Essential Data Sources for Detection Beyond the Endpoint

By: Corey Berman, Matt Gayford
Published: May 1, 2026
Categories: General, Insights
Tags: Cloud Security, IAM, Incident response, Threat detection

The 2026 Unit 42 Global Incident Response Report delivers a sharp wake-up call: threat actors are now moving 4x faster to exfiltration than in 2025.
By striking across three or more surfaces simultaneously, adversaries are intentionally exploiting the blind spots created by an over-reliance on endpoint data. While the endpoint remains a critical first line of defense, the rapid proliferation of cloud services, microservices and remote users has expanded the attack surface beyond what any single tool can monitor. In 75% of incidents Unit 42 investigated, critical evidence of the initial intrusion was present in the logs. Yet, because of complex, disjointed systems, that information wasn't readily accessible or effectively operationalized, allowing attackers to exploit the gaps undetected. To stay ahead, SOCs must evolve to ingest and correlate telemetry across the entire organizational landscape.

The Invisible Pivot

Figure 1. IT zones available to SOCs for ingesting telemetry.

Generally, IT environments are composed of distinct zones. These include identity and access management (IAM), cloud assets, operational technology (OT), internet of things (IoT) and AI workloads, each with its own built-in logging and security needs. Specific security tools are produced to protect the assets in each of these zones. Therefore, SOCs should be able to holistically analyze the logs and alerts from each zone and use the corresponding security tools to take action against threats.
While an endpoint detection and response (EDR) centric approach is foundational, relying on EDR alone creates gaps that attackers use to move invisibly. These zones are visualized in Figure 1. Unit 42 research has identified three specific scenarios where an endpoint-only view consistently fails to tell the full story:

The cloud-to-endpoint pivot: When attackers gain access via a misconfigured cloud service access key, they may be able to pivot to endpoints while hiding their tracks from EDR agents. From the cloud console, they could pivot to a cloud-hosted server to begin discovery. To a SOC watching only the endpoint, the initial entry and console manipulation are invisible, and the attacker's activity may appear as a legitimate login, increasing the chance that the SOC records a false negative when triaging the event. Detection requires stitching together cloud security logs, CASB alerts and EDR telemetry to reveal the full narrative of the breach.

Covert C2 and identity theft: Imagine an attacker using DNS tunneling to a cloud storage location to control a compromised device. To use legitimate applications to mask their activity, they must steal credentials, and doing so may trigger impossible travel alerts across multiple software-as-a-service (SaaS) apps. If the SOC is only looking for malware on the device, it will miss the identity-level compromise happening across the network and cloud providers.

The threat of rogue assets: Shadow IT and unmanaged devices are inherently opaque. Because these devices often lack security agents, they are frequently invisible to traditional EDR and security information and event management (SIEM) tools. Attackers often introduce their own rogue devices to maintain persistence. Without continuous network monitoring and external attack surface management, these assets remain open doors for covert movement.
Building a Single Pane of Glass: Unit 42's View of a Modern SOC

Figure 2 illustrates Palo Alto Networks' vision for a SOC built on a unified, AI-driven data platform.

Figure 2. Workflow of an AI-driven SOC.

By consolidating diverse security data and using AI to automate detection, investigation and response, the platform significantly reduces alert fatigue and eliminates data silos. Ultimately, this shifts the heavy lifting to machines, empowering human analysts with a single, simplified interface to proactively stop threats in minutes rather than days.

To combat these threats, Unit 42 recommends a single-pane-of-glass strategy powered by an AI-driven SOC platform like Cortex XSIAM. This approach is built on two core principles: all security logs must live in a single repository, and all alerts must be processed in a centralized workbench. By integrating data from all 10 IT zones — including code, comms and AI — the SOC can leverage machine learning for:

Alert stitching: Automatically connecting events from different zones into a cohesive timeline.
ML-based incident scoring: Prioritizing threats based on business impact and user risk.
User and entity behavior analytics: Detecting anomalous behavior that signals compromised credentials before they result in a material impact.

This integration improves the lives of analysts by reducing alert fatigue and providing management with clear visibility into workloads and performance metrics.
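As an added example (not code from this post, from Unit 42 or from Cortex XSIAM), here is the alert-stitching principle above applied to the cloud-to-endpoint pivot scenario: constructed cloud audit, CASB and EDR events are normalized to a common schema, grouped by identity within a time window, and each chain is scored by how many zones it spans. All identities, hosts, IPs and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). The "svc-deploy" identity plays the
# cloud-to-endpoint pivot: console login with a cloud access key, an impossible-travel
# alert from the CASB, then an interactive logon on a cloud-hosted server seen by EDR.
CLOUD_AUDIT = [
    {"ts": "2026-04-20T09:01:00Z", "principal": "svc-deploy", "event": "ConsoleLogin", "src_ip": "198.51.100.7"},
    {"ts": "2026-04-20T09:04:00Z", "principal": "svc-deploy", "event": "DescribeInstances", "src_ip": "198.51.100.7"},
]
CASB_ALERTS = [{"ts": "2026-04-20T09:06:00Z", "user": "svc-deploy", "alert": "impossible_travel"}]
EDR_EVENTS = [
    {"ts": "2026-04-20T09:09:00Z", "host": "web-prod-01", "user": "svc-deploy", "event": "interactive_logon"},
    {"ts": "2026-04-20T09:10:00Z", "host": "web-prod-01", "user": "svc-deploy", "event": "process:whoami"},
    {"ts": "2026-04-20T11:30:00Z", "host": "hr-laptop-07", "user": "alice", "event": "interactive_logon"},
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize():
    """Map each zone's native schema onto (time, zone, identity, detail) and sort by time."""
    out = [(_t(e["ts"]), "cloud", e["principal"], f'{e["event"]} from {e["src_ip"]}') for e in CLOUD_AUDIT]
    out += [(_t(a["ts"]), "casb", a["user"], a["alert"]) for a in CASB_ALERTS]
    out += [(_t(e["ts"]), "edr", e["user"], f'{e["event"]} on {e["host"]}') for e in EDR_EVENTS]
    return sorted(out)

def stitch(events, window=timedelta(minutes=30)):
    """Group events by identity; a gap longer than `window` starts a new chain."""
    chains = defaultdict(list)
    for ev in events:
        ident = ev[2]
        if chains[ident] and ev[0] - chains[ident][-1][-1][0] <= window:
            chains[ident][-1].append(ev)
        else:
            chains[ident].append([ev])
    return chains

def zones(chain):
    """Distinct zones touched by one identity inside one chain."""
    return len({ev[1] for ev in chain})

def flagged(min_zones=2):
    """Chains spanning >= min_zones zones: an endpoint-only view sees just the 'edr' slice."""
    return [(ident, zones(c), c) for ident, cs in stitch(normalize()).items()
            for c in cs if zones(c) >= min_zones]
```

With the sample data, only svc-deploy produces a chain spanning all three zones; alice's single EDR logon never rises above one zone and is not flagged.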
Final Thoughts

As attackers continue to use AI-assisted tools to increase the speed of attacks, relying solely on the endpoint is no longer a viable strategy for the modern enterprise. By embracing a unified platform that ingests and correlates telemetry from every IT zone, organizations can gain the holistic visibility needed to stop sophisticated threats in their tracks. The transition to an AI-enabled, multi-surface defense is the only way to turn the tide against attackers who thrive in the gaps between isolated tools.

To ensure your SOC is optimally equipped for this challenge, consider evaluating your current visibility through a formal assessment. Unit 42 Frontier AI Defense is an elite service that uses access to frontier models to identify your organization's likely attack paths before attackers can weaponize them.

Additional Resources

Know Ourselves Before Knowing Our Enemies: Threat Intelligence at the Expense of Asset Management – Unit 42, Palo Alto Networks
When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
Cloud Logging for Security and Beyond
2025 Unit 42 Global Incident Response Report