TL;DR: In-memory attacks doubled versus file-based infection rates and only 20% of threats matched existing AV signatures, according to SentinelOne’s Enterprise Risk Index, based on filtered telemetry from more than one million deployed agents in the second half of 2016. The result is a reminder that detection and response models need to move beyond static file inspection and signature dependence.
At a glance
What this is: SentinelOne’s Enterprise Risk Index argues that modern attack methods are outpacing static antivirus, with in-memory attacks rising and signature coverage lagging badly.
Why it matters: For IAM, PAM, and NHI teams, the message is that security controls must account for runtime abuse, stolen credentials, and post-compromise activity, not just file-based malware.
By the numbers:
- In the second half of 2016, in-memory attacks doubled in comparison to the infection rates of file based vectors.
- Only 20% of threats had corresponding signatures from existing AV engines.
👉 Read SentinelOne's Enterprise Risk Index analysis of in-memory attacks and AV blind spots
Context
Traditional antivirus is built to recognise known files and signatures after they arrive on disk. That model struggles when attackers execute in memory, chain multiple stages quickly, or use living-off-the-land techniques that leave little or no file artefact behind. The result is a control gap, not just a tooling gap, because the assumption that inspection of files equals effective prevention no longer holds.
This matters to identity security because once execution moves beyond the file, attackers often pivot to credentials, tokens, service accounts, and privileged sessions. In practice, runtime controls, access governance, and behavioural detection become part of the same defence problem. For NHI and human identity programmes, this is a typical pattern rather than an edge case.
Key questions
Q: What breaks when security teams rely on antivirus alone for endpoint protection?
A: Antivirus breaks down when attacks do not present as stable files on disk. Polymorphic malware changes its appearance, and fileless attacks use scripts or memory instead of obvious binaries. That leaves defenders with weak visibility into what actually happened on the host, which is why behavioural telemetry and runtime response are now essential.
Q: Why do in-memory attacks matter for IAM and NHI programmes?
A: In-memory attacks often become an identity problem after execution starts, because attackers use the foothold to steal credentials, abuse tokens, or move through privileged sessions. That means IAM and NHI teams need telemetry that shows which identities were touched during suspicious runtime activity, not just which files were blocked.
Q: How can security teams know whether endpoint policy enforcement is actually working?
A: They should test whether policy holds without custom scripts, local workarounds, or manual exceptions. If users can still install unmanaged applications, retain excessive rights, or move data through removable media, then the policy exists on paper but not in practice.
Q: Who should own response when runtime attacks reach privileged access?
A: Accountability should sit across endpoint security, IAM, and PAM, because runtime attacks often cross those boundaries in minutes. The right owner is the team that can contain execution, revoke access, and investigate identity activity together before lateral movement completes.
Technical breakdown
Why in-memory attacks bypass file-based inspection
In-memory attacks execute code directly in RAM or through process injection, script engines, or reflective loading, which means there may be no malicious file for an antivirus engine to hash and compare. Static inspection depends on artefacts at rest, but memory-resident execution is often transient and tied to trusted processes. That makes the defensive window shorter and the detection logic harder, especially when the attacker uses legitimate system tooling to blend in. Practical implication: complement file scanning with runtime telemetry that can observe process behaviour, script execution, and memory manipulation.
Practical implication: add runtime detection for process and memory abuse where static file inspection has no visibility.
Why signature coverage fails against modern threat variation
Signature-based controls are effective only when the malicious pattern is already known and encoded. The report’s 20% figure reflects a broader problem: attackers frequently modify payloads, repackage tools, or shift to behaviour that does not match existing hashes or known indicators. Once adversaries operate at speed and scale, defenders are forced into a reactive loop. Practical implication: use signatures as one signal among several, not as the primary control for prevention or trust decisions.
Practical implication: treat signatures as a secondary signal and rely on behavioural correlation for primary detection.
What endpoint protection needs to observe beyond the file
Endpoint protection now has to correlate process lineage, command execution, network connections, privilege changes, and persistence attempts. That is especially important in identity-heavy attacks, where the objective is not just malware execution but credential theft, session abuse, or lateral movement. This shifts endpoint security toward control-plane visibility, where the question is what the process is doing, not whether the file is known. Practical implication: integrate endpoint telemetry with IAM and PAM signals so suspicious execution can be evaluated alongside privilege and authentication context.
Practical implication: integrate endpoint telemetry with IAM and PAM signals to spot identity abuse after execution begins.
Threat narrative
Attacker objective: The attacker objective is to maintain stealth long enough to expand access, harvest identity material, and reach higher-value systems without triggering file-based controls.
- Entry begins with a malicious payload or script that is executed without a durable file footprint, often through in-memory or trusted-process techniques.
- Escalation occurs when the attacker uses that runtime foothold to harvest credentials, abuse privileged sessions, or move laterally with living-off-the-land tooling.
- Impact follows when detection is delayed long enough for persistence, data theft, or broader compromise across enterprise systems.
NHI Mgmt Group analysis
Static inspection is no longer a defensible security boundary. The ERI reinforces a structural problem in endpoint defence: if a control only sees files, it will miss a growing share of attacks that execute in memory or mutate before on-disk detection is possible. That is not an edge-case weakness, it is a category limitation. Practitioners should treat file inspection as one layer inside a broader runtime detection model.
Identity abuse becomes the real prize once execution succeeds. In-memory attack trends matter to NHIs because the purpose of many modern intrusions is to reach credentials, tokens, and privileged sessions after the initial payload lands. That means endpoint controls, PAM, and NHI governance can no longer be treated as separate problem sets. The governance conclusion is simple: runtime execution events must be correlated with identity context.
Detection quality has to be measured by coverage of behaviour, not signature count. A control stack can appear mature while still missing most threats if it measures the wrong thing. The report’s signature gap shows why operational metrics should focus on process behaviour, privilege escalation attempts, and lateral movement signals. The practitioner conclusion is to replace comfort metrics with evidence of real attack-path visibility.
Behaviour-first security creates a more realistic board metric. SentinelOne’s framing of board-level cyber metrics points to a useful shift, but the metric that matters is not how much malware is blocked on arrival. It is how much malicious runtime activity is observed, contained, and correlated with identity abuse before impact. The practitioner conclusion is to report on control efficacy across execution, identity, and response rather than file detections alone.
Runtime telemetry should become the bridge between endpoint and identity governance. The article’s core lesson is that defenders need a control model that can follow an attack after the file has disappeared. That is where endpoint, IAM, and PAM oversight converge: suspicious execution is often only the first visible symptom of a wider identity compromise. The practitioner conclusion is to design for cross-domain correlation, not siloed alerting.
What this signals
Static controls are becoming a weaker signal for both security operations and identity governance. As attack execution shifts into memory and away from durable files, programmes need stronger correlation between endpoint activity, privileged access, and identity context, especially where service accounts or tokens can be abused after the first foothold.
Runtime visibility gap: this is the point where organisations stop treating endpoint protection as a malware-only problem and start treating it as an identity and privilege problem as well. The practical next step is to connect detection telemetry with privilege controls and response playbooks so that one team can see the full attack path.
The governance implication is straightforward: if a control cannot observe behaviour at runtime, it cannot credibly claim coverage against modern attacks. Boards and security leaders should ask whether their metrics describe real attack containment or only file-based detection volume.
For practitioners
- Correlate endpoint telemetry with identity events Join process execution, privilege changes, and authentication logs so that suspicious runtime behaviour can be evaluated alongside account, token, and session activity.
- Measure control coverage by behaviour, not signatures Track how many detections come from process lineage, command execution, and memory anomalies rather than signature matches, then use that ratio to identify blind spots in your stack.
- Harden privileged sessions against post-execution abuse Shorten standing privilege exposure, require just-in-time elevation where possible, and make sure privileged access monitoring can see suspicious child processes or script execution.
- Use runtime threats to reassess endpoint assumptions Review which security decisions still depend on a file being present on disk, then move those decisions to controls that can observe memory-resident execution and rapid attacker tradecraft.
Key takeaways
- The report shows a control gap between what attackers are doing at runtime and what static antivirus can still see.
- The 20% signature match rate highlights why file-based detection alone is not a reliable defence against modern threats.
- Security programmes should measure behavioural coverage, identity correlation, and containment speed instead of relying on file inspection metrics.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0002 , Execution; TA0006 , Credential Access; TA0008 , Lateral Movement | The article focuses on runtime attack behaviour and post-execution movement. |
| NIST CSF 2.0 | DE.CM-7 | Continuous monitoring is central to detecting memory-resident and behaviour-based threats. |
| NIST SP 800-53 Rev 5 | SI-4 | System monitoring is the core control for observing malicious runtime activity. |
| CIS Controls v8 | CIS-8 , Audit Log Management | Log coverage is necessary to correlate endpoint activity with identity and response events. |
Map detections to execution, credential access, and lateral movement to see where static controls fail.
Key terms
- In-Memory Attack: An attack that executes primarily in memory rather than leaving a durable malicious file on disk. This reduces the value of traditional file scanning and forces defenders to detect process behaviour, memory manipulation, and abnormal runtime activity instead of relying on hashes and signatures alone.
- Signature-Based Detection: Signature-based detection identifies malware by comparing files or patterns against known malicious indicators. It is effective for previously seen threats but weak against polymorphic malware, fileless execution, and attacks that reuse legitimate tools, because the malicious behaviour may never match a stable signature.
- Runtime telemetry: Observation of what a system actually does while it is executing. In agentic CI/CD, this means seeing which commands, files, tools, and credentials an agent touched so security teams can detect misuse that static workflow review will miss.
What's in the full report
SentinelOne's full research covers the operational detail this post intentionally leaves for the source:
- Agent telemetry and threat mix breakdowns from the second half of 2016 across more than one million deployed agents.
- The specific in-memory attack patterns observed in production environments and how they differed from file-based vectors.
- Board-level metrics framing and the benchmark model the report proposes for cyber security investment decisions.
- The full discussion of why agnostic endpoint protection is positioned as necessary for mainstream attack methods.
Deepen your knowledge
NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It is designed for practitioners who need to connect identity controls to the wider security programme.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org