
Why "We Have Antivirus" No Longer Means "We're Protected"

28 May 2026


Your antivirus renewed last month. Your IT manager ticked the compliance checkbox. You feel covered. That feeling is the problem.

Antivirus was built for a specific era of attack. A piece of malware arrives, the software checks its fingerprint against a database of known threats, finds a match, blocks it. For twenty years, this worked well enough. The attacks that software was designed to stop are no longer the attacks your business faces.

The Signature Problem

Signature-based detection depends on a simple premise: the threat has been seen before, catalogued, and added to a database your software can query. Attackers understood this long ago and built around it.

By 2024, an estimated 86% of new malware employed evasion techniques specifically designed to bypass signature detection. Attackers mutate code, use legitimate system tools as weapons, and operate entirely in memory, leaving nothing on disk for antivirus to scan.

That last technique—fileless malware—deserves attention. According to ReliaQuest's 2024 Annual Threat Report, 86.2% of detections associated with critical incidents involved fileless attacks. Antivirus cannot scan a file that does not exist. The attack runs in memory, exploits a legitimate process, and leaves the endpoint looking clean.

They Stopped Bringing Malware

The bigger shift is more fundamental. Attackers have moved away from malware altogether.

CrowdStrike's 2026 Global Threat Report found that 82% of detections in 2025 were malware-free—up from 79% the year before. Attackers log in with stolen credentials. They use built-in Windows tools like PowerShell and WMI to move laterally. They blend into normal administrative activity. From a signature-scanning perspective, nothing unusual is happening. A legitimate user is doing legitimate things. Antivirus has nothing to flag.

This is not a gap in one vendor's database. No signature database can fix it. Signature-based detection is structurally blind to this class of attack.

Speed Has Changed the Calculus

Even if your antivirus catches initial access, attackers now move through networks faster than most security teams can respond.

The average eCrime breakout time—the time between gaining initial access and moving laterally to another system—fell to 29 minutes in 2025, down from 48 minutes the year before. The fastest recorded breach? 27 seconds. In one documented intrusion, data exfiltration began within four minutes of first access.

A security model that relies on humans reviewing alerts, escalating tickets, and responding manually cannot operate in that window. By the time your team opens the alert, the attacker has already reached adjacent systems and established persistence.

What EDR Actually Does

Endpoint Detection and Response was built for this environment. Where antivirus checks files against known signatures, EDR watches behaviour continuously.

An EDR agent monitors every process running on a machine: what it spawns, what files it touches, what network connections it opens, what registry keys it modifies. It builds a baseline of normal behaviour for that endpoint, and it flags deviations—regardless of whether the underlying technique has a known signature. A legitimate admin tool behaving in an unusual way still triggers scrutiny. A process with no file-on-disk signature still leaves behavioural traces that EDR captures.

When something suspicious surfaces, EDR does not just alert. It can isolate the endpoint from the network automatically, terminate the offending process, and preserve a forensic timeline so your team understands exactly what happened, in what order, from which starting point. That forensic trail is something antivirus cannot provide—even after a breach, AV leaves you largely blind to how the attacker moved and what they touched.

EDR platforms also align detections to the MITRE ATT&CK framework, a publicly maintained catalogue of attacker tactics and techniques. This means alerts arrive with context: not just "suspicious process," but "this matches lateral movement technique T1021, commonly used in ransomware pre-deployment." Your analysts spend less time guessing and more time acting.
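As an added example (not code from the article or any EDR vendor), the toy below contrasts the two models over a constructed process-creation log: a hash lookup that finds nothing, behavioural rules that flag an Office-spawned PowerShell and remote WMI execution and tag them with ATT&CK technique IDs, and a parent-chain walk that reconstructs the forensic timeline. The event data and hashes are constructed, and every technique ID other than T1021 is the editor's own mapping.

```python
"""Signature matching vs behavioural detection over constructed endpoint telemetry.
Added example, not code from the article. Events, hashes and the known-bad database
are constructed; ATT&CK technique IDs are the editor's mapping (the article names T1021)."""

KNOWN_BAD_HASHES = {"constructed-hash-of-a-known-malware-sample"}  # placeholder, not a real hash

# Constructed process-creation events for one living-off-the-land chain; every
# image is a signed Windows or Office binary, so no hash ever matches above.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": "explorer.exe", "hash": "h-explorer", "cmd": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": "winword.exe", "hash": "h-word", "cmd": "winword.exe invoice.docm"},
    {"pid": 3, "ppid": 2, "image": "powershell.exe", "hash": "h-powershell",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand UwB0AGEAcgB0AA=="},
    {"pid": 4, "ppid": 3, "image": "wmic.exe", "hash": "h-wmic",
     "cmd": "wmic.exe /node:FILESRV01 process call create cmd.exe"},
]
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def signature_scan(events):
    """AV model: flag a process only if its image hash is already catalogued."""
    return [e["pid"] for e in events if e["hash"] in KNOWN_BAD_HASHES]

def behavioural_scan(events):
    """EDR model: judge each process by lineage and arguments, not by file identity."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"], {}).get("image", "")
        cmd = e["cmd"].lower()
        if parent in OFFICE and e["image"] in SHELLS:
            findings.append((e["pid"], "T1059.001", f"{parent} spawned {e['image']}"))
        if e["image"] == "powershell.exe" and "-encodedcommand" in cmd:
            findings.append((e["pid"], "T1027", "encoded PowerShell command line"))
        if e["image"] == "wmic.exe" and "/node:" in cmd:
            findings.append((e["pid"], "T1047", "WMI execution against a remote host"))
    return findings

def lineage(events, pid):
    """Forensic timeline: walk parent links from a flagged process back to its root."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

if __name__ == "__main__":
    for pid, technique, why in behavioural_scan(EVENTS):
        print(pid, technique, why, "<-", " > ".join(lineage(EVENTS, pid)))
```

The signature scan returns an empty list for this chain because every binary is a legitimate OS tool, while the behavioural scan produces three tagged findings and the lineage walk shows the Word document as the starting point.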

The Dwell Time Gap

Dwell time—how long an attacker sits undetected inside your environment—is one of the clearest indicators of how well your defences are working. Organisations using AI-driven EDR solutions reduced dwell time by 63%, according to Proficio's 2024 report. Shorter dwell time means attackers have less opportunity to map your environment, escalate privileges, exfiltrate data, or deploy ransomware.

Antivirus, by design, offers no visibility into what happens after a file executes. An attacker who gets past the initial scan can operate freely for days or weeks. EDR watches continuously, so the window closes much faster.

What Antivirus Still Does Well

Antivirus is not useless. It handles high-volume, commodity threats—the constant background noise of known malware circulating across the internet—quickly and cheaply. For an individual or a very small business with limited budget and a low threat profile, antivirus covers the most common risks at the lowest cost.

Modern antivirus has also evolved. Next-generation AV now incorporates machine learning and heuristic analysis, catching some unknown threats by examining behaviour at the point of execution rather than relying purely on signature matching. Some vendors blur the line between AV and EDR considerably.

But heuristic scanning at execution is not the same as continuous behavioural monitoring across the full attack lifecycle. The fundamental limitation stands: antivirus watches for malicious files. EDR watches for malicious behaviour, whether or not a file is involved.

The Compliance Gap

Many businesses run antivirus because a policy, an insurer, or a framework audit requires it. Tick the box, pass the assessment. This creates a specific and dangerous blind spot: security posture measured by tool presence rather than threat coverage.

Cyber insurers have noticed. Underwriters are increasingly asking not just whether endpoint protection is in place, but what kind—and whether it includes behavioural detection, automated response, and forensic logging. Antivirus alone no longer satisfies many insurers' requirements for larger policies, and businesses that suffer a breach without EDR-level controls are finding their claims scrutinised accordingly.

Putting It Together

Antivirus answers the question: is this file malicious? EDR answers a much broader set of questions: is anything on this endpoint behaving in a way consistent with an attack, regardless of whether a file is involved, regardless of whether the technique has been seen before, and regardless of how fast the attacker is moving?

Given that 82% of current attacks involve no traditional malware at all, the second question is the one that matters. Antivirus cannot ask it.

If your security conversation still starts and ends with "we have antivirus," the conversation needs to change.

To get a free, personalised overview of your security posture in less than 15 minutes, take our Technology Resilience Assessment. Rather have a brief call to see if we can help? Schedule a time by clicking here.