Cybercriminals four times faster in data exfiltration
The 2026 Unit 42 Global Incident Response Report by Palo Alto Networks sounds a concrete alarm for companies: threat actors now reach data exfiltration four times faster than in 2025. This drastic increase in speed is made possible by attacking three or more surfaces simultaneously and exploiting the blind spots created by an excessive dependence on endpoint data.
Expanding attack surface
Although the endpoint remains a crucial line of defense, the rapid proliferation of cloud services, microservices, and remote users has expanded the attack surface beyond the monitoring capabilities of any single tool. In 75% of the incidents analyzed by Unit 42, critical evidence of the initial intrusion was present in the logs. However, due to complex and fragmented systems, this information was not easily accessible or usable, allowing attackers to exploit the gaps without being detected. To keep up, SOCs must evolve to collect and correlate telemetry from across the organizational landscape.
The invisible zones of the attack
IT environments are generally composed of distinct zones: identity and access management (IAM), cloud assets, operational technology (OT), Internet of Things (IoT), and artificial intelligence workloads, each with its own logging and security needs. Although there are specific tools to protect assets in each zone, SOCs must be able to holistically analyze logs and alerts from these zones and use the corresponding security tools to counter threats.
The limits of the endpoint-based approach
Unit 42 has identified three specific scenarios in which an approach based exclusively on endpoints fails to provide a comprehensive view:
- Cloud-to-endpoint pivoting: When attackers gain access through a misconfigured cloud service access key, they can pivot to endpoints while hiding their tracks from EDR agents. From the cloud console, they can move to a cloud-hosted server to begin discovery. For a SOC that monitors only endpoints, the initial entry and the console manipulation are invisible, and the attacker's activity may appear as a legitimate login, increasing the likelihood of a false negative during triage of the event.
- Covert C2 and identity theft: Imagine an attacker using DNS tunneling to a cloud storage location to control a compromised device. To mask their activity behind legitimate applications, they must steal credentials, which can trigger impossible-travel alerts in multiple software-as-a-service (SaaS) applications. If the SOC only looks for malware on the device, it will miss the identity-level compromise that occurs at the network and cloud providers.
- The threat of rogue assets: Shadow IT and unmanaged devices are inherently opaque. Since these devices often lack security agents, they are frequently invisible to traditional endpoint detection and response (EDR) and security information and event management (SIEM) tools. Attackers often introduce their own rogue devices to maintain persistence. Without continuous network monitoring and external attack surface management, these assets remain open doors for covert movement.
A multi-surface defense strategy
To counter these threats, Unit 42 recommends a "single-pane-of-glass" strategy powered by an AI-based SOC platform like Cortex XSIAM. This approach is based on two fundamental principles: all security logs must reside in a single repository and all alerts must be processed in a centralized workbench.
By integrating data from all 10 IT zones - including code, communications, and AI - the SOC can leverage machine learning for:
- Alarm stitching: Automatically connecting events from different zones into a coherent timeline
- ML-based incident scoring: Prioritizing threats based on business impact and user risk
- Suspicious-pattern identification: Reducing the number of false positives
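As an added illustration of alarm stitching (example code written for this article, not code from the Unit 42 report or from Cortex XSIAM), the toy correlator below ingests constructed telemetry from the cloud, identity and endpoint zones, stitches it into one time-ordered timeline per principal, and shows that the cloud-to-endpoint pivot and impossible-travel scenarios described above only fire when more than the endpoint zone is visible. All field names, principals, hosts and event values are constructed for the example.

```python
# Toy multi-zone alarm stitching. Constructed example; field names and values are invented.
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, zone, principal, action, **extra):
    # One constructed telemetry record; "zone" is the IT zone the log came from.
    return {"ts": datetime.fromisoformat(ts), "zone": zone, "principal": principal,
            "action": action, **extra}

# Constructed sample telemetry modelling the cloud-to-endpoint pivot and impossible-travel cases.
EVENTS = [
    ev("2026-01-10T09:00:00", "cloud", "svc-deploy", "ConsoleLogin", auth="access_key"),
    ev("2026-01-10T09:03:00", "cloud", "svc-deploy", "DescribeInstances"),
    ev("2026-01-10T09:06:00", "identity", "svc-deploy", "SaaSLogin", geo="BR"),
    ev("2026-01-10T09:07:00", "identity", "svc-deploy", "SaaSLogin", geo="DE"),
    ev("2026-01-10T09:10:00", "endpoint", "svc-deploy", "InteractiveLogon", host="app-01"),
    ev("2026-01-10T09:11:00", "endpoint", "alice", "InteractiveLogon", host="wks-22"),
]

def stitch(events, visible_zones):
    """Group the events the SOC can actually see into a time-ordered timeline per principal."""
    timelines = defaultdict(list)
    for e in events:
        if e["zone"] in visible_zones:
            timelines[e["principal"]].append(e)
    return {p: sorted(t, key=lambda e: e["ts"]) for p, t in timelines.items()}

def detect(timeline, window=timedelta(minutes=15)):
    """Cross-zone rules over one principal's timeline; a single-zone timeline cannot fire the pivot rule."""
    findings = set()
    for i, a in enumerate(timeline):
        for b in timeline[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break
            # Access-key console login followed by an interactive logon on a host: cloud-to-endpoint pivot.
            if (a["zone"] == "cloud" and a.get("auth") == "access_key"
                    and b["zone"] == "endpoint" and b["action"] == "InteractiveLogon"):
                findings.add("cloud_to_endpoint_pivot")
            # Two SaaS logins from different countries inside the window: impossible travel.
            if a["action"] == b["action"] == "SaaSLogin" and a.get("geo") != b.get("geo"):
                findings.add("impossible_travel")
    return findings

def triage(events, visible_zones):
    """Map each principal to the findings the SOC can raise from the zones it sees (empty ones dropped)."""
    findings = {p: detect(t) for p, t in stitch(events, visible_zones).items()}
    return {p: f for p, f in findings.items() if f}
```

With `visible_zones={"endpoint"}` the endpoint-only SOC raises nothing for `svc-deploy`; with all three zones visible, the same events stitch into both findings.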
Conclusions and recommendations
The Unit 42 2026 report underscores the importance of an AI-enabled multi-surface defense to effectively counter modern threats. For organizations looking to enhance their security capabilities, it is recommended to:
- Conduct a formal assessment of the current SOC visibility
- Invest in an integrated security platform that supports multi-surface analysis
- Promote collaboration between security teams and other business functions
- Adopt advanced security frameworks like MITRE ATT&CK
- Implement continuous training programs for security personnel
In a rapidly evolving threat landscape, adopting a proactive, AI-based defense strategy is the only way to maintain a competitive advantage and effectively protect the organization's critical resources.
Additional resources
To further explore the topics covered in this report, it is recommended to consult:
- The Unit 42 Global Incident Response Report 2026
- The guide to migrating to a modern SIEM based on Cortex XSIAM
- The educational resources on MITRE ATT&CK available on the official website
- The white papers and technical articles published by Palo Alto Networks
Editorial Note and Disclaimer
The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.
GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not engage in real-time information activities.
The GoYou project does not provide professional, technical, legal, or financial advice and disclaims any liability for the improper use of the information published.
In the Crypto sector, every investment involves risks: readers are invited to always inform themselves autonomously before making any decision.