The nature of cyber threats has changed dramatically in recent years. Attackers are no longer relying solely on traditional malware. Instead, they increasingly use subtle, evasive techniques that mimic legitimate activity. One of the most prominent is Living-off-the-Land (LOTL), a tactic where malicious actors abuse built-in OS tools such as PowerShell, WMIC, or rundll32 to carry out attacks without triggering conventional alerts. According to Bitdefender’s internal analysis of over 700,000 incidents, LOTL techniques now feature in 84% of major cyberattacks, making them one of the most pervasive threats in modern cybersecurity.
This evolution in attack methods coincides with a surge in hybrid work and decentralised IT operations, significantly expanding the attack surface. Traditional endpoint defences, once effective in perimeter-based setups, now struggle to cope with the agility and stealth of today’s threat actors. Security solutions must go beyond simple detection and response to proactively reduce exposure before an attack can take root.
Bitdefender’s latest innovation, GravityZone PHASR (Proactive Hardening & Attack Surface Reduction), responds to this challenge. It introduces a dynamic, behaviour-driven approach to endpoint hardening that adapts to user and device behaviour in real-time. Rather than reactively chasing threats, PHASR aims to pre-empt them by closing off the paths attackers depend on.
Why endpoint security must evolve in today’s threat environment
For years, the dominant approach in endpoint security has focused on detection and response. Solutions like Endpoint Detection and Response (EDR) and its broader counterpart, Extended Detection and Response (XDR), are designed to identify and contain threats after they have entered the system. While these tools have improved visibility and enabled faster incident response, they are inherently reactive and assume that some level of compromise is unavoidable.

This is especially problematic in the case of LOTL attacks. Because they use legitimate system tools and often mimic standard user behaviour, these attacks are difficult to flag using traditional detection rules. “Discerning intent in the use of legitimate tools is notoriously difficult,” says Cristian Iordache, Director of Product Marketing at Bitdefender. “It gives attackers time while increasing risk and security costs.”
Bitdefender’s threat research indicates that even benign-looking tools, such as netsh.exe, used for network configuration, are frequently exploited. The challenge lies in hardening systems to prevent misuse while avoiding overly restrictive controls that disrupt productivity.
This trade-off has made conventional hardening approaches, such as static allowlists or blanket restrictions, challenging to manage at scale. Organisations either lock down too aggressively and frustrate users, or relax their rules too much and leave critical vulnerabilities exposed. As a result, preventative strategies like attack surface reduction have often been overlooked in favour of reactive monitoring. To meet these modern threats head-on, Bitdefender has introduced a radically different model. This new approach adapts to the user and the environment, rather than relying on static controls.
The PHASR approach to user-specific hardening
GravityZone PHASR marks a significant shift in endpoint defence strategy. It replaces one-size-fits-all hardening policies with a behaviour-specific model powered by artificial intelligence and analytics. The system continuously learns how individual users interact with their devices, builds a baseline of normal behaviour, and uses this context to restrict only the actions or tools that fall outside those norms.
“PHASR enables deep restriction of known attack vectors, without impacting the utilities and applications required by each user,” Iordache explains. Legitimate tools like PowerShell therefore remain available, but if a user suddenly executes encrypted or obfuscated commands that are not aligned with their typical behaviour, those commands can be blocked.
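A minimal sketch of the per-user baselining described above, as an added example: it is not Bitdefender's code and does not show how PHASR is implemented. The event tuples, the `MIN_SEEN` threshold and the function names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Built-in tools the article names as commonly abused.
WATCHED = {"powershell.exe", "wmic.exe", "rundll32.exe", "netsh.exe"}
MIN_SEEN = 2  # assumed: observations needed before a behaviour counts as normal

def behaviour(tool, cmdline):
    """Reduce one process event to a (tool, kind) pair."""
    tool, kind = tool.lower(), "plain"
    if tool == "powershell.exe":
        # Simplification: whitespace tokenising, no quote handling.
        for tok in cmdline.lower().split()[1:]:
            # powershell.exe accepts -EncodedCommand, its prefixes (-e, -enc, ...) and -ec
            if tok == "-ec" or (len(tok) >= 2 and "-encodedcommand".startswith(tok)):
                kind = "encoded"
    return tool, kind

def build_baseline(events):
    """Learn, per user, which (tool, kind) behaviours recur in the learning window."""
    counts = defaultdict(Counter)
    for user, tool, cmdline in events:
        counts[user][behaviour(tool, cmdline)] += 1
    return {u: {b for b, n in c.items() if n >= MIN_SEEN} for u, c in counts.items()}

def decide(baseline, user, tool, cmdline):
    """Allow unwatched tools; allow watched tools only for behaviour in the user's baseline."""
    b = behaviour(tool, cmdline)
    if b[0] not in WATCHED:
        return "allow"
    return "allow" if b in baseline.get(user, set()) else "block"

# Constructed learning window: alice administers servers, bob works in spreadsheets.
LEARNING = [
    ("alice", "powershell.exe", "powershell.exe -NoProfile -File backup.ps1"),
    ("alice", "powershell.exe", "powershell.exe -File rotate-logs.ps1"),
    ("alice", "netsh.exe", "netsh.exe interface show interface"),
    ("alice", "netsh.exe", "netsh.exe interface show interface"),
    ("bob", "excel.exe", "excel.exe report.xlsx"),
    ("bob", "excel.exe", "excel.exe budget.xlsx"),
]
BASELINE = build_baseline(LEARNING)

if __name__ == "__main__":
    for ev in [("alice", "powershell.exe", "powershell.exe -File backup.ps1"),
               ("alice", "powershell.exe", "powershell.exe -enc <base64>"),
               ("bob", "powershell.exe", "powershell.exe -File backup.ps1")]:
        print(ev[0], ev[2], "->", decide(BASELINE, *ev))
```

The second event is blocked even though PowerShell itself is in alice's baseline, because the encoded invocation is a behaviour she has never shown; the third is blocked because bob has no history with the tool at all.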

This tailored approach solves one of the biggest historical issues with hardening: the trade-off between security and usability. By understanding each user’s habits and needs, PHASR avoids the trap of over-restriction. It empowers security teams to apply tighter restrictions where necessary without interfering with daily operations.
In high-trust settings such as healthcare, finance, or enterprise IT, where administrators and developers often require elevated access, PHASR delivers precision. It can isolate risky behaviour within allowed tools, blocking only the suspicious actions while maintaining access to the functionality professionals rely on.
Importantly, PHASR is not static. It evolves alongside user behaviour and changing threat landscapes, which reduces the need for security teams to adjust policies manually. This dynamic adaptability makes PHASR well-suited to modern, decentralised environments where employee roles and requirements frequently change.
AI-driven automation and the shift toward intelligent exposure management
PHASR reflects a broader shift across the security industry, moving away from reactive defences and towards proactive exposure management. As cyberattacks become faster and more precise, security professionals need systems that anticipate risk and act before damage occurs.
Gartner forecasts that by 2030, 60% of exposure management activities will be automated, a dramatic increase from less than 10% in 2022. This trend shows the growing role of AI in helping organisations scale their security capabilities and stay ahead of emerging threats. Bitdefender’s PHASR platform fits this trend squarely. By using AI and behavioural analytics, it constantly monitors user activity, identifies anomalies, and adjusts permissions or enforcement policies in real-time.
This level of automation significantly reduces the workload for IT teams and security operations centres. Instead of continuously configuring and updating rules, teams can focus on more strategic initiatives, confident that the system handles the fundamentals of risk management.
This automated and adaptive enforcement is particularly valuable in sectors such as healthcare and financial services, where regulatory compliance is critical. PHASR helps maintain continuous compliance without slowing down operations or introducing unnecessary friction.
“We’ve built strong EDR, XDR and MDR capabilities while retaining a prevention-first mindset,” says Iordache. PHASR is just one example of AI and behavioural analytics being used to reduce risk proactively. This focus on prevention is becoming increasingly vital as attackers refine their methods and reduce their dwell time inside systems.
What’s next for proactive security solutions?
PHASR is the beginning of a broader evolution in Bitdefender’s approach to cybersecurity. The company sees this behaviour-based, adaptive model as the foundation for expanding protection across other digital domains, including cloud workloads, identity systems, and distributed network environments.

As threats evolve, Bitdefender aims to unify policy enforcement, visibility, and automation across all major attack surfaces. This means extending the same AI-driven logic to cloud and identity infrastructure, areas with increasing levels of attacker activity.
Another key focus is improving the signal-to-noise ratio for security teams. Bitdefender is working to simplify investigation workflows in EDR and XDR systems by reducing false positives and highlighting high-confidence alerts. This effort is already bearing fruit, as seen in the company’s strong performance in the 2024 MITRE ATT&CK Evaluations for Enterprise.
“We plan to continue expanding PHASR and this tailored and dynamic approach beyond endpoints,” says Iordache. “We’ll strengthen our holistic risk management approach and make compliance easier for our customers.”
Organisations that adopt intelligent, behaviour-driven solutions like PHASR will be in a stronger position to manage complexity and minimise risk. These tools are not just about stopping attacks. They offer a more innovative, faster, and more sustainable way to secure systems, maintain compliance, and support business growth in an increasingly unpredictable threat environment.