Prevention & Application Control

The Eternal Cybersecurity Pendulum: Why Prevention Is Back

For years cybersecurity has focused on detecting attacks after they start. But the data shows the same techniques year after year. The industry is starting to rediscover prevention. It's time to stop detecting attacks and start preventing them.

March 17, 2026 | 7 min read

[Illustration: a swinging pendulum representing the shift from detection to prevention in endpoint security]

The Era of Prevention

About twenty years ago, when I started my career in cybersecurity, the world looked a lot different. Security teams lived and died by prevention. You had your Norton Antivirus or McAfee sitting on every endpoint, and your Sourcefire IDS/IPS appliances watching the wire. The tooling was isolated, disconnected, and pretty primitive by today's standards. But the mindset was clear: stop bad things from happening in the first place. In many ways, it was an early version of what we now call prevention-first cybersecurity.

That was the era of prevention.

When Detection Took Over

Somewhere along the way, the pendulum swung. Hard. The industry collectively decided that prevention alone wasn't enough, that we needed visibility, telemetry, and the ability to detect threats that slipped past our defenses. And honestly, that wasn't wrong. Signature-based AV was getting demolished by polymorphic malware and fileless attacks. We needed a better lens.

But here's what actually happened. We didn't just add detection as a complement to prevention. We replaced prevention with detection. The entire industry pivoted to building, selling, and operationalizing the ability to find bad things after they were already running in your environment.

SIEMs became the center of the security universe. Detection engineering became its own discipline. Companies like Splunk, Elastic, and a wave of SIEM vendors turned detections into a commodity, something you could download, tune, and deploy like firmware updates.

Today, the detection side of the pendulum is fully extended. We have SOAR platforms that ingest an alert, enrich it, route it through a playbook, and maybe, hours later, take an automated action to contain something. We have SOC teams running 24/7 shifts staring at dashboards, triaging the same alerts they triaged yesterday and the day before that, struggling to reduce alert fatigue in environments that generate more detections than teams can realistically process.

And ransomware operators are laughing all the way to the Bitcoin wallet.

The Alert Fatigue Problem

The math just doesn't work. The DFIR Report has documented case after case where ransomware groups go from initial access to full domain encryption in under 45 minutes. Ransomware groups like Akira and Lynx are moving through environments at machine speed, leveraging legitimate tools and living-off-the-land techniques that blend right into normal operations, which is exactly why living-off-the-land attack prevention has become a critical focus for modern defenders.

Meanwhile, the average SOC takes hours to even surface the initial alert. By the time your SOAR playbook fires and someone picks up the ticket, the damage is done. The files are encrypted. The exfiltration is complete. You're negotiating with a Telegram bot.

Why Living-off-the-Land Attacks Keep Winning

This is the uncomfortable truth the industry doesn't want to talk about. We've spent the last decade building increasingly sophisticated systems to tell us about attacks that already happened. We built faster dashboards to watch ourselves lose in real time.

Here's the part that really gets me though. Every year, the same reports come out and tell us the same story.

Look at Red Canary's annual Threat Detection Report or CrowdStrike's Global Threat Report. Year after year, the same living-off-the-land techniques dominate the charts. Red Canary's 2024 data lays it out clearly. The most prevalent techniques in confirmed threats across their entire customer base were Windows Command Shell, PowerShell, Service Execution, Registry Modification, Windows Management Instrumentation, Mshta abuse, and Ingress Tool Transfer. These are primitives. These are things that have been showing up in incident reports for years.

Threat-Driven Application Control

And here's the kicker. Almost every single one of those techniques can be prevented. Not detected. Prevented. Stopped from ever executing. This is the core idea behind threat-driven application control: building prevention policies around the techniques attackers actually abuse instead of trying to detect every variation of malware.

The only exceptions in that top ten are the cloud-related techniques like Cloud Accounts and Email Forwarding Rules, which live outside the endpoint. Everything else? Windows Command Shell, PowerShell, WMI, Mshta, Service Execution? These are all things that application control and strong execution control policies can block outright.

We're watching the same movie every year. The same techniques, the same compromises, the same incident reports. And we keep responding by writing more detections instead of asking the obvious question: why are we letting these things run in the first place?

The Return of Prevention

But I think the tide is turning. Preventing these tools from executing is one of the most effective forms of endpoint attack surface reduction.

If you spend enough time talking to SOC analysts and security leaders, you start hearing the same frustration. "We keep detecting the same things." "We write the same incident reports every quarter." "Why is this thing even running in our environment?" That last question is the one that matters. It's a prevention question, not a detection question. And more people are asking it every day.

We're starting to see the early signals of the pendulum swinging back. Technologies like Windows Defender Application Control (WDAC) and Microsoft's broader Windows Resiliency Initiative represent a fundamental shift in how the platform is thinking about endpoint security. Microsoft is investing heavily in making Windows a platform leaders can count on for reliability, productivity, and protection without disruption. These aren't detection tools. They're prevention tools. They let you define what should run in your environment and block everything else using application control allowlisting.

It's a simple concept that's been technically possible for a while but operationally painful to implement at scale. That's changing.
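What "define what should run and block everything else" looks like in practice on Windows, as an added example that is not code from the article or from MagicSword: a minimal WDAC workflow that allowlists what a clean reference machine runs, adds an explicit deny rule for mshta.exe (one of the techniques named above), deploys the policy in audit mode so nothing breaks, and then reports what the policy would have blocked before you flip it to enforcement. The working directory under C:\WDAC, the use of the local machine as the reference build, the availability of CiTool.exe (Windows 11 22H2 and later) and the `FileNameBuffer` field name in the Code Integrity audit event are assumptions of this example, not facts from the page.

```powershell
# Added example (not from the article or MagicSword): a WDAC allowlist policy
# built from a clean reference machine, with an explicit deny for mshta.exe,
# deployed in audit mode first. Run from an elevated PowerShell session on
# Windows 10/11 Enterprise or Windows Server 2016+ (ConfigCI module present).
# Assumptions: C:\WDAC as working directory; this machine is a clean build;
# CiTool.exe is available (Windows 11 22H2+).

$WorkDir   = 'C:\WDAC'                              # assumption: working directory
$PolicyXml = Join-Path $WorkDir 'Allowlist.xml'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Deny rule for mshta.exe. Deny rules take precedence over allow rules in WDAC,
# so this holds even though Microsoft's signer is trusted by the scan below.
# Note: cmd.exe and powershell.exe are not denied here; under enforced UMCI,
# PowerShell is placed in Constrained Language Mode rather than blocked, and an
# outright deny of the shells needs its own impact assessment.
$denyRules = New-CIPolicyRule -DriverFilePath "$env:SystemRoot\System32\mshta.exe" `
                              -Level FilePublisher -Deny

# Scan the reference machine: allow by publisher so routine updates from the
# same signers keep running, fall back to file hash for unsigned binaries.
# -UserPEs covers user-mode code, which is where LOLBin abuse actually lives.
# -MultiplePolicyFormat produces a policy deployable with CiTool. This scan
# of C:\ takes a while; it uses a shadow copy so locked files are included.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash `
             -ScanPath 'C:\' -UserPEs -MultiplePolicyFormat -Rules $denyRules

# Policy options: govern user-mode code, start in AUDIT mode, allow an unsigned
# policy (lab only; sign it for production), permit reboot-free updates, and
# keep a boot-time safety net while you are iterating.
Set-RuleOption -FilePath $PolicyXml -Option 0    # Enabled:UMCI
Set-RuleOption -FilePath $PolicyXml -Option 3    # Enabled:Audit Mode
Set-RuleOption -FilePath $PolicyXml -Option 6    # Enabled:Unsigned System Integrity Policy
Set-RuleOption -FilePath $PolicyXml -Option 9    # Enabled:Advanced Boot Options Menu
Set-RuleOption -FilePath $PolicyXml -Option 10   # Enabled:Boot Audit on Failure
Set-RuleOption -FilePath $PolicyXml -Option 16   # Enabled:Update Policy No Reboot

# Compile to the binary format; multiple-policy-format binaries are named by PolicyID.
$policyId  = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
$PolicyBin = Join-Path $WorkDir "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Deploy locally (Intune or Group Policy would do this at scale).
& "$env:SystemRoot\System32\CiTool.exe" --update-policy $PolicyBin

# Summarise what the audit-mode policy WOULD have blocked. Event 3076 is the
# audit-mode "would have blocked" event; 3077 is the enforced block.
# Assumption: the blocked file path is in the FileNameBuffer event data field.
function Get-WdacAuditSummary {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'FileNameBuffer' }).'#text'
    } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name
}
Get-WdacAuditSummary | Format-Table -AutoSize

# When the summary shows only things you intend to block (mshta.exe and nothing
# your business depends on), remove Audit Mode and redeploy to enforce:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
#   & "$env:SystemRoot\System32\CiTool.exe" --update-policy $PolicyBin
```

The order matters: the audit pass is what turns the "six-month deployment project" into a measurable loop, because the 3076 summary tells you exactly which legitimate software the allowlist missed before any user is blocked.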

AI and the Next Generation of Endpoint Security

I believe we're on the cusp of a new prevention boom, and this time it's going to look nothing like Norton Antivirus circa 2005. The next wave of prevention will be powered by AI. Not in the hand-wavy marketing sense where every vendor slaps "AI-powered" on their landing page, but in a real, operational sense.

Agents that continuously analyze your environment, understand what software is legitimate, map trust relationships, and automatically build and maintain prevention policies that adapt as your environment changes. No more manually curating allow lists. No more six-month WDAC deployment projects that stall because nobody wants to break production.

Think about what CrowdStrike did in the last pendulum cycle. They built one of the best EDR security platforms the market had ever seen and rode the detection wave to a $70B+ market cap. The next CrowdStrike won't be built on better detections. It'll be built on smarter prevention. On the ability not just to tell customers what happened, but to ensure it never happens in the first place through strong execution control security.

The pattern is clear if you zoom out far enough. Prevention dominated, then detection took over, and now the pain of pure detection is becoming too obvious to ignore. SOC teams are drowning in alerts. Mean time to respond still can't keep up with mean time to encrypt. And every ransomware headline is a reminder that detecting an attack isn't the same as stopping one.

At some point, customers are going to stop asking "what happened?" and start asking "why was that allowed to run?" When that shift reaches critical mass, and I think it's already underway, the companies that have been building real prevention technology will be the ones that define the next era of cybersecurity.

The pendulum always swings. This time, it's swinging back toward prevention. And this time, we have the AI to actually make it work.

It's time to stop watching attacks unfold and start ending them before they begin. The fight needs to go back to the attackers.

Want to see how prevention changes the equation? Book a demo and we’ll walk through how MagicSword blocks real-world attack techniques at execution time.

Keep up with how modern attacks actually work and how to prevent them. Subscribe to the MagicSword newsletter for practical research, real-world attack tradecraft, and prevention-focused intelligence.

Written by Jose Hernandez, Threat Researcher

Jose Enrique Hernandez founded the Threat Research team at Splunk and served as its Director. Jose is known for creating several security-related projects, including Splunk Attack Range, Splunk Security Content, Git-Wild-Hunt, Melting-Cobalt, lolrmm.io and loldrivers.io. He is also a maintainer of repositories critical to the security industry, such as Atomic Red Team and lolbas-project.github.io.

© 2026 MagicSword. All rights reserved.