Large enterprises face a cybersecurity mismatch: rising AI-powered attacks and Advanced Persistent Threats (APTs) outpace understaffed teams. Fragmented tools create visibility gaps and alert fatigue. To build resilience, organisations should consolidate platforms, automate responses and embed AI-driven detection, shifting from reactive firefighting to intelligence-led protection at scale.
In the space of a few short years, the cybersecurity environment at large enterprises has evolved dramatically. Hybrid workforces, multi-cloud architectures, AI-driven operations and complex third-party supply chains have expanded the attack surface beyond what traditional security models were designed to protect. Meanwhile, the threat actors targeting these environments have grown more capable, more organised and more persistent. The result is a structural mismatch: the scale and sophistication of threats are outpacing the capacity of many security teams to detect, investigate and respond effectively.
For security leaders the challenge is managing the intersection of accelerating threats, workforce constraints and fragmented security architectures, all while justifying investment to the board and maintaining operational resilience. Three interconnected challenges define this landscape today.
Challenge 1: Rising volume and speed of attacks
The pace of modern cyberattacks is straining enterprise security operations. Threat actors are moving faster from initial compromise to lateral movement to data exfiltration, and the window available to detect and contain an incident is shrinking.
APTs remain the most consequential risk for large organisations. These groups, well-funded, disciplined and operating with nation-state backing or organised criminal infrastructure, were detected in 21% of customers in 2025 and accounted for 23% of all high-severity incidents, according to a Global Report by Kaspersky Security Services.
What makes APTs particularly dangerous is their operational discipline. Rather than relying on a single exploit, these actors combine credential theft, living-off-the-land techniques, lateral movement and stealthy persistence to remain undetected for extended periods.
What security teams should focus on:
- Establish real-time endpoint visibility to detect anomalous behaviour and early indicators of compromise
- Correlate telemetry across endpoints, identity, email and cloud to uncover multi-stage and lateral attacks
- Automate triage and containment to reduce dwell time
- Embed proactive threat hunting to identify stealthy persistence and advanced adversary activity
- Accelerate critical response times with pre-built response scenarios that can be launched in a single click
The goal is to shift security operations from reactive firefighting to sustained, intelligence-driven defence where threats are identified early, contained swiftly and investigated with sufficient context to prevent recurrence.
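The cross-domain correlation and automated triage the list above calls for, shown as an added example that is not code from this article or from any Kaspersky product: a small Python correlator that groups constructed email, endpoint and identity events by user and host, looks for an ordered three-stage chain (attachment delivered, Office spawning PowerShell, remote logon) inside a time window, and maps the result to playbook actions. The event schema, the sample events, the stage definitions, the one-hour window and the containment actions are all assumptions chosen for illustration.

```python
"""Cross-domain correlation over constructed sample telemetry.

Added example for this article; not code from the page or from any
Kaspersky product. Event fields, values and the attack chain are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources: email gateway, endpoint (EDR)
# and identity (domain controller logon audit). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # alice / WS-011: full chain - phishing attachment, Office spawns PowerShell, remote logon
    {"ts": "2025-03-10T09:00:00", "source": "email", "user": "alice", "host": "WS-011",
     "action": "attachment_delivered", "detail": "invoice.pdf.lnk"},
    {"ts": "2025-03-10T09:04:30", "source": "endpoint", "user": "alice", "host": "WS-011",
     "action": "process_start", "detail": "winword.exe -> powershell.exe -w hidden"},
    {"ts": "2025-03-10T09:20:10", "source": "identity", "user": "alice", "host": "WS-011",
     "action": "logon_remote", "detail": "target=FS-02 logon_type=3"},
    # carol / WS-023: attachment and execution only (no lateral movement yet)
    {"ts": "2025-03-10T10:00:00", "source": "email", "user": "carol", "host": "WS-023",
     "action": "attachment_delivered", "detail": "quote.docm"},
    {"ts": "2025-03-10T10:02:30", "source": "endpoint", "user": "carol", "host": "WS-023",
     "action": "process_start", "detail": "winword.exe -> powershell.exe -enc"},
    # bob / WS-042: benign activity that resembles stages 2 and 3 in isolation
    {"ts": "2025-03-10T09:05:00", "source": "endpoint", "user": "bob", "host": "WS-042",
     "action": "process_start", "detail": "explorer.exe -> powershell.exe"},
    {"ts": "2025-03-10T11:00:00", "source": "identity", "user": "bob", "host": "WS-042",
     "action": "logon_remote", "detail": "target=FS-02 logon_type=3"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")

# Ordered stages of the hypothetical chain. Each predicate looks at one event;
# the correlation across sources is done by correlate(), not by the predicates.
STAGES = [
    ("initial_access", lambda e: e["source"] == "email"
        and e["action"] == "attachment_delivered"),
    ("execution", lambda e: e["source"] == "endpoint"
        and e["action"] == "process_start"
        and e["detail"].startswith(OFFICE_PARENTS)
        and "powershell.exe" in e["detail"]),
    ("lateral_movement", lambda e: e["source"] == "identity"
        and e["action"] == "logon_remote"),
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=timedelta(hours=1), min_stages=2):
    """Group events by (user, host) and look for STAGES in order inside `window`.

    Returns one finding per entity: 'high' when every stage is present,
    'medium' when at least `min_stages` are. Single-stage matches are dropped,
    which keeps bob's lone PowerShell launch out of the analyst queue.
    """
    by_entity = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_entity[(e["user"], e["host"])].append(e)

    findings = []
    for (user, host), evs in by_entity.items():
        best = []
        for i, start in enumerate(evs):
            if not STAGES[0][1](start):
                continue
            deadline = _ts(start) + window
            chain = [(STAGES[0][0], start)]
            for e in evs[i + 1:]:
                if len(chain) == len(STAGES) or _ts(e) > deadline:
                    break
                stage_name, pred = STAGES[len(chain)]
                if pred(e):
                    chain.append((stage_name, e))
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            dwell = (_ts(best[-1][1]) - _ts(best[0][1])).total_seconds() / 60
            findings.append({
                "user": user, "host": host,
                "severity": "high" if len(best) == len(STAGES) else "medium",
                "stages": [name for name, _ in best],
                "dwell_minutes": round(dwell, 1),
            })
    # Highest severity first, then longest dwell: the order an analyst queue should use.
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["dwell_minutes"]))


def containment_actions(finding):
    """Map a finding to pre-agreed containment steps (hypothetical playbook)."""
    actions = ["open_case", "collect_triage_package"]
    if finding["severity"] == "high":
        actions += [f"isolate_host:{finding['host']}", f"disable_account:{finding['user']}"]
    return actions


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["user"], f["host"], f["stages"],
              f["dwell_minutes"], containment_actions(f))
```

Two points worth noting. First, the benign PowerShell launch and the benign remote logon on bob's workstation each look like a stage on their own, but neither is escalated because nothing ties them to an earlier stage; this is the practical payoff of correlating across sources rather than alerting per tool. Second, the window is a tuning decision: narrowing it to ten minutes downgrades alice's chain to medium because the remote logon falls outside it, so a window that is too short misses slow, patient adversaries while one that is too long inflates false chains on busy hosts.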
Challenge 2: Defending against AI-powered threats amid talent shortages
AI enables attackers to automate reconnaissance, generate convincing phishing content at scale and adapt techniques in real time, making campaigns faster to execute and harder to detect. Kaspersky research into the RevengeHotels campaign illustrates the trend: threat actors leveraged AI-generated code to enhance malware development and delivery, improving both the effectiveness of phishing lures and the evasiveness of payloads, reflecting a broader shift in how sophisticated adversaries operate.
At the same time, enterprises face a persistent shortage of qualified cybersecurity professionals. The global cybersecurity workforce gap runs into the millions, and 41% of information security professionals report that their organisations are somewhat or significantly understaffed. Security operations centres are absorbing growing alert volumes with teams that are not growing at the same rate. Burnout and high turnover compound the problem. The strategic response is not simply to hire more analysts: hiring pipelines cannot keep pace with demand.
Instead, organisations need to embed AI-assisted automation directly into security workflows: automating alert triage, accelerating investigation through contextual summarisation, standardising response through pre-built playbooks and enabling smaller teams to operate with the effectiveness of larger ones. Consolidating tooling further reduces the cognitive load on analysts who currently switch between multiple dashboards to reconstruct a single incident timeline.
Challenge 3: Tool sprawl is causing drag and weakening visibility
Enterprise security stacks have grown organically over years, with solutions added in response to specific threats or compliance requirements. The result, in many organisations, is a fragmented architecture with dozens of standalone tools across endpoints, networks, cloud environments, identity and data protection, each generating alerts, each requiring management and each operating largely in isolation.
The operational consequences are significant. Security teams spend substantial time integrating tools, reconciling telemetry and switching between consoles to piece together the scope of an incident. Alert fatigue sets in. Investigation timelines lengthen. Skilled analysts, already scarce, are absorbed by manual correlation tasks rather than focused on proactive risk reduction. Over half of security experts globally report feeling overwhelmed by managing cybersecurity tools from multiple vendors.
The business consequences are equally problematic. Fragmented stacks create visibility gaps at the endpoint level, still the primary entry point for attacks on enterprise networks, and make it difficult to demonstrate measurable security ROI to the board. Total cost of ownership extends far beyond licence fees: integration complexity, infrastructure requirements and ongoing tuning can multiply the initial investment by three to five times.
Addressing tool sprawl requires deliberate consolidation. Organisations should:
- Consolidate overlapping tools into integrated EDR and XDR platforms
- Centralise telemetry collection and incident management to close visibility gaps
- Automate correlation and response workflows to reduce manual effort and context switching
- Implement pre-defined investigation workflows and response playbooks to enforce consistent handling
- Align tooling decisions to measurable operational outcomes and demonstrable ROI
The objectives are cost reduction and operational clarity. A unified security operations foundation turns tool reduction into stronger visibility, faster response and sustainable efficiency that scales without requiring proportional increases in headcount or infrastructure.
Building resilience at scale
The challenges of accelerating attack volume, AI-enabled adversary activity and the operational drag of fragmented security architectures do not exist in isolation, and addressing any one of them on its own is no longer sufficient. Solutions from the Kaspersky Next Expert product line are designed to address these challenges directly, providing continuous AI-driven protection, detection and response across endpoints and beyond, real-time cross-domain correlation, and a unified management platform that reduces tool fragmentation and lowers total cost of ownership.
Enterprises can discover how to improve their security posture through Kaspersky’s expert guidance customised to fit their specific environment.