Cobalt Strike - Detection Rate

Detection rates show how many antivirus engines on VirusTotal identify Cobalt Strike samples as malicious. A high detection rate (30+ engines) means most AV vendors have signatures for the variant. Low or zero detection indicates recently packed or obfuscated samples that may bypass signature-based endpoint protection.

Why Detection Rate Matters

For SOC analysts and threat hunters, detection rate is a key indicator of variant freshness and evasion capability. When Cobalt Strike operators release a new build with updated packing or obfuscation, detection rates drop temporarily until AV vendors update their signatures. This window of low detection is when organizations are most vulnerable. Monitoring this page helps you understand how well your current defenses cover Cobalt Strike variants.

Recommended Actions

If you see undetected or low-detection samples, consider submitting them to your sandbox for behavioral analysis. Update your YARA rules to catch Cobalt Strike patterns that signature-based detection misses. For the latest sample hashes to cross-reference, visit the Cobalt Strike samples page. For network-level indicators, check the IOC page.