March 4, 2026 · 5 min read

The Blind Spot at the Front Door: Why Identity-Hopping Attackers Are Invisible to Legacy SOCs

We are seeing a massive shift: instead of hacking into your networks, intruders simply log in. You should note that identity weaknesses now drive nearly 90% of our investigations. Furthermore, you will face multi-surface intrusions 87% of the time, demanding constant vigilance. Your legacy security architectures simply cannot connect these dots fast enough because you suffer from visibility gaps and ingestion delays. Meanwhile, exfiltration now happens in just 72 minutes. To defend your infrastructure, we engineered our federated platform to investigate exactly where your data already lives. You no longer need to centralize telemetry or wait on slow data lakes. Instead, you can ask natural-language questions, and our AI orchestrates the queries across your environment. We empower your analysts to track these cross-surface threats at machine speed, turning hours of manual correlation into just minutes.


Attackers aren’t hacking in anymore—they’re logging in. And the investigation architecture most SOCs rely on was never built to follow them across the surfaces they traverse.

The Numbers That Should Alarm Every SOC Leader

The Global Incident Response Report 2026 from Palo Alto Networks Unit 42 identified two critical patterns:

  • Identity weaknesses played a material role in nearly 90% of all investigations  
  • Two or more attack surfaces were involved in 87% of intrusions

Taken together, these describe an attacker playbook that legacy SIEM and SOAR architectures were never engineered to counter.  

Threat actors are bypassing exploit chains in favor of stolen credentials, hijacked sessions, and over-scoped privileges—then hopping across endpoints, cloud infrastructure, SaaS applications, and identity planes in a single intrusion.  

To a traditional security stack, each hop looks like a discrete, low-severity event. In reality, it’s one coordinated attack.

The Front Door Is Wide Open

For years, defenders focused on patching vulnerabilities to keep adversaries out. But as Unit 42’s data makes clear, attackers are pragmatic: 65% of initial access in 2025 was identity-driven. Phishing (22%) and vulnerability exploitation (22%) tied as the leading vectors, but identity-based techniques create the connective tissue behind them, including:

  • credential theft,  
  • session hijacking,  
  • MFA bypass, and  
  • OAuth misuse

Once inside, the crisis compounds. Unit 42’s analysis of more than 680,000 identities across cloud accounts found that 99% had excessive permissions, some unused for 60 or more days. That means an attacker who compromises a single identity often inherits far more privilege than they need. They escalate through over-scoped roles and unretired legacy grants, move laterally by testing stolen credentials across systems, and persist by stealing session tokens and misusing OAuth grants that bypass interactive authentication—including MFA.
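A defender-side check for the over-scoped and unused grants described above, as an added example that is not code from Command Zero or Unit 42. The identities, permission names and last-used dates are constructed, and the list of escalation-capable permissions is an assumption for illustration; the check flags every grant unused for 60 or more days (or never used) and reports the share of identities carrying such excess.

```python
"""Review of unused privilege over constructed IAM data (added example)."""
from datetime import date, timedelta

# Constructed: identity -> {permission: last-used date (ISO) or None if never used}.
GRANTS = {
    "svc-backup":  {"s3:GetObject": "2025-05-28", "s3:PutObject": "2025-05-28",
                    "iam:PassRole": None, "ec2:TerminateInstances": "2025-01-10"},
    "jdoe":        {"s3:ListBucket": "2025-05-30", "iam:CreateUser": None},
    "svc-metrics": {"cloudwatch:PutMetricData": "2025-05-31"},
}

# Assumed set of permissions that matter most when left unused, because they
# let a compromised identity grow its own access rather than just read data.
ESCALATION_CAPABLE = {"iam:PassRole", "iam:CreateUser"}


def stale_permissions(grants, as_of, stale_days=60):
    """Flag grants unused for stale_days or more (or never used) as of a date.

    Returns identity -> {stale, granted, high_risk_stale}, so reviewers can
    retire the escalation-capable grants first."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=stale_days)
    report = {}
    for identity, perms in grants.items():
        stale = sorted(p for p, last in perms.items()
                       if last is None or date.fromisoformat(last) <= cutoff)
        report[identity] = {
            "stale": stale,
            "granted": len(perms),
            "high_risk_stale": sorted(set(stale) & ESCALATION_CAPABLE),
        }
    return report


def share_over_permissioned(report):
    """Fraction of identities carrying at least one stale grant."""
    flagged = sum(1 for r in report.values() if r["stale"])
    return round(flagged / len(report), 2)


if __name__ == "__main__":
    rep = stale_permissions(GRANTS, "2025-06-01")
    for ident, r in rep.items():
        print(ident, r)
    print("share of identities with excess:", share_over_permissioned(rep))
```

In a real environment the last-used data would come from the cloud provider's access-advisor style reports or the identity provider's audit logs; the point of the check is that the excess is measurable per identity, which is what makes it retirable.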

The report describes this as “authenticated access changing the dynamics of an intrusion.” To a legacy security tool, this lateral movement looks exactly like routine automation. And that’s the problem.

The 87% Multi-Surface Problem

If an attacker compromises an endpoint and stays on that endpoint, traditional EDR is highly effective. But modern intrusions don’t stay in one lane.

The Unit 42 data reveals that 87% of incidents spanned two or more attack surfaces, and 67% spanned three or more. Forty-three percent touched four or more surfaces, with some cases reaching as many as eight. Identity was involved in nearly 90% of all incidents, and browser-based activity appeared in 48%—reflecting how often attacks intersect with routine workflows like email, web access, and SaaS usage.

This multi-surface reality creates a specific, measurable investigation bottleneck. The report notes that in 87% of incidents, Unit 42 investigators reviewed evidence from two or more distinct data sources to establish what happened—with complex cases drawing on as many as ten. That fragmentation “consistently slowed detection, allowing adversaries to begin lateral movement before defenders could see the full picture.”

The core finding: In more than 90% of breaches, preventable gaps—limited visibility, inconsistently applied controls, or excessive identity trust—materially enabled the intrusion. The issue isn’t attacker sophistication. It’s fragmented defense.

The Shrinking Window: 72 Minutes to Exfiltration

Attack velocity is accelerating, and the fastest operators are pulling away from the pack. The quickest 25% of intrusions reached exfiltration in just 72 minutes in 2025—down from 285 minutes in 2024, a nearly 4x acceleration. The share of incidents that reached exfiltration in under one hour rose from 19% to 22%.

AI is a significant driver. The report documents how threat actors have moved from experimentation to routine operational use of AI-assisted tooling—automating reconnaissance, scripting deployment, parallelizing initial access attempts, and even running concurrent ransom negotiations with AI-generated messaging. The result is a compressed attack lifecycle where, as Unit 42 puts it, “what happens in the first minutes after initial access can determine whether an incident becomes a breach.”

For SOC teams still relying on manual investigation workflows—querying one tool at a time, waiting on data lake ingestion latency, and hand-correlating signals across consoles—this timeline is existentially challenging. You can’t stitch together a cross-surface attack narrative in 72 minutes when your investigation tools require an hour just to pull and normalize the telemetry.

Why Legacy SOC Architecture Can’t Keep Up

The Unit 42 report diagnoses three systemic contributing factors that enable attacker success. Each one maps directly to an architectural limitation in traditional SIEM/SOAR investigation workflows:

  1. Visibility gaps. Critical telemetry often exists but remains trapped in disparate systems, preventing defenders from correlating identity shifts with endpoint behavior or SaaS activity. The report notes that visibility gaps—particularly across SaaS, cloud identity, and automation layers—were a primary driver of attacker success in 2025. The traditional approach of centralizing everything into a data lake before analysis introduces ingestion latency and normalization overhead that attackers exploit.
  2. Environmental complexity. Security baselines are rarely applied universally. Environmental drift from legacy systems, M&A activity, and technology adoption creates inconsistencies that attackers use as the path of least resistance. Over 90% of breaches were enabled by misconfigurations or coverage gaps, not novel exploits. When investigation tools can only query what’s been pre-indexed in a centralized platform, the gaps in that index become blind spots in the investigation.
  3. Excessive identity trust. Permissions accumulate faster than governance can track them. Attackers escalate through unretired legacy roles and over-provisioned service accounts without deploying novel tooling. When identity data lives in fragmented systems—Active Directory here, Okta there, cloud-native IAM elsewhere—investigators lose end-to-end visibility into how a single compromised identity expanded into broad access.

These aren’t point failures. They’re architectural ones. And they demand an architectural response.

How Command Zero Is Engineered for This Reality

Command Zero was built from the ground up for the investigation challenge the Unit 42 report describes: multi-surface, identity-driven intrusions that span fragmented tooling and demand speed. Three architectural decisions are directly responsive to the failure modes documented in the report.

Federated Data: Investigate Where the Data Lives

The report’s finding that 87% of investigations required evidence from two or more distinct sources—and complex cases required as many as ten—describes a problem that centralized data lakes are fundamentally ill-suited to solve. Ingestion delays, normalization overhead, and schema mismatches mean that by the time all the relevant telemetry is queryable in a single pane, the attacker has already moved.

Command Zero takes a federated approach: it queries your existing security tools in place, correlating signals across EDR, SIEM, identity providers, cloud platforms, and SaaS applications without requiring you to centralize everything first. When a Tier-2 analyst needs to trace how a compromised identity pivoted from an endpoint to a cloud workload to a SaaS application, they ask the question and Command Zero retrieves the answer from each source in parallel. No data lake latency. No gaps from tools that weren’t indexed.

Questions Before Tokens: Human-Guided, AI-Accelerated Investigation

The report emphasizes that most breaches are enabled by “preventable gaps”—not attacker novelty. The critical capability gap isn’t generating more alerts. It’s the ability to quickly answer investigative questions across fragmented data: Where else did this identity authenticate in the last 48 hours? What permissions does this service account actually hold? Did this OAuth token grant propagate downstream?

Command Zero’s question-and-answer methodology puts the analyst’s investigative instinct at the center. Rather than replacing human judgment with a black-box agent that triages alerts autonomously, Command Zero empowers the analyst to ask natural-language investigation questions and get structured, cross-platform answers in seconds. The AI handles the query orchestration, tool integration, and data correlation. The analyst retains full visibility into what was queried, what was returned, and how the conclusions were derived.

This “glass box” transparency matters operationally: when the Unit 42 report calls for response that follows “an auditable sequence,” it’s describing exactly the kind of explainable, reviewable investigation workflow that Command Zero produces by design.

Cross-Surface Investigation at Machine Speed

When the fastest attackers are exfiltrating data in 72 minutes and traversing three or more attack surfaces in 67% of intrusions, investigation workflows must operate at a speed and breadth that manual processes cannot achieve.

Command Zero collapses the multi-tool, multi-tab investigation workflow into a single conversational interface. An analyst investigating a suspicious identity event doesn’t need to separately query Active Directory, then Okta, then CrowdStrike, then AWS CloudTrail, then Salesforce audit logs. They describe the investigation question, and Command Zero orchestrates the cross-platform query, synthesizes the results, and surfaces the attack narrative—with full provenance for every data point.
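The cross-surface correlation this section and the “Questions Before Tokens” section describe, as an added example that is not Command Zero’s code. The four log sources are constructed stand-ins for EDR, identity-provider, cloud-audit and SaaS-audit records, and the event layout, identities and descriptions are assumptions made for this example. The correlator keys every event on the identity involved, clusters events that fall within a short gap of each other, reports how many distinct surfaces a single identity crossed, and keeps the originating source on every data point so the resulting narrative can be audited; it also answers the “where else was this identity active in the last 48 hours?” question directly.

```python
"""Cross-surface identity correlation over constructed sample events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, source, surface, identity, description).
EVENTS = [
    ("2025-06-01T09:02:00Z", "edr",         "endpoint", "jdoe",   "browser spawned office process from mail attachment"),
    ("2025-06-01T09:15:00Z", "idp",         "identity", "jdoe",   "interactive sign-in from previously unseen device"),
    ("2025-06-01T09:40:00Z", "idp",         "identity", "jdoe",   "OAuth consent granted to third-party application"),
    ("2025-06-01T10:05:00Z", "cloud_audit", "cloud",    "jdoe",   "AssumeRole into administrative role"),
    ("2025-06-01T10:20:00Z", "saas_audit",  "saas",     "jdoe",   "bulk export of customer records"),
    ("2025-06-01T11:00:00Z", "idp",         "identity", "asmith", "routine sign-in from managed device"),
    ("2025-06-03T08:00:00Z", "cloud_audit", "cloud",    "jdoe",   "ListBuckets from CI runner"),
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def surfaces_touched(events, identity, as_of, hours=48):
    """Answer 'where else was this identity active in the last N hours?'.

    Returns sorted distinct (surface, source) pairs, so every surface in the
    answer is traceable to the log source that reported it."""
    end = parse_ts(as_of)
    start = end - timedelta(hours=hours)
    return sorted({(e[2], e[1]) for e in events
                   if e[3] == identity and start <= parse_ts(e[0]) <= end})


def _summarize(identity, evs):
    surfaces = {e[2] for e in evs}
    return {
        "identity": identity,
        "start": evs[0][0],
        "end": evs[-1][0],
        "surfaces": sorted(surfaces),
        "sources": sorted({e[1] for e in evs}),
        # Provenance: (timestamp, source, description) for each hop.
        "timeline": [(e[0], e[1], e[4]) for e in evs],
        # Each hop on its own is a low-severity event; the cluster is not.
        "cross_surface": len(surfaces) >= 2,
    }


def correlate(events, max_gap_hours=2):
    """Cluster each identity's events when consecutive events are at most
    max_gap_hours apart; return clusters ordered by start time."""
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e[3]].append(e)
    clusters = []
    for identity, evs in by_identity.items():
        evs.sort(key=lambda e: parse_ts(e[0]))
        current = [evs[0]]
        for e in evs[1:]:
            gap = parse_ts(e[0]) - parse_ts(current[-1][0])
            if gap <= timedelta(hours=max_gap_hours):
                current.append(e)
            else:
                clusters.append(_summarize(identity, current))
                current = [e]
        clusters.append(_summarize(identity, current))
    clusters.sort(key=lambda c: (c["start"], c["identity"]))
    return clusters


def narrative(cluster):
    """Render one cluster as an auditable attack narrative with per-line provenance."""
    lines = [f"{cluster['identity']}: {len(cluster['surfaces'])} surface(s) "
             f"{cluster['start']} -> {cluster['end']}"]
    for ts, source, desc in cluster["timeline"]:
        lines.append(f"  {ts} [{source}] {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    for c in correlate(EVENTS):
        if c["cross_surface"]:
            print(narrative(c))
    print(surfaces_touched(EVENTS, "jdoe", "2025-06-01T12:00:00Z"))
```

The gap threshold and the "two or more surfaces" rule are the tunable parts: a short gap separates the 06-03 cloud event from the earlier chain so routine automation does not get folded into it, while the surface count is what distinguishes a pivot chain from a single noisy tool. In a federated deployment each source's events would be fetched in parallel rather than read from one list, but the correlation logic is the same.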

The result: investigations that previously required hours of manual correlation across multiple consoles can be conducted in minutes. That’s not a workflow improvement. It’s the difference between detecting an active intrusion and performing post-breach forensics.

What This Means for Security Leaders

The Unit 42 report concludes with a statement that should resonate with every SOC leader: “Security is solvable.” The overwhelming majority of breaches are enabled by known, preventable gaps. But closing those gaps requires more than better controls at the perimeter—it requires fundamentally rethinking how the SOC investigates threats that cross surfaces, exploit identities, and move at machine speed.

The report’s own recommendations align closely with Command Zero’s architecture: ingest all relevant security data, use AI-driven capabilities to correlate signals across identity, endpoint, cloud, and network layers, and enable real-time response with automation. The difference is that Command Zero delivers these capabilities through a federated investigation model that doesn’t require ripping out your existing stack or waiting for a multi-year data consolidation project.

Attackers have adapted their playbook. Identity is the new perimeter, multi-surface movement is the norm, and speed is the differentiator. The SOC’s investigation architecture needs to adapt, too.

James Therrien
Lead Content Strategist
