Persistence

To be effective, the attacker must be able to maintain interactive persistence: a two-way communication channel with the exploited system (interactive) that remains on the compromised system for a long period of time without being discovered (persistence). This type of connectivity is a requirement for the following reasons:

  • Network intrusions may be detected, and the compromised systems may be identified and patched
  • Some exploits only work once because the vulnerability is intermittent, or because exploitation causes the system to fail or to change, rendering the vulnerability unusable
  • Attackers may need to return multiple times to the same target for various reasons
  • The target's usefulness is not always immediately known at the time it is compromised

The tool used to maintain interactive persistence is usually referred to by classic terms such as backdoor or rootkit. However, the trend toward long-term persistence by both automated malware and human-operated attacks has blurred the meaning of the traditional labels, so instead we will refer to malicious software that is intended to stay on the compromised system for a long period of time as a persistent agent.

These persistent agents perform many functions for attackers and penetration testers, including the following:

  • Allowing additional tools to be uploaded to support new attacks, especially against systems located on the same network.
  • Facilitating the exfiltration of data from compromised systems and networks.
  • Allowing attackers to reconnect to a compromised system, usually via an encrypted channel to avoid detection. Persistent agents have been known to remain on systems for more than a year.
  • Employing anti-forensic techniques to avoid being detected, including hiding in the target's filesystem or system memory, using strong authentication, and using encryption.
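The reconnection channel described above is also what gives a defender something to look for: a compromised host calling the same endpoint on a near-fixed schedule for hours or days leaves a very different pattern in connection logs than a user browsing. The following script is an added example, not code from the book; it parses a constructed outbound-connection log (the line format `<ISO-8601 time> <src-ip> <dst-ip> <dst-port>`, the addresses, and the thresholds are all assumptions) and flags flows whose inter-connection gaps are regular enough, numerous enough and long-lived enough to look like an agent keeping its channel open.

```python
"""Beacon-regularity check over outbound connection records (added example).

Assumes a simple, constructed log format: '<ISO-8601 time> <src> <dst> <dport>'.
Not the book's code; thresholds are illustrative starting points, not tuned values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one host checks in every ~600 s with a few seconds of
# jitter (what a persistent agent's scheduled call-home looks like), plus noisy,
# irregular connections to a second endpoint that resemble ordinary use.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.0.5 203.0.113.10 443
2024-03-01T08:10:02 10.0.0.5 203.0.113.10 443
2024-03-01T08:19:58 10.0.0.5 203.0.113.10 443
2024-03-01T08:30:01 10.0.0.5 203.0.113.10 443
2024-03-01T08:40:00 10.0.0.5 203.0.113.10 443
2024-03-01T08:49:59 10.0.0.5 203.0.113.10 443
2024-03-01T08:00:12 10.0.0.5 198.51.100.7 443
2024-03-01T08:03:40 10.0.0.5 198.51.100.7 443
2024-03-01T08:31:05 10.0.0.5 198.51.100.7 443
2024-03-01T08:31:09 10.0.0.5 198.51.100.7 443
2024-03-01T09:15:50 10.0.0.5 198.51.100.7 443
2024-03-01T09:20:00 10.0.0.5 198.51.100.7 443
"""


def parse_log(text):
    """Group the constructed log into (src, dst, port) -> sorted connection times."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return flows


def beacon_score(timestamps):
    """Return (mean_gap_s, jitter_ratio, span_s) for one flow, or None if too short.

    jitter_ratio is the coefficient of variation of the gaps between consecutive
    connections: close to 0 means a metronomic check-in, human traffic is far noisier.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    mean_gap = mean(gaps)
    jitter = (pstdev(gaps) / mean_gap) if mean_gap else float("inf")
    return mean_gap, jitter, sum(gaps)


def find_beacons(flows, max_jitter=0.1, min_connections=5, min_span_s=1800):
    """Flag flows that are regular (low jitter), repeated and long-lived enough to
    warrant a closer look. Thresholds are assumptions; tune them to your network."""
    findings = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        mean_gap, jitter, span = score
        if jitter <= max_jitter and span >= min_span_s:
            findings[key] = {
                "mean_interval_s": round(mean_gap),
                "jitter": round(jitter, 3),
                "connections": len(times),
            }
    return findings


if __name__ == "__main__":
    for flow, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(flow, info)
```

Run against the constructed log, only the 10-minute check-in flow is reported; the second endpoint, with gaps ranging from seconds to the better part of an hour, is not. A real deployment would read flow or proxy logs instead of the embedded string, and an agent that adds deliberate random sleep to its schedule will push the jitter ratio up, so the threshold should be set against a baseline of the network's own traffic rather than taken from here.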