Attack Progression Analysis

This section displays comparative line graphs for four attack phases that precede command-and-control communication.

The graphs provide the following information:

  • How suspicious event counts from the last 14 days compare to your organization's baseline

  • Notable short-term or persistent changes to suspicious event counts (in the form of spikes or steps)



Elevated suspicious event counts in Initial Access and/or Persistence

Attackers are attempting to gain or maintain their foothold on your network. If successful, they may steal account credentials and access remote systems.

Elevated suspicious event counts in Credential Access and/or Lateral Movement

Data exfiltration or some form of system impact may soon occur. Attackers may interrupt, manipulate, steal, or destroy your critical assets.

Negligible suspicious event counts in any attack phase

The numbers are lower than the baseline for your organization and therefore do not require your attention.


Graphs are based on Smart Protection Network data that was scanned within a specific period. The data may change when any of the following events occurs.

  • You connected more management servers to Trend Micro Vision One and enabled the required security features.
  • You installed and enabled XDR sensors.

  • Trend Micro added indicators or attack campaigns to the scan scope.

To detect more suspicious events, enable the recommended security features on all endpoints.