Kaspersky Strengthens Its NDR with KATA 8.0: Improved Visibility, Less Noise, and Faster Response to Sophisticated Attacks

Cybersecurity is going through a delicate phase: the traditional perimeter has become blurry, companies are increasingly reliant on cloud services and SaaS, and the actual inventory of assets exposed to the internet changes almost daily. In this context, Kaspersky has announced a major update to Kaspersky Anti Targeted Attack 8.0 (KATA 8.0), aimed at improving traffic observability, detecting advanced threats more accurately and early, and speeding up investigations through tighter integrations within its own ecosystem—and with third-party solutions.

The core message is clear: defense no longer relies solely on blocking, but on seeing, interpreting, and acting promptly. And that window is shrinking. As attack surfaces expand due to diversified providers, outsourcing, shadow IT, and legacy systems, security teams may find themselves blind at the very moment attackers seek advantage: untracked assets, forgotten configurations, exposed services, and data flows that no one is continuously monitoring.

Protocol Anomaly Detection: Spotting Deviations Where It Matters Most

One significant change in KATA 8.0 is the addition of anomaly detection focused on protocols often targeted in intrusions: DNS, HTTP, and Kerberos, among others. This isn’t about “inspecting everything,” but about identifying specific deviations in each protocol, considering the context and usage patterns within the organization.

This approach addresses a common issue faced by many monitoring platforms: alert overload. The promise here is to enhance precision and reduce false positives by concentrating on anomalous behaviors that, in practice, tend to correlate with malicious activity (lateral movement, persistence, credential abuse, covert communications).
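As an added illustration of the idea in the two paragraphs above (this is not KATA code and says nothing about how Kaspersky's engine is built), the following Python builds a per-client usage profile from constructed DNS log records and flags only clients that deviate from the fleet's own baseline. The records, IP addresses, domain names and thresholds are all assumptions chosen for the example.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed DNS query records as a network sensor might log them:
# (client_ip, queried_name, response_code). Not real telemetry.
SAMPLE_DNS = [
    ("10.0.1.5", "mail.example-corp.local", "NOERROR"),
    ("10.0.1.5", "sharepoint.example-corp.local", "NOERROR"),
    ("10.0.1.5", "cdn.example.com", "NOERROR"),
    ("10.0.1.5", "updates.example.com", "NOERROR"),
    ("10.0.1.7", "intranet.example-corp.local", "NOERROR"),
    ("10.0.1.7", "cdn.example.com", "NOERROR"),
    ("10.0.1.7", "login.example-corp.local", "NOERROR"),
    ("10.0.1.8", "sharepoint.example-corp.local", "NOERROR"),
    ("10.0.1.8", "updates.example.com", "NOERROR"),
    ("10.0.1.8", "mail.example-corp.local", "NOERROR"),
    ("10.0.1.9", "intranet.example-corp.local", "NOERROR"),
    # 10.0.1.9 then sends long random-looking labels with frequent NXDOMAIN
    # answers, the shape of DNS tunnelling or DGA beaconing rather than of normal use.
    ("10.0.1.9", "a8f3k2j9x1q7z4m0p5w6.tunnel.example", "NXDOMAIN"),
    ("10.0.1.9", "b7e2l4h8y3r6v1n9t0u5.tunnel.example", "NXDOMAIN"),
    ("10.0.1.9", "c6d1m3g7w2s5x8k4o9i3.tunnel.example", "NOERROR"),
    ("10.0.1.9", "d5c0n2f6v1r4y7j3l8h2.tunnel.example", "NXDOMAIN"),
]

def shannon_entropy(text):
    """Bits per character: random-looking labels score high, words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def first_label(name):
    return name.split(".")[0]

def client_profiles(records):
    """Per-client usage profile: the 'context' the text says detection needs."""
    by_client = defaultdict(list)
    for client, name, rcode in records:
        by_client[client].append((name, rcode))
    profiles = {}
    for client, queries in by_client.items():
        n = len(queries)
        profiles[client] = {
            "queries": n,
            "mean_entropy": sum(shannon_entropy(first_label(q)) for q, _ in queries) / n,
            "nxdomain_ratio": sum(1 for _, rc in queries if rc == "NXDOMAIN") / n,
        }
    return profiles

def find_dns_anomalies(records, entropy_margin=1.0, nxdomain_threshold=0.5, min_queries=3):
    """Flag clients that deviate from the fleet baseline.

    The baseline is the median of all clients' mean label entropy, so an
    organisation whose normal traffic already contains random-looking CDN
    names raises its own bar instead of drowning the SOC in alerts.
    Clients with too few queries are skipped rather than judged on noise.
    """
    profiles = {c: p for c, p in client_profiles(records).items() if p["queries"] >= min_queries}
    if not profiles:
        return {}
    baseline = statistics.median(p["mean_entropy"] for p in profiles.values())
    findings = {}
    for client, p in profiles.items():
        reasons = []
        if p["mean_entropy"] >= baseline + entropy_margin:
            reasons.append(f"label entropy {p['mean_entropy']:.2f} vs fleet baseline {baseline:.2f}")
        if p["nxdomain_ratio"] >= nxdomain_threshold:
            reasons.append(f"NXDOMAIN ratio {p['nxdomain_ratio']:.2f}")
        if reasons:
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    for client, reasons in find_dns_anomalies(SAMPLE_DNS).items():
        print(client, "->", "; ".join(reasons))
```

Only 10.0.1.9 is reported, with both reasons attached, while the three hosts doing ordinary lookups stay silent; a production detector would add per-protocol features of the same kind for HTTP (method and header deviations) and Kerberos (ticket request patterns), which is exactly the protocol-specific context the article refers to.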

Shadow IT Under the Radar: Over 5,000 External Services

Another notable new feature is shadow IT detection, supporting more than 5,000 external services. The goal is to identify the use of unauthorized public services—such as storage or collaboration tools—and regain control over corporate data flows that often escape via operational “shortcuts”: personal accounts, free tools, SaaS applications activated without IT involvement.

From a security standpoint, this isn’t just internal governance; it’s also about preventing data leaks, reducing the risk from accounts without MFA, and gaining visibility over dependencies that could become attack or exfiltration vectors.
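To make the shadow IT idea concrete, here is an added Python example (not KATA's catalogue or logic) that matches observed server names from HTTP Host headers or TLS SNI against a small constructed catalogue of external services, drops the ones IT has sanctioned, and ranks the rest by how much data left the network towards them. The catalogue entries, sanctioned list, users, IP addresses and byte counts are all constructed for the example.

```python
# Constructed stand-in for a catalogue of external services: the key is the
# service's registrable domain (or a specific host), the value its name and category.
SERVICE_CATALOG = {
    "example-drive.net": ("Example Drive", "file storage"),
    "share.example-collab.com": ("Example Collab", "collaboration"),
    "paste.example-tools.org": ("Example Paste", "text sharing"),
    "crm.example-saas.com": ("Example CRM", "business app"),
}
# Services IT has approved; any other catalogued service in use is shadow IT.
SANCTIONED = {"crm.example-saas.com", "share.example-collab.com"}

# Constructed connection summaries as a sensor might emit them:
# (client_ip, user, server_name, bytes_sent_by_client).
SAMPLE_CONNECTIONS = [
    ("10.0.2.11", "alice", "crm.example-saas.com", 12_000),
    ("10.0.2.11", "alice", "files.example-drive.net", 48_000_000),
    ("10.0.2.14", "bob", "share.example-collab.com", 300_000),
    ("10.0.2.14", "bob", "paste.example-tools.org", 20_000),
    ("10.0.2.20", "carol", "www.example-news.com", 5_000),
    ("10.0.2.20", "carol", "api.example-drive.net", 900_000),
]

def match_service(server_name, catalog=SERVICE_CATALOG):
    """Most-specific suffix match, so sub-hosts of a catalogued service are recognised."""
    labels = server_name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in catalog:
            return candidate
    return None

def find_shadow_it(connections, catalog=SERVICE_CATALOG, sanctioned=SANCTIONED):
    """Aggregate unsanctioned catalogued services by users, hosts and outbound volume."""
    findings = {}
    for client_ip, user, server_name, bytes_out in connections:
        key = match_service(server_name, catalog)
        if key is None or key in sanctioned:
            continue  # not a catalogued service, or one IT approved
        name, category = catalog[key]
        entry = findings.setdefault(
            name, {"category": category, "bytes_out": 0, "users": set(), "hosts": set()}
        )
        entry["bytes_out"] += bytes_out
        entry["users"].add(user)
        entry["hosts"].add(client_ip)
    # Largest outbound volume first: that is the channel most worth reviewing for data leakage.
    return dict(sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True))

if __name__ == "__main__":
    for name, f in find_shadow_it(SAMPLE_CONNECTIONS).items():
        print(f"{name:15} {f['category']:14} {f['bytes_out']:>12,} B  users={sorted(f['users'])}")
```

The sanctioned set is what turns a catalogue into governance: the same matcher that spots an unapproved storage service also confirms that the approved CRM is being used, and the per-user and per-host sets tell the SOC whom to follow up with before a "convenient" personal account becomes an exfiltration path.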

Retrospective Analysis with PCAP: Reopening Cases with New Rules

KATA 8.0 introduces the capability for retrospective traffic analysis using PCAP files uploaded by analysts (manually or automatically from other systems). It’s a technical detail with practical implications: when engines, signatures, or rules are updated, traffic that seemed “clean” at the time of an incident might reveal previously unnoticed signals.

This is especially useful in post-incident investigations, forensic audits, and reviews after a sector-wide campaign. Instead of relying solely on real-time telemetry, it allows reanalyzing evidence with the latest intelligence.

Not Just Malicious IoCs: Also Observing “Clean” Traffic

Aligning with this, Kaspersky states that KATA can now collect traffic observables—file names, URLs, and hashes—not only from malicious objects but also from those initially deemed safe. For SOC teams, this expands context: enabling correlation of “normal-looking” activity with suspicious patterns, potentially compromised users, or early intrusion phases that haven’t yet “triggered” malware alerts.

In other words: less reliance on a binary “malicious/non-malicious” verdict and greater capacity to investigate signals.
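The two ideas above, re-running updated rules over stored traffic and keeping observables from traffic that was judged clean at the time, fit together in one added Python example. This is not KATA code; it builds a tiny classic-pcap capture in memory (three DNS queries, constructed), parses it with the standard library only, records every query as an observable regardless of verdict, and then shows what an updated domain rule set finds that the rule set in force at the time of the incident did not. The IP addresses, `.example` domain names and both rule sets are assumptions made for the example.

```python
import socket
import struct

# --- Constructed capture: a minimal classic-pcap file built in memory ---------

def _dns_name(name):
    """Encode a dotted name in DNS wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _dns_query_frame(src_ip, qname, resolver_ip="10.0.0.53"):
    """Ethernet/IPv4/UDP frame carrying a single A query for qname (checksums left zero)."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _dns_name(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(resolver_ip)) + udp
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip  # dst MAC, src MAC, EtherType IPv4

def build_pcap(frames):
    """pcap global header (little-endian, linktype 1 = Ethernet) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    _dns_query_frame("10.0.3.4", "updates.example"),    # clean under both rule sets
    _dns_query_frame("10.0.3.4", "cdn-sync.example"),   # looked clean at the time
    _dns_query_frame("10.0.3.9", "known-bad.example"),  # already known at the time
])

# --- Parsing: every DNS query becomes an observable, clean or not -------------

def _read_qname(dns, pos=12):
    labels = []
    while dns[pos] != 0:
        length = dns[pos]
        if length & 0xC0:  # compression pointers do not occur in a query's question section
            raise ValueError("unexpected compression pointer")
        labels.append(dns[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def _dns_query_from_frame(frame):
    """Return (src_ip, qname) for an IPv4/UDP frame to port 53, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:  # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != 53:
        return None
    return socket.inet_ntoa(ip[12:16]), _read_qname(udp[8:])

def extract_observables(pcap):
    """All DNS queries in the capture as (timestamp, src_ip, qname): the observable store."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    observables, offset = [], 24
    while offset + 16 <= len(pcap):
        ts, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        query = _dns_query_from_frame(pcap[offset:offset + incl_len])
        offset += incl_len
        if query:
            observables.append((ts, *query))
    return observables

# --- Retrospective analysis: old rules versus updated rules -------------------

RULES_AT_INCIDENT = {"known-bad.example"}                 # constructed: what was known then
RULES_UPDATED = RULES_AT_INCIDENT | {"cdn-sync.example"}  # constructed: later attribution

def _matches(qname, domains):
    labels = qname.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def reanalyze(pcap, domains):
    """Re-run a domain rule set over stored traffic; returns the set of (src_ip, qname) hits."""
    return {(src, q) for _, src, q in extract_observables(pcap) if _matches(q, domains)}

def retrospective_delta(pcap, old_domains, new_domains):
    """What the updated rules surface that the verdicts at the time missed."""
    return reanalyze(pcap, new_domains) - reanalyze(pcap, old_domains)

if __name__ == "__main__":
    print("new hits:", retrospective_delta(SAMPLE_PCAP, RULES_AT_INCIDENT, RULES_UPDATED))
```

The point the article makes is visible in the last call: the query from 10.0.3.4 to cdn-sync.example produced no alert when it was captured, but because the query was kept as an observable rather than discarded as clean, the updated rule set can attribute it later and the host becomes a lead for the investigation.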

Integrations: From Email to Endpoint and Firewall, with Less Friction

Beyond detection, KATA 8.0 emphasizes better integration for investigation and response:

  • Email: integration with Kaspersky Security for Mail Server (KSMS) to dynamically scan password-protected email attachments in sandbox environments. Enriched alerts also show actions taken by KSMS (block, delete, etc.).
  • MDR: for organizations with Managed Detection and Response, KATA 8.0 acts as a network sensor, sending telemetry to the MDR cloud. MDR analysts can request additional context directly from the interface, streamlining investigations without back-and-forth with the client.
  • Endpoint: support for automatically sending suspicious files from Kaspersky Endpoint Security (KES) to the KATA Sandbox, enhancing analysis of detected suspicious files on endpoints.
  • Network Response: new connectors with Check Point NGFW enable generating threat-based blocking rules and applying them almost in real-time on firewalls.

This last element is especially crucial in high-pressure environments: detection is vital, but containing threats quickly is what minimizes impact. Automating blocks while maintaining traceability helps close the gap between detection and mitigation.

The Path to a Unified Console: OSMP on the Horizon

Kaspersky also indicates that as part of its long-term strategy, future versions will migrate KATA to the Open Single Management Platform (OSMP). This will enable smoother integration with proprietary and third-party solutions from a single web interface, covering NDR, EDR, SIEM, XDR, and more.

Ilya Markelov, head of the unified platform product line at Kaspersky, frames this update in terms of enhanced visibility and proactive capacity, highlighting how combining advanced analytics and integrations will lead to more reliable response decisions.
Frequently Asked Questions

What is NDR, and why is it key in 2026?
NDR (Network Detection and Response) focuses on detecting and responding to threats by analyzing network traffic. In a world of SaaS, remote work, and perimeter ambiguity, the network becomes a critical point for uncovering intrusions, lateral movement, and data exfiltration.

What value does protocol-based anomaly detection (DNS, HTTP, Kerberos) provide?
It offers protocol-specific context: instead of alerting on volume, it searches for deviations that are common in real intrusions (authentication abuse, covert communications, anomalous queries). The goal is earlier detection with fewer false positives.

How does retrospective PCAP analysis benefit a SOC?
It allows reexamining historical traffic with updated rules and engines, uncovering indicators that previously went unnoticed. This is especially useful in digital forensics, post-incident reviews, and threat hunting.

How does integration with firewalls like Check Point NGFW help?
It turns detection into containment: when malicious activity is identified, blocking rules can be generated and deployed rapidly, reducing exposure time and operational effort compared to manual responses.

via: kaspersky