"Threat actors are now moving 4x faster to exfiltration than in 2025." That stark finding, from the 2026 Unit 42 Global Incident Response Report, frames a clear warning: attackers are exploiting the gaps created by an over-reliance on endpoint data.
Rapid exfiltration and the limits of endpoint visibility
Unit 42 found that adversaries are accelerating the time from initial access to data exfiltration, and they are doing so by striking across multiple surfaces at once. The report notes that while the endpoint "remains a critical first line of defense," modern environments now include cloud services, microservices and remote users that expand the attack surface beyond what any single tool can monitor. In 75% of incidents Unit 42 investigated, critical evidence of the initial intrusion was present in the logs — yet the information "wasn't readily accessible or effectively operationalized," allowing attackers to move undetected.
Three scenarios where an endpoint-only view fails
Unit 42 identifies three recurring operational patterns that show how an endpoint-only posture misses the full story:
- Cloud-to-endpoint pivot: An attacker who gains access through a misconfigured cloud service's access key can pivot from the cloud console to cloud-hosted servers and then to endpoints, while the console manipulation stays invisible to EDR agents. A SOC focused only on endpoint telemetry sees what looks like a legitimate login, which is a false negative. Detection requires stitching together cloud security logs, CASB alerts and EDR telemetry.
- Covert C2 and identity theft: Attackers who tunnel command and control over DNS to a cloud storage location can control a compromised device while their traffic hides inside legitimate applications. To mask the control channel they often steal credentials as well, and use of those credentials from several locations triggers "impossible travel" alerts across multiple SaaS apps, activity that an EDR-only hunt for malware on the device will miss.
- Rogue assets and shadow IT: Unmanaged devices and shadow IT lack security agents and are opaque to traditional EDR and SIEM tools. Attackers frequently introduce rogue devices to maintain persistence; without continuous network monitoring and external attack surface management, these assets remain open doors for covert movement.
All logs, one repository: the single-pane-of-glass prescription
Unit 42 lays out a prescriptive architecture for modern SOCs: a unified, AI-driven data platform that consolidates diverse security logs and automates detection, investigation and response. The core operational rule is explicit — "All security logs must live in a single repository, and all alerts must be processed in a centralized workbench." By integrating data from all 10 IT zones — including code, comms and AI — a SOC can use machine learning to stitch alerts into coherent timelines, apply ML-based incident scoring to prioritize threats by business impact and user risk, and run user and entity behavior analytics to detect credential compromise before it becomes material.
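As an added example, not code from the report or from any Palo Alto Networks product, the following Python script models the three scenarios above and the "all logs in one repository, alerts stitched into one timeline" rule from this section. It normalizes three constructed log sources (a cloud control-plane audit log, SaaS sign-in records with geolocation, and EDR telemetry) into one time-ordered stream keyed by principal, runs one detection per scenario (cloud-to-endpoint pivot, impossible travel across SaaS apps, DNS tunneling), and ranks the findings with a simple heuristic that stands in for the report's ML-based incident scoring. Every user, host, IP address, domain and field name is invented; the thresholds are illustrative; and the registered-domain extraction is deliberately simplified.

```python
# Added example, not code from the Unit 42 report: stitch constructed cloud-audit, SaaS sign-in
# and EDR records into one timeline and run cross-source detections over it. All users, hosts,
# addresses, domains and field names below are invented.
import math
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
KNOWN_IPS = {"svc-deploy": {"198.51.100.10"}}  # per-principal baseline of expected source IPs
CLOUD_AUDIT = [  # cloud control-plane audit records (constructed)
    {"ts": "2026-03-01T08:00:05Z", "user": "svc-deploy", "action": "ListBuckets",
     "src_ip": "203.0.113.7", "auth": "access_key"},
]
SAAS_AUTH = [  # SaaS/identity sign-ins with geolocation (constructed)
    {"ts": "2026-03-01T07:50:00Z", "user": "jdoe", "app": "crm", "lat": 40.71, "lon": -74.01},
    {"ts": "2026-03-01T08:30:00Z", "user": "jdoe", "app": "mail", "lat": 51.51, "lon": -0.13},
]
EDR = [  # endpoint telemetry (constructed); each record looks benign on its own
    {"ts": "2026-03-01T08:09:00Z", "host": "web-01", "user": "svc-deploy", "event": "logon",
     "logon_type": "interactive", "src_ip": "10.0.5.20"},
    {"ts": "2026-03-01T08:15:00Z", "host": "lt-jdoe", "user": "jdoe", "event": "dns_query",
     "qname": "q7zx2m9kp3vn8rt4wl6hj1yc5bd0fgse.blob.exfil-example.net"},
    {"ts": "2026-03-01T08:15:02Z", "host": "lt-jdoe", "user": "jdoe", "event": "dns_query",
     "qname": "m3kd9qpw7zx1vr5tn8hb2yc4lj6fg0es.blob.exfil-example.net"},
    {"ts": "2026-03-01T08:15:04Z", "host": "lt-jdoe", "user": "jdoe", "event": "dns_query",
     "qname": "x9vb3nq7mk2pz5wr8tl1hj4yc6fd0gse.blob.exfil-example.net"},
    {"ts": "2026-03-01T08:16:00Z", "host": "lt-jdoe", "user": "jdoe", "event": "dns_query",
     "qname": "www.example.com"},
]

def normalize(cloud, saas, edr):
    """Map the three log shapes onto one schema (ts, source, principal, kind, raw), time-ordered."""
    tl = [{"ts": datetime.strptime(e["ts"], TS_FMT), "source": "cloud", "principal": e["user"],
           "kind": "api:" + e["auth"], "raw": e} for e in cloud]
    tl += [{"ts": datetime.strptime(e["ts"], TS_FMT), "source": "saas", "principal": e["user"],
            "kind": "saas_auth", "raw": e} for e in saas]
    tl += [{"ts": datetime.strptime(e["ts"], TS_FMT), "source": "edr", "principal": e["user"],
            "kind": e["event"], "raw": e} for e in edr]
    return sorted(tl, key=lambda x: x["ts"])

def detect_cloud_to_endpoint_pivot(tl, known_ips, window_min=30):
    """Interactive endpoint logon preceded within window_min by access-key API calls from an IP
    outside the same principal's baseline. Neither half is suspicious alone; the pairing is."""
    findings = []
    for ev in tl:
        if ev["source"] != "edr" or ev["kind"] != "logon" or ev["raw"].get("logon_type") != "interactive":
            continue
        prior = [c for c in tl if c["source"] == "cloud" and c["kind"] == "api:access_key"
                 and c["principal"] == ev["principal"]
                 and c["raw"]["src_ip"] not in known_ips.get(c["principal"], set())
                 and 0 <= (ev["ts"] - c["ts"]).total_seconds() <= window_min * 60]
        if prior:
            findings.append({"rule": "cloud_to_endpoint_pivot", "principal": ev["principal"],
                             "sources": {"cloud", "edr"}, "evidence": [c["raw"] for c in prior] + [ev["raw"]]})
    return findings

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect_impossible_travel(tl, max_kmh=900):
    """Consecutive sign-ins by one principal, across any SaaS apps, whose implied speed exceeds max_kmh."""
    last, findings = {}, []
    for ev in (e for e in tl if e["kind"] == "saas_auth"):
        prev = last.get(ev["principal"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["raw"]["lat"], prev["raw"]["lon"], ev["raw"]["lat"], ev["raw"]["lon"])
            if hours > 0 and km / hours > max_kmh:
                findings.append({"rule": "impossible_travel", "principal": ev["principal"],
                                 "sources": {"saas"}, "evidence": [prev["raw"], ev["raw"]]})
        last[ev["principal"]] = ev
    return findings

def shannon_entropy(s):
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def detect_dns_tunnelling(tl, min_len=30, min_entropy=3.5, min_hits=3):
    """Per host and domain, count queries whose leftmost label is long and high-entropy (encoded
    payload). Domain = last two labels here; a real rule would consult a public-suffix list."""
    hits = defaultdict(list)
    for ev in (e for e in tl if e["kind"] == "dns_query"):
        labels = ev["raw"]["qname"].rstrip(".").split(".")
        if len(labels) >= 3 and len(labels[0]) >= min_len and shannon_entropy(labels[0]) >= min_entropy:
            hits[(ev["raw"]["host"], ".".join(labels[-2:]))].append(ev["raw"])
    return [{"rule": "dns_tunnelling", "principal": host, "sources": {"edr"}, "evidence": evs}
            for (host, _domain), evs in hits.items() if len(evs) >= min_hits]

def run_all(cloud, saas, edr, known_ips):
    """Stitch, detect, rank. The score is a crude stand-in for ML incident scoring: findings that
    stitch more sources and carry more evidence rank higher."""
    tl = normalize(cloud, saas, edr)
    findings = detect_cloud_to_endpoint_pivot(tl, known_ips) + detect_impossible_travel(tl) + detect_dns_tunnelling(tl)
    for f in findings:
        f["score"] = 10 * len(f["sources"]) + 5 * len(f["evidence"])
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in run_all(CLOUD_AUDIT, SAAS_AUTH, EDR, KNOWN_IPS):
        print(f["score"], f["rule"], f["principal"], len(f["evidence"]), "events")
```

Run it directly to print the ranked findings. The pivot rule only fires when both sources are present: drop the cloud audit records and the interactive logon on web-01 is just a logon; drop the EDR records and the access-key call is just an API call from an unfamiliar address. That dependency on stitched telemetry is the point of the section.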
Cortex XSIAM, alert fatigue, and automation
Unit 42 recommends a single-pane-of-glass strategy powered by an AI-driven SOC platform like Cortex XSIAM. Consolidation and automation, the report argues, reduce alert fatigue, eliminate data silos and shift "the heavy lifting to machines," giving human analysts a simplified interface to stop threats "in minutes rather than days." The report also highlights Unit 42 Frontier AI Defense, a service that uses access to frontier models to identify likely attack paths before adversaries weaponize them.
What this means for SOCs and analysts, procurement leaders and enterprise management, and adversaries
- SOCs and analysts: Expect to prioritize investments in cross-zone telemetry and centralized workbenches; detection work will increasingly depend on correlating cloud security logs, CASB alerts and network monitoring with EDR telemetry.
- Procurement leaders and enterprise management: The report signals that single-tool contracts centered on EDR are insufficient; leaders should evaluate platform approaches that consolidate logs from the 10 IT zones and support ML-driven alert stitching and incident scoring.
- Adversaries and threat actors: Unit 42 warns attackers will continue to leverage AI-assisted tools and multi-surface maneuvers that exploit gaps between isolated tools — meaning defenders who retain siloed visibility will face faster, more covert campaigns.
Unit 42's central message is unambiguous: relying solely on the endpoint "is no longer a viable strategy for the modern enterprise." The recommended remedy is concrete — consolidate telemetry, centralize alert processing, and apply AI to stitch disparate events into the full narrative of an attack. For teams that want to measure where they stand, the report concludes with a practical next step: "consider evaluating your current visibility through a formal assessment."
https://unit42.paloaltonetworks.com/detection-beyond-the-endpoint/