
Understanding the Risks of Remote Monitoring and Management Tools

Preventing RMM risk starts with understanding what RMM tools are, what they do, and how threat actors can exploit them.

The IT environment is evolving. Organizations have embraced hybrid work models, expanded their operations and personnel footprints, and digitalized their processes and capabilities. And those in charge of these now sprawling environments must deal with the increasingly complicated task of keeping endpoints, users, and more both operational and secure.

The marketplace has introduced a variety of tools to help facilitate business transformation, but in some cases the results have created rapidly expanded attack surfaces and revealed new security risks (including identity threats, software vulnerabilities, and more) that were previously unknown.

One such tooling category – remote monitoring and management (RMM) – has found itself in the crosshairs of threat actors. As a result, RMM has become a double-edged sword for security teams that both rely on its functionality and struggle to keep it secure.

What Is Remote Monitoring and Management?

RMM tools are software that enables IT teams and MSPs to oversee, manage, and conduct actions to secure a distributed network of IT systems, networks, and endpoints. These tools have become an essential capability in the modern IT landscape where users can, and often do, work from anywhere, anytime, because they allow administrators to configure and manage IT systems remotely.

These tools have become ubiquitous in IT environments, and include known names such as Microsoft Remote Desktop Protocol, ConnectWise Automate, Kaseya, and TeamViewer.

Key capabilities of RMM tools include remote monitoring, remote management (i.e., system updates, patch management, software installs/uninstalls), automation of maintenance tasks, various security functions including integration with endpoint security solutions and application of security policies, and reporting and auditing capabilities to complete compliance requirements.

Benefits of Remote Monitoring and Management Tools

RMM tools have become widely used in IT environments for multiple reasons, the main one being that they allow IT teams and MSPs to efficiently monitor, manage, and secure remote endpoints from a centralized solution. This key capability allows for scalability, better operations, and improved automation, and enables organizations to embrace hybrid-work models or remote operations more effectively.

Other benefits of RMM tools include:

  • Remote support and troubleshooting of endpoints
  • 24×7 monitoring of systems, including continuous scanning for anomalies or issues
  • Proactive maintenance of endpoints, which reduces downtime or security risks
  • Automation of routine security and operations-based tasks such as patch management
  • Centralized management of networks, systems, and endpoints
  • Enhanced security through integrations with endpoint security tools and access control tools
  • MSP enablement to deliver better IT services to clients

While most of these tools are geared toward IT operations and help desk staff, these features can also help security teams better protect their environment. However, the preconfigured settings are often of little practical value to an organization, and optimizing these features takes time and staff power that many organizations simply can’t spare.

And it’s here, when overworked security teams can’t spare the budget, time, or staff to optimize and effectively manage RMM tools, that the risks begin to rise.

Risks of RMM Tools

At the beginning of 2025, Arctic Wolf Labs observed a cybercrime campaign involving unauthorized access to devices running SimpleHelp RMM software as an initial access vector. This observation was a more high-tech example of threat actors targeting RMM software and involved known vulnerabilities that allowed threat actors to download arbitrary files, upload arbitrary files as an administrative user, and escalate privileges to administrative users.

Unfortunately, this kind of observation is not rare as threat actors have increasingly turned their eyes and skills toward these tools for initial access during an attack. According to the Arctic Wolf 2025 Threat Report, 59.4% of ransomware cases investigated by Arctic Wolf Incident Response (IR) began with external remote access – a category that includes RMM abuse or exploitation. According to that same report, Arctic Wolf observed malicious usage of 32 different RMM tools, with RMM tools involved in 36% of IR cases over a single quarter.

These statistics highlight how RMM tools both open new operational opportunities for organizations and new malicious access opportunities for threat actors looking to launch sophisticated attacks. Understanding the risks of RMM tools, and how they can manifest themselves, puts security teams in a better position to defend against a rising threat.

Risks of RMM tools include:

Security concerns
RMM tools, by their very nature, regularly store or offer access to sensitive systems, data, and user credentials. The problem is that many in-house security teams don’t have the bandwidth or expertise to ensure these tools are continuously and properly secured. From a lack of multi-factor authentication (MFA) or other access controls, to insider threats, improper segmentation, and insufficient activity logging or monitoring, there are several security risks that can arise with the use of these tools.

Misconfigurations
RMM tools rarely come fully ready to deploy in an organization’s tech stack, because the factory settings haven’t been fine-tuned for the individual environment. Failure to properly configure an RMM tool, or the accidental misconfiguration of one, can introduce new vulnerabilities into an organization, facilitate known vulnerability exploits due to delayed patching, or provide unauthorized access stemming from overly broad or unrestricted access settings.

Too much automation
The double-edged sword strikes again. RMM tools enable essential automation of routine systems management tasks, but overreliance on this automation can introduce new risk as IT and security teams afford the tools too much trust, leading to a lack of security expert oversight. Automated tasks often go out to hundreds or thousands of endpoints in a large or complex environment, so if a script is run without safeguards or updates are auto-deployed without logging or testing, the impact from one small task can be massive.

Integration challenges
Any new tool or solution needs to be able to play nice with the rest of your tech stack. However, RMM tools can struggle to fully integrate with existing IT infrastructure, leading to incompatibilities that can introduce vulnerabilities, obscured visibility, and improper security measures.

However, every tool can create risk in an IT environment. Just because software comes with risks doesn’t mean it shouldn’t be utilized. It’s a matter of actively reducing some risks, accepting others, and putting proactive security measures in place to detect and respond to threats, if they occur, early and swiftly.

How To Combat the Risks of RMM Tools

RMM tools have become a vital part of the cybersecurity toolbox. But, as with any tool in an organization’s tech stack, the value they provide can’t be outweighed by the risk they introduce. IT and security teams can combat those risks, as well as reduce or eliminate them, through a series of proactive strategies.

1. Identity and access management (IAM)
The three main tenets of IAM are governance (the determination of who has access to what), control of that access, and the continuous monitoring of users and their access. Following IAM best practices within the context of RMM tools allows security and IT teams to tightly control access, centralize user management, and employ safeguards such as MFA to prevent credential-related attacks. Additionally, because RMM tools facilitate privileged access, IT teams can integrate RMM with their privileged access management (PAM) systems, further controlling RMM usage.

2. Identity threat detection and response (ITDR)
If IAM implementation is the framework an organization can apply to protect RMM, then ITDR is the second layer of defense that ensures that framework is working, or not. ITDR helps detect, investigate, and respond to identity-based threats, and, subsequently, can detect identity-based anomalies in real time, help security teams respond to compromised credentials, enhance visibility into users’ behaviors in relation to RMM tools, and more.

3. Comprehensive security awareness training
While threat actors can exploit vulnerabilities within RMM tools or run high-tech playbooks for initial access, having credentials or luring credentials away from users through social engineering tactics is often a faster, easier method. So, educating users and reducing human risk is paramount to better security for your RMM tools. Strong security awareness training should include up-to-date content and phishing simulations, and should engage users with tactics such as microlearning to increase resilience.

4. Proactive patch management
Keeping your RMM tools and associated systems up to date with the latest patches and security updates is a simple, proactive step to mitigate any known vulnerabilities and prevent their exploitation by threat actors. Security and IT teams should continually monitor the RMM tools themselves for outdated versions, known vulnerabilities, and other security risks, and mitigate them in a timely manner.

5. Incident response planning
The risk of an attack originating with your organization’s RMM tools is, unfortunately, high, as the data cited above shows. Knowing this, organizations should ensure they have an incident response (IR) plan in place and are ready to respond swiftly if an incident occurs. Obtaining a retainer, building out a plan, and running tabletop exercises that deal with RMM tool exploitation can help an organization’s team know what to do if a threat turns into a cyber attack.

However, effectively and proactively mitigating and reducing the risks inherent in RMM tools can be a tall order to ask of an in-house security team, which is why many are turning to a third-party solution provider.
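
The monitoring described under "Proactive patch management" can start from a software inventory export. The sketch below is an added example, not Arctic Wolf code: it flags RMM installs that are unapproved, outdated, or report an unreadable version. The hosts, version numbers, and approved baseline are constructed for illustration and are not tied to any real advisory.

```python
# RMM products to look for (names taken from the article).
# Hosts, versions and the approved baseline below are constructed samples.
KNOWN_RMM = {"ConnectWise Automate", "Kaseya", "TeamViewer", "SimpleHelp"}

# Hypothetical policy: approved tool -> minimum acceptable version.
APPROVED_MIN = {"TeamViewer": "15.2.0"}

# Constructed inventory rows: (host, product, installed version).
INVENTORY = [
    ("ws-014", "TeamViewer", "15.10.1"),
    ("ws-022", "TeamViewer", "15.1.9"),
    ("srv-003", "SimpleHelp", "5.0.0"),
    ("ws-031", "teamviewer ", "not-a-version"),
    ("ws-040", "LibreOffice", "7.6.2"),
]

def parse_version(text):
    """Return a tuple of ints for numeric comparison, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # treat 15.2 and 15.2.0 as equal
        nums.pop()
    return tuple(nums)

def audit(inventory, known=KNOWN_RMM, approved=APPROVED_MIN):
    """Return (host, product, finding) for every RMM install needing action."""
    canonical = {name.lower(): name for name in known}
    findings = []
    for host, product, version in inventory:
        name = canonical.get(product.strip().lower())
        if name is None:
            continue  # not an RMM tool we track
        if name not in approved:
            findings.append((host, name, "unapproved"))
            continue
        installed = parse_version(version)
        if installed is None:
            findings.append((host, name, "unknown-version"))
        elif installed < parse_version(approved[name]):
            findings.append((host, name, "outdated"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="\t")
```

Versions are compared as integer tuples because a plain string comparison would rank 15.10.1 below 15.2.0 and report a current install as outdated.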

How Arctic Wolf Can Help

Because threat actors can attack your organization’s RMM tools from multiple avenues, a multi-faceted security approach – as highlighted above – is needed to keep them secure. Arctic Wolf takes an operations-based approach, providing expertise alongside technology. This powerful combination helps your organization monitor these tools and connected endpoints and systems 24×7, respond to threats swiftly and effectively, practice risk-based vulnerability management, achieve broad visibility, better train your employees to reduce human risk, and offer industry-leading security expertise.

Explore how Arctic Wolf solutions can better secure RMM tools.
Learn more about the risks facing RMM tools and how they can lead to sophisticated attacks in the 2025 Arctic Wolf Threat Report.
