Why Low-And-Slow Attacks Look Normal
- Jul 01, 2026
- Heidi Willbanks
- 3 minutes to read
Low-and-slow attacks look normal because they are deliberately broken into small, permissible actions that each stay below detection thresholds. Each step appears legitimate on its own, so detection systems that score events one at a time never see the overall progression.
The issue is not that security teams lack telemetry. The issue is that traditional detection often evaluates activity in fragments. When each action stays below a rule or threshold, the broader pattern can remain invisible.
What Makes Gradual Misuse Difficult to Detect
Many detection strategies assume malicious activity shows up as a sudden deviation from normal behavior. That assumption works for some external attacks, but it breaks down when the user already has valid credentials, approved access, and a business reason to interact with sensitive systems.

Insider misuse often develops differently. Access expands gradually and data usage grows in small increments. The user doesn’t need to break the rules to create risk; they only need to change how, when, where, and why legitimate access is used. Actions stay within approved roles and tools, so threshold-based detection has nothing to trigger on, even as behavior shifts. For example, a user may touch a few more sensitive files each week, or download slightly more data each day, while staying within allowed limits.
Why Individual Actions Appear Legitimate
Low-and-slow activity is designed to avoid attention. Each action stays within expected thresholds and doesn’t trigger rules or alerts. This is what makes insider risk different from many external threats. The activity may come from a known user, a managed device, an approved application, and a valid session.
When detection focuses on individual events, this activity looks indistinguishable from routine work. The signal appears only when actions are evaluated in sequence rather than isolation.
This is where behavioral analytics becomes necessary. User and entity behavior analytics (UEBA) evaluates activity in context, including user history, peer behavior, role expectations, timing, and access patterns.
How Behavioral Drift Accumulates Over Time
Insider risk often emerges through behavioral drift rather than violation.
Behavioral drift happens when a user’s activity gradually moves away from their established baseline. The change may be small in isolation, but meaningful when viewed as a sequence.
Without continuity and historical context, detection systems can’t reliably separate gradual misuse from normal variation. Small changes remain below detection thresholds, preventing escalation. Risk often surfaces only after the impact becomes visible.
What Detection Assumptions Allow Low-and-Slow Activity to Persist
Detection logic that prioritizes sudden deviation over progression limits visibility into gradual misuse.
When continuity is missing, systems reset context instead of tracking drift. As a result, repeated low-risk actions remain below prioritization thresholds, even when the pattern they create deserves investigation.
What Security Leaders Should Reevaluate
Security leaders should examine how gradual activity is evaluated by asking:
- How are small changes in behavior tracked over time?
- Which thresholds allow repeated low-risk actions to accumulate?
- Where does detection rely on sudden deviation rather than progression?
- How is behavioral drift identified today?
- Can risk increase as activity accumulates, even when no single action violates a policy or static rule?
- Can analysts see the timeline that explains why the behavior is risky?
These questions help reveal gaps where low-and-slow activity can persist unnoticed.
This is where combining behavioral analytics, dynamic risk scoring, and automated timelines becomes important. Risk is not treated as a single event. It accumulates as behavior changes. Analysts can see how activity developed, why it matters, and where it differs from expected behavior.
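As an added example (not Exabeam's code or product logic), the following Python compares the two evaluation modes described in "Why Individual Actions Appear Legitimate", "How Behavioral Drift Accumulates Over Time" and the paragraph above: a static per-day rule that judges each event in isolation, and a cumulative score (a one-sided CUSUM, a standard change-detection statistic) that tracks drift from the user's own baseline and keeps a timeline of how the score built up. A `reset_every` option models the "reset context instead of tracking drift" failure from the previous section. The daily download counts, the baseline length, the static limit and the CUSUM parameters are all constructed assumptions, not real telemetry or recommended settings.

```python
"""Per-event threshold rule vs. cumulative drift scoring over the same data.

Added example, not Exabeam code. The log is constructed: daily counts of
sensitive-file downloads for one user. Days 1-14 are the baseline; from day 15
the count creeps upward but never reaches the static per-day limit.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional, Tuple

BASELINE_DAYS = 14

# Constructed sample data (not real telemetry): one download count per day.
DAILY_DOWNLOADS = [
    12, 8, 15, 10, 9, 14, 7, 11, 13, 10, 8, 16, 9, 12,               # baseline, mean 11
    13, 12, 14, 14, 15, 16, 15, 17, 18, 17, 19, 20, 21, 20, 22, 23,  # slow ramp
]

# A static per-day rule, set loosely so it does not page on ordinary noise.
STATIC_LIMIT = 30


def static_rule_alerts(counts: List[int], limit: int = STATIC_LIMIT) -> List[int]:
    """Fragmented evaluation: each day is judged on its own. Returns alert days."""
    return [day for day, c in enumerate(counts, start=1) if c > limit]


@dataclass
class DriftResult:
    mu: float                # baseline mean
    sigma: float             # baseline standard deviation
    h: float                 # decision threshold on the accumulated score
    alert_day: Optional[int]
    # (day, count, contribution, running score): the timeline an analyst sees
    timeline: List[Tuple[int, int, float, float]] = field(default_factory=list)


def cusum_drift(counts, baseline_days=BASELINE_DAYS, k_sigma=0.5, h_sigma=5.0,
                reset_every=None) -> DriftResult:
    """One-sided CUSUM: add up small positive deviations from the user's own
    baseline and alert once the running sum crosses h. Days at or below the
    baseline pull the sum back toward zero, so normal variation does not build
    up. k_sigma=0.5 and h_sigma=5 are textbook defaults, not tuned values.
    reset_every models detection logic that discards context every N days
    instead of keeping continuity."""
    base = counts[:baseline_days]
    mu, sigma = mean(base), max(pstdev(base), 1e-9)
    k, h = k_sigma * sigma, h_sigma * sigma      # slack band and decision limit
    result = DriftResult(mu=mu, sigma=sigma, h=h, alert_day=None)
    score = 0.0
    for i, c in enumerate(counts[baseline_days:]):
        day = baseline_days + 1 + i
        if reset_every and i % reset_every == 0:
            score = 0.0                          # context reset: history forgotten
        contribution = c - mu - k                # positive only above the slack band
        score = max(0.0, score + contribution)
        result.timeline.append((day, c, round(contribution, 2), round(score, 2)))
        if score > h:
            result.alert_day = day
            break
    return result


if __name__ == "__main__":
    print("static rule alerts:", static_rule_alerts(DAILY_DOWNLOADS))
    drift = cusum_drift(DAILY_DOWNLOADS)
    print(f"baseline mean {drift.mu:.1f}, sigma {drift.sigma:.2f}, h {drift.h:.2f}")
    for day, count, contribution, score in drift.timeline:
        flag = "  <- drift alert" if day == drift.alert_day else ""
        print(f"day {day:2d}: {count:2d} downloads  {contribution:+6.2f}"
              f"  score {score:6.2f}{flag}")
    reset = cusum_drift(DAILY_DOWNLOADS, reset_every=7)
    print("with weekly context reset, alert day:", reset.alert_day)
```

Run as a script, the static rule never fires because no day exceeds 30, while the drift score crosses its threshold on day 22, when the user downloaded 17 files, well under the rule; the printed timeline is the explanation an analyst would need. With context reset every seven days the alert slips to day 24 and the timeline starts from the reset, so the earlier build-up is lost. The same logic applies to weekly sensitive-file access counts or after-hours session counts; only the input series changes.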
This same issue becomes more important in the agentic enterprise. AI agents can perform small, authorized actions across applications, repositories, APIs, and data sources. Each action remains individually acceptable. Agent Behavior Analytics extends behavioral context to autonomous activity so teams can identify drift before it becomes impact.
See the Full Framework
This pattern reflects another shift in how insider risk develops.
The guide, Six Shifts in Insider Risk for the Agentic Enterprise, explains why identifying gradual activity requires behavioral context over time to surface risk earlier.
Heidi Willbanks | Senior Product Marketing Manager, Content | Exabeam | Heidi Willbanks leads content strategy and go-to-market execution at Exabeam, focusing on product launches, cybersecurity solutions marketing, and technical alliances. She has 20+ years of marketing experience, including over a decade in information security and data privacy, and holds a Level IV certification from Pragmatic Institute. Heidi specializes in creating clear, technically accurate content for security practitioners and decision-makers.