Endpoint Capability Risk: Why Approved Software is Your Biggest Security Blind Spot

  • Writer: Jacob Hughes
  • Apr 3
  • 3 min read

The most common objection I come up against when discussing the idea of LARCK and Endpoint Capability Risk (ECR) is that attackers don't use what's on the box - they use their own tools, dropping custom toolkits and not caring about what is installed. This was true a few years ago, but nowadays attacks have become more sophisticated, flying below the radar by using existing tools already on the machine.


In a Bitdefender analysis of 700,000 security incidents, 84% of high-severity attacks involved Living Off the Land techniques. CrowdStrike puts the malware-free attack rate at 79% of all detections in 2025, up from 40% in 2019. The shift has been consistent, directional, and accelerating. (Source: https://www.bitdefender.com/en-us/blog/businessinsights/700000-security-incidents-analyzed-living-off-land-tactics, https://www.crowdstrike.com/en-us/global-threat-report/)



Data Suggests That The Attackers are Only Getting Smarter


When the attacker is not bringing anything new, your software inventory is their starting point. The chart below shows both trends at once: malware-free attacks climbing, and average breakout time collapsing:



The average breakout time fell to 29 minutes in 2025, a 65% increase in speed over the prior year. The fastest observed breakout took 27 seconds. In one documented case, data exfiltration began within four minutes of initial access.


At that speed, detecting and responding after the fact is not a realistic strategy in isolation. What the machine had installed at the moment of compromise determines how much damage is possible before anyone knows something is wrong.



Existing tools show up in real attacks



Black Basta, one of the more prolific ransomware operations before its collapse in early 2025, relied on SoftPerfect network scanner, PsExec for lateral movement, Mimikatz (a security tool) for privilege escalation, and RClone for data exfiltration. Every tool in that list has a legitimate IT use case. True, not every environment has those pieces of software, but you can bet that future AI-backed attacks will be much more adept at utilizing whatever software you have - be it Veeam, Wireshark or Node.js, for example. (Source: https://www.security.com/threat-intelligence/ransomware-extortion-epidemic)



PowerShell alone appears in 71% of LOTL attacks, with the LOLBAS project documenting over 200 Windows binaries that can be weaponized. The tools are not the problem by themselves; the combination of them is.


The overlap is the problem


A single dual-use tool on a machine is something to pay attention to. What Endpoint Capability Risk looks for is the combination of that tool with other, normally benign, software that together could open the door for something bad to happen.


Take a machine with three things on it: Angry IP Scanner, PuTTY with saved sessions, and local admin rights. None of those individually would get a second look from most teams if they were installed on admin boxes or a jump box. Together, they map across three distinct MITRE ATT&CK techniques and cover every phase of an attack from reconnaissance through exfiltration - no kits or extra tools necessary.




An attacker who lands on that machine through a phishing email doesn't have to install something that will most likely trigger real-time protection. They can just open PuTTY, load a saved session, run a scan, and they are moving laterally while your SOC sees only a minor blip on the radar, if they see it at all. It's an admin box in IT Infrastructure, after all.



Where LARCK Comes In



Larck sits alongside Lansweeper and reads the asset data your team already collects.

It cross-references that inventory against CVE records, uses AI to categorize software by what it enables from an attacker's perspective, and then calculates risk based on what is co-located on each machine.


The goal is to surface those machines before an attacker does, and know which endpoints represent a contained problem and which ones represent a blast radius.
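As an added example (not LARCK's code or the article's own method), the co-location scoring described in the overlap section and in the two paragraphs above can be sketched like this; the inventory rows, the tool-to-phase map and the scoring rule are all constructed assumptions chosen to mirror the article's argument:

```python
"""Endpoint Capability Risk (ECR) scoring over an asset inventory.
Added illustration, not LARCK's own code. Inventory rows and the capability
map are constructed; the scoring rule (distinct attack phases co-located on a
host, flagged when one box spans recon through exfiltration) is an assumption
that mirrors the article's argument."""
# Constructed map: installed software / local state -> attack phases it can
# enable, following the roles the article gives each tool. PuTTY also counts
# toward exfiltration because the article treats its saved sessions as
# covering the chain through exfiltration (assumption).
CAPABILITIES = {
    "Angry IP Scanner": {"discovery"},
    "SoftPerfect Network Scanner": {"discovery"},
    "PuTTY (saved sessions)": {"lateral_movement", "exfiltration"},
    "PsExec": {"lateral_movement"},
    "Mimikatz": {"credential_access"},
    "Local admin rights": {"privilege_escalation"},
    "RClone": {"exfiltration"},
}
FULL_CHAIN = {"discovery", "lateral_movement", "exfiltration"}
# Constructed inventory export: (hostname, installed item).
INVENTORY = [
    ("it-admin-01", "Angry IP Scanner"), ("it-admin-01", "PuTTY (saved sessions)"),
    ("it-admin-01", "Local admin rights"), ("it-admin-01", "Notepad++"),
    ("hr-laptop-07", "PuTTY (saved sessions)"), ("hr-laptop-07", "Microsoft Office"),
    ("backup-srv-02", "RClone"), ("fin-desktop-03", "Microsoft Office"),
]

def phases_by_host(inventory):
    """Phases each host's items enable; hosts with nothing dual-use get an empty set."""
    phases = {}
    for host, item in inventory:
        phases.setdefault(host, set()).update(CAPABILITIES.get(item, set()))
    return phases

def score_host(phases):
    """Co-location score: distinct phases covered, plus a blast-radius flag
    when a single machine spans the whole chain."""
    return {"score": len(phases), "full_chain": FULL_CHAIN <= phases,
            "phases": sorted(phases)}

def ecr_report(inventory):
    """Rank hosts by co-located capability, highest risk first."""
    scored = {h: score_host(p) for h, p in phases_by_host(inventory).items()}
    return sorted(scored.items(), reverse=True,
                  key=lambda kv: (kv[1]["full_chain"], kv[1]["score"]))

if __name__ == "__main__":
    for host, r in ecr_report(INVENTORY):
        print(f"{host:14} score={r['score']} {'FULL CHAIN ' if r['full_chain'] else ''}{r['phases']}")
```

In a real deployment the INVENTORY list would be replaced by the asset export, and the CAPABILITIES map is the part that needs careful, environment-specific curation.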


That answer is already in your Lansweeper data. Larck just tells you where to look.


Jacob Hughes



© 2026 by Zill IT Labs, LLC
