General security

In software, many vulnerabilities are due to bugs that allow remote code execution or privilege escalation. One of the worst threats built on such bugs is the advanced persistent threat (APT). An APT occurs when an attacker gains access to a network, installs software on one or more systems, and then uses that software to retrieve data from the network, such as passwords, financial information, and so on. While most APTs attempt to hide their activity, ransomware and hardware attacks are notable for being very loud and proud in announcing that they are on the network.

The systems that are infected first are often not the end targets; they are simply the most accessible. However, these infected systems act as pivot points to greater prizes within the network. For example, a developer's computer, connected to the internet as well as internal networks, may provide direct access for an attacker to get into production systems. As many low-grade systems as possible may be infected, just to make complete eradication more difficult.

The biggest problem with detecting such malware is an inability to see exactly what is happening to systems on the network. While most systems have logging capabilities, capturing everything overloads system administrators with data, leaving them to find the needles in a progressively larger haystack. In addition, logs take up space very quickly, and there is only so much space that can be allocated to log files.

Not only that, but logs are frequently filtered to display only errors and similar problems, not minor discrepancies. A properly written APT program shouldn't be causing such errors, so its activity wouldn't be detected by a normal log review. One way malware avoids causing errors is to use the tools that are already installed on the target system, so its use of them is hidden within the normal, expected traffic.
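As an added illustration (not from the book) of why an errors-only log review misses this kind of activity, the Python below compares two reviews of the same constructed process-creation log lines: keeping only ERROR-level entries, versus comparing each event against a baseline of what each account normally runs on each host. The log format, host names and account names are invented for the example.

```python
"""Severity filtering vs. baseline comparison over process-creation logs.

Constructed format: "<time> <host> <user> <level> <detail>", where detail is
"proc=<name>" for a process start or free text for other messages.
"""

# Constructed baseline from a trusted window: a developer works on her
# workstation, and a service account runs the nightly dump on production.
BASELINE_LOGS = """\
2024-03-01T09:02:11 dev-ws01 alice INFO proc=code.exe
2024-03-01T09:05:40 dev-ws01 alice INFO proc=git.exe
2024-03-01T11:40:59 dev-ws01 alice INFO proc=ssh.exe
2024-03-01T23:00:03 db-prod1 svc_backup INFO proc=pg_dump
"""

# Constructed review window: the only ERROR is a benign disk message, while
# the developer account quietly runs the installed tools on a production host.
REVIEW_LOGS = """\
2024-03-02T09:01:15 dev-ws01 alice INFO proc=code.exe
2024-03-02T09:03:27 dev-ws01 alice INFO proc=git.exe
2024-03-02T14:10:09 db-prod1 svc_backup ERROR disk=/var/backups full
2024-03-02T22:17:30 db-prod1 alice INFO proc=pg_dump
2024-03-02T22:19:05 db-prod1 alice INFO proc=scp
"""

def parse(text):
    """Split each line into a dict; proc is None for non-process messages."""
    events = []
    for line in text.splitlines():
        ts, host, user, level, detail = line.split(" ", 4)
        proc = detail[len("proc="):] if detail.startswith("proc=") else None
        events.append({"ts": ts, "host": host, "user": user,
                       "level": level, "proc": proc})
    return events

def errors_only(events):
    """The usual review: keep only ERROR-level lines."""
    return [e for e in events if e["level"] == "ERROR"]

def build_profile(events):
    """(host, user, proc) triples seen in the trusted baseline window."""
    return {(e["host"], e["user"], e["proc"]) for e in events if e["proc"]}

def first_seen(events, profile):
    """Process starts whose (host, user, proc) triple is absent from the
    baseline. The triple matters: pg_dump on db-prod1 is normal for
    svc_backup, but not for a developer account at 22:17."""
    return [e for e in events
            if e["proc"] and (e["host"], e["user"], e["proc"]) not in profile]

if __name__ == "__main__":
    review = parse(REVIEW_LOGS)
    print("errors only:", [(e["host"], e["level"]) for e in errors_only(review)])
    profile = build_profile(parse(BASELINE_LOGS))
    print("first seen:", [(e["host"], e["user"], e["proc"])
                          for e in first_seen(review, profile)])
```

The errors-only pass surfaces a single full-disk message and nothing else; the baseline comparison flags the two production process starts, both of which were logged at INFO level.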
