Compromise Assessments Reveal Missed High‑Severity Threats Persisting Months in Enterprise Environments
What Happened – Kaspersky’s 2025 compromise‑assessment engagements uncovered that ≈ 60 % of high‑severity incidents went undetected because existing tools failed to generate high‑confidence alerts. Nearly one‑third of the discovered compromises persisted for more than three months, including long‑standing crypto‑mining on domain controllers and in‑memory malware that evaded conventional endpoint protection.
Why It Matters for Compliance & Audit Readiness
- Missed detections indicate gaps in the continuous‑monitoring controls required by SOC 2 CC6.1 (Security) and CC7.1 (System Operations).
- Prolonged, undetected compromise erodes the evidentiary trail auditors expect for “monitoring and response” controls, making it harder to demonstrate reasonable assurance.
- Mapping detection tools and threat‑hunting activities to a verifiable control framework (e.g., Verisq’s Control‑Mapping capability) provides the audit‑ready evidence needed to close these gaps.
Who Is Affected – Large‑scale enterprises across technology/SaaS, financial services, healthcare, and manufacturing that rely on legacy detection stacks or ad‑hoc audits.
Recommended Actions
- Conduct a formal compromise‑assessment or continuous threat‑hunting program to surface hidden artifacts.
- Map each detection control (EDR alerts, log‑aggregation rules, GPO configurations) to the relevant SOC 2 criteria and capture evidence in a centralized Trust Center.
- Integrate automated evidence collection for alerts, containment actions, and forensic artifacts to maintain a defensible audit trail.
Source: Kaspersky – Compromise Assessment Findings 2025
Technical Notes – The report highlights root causes such as overly permissive GPO‑based software distribution, lack of high‑confidence alerting logic, and absence of continuous monitoring. No specific CVEs are cited; the issue is systemic detection and configuration weakness. Source: same as above