crash services or drop noisy payloads. Instead, they operate through the same interfaces employees and systems use every day—"living off the land" and staying inside what looks permissible.
They log in using valid credentials. They access systems through approved APIs. They escalate privileges through inherited roles, misconfigured permissions, and trusted service accounts. They move slowly, often over weeks or months—using dwell time to learn the environment.
From the perspective of detection tooling, nothing appears wrong. The attacker is authenticated. The actions are permitted. The workflows are approved. To the detection stack, the attacker looks like a user doing their job.
Why Alerts Fail in Practice
Detection systems are pattern-based. They identify deviations from baselines, known indicators of compromise, or statistically unusual behavior. Skilled attackers understand this and deliberately remain within those baselines.
The result is a predictable failure mode:
- Alerts fire continuously on benign anomalies—misconfigured devices, new software deployments, or unusual but legitimate user behavior
- Analysts become desensitized to volume and false positives
- High-confidence signals are buried beneath low-context findings
Detection excels at answering what happened. It struggles to answer what this enables.
A Common Failure Pattern
An attacker compromises a low-privilege identity through phishing or credential reuse. The account has no obvious administrative rights. Detection tools log the login and move on.
The attacker explores internal systems the account is legitimately allowed to access. They discover inherited permissions that allow access to a shared resource containing credentials, API tokens, or CI/CD secrets for a service account. The service account has broader privileges across the environment.
No exploit was required; no malware was deployed. Every step follows documented access rules. By the time detection triggers—often during data exfiltration or operational disruption—the attacker has already achieved their objective.
How Scapien Complements Detection
Scapien focuses on preconditions, not alerts.
By mapping identities, assets, permissions, misconfigurations, and workflows into validated attack paths, Scapien identifies where compromise is possible before an attacker acts. It exposes the combinations of "legitimate" actions that detection tools will never flag as suspicious on their own.
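As an added illustration, not Scapien's own code or data: a toy permission graph that models the failure pattern above and searches it for chains of permitted steps linking a low-privilege identity to a high-value system, which is the precondition view rather than the alert view. Every node name (user:j.doe, group:build-readers, svc:deploy-bot, prod:k8s-cluster) is constructed for the example.

```python
from collections import deque

# Constructed toy environment, not real data. Nodes are identities, groups,
# shared resources and service accounts; each edge is a documented, permitted
# relation, so nothing on a path through it deviates from any baseline.
EDGES = [
    ("user:j.doe", "member_of", "group:engineering"),
    ("group:engineering", "member_of", "group:build-readers"),  # inherited role
    ("group:build-readers", "can_read", "share:ci-artifacts"),
    ("share:ci-artifacts", "contains_credential_for", "svc:deploy-bot"),
    ("svc:deploy-bot", "admin_on", "prod:k8s-cluster"),
    ("user:a.lee", "member_of", "group:finance"),
    ("group:finance", "can_read", "share:invoices"),
]

HIGH_VALUE = {"prod:k8s-cluster"}

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def attack_paths(graph, start, targets):
    """Breadth-first search for every chain of permitted steps from `start`
    to any node in `targets`; each hop is an explicit grant, not an exploit."""
    paths = []
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        if node in targets:
            paths.append(path)
            continue
        for rel, nxt in graph.get(node, []):
            if nxt not in path:  # guard against cyclic group memberships
                queue.append((nxt, path + [f"--{rel}-->", nxt]))
    return paths

def exposed_identities(edges, targets):
    """Map each user identity to the high-value targets it can reach through
    inherited permissions and stored credentials, computed before any login."""
    graph = build_graph(edges)
    identities = {s for s, _, _ in edges if s.startswith("user:")}
    return {i: attack_paths(graph, i, targets) for i in sorted(identities)}

if __name__ == "__main__":
    for identity, paths in exposed_identities(EDGES, HIGH_VALUE).items():
        print(identity, "reaches", sorted(HIGH_VALUE) if paths else "nothing high-value")
        for p in paths:
            print("   ", " ".join(p))
```

Closing the finding means removing an edge (for example the credential stored in share:ci-artifacts or the inherited group:build-readers membership) and re-running the search until no path remains.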
Detection sees activity. Scapien identifies Security Risk and drives Security Risk Closure (SRC). Together, they close the gap between visibility and prevention.
Security improves not when alerts fire faster, but when exposure is reduced and Security Risk Closure becomes routine—so detection is needed less often and matters more when it does.
