Detection that occurs at the earliest delivery point of an attack, before payload execution or endpoint compromise. In practice, this means spotting malicious email, web delivery, or other entry vectors early enough to stop exploitation before it turns into access or persistence.
Expanded Definition
First-mile Detection describes the point where malicious activity is identified at the earliest practical delivery stage, such as email, web, messaging, or another ingress channel, before the attacker’s payload is executed. For NHI Management Group, the key distinction is that this is not a general detection outcome and it is not equivalent to endpoint-only alerting. It is a control emphasis on intercepting threats before they gain a foothold, which often means inspecting content, links, attachments, sender behavior, and delivery context rather than waiting for host telemetry.
Definitions vary across vendors because some tools label any pre-execution alert as first-mile detection, while others reserve the term for controls that stop delivery entirely. In practice, the term sits between preventive filtering and downstream detection, and it is most useful when describing security layers that reduce the chance of endpoint compromise. The NIST Cybersecurity Framework 2.0 does not define the phrase directly, but it provides the governance language for identifying, protecting, and detecting risk at the earliest feasible stage.
The most common misapplication is calling endpoint malware alerts “first-mile detection” when the malicious content was only discovered after execution or user compromise.
Examples and Use Cases
Implementing first-mile Detection rigorously often introduces inspection overhead and tuning complexity, requiring organisations to weigh faster threat interception against the risk of blocking legitimate business traffic.
- Email security gateway flags a phishing message before the recipient opens the attachment, preventing the payload from reaching the workstation.
- Secure web gateway blocks a malicious download chain at the URL or reputation layer before the browser fetches the final payload.
- Messaging platform monitoring detects a weaponised link in a collaboration channel and quarantines the message before a user interacts with it.
- Identity-aware mail and link analysis correlates sender anomalies with domain spoofing to stop delivery early, especially where executives, finance teams, or contractors are targeted.
- For agent-driven environments, pre-execution review of files or prompts may be used to stop an early delivery-path risk before an AI agent or user workflow processes it.
These use cases are strongest when telemetry arrives before the attacker has durable access, because first-mile Detection is measured by how early it interrupts the chain, not by how loudly it reports afterward.
Why It Matters for Security Teams
First-mile Detection matters because every successful compromise tends to get cheaper for the attacker after the initial delivery succeeds. If security teams focus too heavily on endpoint response, they may miss the opportunity to stop phishing, malware delivery, credential harvesting, or malicious file transfer at the boundary where the defender still has the advantage. That matters for identity security as well, because the first-mile is often where credentials, tokens, and login flows are targeted before any endpoint compromise occurs.
For organisations managing NHI and agentic systems, the same logic applies to service accounts, secrets, API keys, and tool-enabled workflows. A malicious payload that reaches an automated process can trigger downstream actions faster than a human analyst can intervene, which makes early interception especially valuable. Governance frameworks such as NIST CSF encourage detection and response capabilities that reduce exposure before impact spreads, even when they do not use the same phrase.
Organisations typically encounter first-mile failures only after a phishing or delivery event becomes an access incident, at which point first-mile Detection becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM | First-mile detection supports continuous monitoring and early anomaly identification before compromise. |
| NIST SP 800-53 Rev 5 | SI-4 | System monitoring controls align with inspecting inbound content and delivery paths for malicious activity. |
| ISO/IEC 27001:2022 | A.8.16 | Monitoring activities require detection mechanisms that can surface threats early in the attack path. |
| NIST AI RMF | AI RMF emphasizes managing risks across the full lifecycle, including early-stage delivery risks. | |
| OWASP Non-Human Identity Top 10 | NHI security relies on stopping malicious delivery before secrets, tokens, or service accounts are exposed. |
Place email, web, and ingress telemetry into continuous monitoring so early delivery threats are detected before execution.
Related resources from NHI Mgmt Group
- Should organisations prioritise token rotation or behavioural detection first?
- Why do AD security tools often leave governance gaps when teams buy for detection first?
- Who should own identity-first threat detection in an enterprise?
- How do identity teams decide whether runtime detection or posture management should come first?