
Malware keeps evolving. Your defenses can’t afford to stand still.
Stairwell Founder & CTO Mike Wiacek reveals why legacy tools are missing thousands of malware variants hiding in plain sight. He unpacks how behavior-based detection falls short, why unseen variants pose the greatest danger, and how treating malware like searchable data flips the advantage back to defenders.
The message is clear: continuous, variant-aware detection is the difference between being blindsided and staying ahead.
Because they’re stuck looking in the rearview mirror. Most tools focus on behavior, but malware can shift its behavior depending on the environment. Stuxnet, for example, only activated on systems with specialized hardware. You could have had it on your machine without seeing anything malicious until it was too late. Behavioral detection is useful, but it’s only one piece of the puzzle. I’d rather spot cancerous cells before you feel sick—when treatment is easier—than bet everything on recovering after the illness takes hold.
A variant is just the same bad stuff wearing a different outfit. The core behavior is still there. It’s still doing malicious things, but it looks different enough that traditional tools don’t recognize it. They may be searching for an exact match or a file that shares a specific sequence of bytes. Variant Discovery works differently; it compares thousands of features across a file, and only a handful need to overlap to flag a relationship. Think of it like DNA: all humans share a percentage in common, but the real question is how much overlap is needed to identify siblings versus just proving someone is human.
It is huge. For every piece of malware you think you caught, there is another one and a half hiding that you probably missed. And those missed variants are not sitting quietly. They are working toward the attacker’s goals. This is not a theory. This is live code hiding in your systems.
The other factor is time. Variant 1 lands on one machine, then morphs into Variant 2 and spreads. Your legacy tools might eventually spot it on the second machine, but by then the first is already compromised. You have already lost ground.
Variant Discovery changes the game. It looks across the entire history of every file in your environment. Suddenly, the invisible becomes visible. You get coverage that was once unimaginable. That is the difference between fighting blind and fighting with the lights on.
Don’t treat threat reports like they’re the final word. Use them for what they are: a good starting point. The real value is in figuring out what else is out there that wasn’t mentioned. Variant-aware detection, reanalyzing your files, going beyond what’s already published. That’s where the big wins are. Static IOCs are fine, but they are representative samples, not exhaustive catalogs.
It means you can actually ask questions about your environment and get real answers in seconds. Like, have we seen this malware before? How many machines have seen that file? Where is this vulnerable file in my environment? Are there any other files related to this malware campaign? Or, is there anything else like this hiding in our files? You don’t have to wait for a threat feed update or chase down logs for hours. You just search, and Stairwell shows you everything connected to that threat, including the stuff no one told you about. It’s like having Google search for your malware problems.
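To make the two ideas above concrete (feature overlap flagging a variant that an exact hash lookup misses, and asking "where else is something like this?" across an inventory of hosts), here is an added, constructed Python example. It is not Stairwell's Variant Discovery code and does not reproduce its feature set; the byte n-grams and printable strings used as features, the Jaccard threshold of 0.2, the toy file bytes, the host names and the `FileIndex` class are all assumptions made up for illustration. The "baseline" step models the DNA analogy from the interview: overlap that every file has (here, a shared header) should not count as kinship.

```python
"""Constructed illustration (not Stairwell's own Variant Discovery code) of why an
exact-match lookup misses a repacked variant while feature overlap still links it,
and how an inventory can be queried by relationship. All samples are made-up bytes."""
import hashlib
import re
from typing import List, Set, Tuple

Feature = Tuple[str, bytes]

# --- constructed samples (assumptions, not real malware) -------------------
HEADER = b"MZ" + b"\x00" * 8                    # toy "file header" shared by every sample
ORIGINAL = (HEADER
            + b"beacon_interval=300\x00"
            + b"staging_dir=C:\\ProgramData\\cache\x00"
            + b"upload_host=example.invalid\x00"
            + bytes(range(0, 64)))              # filler standing in for one build's code bytes
# Same configuration strings, reordered, different filler: the "same bad stuff in a new outfit".
VARIANT = (HEADER
           + bytes(range(128, 192))
           + b"upload_host=example.invalid\x00"
           + b"beacon_interval=300\x00"
           + b"staging_dir=C:\\ProgramData\\cache\x00")
UNRELATED = HEADER + b"Hello, this is a harmless notepad clone\x00" + bytes(range(200, 256))
BENIGN_BASELINE = HEADER + b"Harmless calculator utility\x00"   # stands in for a clean corpus


def exact_match(a: bytes, b: bytes) -> bool:
    """Hash-based matching: only a byte-identical file matches."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Overlapping byte n-grams, one cheap structural feature family."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def printable_strings(data: bytes, min_len: int = 5) -> Set[bytes]:
    """Printable ASCII runs, similar to what the `strings` tool reports."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def extract_features(data: bytes) -> Set[Feature]:
    """Tag each feature with its family so n-grams and strings never collide."""
    return ({("ngram", g) for g in byte_ngrams(data)}
            | {("string", s) for s in printable_strings(data)})


def jaccard(a: Set[Feature], b: Set[Feature]) -> float:
    """Fraction of the combined feature set that both files share."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity(x: bytes, y: bytes, baseline: Set[Feature] = frozenset()) -> float:
    """Compare two files on features that are NOT common to every file.

    Dropping baseline features (here: the shared header) is the 'siblings versus
    merely human' step: overlap that all files have must not count as kinship."""
    return jaccard(extract_features(x) - baseline, extract_features(y) - baseline)


def is_related(x: bytes, y: bytes, baseline: Set[Feature] = frozenset(),
               threshold: float = 0.2) -> bool:
    """Flag a relationship when enough features overlap, regardless of the hash."""
    return similarity(x, y, baseline) >= threshold


class FileIndex:
    """Toy inventory of files seen per host, queried by relationship rather than by hash."""

    def __init__(self, baseline: Set[Feature]):
        self.baseline = baseline
        self.entries: List[Tuple[str, str, Set[Feature]]] = []   # (host, path, features)

    def add(self, host: str, path: str, data: bytes) -> None:
        self.entries.append((host, path, extract_features(data) - self.baseline))

    def hosts_with_related(self, reference: bytes, threshold: float = 0.2) -> List[str]:
        """Answer 'which machines hold something like this file?' in one pass."""
        ref = extract_features(reference) - self.baseline
        return sorted({host for host, _, feats in self.entries
                       if jaccard(ref, feats) >= threshold})


if __name__ == "__main__":
    common = extract_features(BENIGN_BASELINE)
    for name, candidate in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(f"{name:9s} exact={exact_match(ORIGINAL, candidate)!s:5} "
              f"similarity={similarity(ORIGINAL, candidate, common):.2f} "
              f"related={is_related(ORIGINAL, candidate, common)}")
    index = FileIndex(common)                    # hypothetical hosts, constructed for the demo
    index.add("host-a", "C:\\temp\\svc.exe", ORIGINAL)
    index.add("host-b", "C:\\temp\\upd.exe", VARIANT)
    index.add("host-c", "C:\\tools\\note.exe", UNRELATED)
    print("hosts with a related file:", index.hosts_with_related(ORIGINAL))
```

The hash check fails on the variant even though every configuration string survived the repack, while the feature overlap stays well above the threshold; the unrelated file shares only the header, and once that baseline is subtracted its score collapses. A real system would use many more feature families and a calibrated threshold, but the shape of the query, "show me every file related to this one, on every host", is the same.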
It’s tough to measure what you can’t see. But here’s the reality. It’s all too common to find malware that traditional tools, like EDRs, miss. The longer something goes undetected, the worse the damage. We’ve encountered malware sitting in orgs for months, just quietly waiting to do its thing. That could be exfiltrating data, creating backdoors, whatever. That’s a nightmare for the business. And the scary part? Most teams think they’re clean because they caught the original threat. But if they’re missing the variants, they’re not even close to done.
Keep looking. Don’t just scan once and call it good. Malware evolves. Your defenses should, too. If you’re not continuously reanalyzing what’s in your environment, you’re leaving the door open. The one thing I’d push every org to do is stop thinking of detection as a one-time event. Make it an ongoing process. That’s how you actually get ahead of attackers.
Download the full report here.
Mike Wiacek is the CTO of Stairwell, which he founded in 2019. Prior to Stairwell, he founded Google’s Threat Analysis Group and was Co-founder and Chief Security Officer of Alphabet’s Chronicle. During his 13 years at Google, he worked on Operation Aurora and led the acquisition of VirusTotal. Before that, he worked for the US Government.
Stairwell solves the problem of detecting malware hiding in an enterprise by bringing a signals intelligence approach to gathering data, connecting threat intelligence, malware libraries, and threat report IOCs to the actual files in your enterprise. Unlike log-centric solutions that are easily evaded, require costly and unsustainable storage, and take too long to search, Stairwell finds more malware by continuously analyzing your most important data set: your files. With Stairwell, you have a cost-effective platform that answers any question from your threat intelligence, SOC analysts, and incident response experts in seconds. Stairwell is a search engine for malware and vulnerable or non-compliant files within your enterprise.
Stairwell was founded by Mike Wiacek, the founder of both Google Threat Analysis Group and Alphabet’s Chronicle, and is backed by Sequoia, Accel, and s32. With enterprise customers from financial services, healthcare, fintech, AI, media, and gaming, Stairwell brings the ease, scale, and speed of web search to modern security.
Learn more at stairwell.com