Most company leaders still think of virus protection the same way they think of a deadbolt on the front door. You lock it and you are safe. The problem is that modern attackers do not go through the door. They come in through the window you forgot was open, or they already have a key, or they are quietly living in your basement before you ever notice.
What Signature-Based Detection Actually Catches (And What It Does Not)
Traditional antivirus works by comparing files against a database of known malware signatures. It is effective against the threats it recognizes. It is nearly useless against everything else. The reason comes down to the economics of attack. Modern threat actors build custom malware for each target. They test their payloads against every major detection product before deploying them. By the time a signature exists for a new attack variant, the damage is already done.1
Consider the volume. According to AV-TEST, security researchers register over 450,000 new malware variants every single day. No human team can write signatures fast enough to keep up with that volume in real time. The game is mathematically rigged against signature-based defenses.2
Fileless malware is a concrete example. It lives in memory, never writes a file to disk, and uses legitimate system tools like PowerShell or Windows Management Instrumentation to do its work. No file means no signature to match. No signature means traditional AV does not see it. The 2025 Data Breach Investigations Report from Verizon found that 43% of breaches involved some form of pretexting and social engineering rather than pure malware delivery, which means the attacker talked their way in rather than breaking a digital lock.3
Ransomware changed the timeline too. In the early days, encrypting malware hit fast and loud. Modern ransomware operators function as businesses with development teams, quality assurance departments, and customer service support lines for victims. They test their payloads against AV, EDR, and sandbox products before sending them out. IBM’s 2025 Cost of a Data Breach report found that the global average cost of a data breach reached $4.88 million, a 10% increase over the prior year and the highest total ever recorded. For a small or mid-sized business, a single breach of that magnitude is an existential event, not just a costly inconvenience.4
The Threat Categories Your Antivirus Was Not Built to Stop
There are four categories of modern threats that traditional antivirus does not address on its own. Understanding them helps you ask better questions of any IT provider you hire.
Living-off-the-land attacks. These use tools already installed on your system. PowerShell, WMI, and even Microsoft Office macros become the weapon. The attacker does not install anything malicious. They misuse what is already there. The SentinelOne threat report documented a 140% increase in living-off-the-land techniques over the past 18 months, driven in part by generative attackers using AI to craft commands that blend with normal admin activity.5
Identity-based attacks. Attackers steal credentials through phishing, credential stuffing, or purchasing them on dark web marketplaces. From there they log in through the front door with a valid username and password. Your antivirus does not stop someone who has the correct login. Verizon’s data shows that compromised credentials were involved in 22% of breaches studied, and that credential theft remains the most common starting point for lateral movement inside a network.3
Supply chain compromise. Instead of attacking you directly, threat actors compromise a vendor or software provider you trust. The MOVEit breach in 2023 exposed data from over 2,700 organizations because of a single vulnerability in a widely-used file transfer tool. No antivirus on the downstream side could have caught that. The attack came from inside a trusted application. The same pattern played out in the 2020 SolarWinds breach, where attackers compromised the software build process itself and gained access to thousands of downstream clients before anyone detected it.
Insider threats. Not every danger comes from outside. Disgruntled employees, careless staff, or contractors with excessive access can do damage that signature-based detection was never designed to prevent. IBM’s research indicates that breaches involving insiders took an average of 292 days to identify and contain, far longer than the average breach lifecycle.4
What Competent Providers Do Instead
Antivirus still has a role in a layered security approach. It catches known threats that have not been updated against. It is one layer among many. But if your IT provider is still pointing to your antivirus subscription as the primary evidence that you are protected, that is worth pushing back on.
A competent provider should have these pieces in place beyond signature-based antivirus.
- Endpoint Detection and Response (EDR). Instead of matching file signatures, EDR monitors endpoint behavior in real time. It looks for the patterns that indicate compromise, such as a Word document suddenly spawning a PowerShell script that starts encrypting files. Products in this space include CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint.
- 24/7 Security Operations Center (SOC). EDR is only as good as the people watching the alerts. Managed Detection and Response (MDR) services provide around-the-clock monitoring by security analysts who can investigate, contain, and respond to threats while you sleep.
- Network-level monitoring. Firewalls and DNS filtering stop threats before they reach the endpoint. DNS-layer security alone can block connections to known malicious domains before a download ever starts.
- Identity and access management. Multi-factor authentication, conditional access policies, and regular access reviews address the credential theft problem that antivirus cannot touch.
- User awareness training. Since most attacks start with a phishing email, trained users serve as a frontline defense. Regular simulated phishing campaigns give your provider data on who needs additional coaching.
The National Institute of Standards and Technology published its NIST CSF 2.0 guidance in February 2024, shifting the emphasis toward continuous monitoring and real-time detection as core functions. The old model of installing antivirus and checking the logs once a month does not meet the current standard.6
Questions Worth Asking Your Provider
You should not need to understand the technical differences between signature detection and behavioral analytics. What you need is confidence that your IT provider has moved past the antivirus-only model. Here is how to evaluate that.
Ask what endpoint protection they use and whether it includes behavioral detection or only signature matching. The answer tells you where they stand. If they name a product and it is a legacy antivirus vendor that has rebranded without real EDR capability, that flags a gap worth investigating.
Ask about monitoring hours and response time. When did their team last detect and stop a threat that traditional antivirus missed? A provider with a real security operation will have documented examples. If they cannot give you one, they may not be catching anything you would not catch on your own.
Check whether they conduct security assessments on a regular basis. A competent provider tests your environment independently, recognizes gaps, and recommends improvements without waiting for an incident to reveal the weakness.
Ask who handles your security after hours. The reality is that many serious attacks occur overnight and on weekends when offices are empty and IT teams are off the clock. Ransomware operators specifically time their deployments for Friday evening and Saturday morning for this exact reason. If your provider only covers security operations from Monday to Friday, 8 to 5, you are unmonitored for the 117 remaining hours each week. The average dwell time for a threat actor inside a compromised network before detection is 10 days, according to Sophos incident response data.7
Ask about their own internal security. If the MSP protecting you has suffered a breach, they should be transparent about it. The ConnectWise ScreenConnect incident in February 2024 is a case study in what can go wrong: a trusted tool used by thousands of MSPs was compromised, and every client of every affected MSP was exposed. The attackers did not break in through the door. They used the key that had already been handed out.8
Where This Leaves You
Antivirus software is not worthless. It is incomplete. The threats facing a company in 2026 do not behave like the threats of 2015, but many IT providers are still selling and managing security the same way they did ten years ago.
If your provider still treats antivirus as the cornerstone of your security posture, it is time for a direct conversation. Ask them what they use for endpoint detection, who monitors it after hours, and what their measured response time is for a confirmed threat. If those answers are vague or missing, your front door may look locked while the windows are wide open.
Sources
1 CrowdStrike, “What is Malware? Types of Malware Explained,” crowdstrike.com.
2 AV-TEST Institute, “Malware Statistics and Trends,” av-test.org.
3 Verizon, “2025 Data Breach Investigations Report (DBIR),” verizon.com.
4 IBM, “Cost of a Data Breach Report 2025,” ibm.com.
5 SentinelOne, “Labs Research: Living-off-the-Land Attack Trends,” sentinelone.com.
6 National Institute of Standards and Technology, “NIST Cybersecurity Guidance (CSF 2.0),” nist.gov.
7 Sophos, “The State of Ransomware 2025,” sophos.com.
8 CISA, “Cybersecurity Advisory AA24-060a: Threat Actors Exploit ConnectWise ScreenConnect,” cisa.gov.
About Brent Lacy: Brent Lacy has been in the IT industry since 1997. He moved into the managed services world around 2015 and was doing vCIO work before the title even existed. He writes about the operational discipline, trust-based relationships, and strategic thinking that separate MSPs built to last from those built to bill. He is the author of Rewired MSP: Mastery, Scalability and Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business Security.