Product Insights | 5 Min Read

The Next Move Problem: Why Detection Alone Isn’t Enough Anymore

Today’s threats don’t stop after the first move—neither should your defenses

  • Today’s attack chains are exposing the cracks in traditional defenses.
  • To fill these gaps, defenders need to shift to tactics and tools that will actually outpace evolving, persistent threats like LOTL attacks and APTs.
  • Get the latest on the industry’s first AI-powered weapon that’s helping security teams stay ahead of attackers—and break the chain. 

Today’s ransomware operators are increasingly turning to living-off-the-land (LOTL) tactics, blending into legitimate system activity, dumping credentials and evading defenses that only look at one event at a time. Each year, more attackers chain together sophisticated tactics, techniques and procedures (TTPs) to infiltrate networks and hit as many systems as possible.

When one tactic fails, they pivot fast, pulling from step-by-step playbooks shared among seasoned operators and affiliates to keep their attack chains moving. In 2024, this kind of persistent agility helped push the average cost of a data breach to $4.88 million, a 10% increase over the previous year.

Some attacks unfold in just 74 minutes; at the other extreme, breaches take a mean of 258 days to identify and contain. Defenders aren't just up against the clock, they're also facing well-practiced attack chains with interchangeable steps. Even though cutting a single choke point can sever 17,000 potential attack paths, most traditional methods only flag isolated alerts (disconnected signals that never reveal the full scope of an attack in progress), leaving defenders exposed to the next move problem.

Let’s face it, detecting one stage of an attack isn’t enough to stop attack progression anymore. Security teams need to shift to proactive strategies that anticipate beyond single steps and deliver the whole picture—only then will they be able to stay steps ahead of multi-stage attack sequences and shut them down.

The next move problem: Why detection-only strategies are a major miss

Relying on traditional detection methods is like trying to best a chess grandmaster using checkers rules—you’re outmatched and you’re straight up playing the wrong game. 

Here’s how today’s threats expose the faults in single-shot defenses: 

One detection can’t stop a chain reaction

Multi-stage phishing and malware attacks surged 175% in 2023 and continue to be a formidable threat in 2025. With AI powering some of these campaigns, bad actors are free to scale attacks from email phishing to privilege escalation and data exfiltration. They can also easily shift tactics based on a network’s response, bypassing most detection systems that can’t connect the dots in time. 

LOTL attacks go unnoticed until it's too late

LOTL attacks abuse trusted, already-installed tools such as PowerShell and other built-in administrative utilities to blend into normal system activity, giving attackers a stealthy way to move laterally across a network. They do leave traces (process launches, script executions, remote management calls), but those traces look like routine administration, so picking them out is like finding a needle in a haystack. The longer they stay hidden, the more access they gain.

Nearly half of ransomware attacks from 2021 to 2023 used LOTL tactics—a trend that won’t slow down unless defenders start adopting tools that can track every step of an attacker’s campaign.

Alert fatigue leads to missing bigger, sustained attacks 

Advanced persistent threats (APTs) are patient and stealthy. When SOC analysts are drowning in alerts, it’s these sustained campaigns that slip by unnoticed. Reports show 83% of SOC analysts are overwhelmed by alert volumes and false positives, and a staggering 84% unknowingly re-investigate the same incidents multiple times a month. When teams are stuck chasing low-risk or fragmented signals, burnout builds and the more dangerous threats go unchecked.

To win, defenders need more than traditional detection. They need tactical foresight across the kill chain. 

5 Ways to spot the pattern–and stop the threats 

In an ideal world, we’d wipe out ransomware. But with better context and a deeper understanding, teams can fight smarter, not just harder. 

To outpace threats and break attack chains, defenders need: 

  1. Sequence awareness. This means seeing attacks as timelines, not snapshots.
  2. Attacker behavior modeling. Predicting the next step isn’t enough either; teams need to be able to see the likely moves across the board to really stay ahead of attackers.
  3. Contextual detection. With the whole picture in view, teams can distinguish high-risk from background noise.
  4. Proactive strategy. Rather than just detecting the attack, their goal should be to disrupt the most likely sequences and block attackers from their endgame.
  5. Quick recovery. Automatically reverting policies after disruption keeps business operations running as usual, and gives teams one less thing to worry about.
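To make the first four points concrete, and to show why the LOTL activity described above is only visible as a sequence, here is an added example. It is not Symantec's Incident Prediction or any Broadcom code: a minimal sequence-aware detector run over constructed process-creation events. Everything in it is an assumption for illustration: the `ts host= user= image= cmdline=""` line format, the host names, the three narrow stage heuristics (encoded or hidden-window PowerShell, an LSASS MiniDump via comsvcs.dll, remote process creation via wmic) and the hand-written next-stage table that stands in for a learned behavior model. The point it demonstrates is that the same hidden-window PowerShell launch is noise-level on its own, while an ordered chain of stages on one host within an hour is high severity, and the last stage observed tells you which move to block next.

```python
"""Added example: a minimal sequence-aware detector over constructed
process-creation events. Not Symantec/Broadcom code; the stage heuristics
and next-stage table are illustrative assumptions, not a trained model."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). WS01 shows an LOTL chain;
# WS07 shows routine admin activity that trips a single heuristic.
SAMPLE_EVENTS = [
    '2025-05-01T09:00:02Z host=WS01 user=alice image=powershell.exe '
    'cmdline="powershell -nop -w hidden -enc SQBFAFgAIAAo"',
    '2025-05-01T09:03:10Z host=WS01 user=alice image=rundll32.exe '
    'cmdline="rundll32 C:\\Windows\\System32\\comsvcs.dll MiniDump 624 C:\\temp\\l.dmp full"',
    '2025-05-01T09:20:41Z host=WS01 user=alice image=wmic.exe '
    'cmdline="wmic /node:SRV02 process call create cmd.exe /c whoami"',
    '2025-05-01T10:15:00Z host=WS07 user=bob image=powershell.exe '
    'cmdline="powershell -WindowStyle Hidden -File C:\\scripts\\backup.ps1"',
    '2025-05-01T14:02:33Z host=WS07 user=bob image=wmic.exe '
    'cmdline="wmic /node:SRV09 os get lastbootuptime"',
]

# Assumed line format for the constructed telemetry above.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# (stage, image regex, cmdline regex): deliberately narrow heuristics.
STAGE_RULES = [
    ("execution", r"powershell\.exe$", r"-enc\b|-w(indowstyle)?\s+hidden"),
    ("credential_access", r"rundll32\.exe$", r"comsvcs\.dll.*MiniDump"),
    ("lateral_movement", r"wmic\.exe$", r"/node:\S+.*process\s+call\s+create"),
]

# Assumed next-stage table standing in for a learned behaviour model.
NEXT_STAGE = {
    "execution": "credential_access",
    "credential_access": "lateral_movement",
    "lateral_movement": "impact",
}


def parse_event(line):
    """Parse one telemetry line into a dict with a datetime timestamp."""
    m = EVENT_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(ev):
    """Return the kill-chain stage an event matches, or None."""
    for stage, image_re, cmd_re in STAGE_RULES:
        if re.search(image_re, ev["image"], re.I) and re.search(cmd_re, ev["cmdline"], re.I):
            return stage
    return None


def build_chains(lines, window=timedelta(hours=1)):
    """Per host, collect distinct stages in time order and keep the longest
    chain whose events all fall within `window` of the chain's first hit."""
    hits = defaultdict(list)
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is not None:
            hits[ev["host"]].append((ev["ts"], stage))
    chains = {}
    for host, host_hits in hits.items():
        best, current, start = [], [], host_hits[0][0]
        for ts, stage in host_hits:
            if ts - start > window:          # outside the window: start a new chain
                best = max(best, current, key=len)
                current, start = [], ts
            if stage not in current:         # distinct stages, in observed order
                current.append(stage)
        chains[host] = max(best, current, key=len)
    return chains


def assess(stages):
    """One stage is noise-level; a multi-stage chain escalates, and the
    last stage seen is what the next-stage table says to block next."""
    severity = {1: "low", 2: "medium"}.get(len(stages), "high")
    return {
        "stages": stages,
        "severity": severity,
        "predicted_next": NEXT_STAGE.get(stages[-1]),
    }


def analyse(lines):
    """Map each host with at least one hit to its chain assessment."""
    return {host: assess(st) for host, st in build_chains(lines).items()}


if __name__ == "__main__":
    for host, verdict in analyse(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Run stand-alone it prints one verdict per host: WS01 comes out as a three-stage chain rated high with "impact" as the predicted next move, while WS07's single hidden-window PowerShell run is rated low and its wmic inventory query is not classified at all. In practice the stage heuristics would come from your EDR telemetry and the transition table from observed attack chains; what separates this from a one-alert-at-a-time rule is the structure: a per-host timeline, a time window, distinct ordered stages, and a next-stage lookup that gives the responder something to block rather than another alert to triage.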

It may sound too good to be true, but we know a tool that offers it all.

The next move solution: AI-powered prediction

Symantec’s Incident Prediction garnered a lot of buzz at this year’s RSAC 2025™ Conference. As a newly launched addition to Symantec Endpoint Security Complete, it’s reshaping threat detection as the industry’s first AI-powered feature to predict an attacker’s next four to five moves with up to 100% confidence.  

Incident Prediction helps security teams break the attack chain and stop bad actors in their tracks by:

  • Predicting high-confidence sequences in 80% of real-world incidents.
  • Using behavior modeling and probability scores to interrupt attacks before they escalate.
  • Enforcing protective policies before damage occurs, then reverting back to baseline once a threat is neutralized.

Trained on 500,000 attack chains by the elite Symantec and Carbon Black Threat Hunters, it’s especially effective against sneaky LOTL attacks. Leveraging AI alongside Adaptive Protection, Incident Prediction allows trustworthy systems and operations to stay online while it shuts down the bad stuff. That means your analysts are provided with high-fidelity information that drives efficient, effective and faster action, ultimately helping to curb business impact. 

Ready for what’s next? 

Backed by the intel and hard work of our Threat Hunters, Symantec and Carbon Black are leading the charge against sophisticated cyberthreats with future-ready innovations like Incident Prediction, redefining what it means to stay ahead. 

Catch the latest webinar, AI's Tactical Edge: Predicting Your Attacker's Next Moves, on demand to see how Incident Prediction eliminates the guesswork—giving you clarity, confidence and control in the face of sophisticated attack sequences.

About the Author

Adarsh Shetty

Product Manager, Enterprise Security Group, Broadcom

Adarsh is a PM of Broadcom ESG. His focus is on prevention using multi-layered security solutions. He is passionate about leveraging modern technology and AI responsibly to empower enterprises on an ever-evolving technology and threat landscape.
