43% of internal authentication traffic still relies on NTLM, a legacy protocol frequently abused for credential replay and privilege escalation attacks.