Antivirus has been the default endpoint security tool for decades. Traditional antivirus works by matching files against a database of known malicious hashes and byte patterns and blocking anything that matches. For a long time, that was sufficient: attackers wrote malware, security vendors identified it, added it to their signature databases, and antivirus blocked it.
That model broke down as attackers got more sophisticated. Modern attacks increasingly rely on techniques that do not involve a malicious file at all. They use tools that are already present on your system (legitimate Windows utilities, scripting languages, remote management software) and turn them to malicious ends. Because these tools are signed, expected, and not malicious in themselves, a file-signature scan has nothing to match against, and the attack proceeds undetected.
Living Off the Land
This category of attack is often called living off the land. An attacker who obtains a valid credential does not need to install anything. They can use PowerShell to execute commands, lean on built-in remote management channels (WMI, WinRM, Remote Desktop) to move laterally across your network, and use native scripting capabilities to stage and exfiltrate data. Every binary involved is a legitimate Microsoft component, so at the file-signature level all of it looks completely clean.
Huntress is built specifically for this threat model. Rather than relying on file signatures, it monitors behavior — what processes are running, what they are doing, what they are connecting to, and whether the pattern of activity looks like something a legitimate user or application would do. When a script runs that mimics the behavior of a known attack technique, Huntress flags it regardless of whether that specific script has ever been seen before.
Persistence Mechanisms
Huntress also monitors persistence mechanisms, the ways attackers make sure they keep access even after a reboot or password reset: registry run keys, scheduled tasks, startup folder entries, and malicious or hijacked services. Traditional antivirus largely overlooks these because what needs inspecting is not a malicious file but a malicious configuration, a key or task that points an ordinary system component at an attacker-chosen command.
When we respond to an incident, persistence mechanisms are often the most important thing to find. An attacker who has been in an environment for weeks has almost certainly installed multiple persistence mechanisms to ensure they can get back in even after the obvious entry point is closed. Missing one of these during remediation means the attacker returns.
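As a concrete starting point for that hunt, here is an added example (not Huntress or Tower Zero code) that surveys the four persistence locations named above on a Windows host and applies a simple triage flag. The regular expression of suspicious indicators is the example's own heuristic, not a Huntress detection; it assumes Windows PowerShell 5.1 or later, run elevated so that HKLM and all scheduled tasks are readable, and it only reads, never changes, anything.

```powershell
# Added example, not vendor code. Read-only survey of registry run keys,
# scheduled tasks, startup folders and services, with a heuristic flag.
# Legitimate software lives in all of these places too: review by hand.

# Heuristic (this example's own assumption): user-writable paths, script
# hosts and LOLBins, encoded/downloaded PowerShell, and URLs in a command.
$suspicious = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|-enc|-e |iex|invoke-expression|frombase64string|http'

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Flag    = [bool]($Command -match $suspicious)
    }
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Registry run keys: machine-wide, per-user, and the 32-bit view
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $findings.Add((New-Finding "Registry: $key" $valueName $item.GetValue($valueName)))
    }
}

# 2. Scheduled tasks: the executable and arguments of every action
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $findings.Add((New-Finding "Task: $($task.TaskPath)" $task.TaskName $cmd))
    }
}

# 3. Startup folders for the current user and for all users
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add((New-Finding "Startup folder: $dir" $_.Name $_.FullName))
    }
}

# 4. Services: the image path exactly as the service control manager runs it
Get-CimInstance Win32_Service | ForEach-Object {
    $findings.Add((New-Finding "Service ($($_.StartMode))" $_.Name $_.PathName))
}

# Flagged entries first. Pipe $findings to Export-Csv to keep a baseline
# you can diff against on the next visit.
$findings | Sort-Object -Property @{Expression = 'Flag'; Descending = $true}, Source |
    Format-Table -AutoSize -Wrap
```

The most useful output is not the flag column but the diff between two runs: capture the list on a known-good machine or at onboarding, and anything new after an incident is a candidate persistence mechanism whether or not the heuristic fires on it. The survey deliberately does not cover WMI event subscriptions, Winlogon keys, or browser extensions; treat it as the first pass, not the whole checklist.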
Identity Threat Detection
For businesses operating in Microsoft 365 environments, Huntress also provides identity threat detection — monitoring Entra ID and Microsoft 365 for signs of account compromise, inbox rule creation, suspicious authentication patterns, and other indicators that an attacker has gotten into your cloud environment even if they never touched an endpoint directly.
This is the layer that catches BEC attacks in progress. The attacker never installed anything on any endpoint. They authenticated using stolen credentials and created a mail forwarding rule. Traditional antivirus has no visibility into this at all. Huntress does.
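To make that concrete, here is an added example (not Huntress code) that triages Exchange Online audit records for exactly this pattern. The three audit records are constructed for illustration, the scoring rules are the example's own, and `$internalDomains` is an assumed tenant domain list. In production the input would be the `AuditData` field of each record returned by `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule` from the ExchangeOnlineManagement module after `Connect-ExchangeOnline`.

```powershell
# Added example, not vendor code. Scores New-InboxRule / Set-InboxRule audit
# records for the BEC pattern: mail forwarded outside the tenant, evidence
# hidden (delete, mark read, move to an ignored folder), money-themed
# filters, and throwaway rule names. Sample records below are constructed.

$sampleAuditData = @(
    '{"CreationTime":"2025-03-04T08:12:31","Operation":"New-InboxRule","UserId":"jane@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"ForwardTo","Value":"collector@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2025-03-04T09:40:02","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"CreationTime":"2025-03-04T10:05:17","Operation":"Set-InboxRule","UserId":"jane@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"."},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}'
)

$internalDomains = @('example.com')   # assumption: the tenant's own accepted domains

function Get-RuleParam([object[]]$Parameters, [string]$Name) {
    ($Parameters | Where-Object Name -eq $Name | Select-Object -First 1).Value
}

function Test-InboxRuleRecord {
    param([string]$AuditJson)
    $r = $AuditJson | ConvertFrom-Json
    $p = $r.Parameters
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Mail leaving the mailbox: any forward or redirect target outside our domains
    foreach ($key in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        $target = Get-RuleParam $p $key
        if (-not $target) { continue }
        $domain = ($target -split '@')[-1].Trim('>', ' ')
        if ($internalDomains -notcontains $domain) { $reasons.Add("$key -> external ($target)") }
    }

    # Hiding the evidence: delete, mark as read, or move to a folder nobody checks
    if ((Get-RuleParam $p 'DeleteMessage') -eq 'True') { $reasons.Add('DeleteMessage') }
    if ((Get-RuleParam $p 'MarkAsRead') -eq 'True')    { $reasons.Add('MarkAsRead') }
    $folder = Get-RuleParam $p 'MoveToFolder'
    if ($folder -match '^(RSS Feeds|RSS Subscriptions|Archive|Junk E-?mail|Conversation History|Deleted Items)$') {
        $reasons.Add("MoveToFolder=$folder")
    }

    # Money-themed filters and blank or punctuation-only names are classic BEC tells
    $subject = Get-RuleParam $p 'SubjectContainsWords'
    if ($subject -match 'invoice|payment|wire|bank|password|account') { $reasons.Add("SubjectContainsWords=$subject") }
    $name = Get-RuleParam $p 'Name'
    if (-not $name) { $name = Get-RuleParam $p 'Identity' }   # Set-InboxRule names the rule via Identity
    if ($name -match '^[\s\.\-_,]*$') { $reasons.Add("rule name '$name'") }

    [pscustomobject]@{
        Time      = $r.CreationTime
        User      = $r.UserId
        ClientIP  = $r.ClientIP
        Operation = $r.Operation
        Rule      = $name
        Score     = $reasons.Count
        Reasons   = ($reasons -join '; ')
    }
}

# Anything with a non-zero score is worth a human look; highest score first
$sampleAuditData | ForEach-Object { Test-InboxRuleRecord $_ } |
    Where-Object Score -gt 0 | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

On the constructed input, the first record scores 4 (external forward, delete, invoice filter, rule named "."), the third scores 3 (moved to RSS Feeds, marked read, rule named "."), and Bob's newsletter rule scores 0 and is dropped. Two caveats a responder should keep in mind: the rule is only one artifact, so the same `UserId` and `ClientIP` should be pivoted into sign-in logs and OAuth consent grants, and removing the rule without resetting the credential and revoking sessions just invites the attacker to recreate it.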
The Honest Assessment
Antivirus is not worthless. But it is not enough. The attacks that cost businesses real money are not the kind that antivirus catches. Living-off-the-land techniques, persistence mechanisms, and cloud identity attacks are the real threat surface for professional services firms in 2025. Huntress is built to cover that surface — and Tower Zero provides the human layer to respond when it detects something.