SentinelOne's 2026 Annual Threat Report documents a new 8-phase intrusion kill chain where attackers bypass MFA, weaponize cloud automation, and complete full campaigns in under 4 hours. The SANS Institute's 2026 Cyber Workforce report reveals AI is fundamentally reshaping required skills and widening the talent gap. Kaspersky researchers confirm Coruna iOS exploits share code lineage with the infamous Operation Triangulation framework. Sansec uncovers a novel WebRTC-based payment skimmer that evades traditional security controls.
SentinelOne has released its 2026 Annual Threat Report, subtitled "A Defender's Playbook From the Front Lines," and the headline finding is a newly documented intrusion model: modern threat actors are executing attacks through an 8-phase kill chain that compresses what used to be weeks of activity into a single coordinated campaign lasting under 4 hours.
The traditional Lockheed Martin kill chain (reconnaissance → weaponization → delivery → exploitation → installation → command & control → actions on objectives) has been the standard model since 2011. SentinelOne's research shows that real-world attacks have evolved far beyond this linear framework.
Based on analysis of thousands of incidents across enterprise, cloud, and hybrid environments throughout 2025, SentinelOne identifies:
The 8-phase model confirms what defenders have suspected: attacks no longer follow a linear path. They're parallel, automated, and designed to outpace human response. KENSAI's continuous penetration testing specifically targets the vulnerabilities attackers exploit in phases 1-4 — exposed services, misconfigured authentication, weak SSO trust chains, and cloud misconfigurations. When attackers compress their kill chain to under 4 hours, only continuous automated scanning provides the proactive defense needed to eliminate vulnerabilities before they're weaponized.
The SANS Institute has published its 2026 Cyber Workforce: Skills, Shortages, and Shifts in the Age of AI report, providing the most comprehensive analysis yet of how artificial intelligence is transforming the cybersecurity labor market. The findings are simultaneously alarming and hopeful — depending on where you sit.
Despite years of investment in cybersecurity education, the global workforce gap continues to expand. SANS estimates 4.7 million unfilled cybersecurity positions worldwide — up from 3.9 million in 2024. But the nature of the gap has fundamentally changed:
The report surveyed over 8,500 cybersecurity professionals across 142 countries. Key findings on AI's impact:
SANS identifies a new role emerging across organizations: the AI Security Operator — someone who doesn't just use security tools but manages, tunes, and validates the AI systems that are increasingly making security decisions. This role requires a unique blend of traditional security knowledge, data science literacy, and the judgment to know when AI recommendations should be trusted versus overridden.
KENSAI is built for the workforce reality SANS describes. Rather than requiring teams of penetration testers running manual assessments, KENSAI provides autonomous security scanning that operates continuously — augmenting smaller security teams with machine-speed coverage. The platform handles the repetitive, scalable work (continuous vulnerability scanning, attack surface monitoring) while human experts focus on the strategic decisions that AI cannot make: risk prioritization, business context, and remediation strategy.
Kaspersky researchers have confirmed that the Coruna iOS exploit kit — recently added to CISA's KEV catalog — contains updated code components directly descended from the Operation Triangulation attack framework discovered in 2023. This suggests a sophisticated, well-resourced threat actor continues to evolve and deploy iOS exploitation capabilities.
In 2023, Kaspersky discovered Operation Triangulation — one of the most sophisticated iOS attack chains ever documented. The attack exploited four zero-day vulnerabilities in sequence, including a hardware-level exploit targeting an undocumented feature in Apple's custom chips. The sophistication was so extreme that it raised questions about whether the attackers had access to Apple's internal documentation.
Now, Kaspersky's latest research reveals that the Coruna iOS exploit kit, which CISA added to its Known Exploited Vulnerabilities (KEV) catalog on March 8, shares significant code with Triangulation:
Kaspersky stops short of definitive attribution but notes that the code lineage, combined with the resources required to develop and maintain a multi-vulnerability iOS exploit chain, narrows the field to a small number of state-level actors. The evolution from Triangulation to Coruna represents years of continuous development — this is not opportunistic exploitation but a sustained, well-funded program.
While KENSAI focuses on web application and infrastructure security rather than mobile endpoints, the Coruna-Triangulation connection illustrates a critical principle: sophisticated attackers iterate and evolve their tools continuously. The same pattern applies to web-facing attack infrastructure. KENSAI's continuous scanning ensures that as attackers update their techniques, your defenses are tested against the latest vulnerability landscape — not last quarter's snapshot.
Sansec researchers have discovered a novel payment card skimmer that uses WebRTC data channels to exfiltrate stolen payment information, completely bypassing Content Security Policy (CSP) restrictions and traditional network monitoring tools that inspect HTTP/HTTPS traffic.
Payment card skimmers (Magecart-style attacks) typically work by injecting malicious JavaScript into e-commerce checkout pages. The injected script captures payment card details as customers type them, then exfiltrates the data to attacker-controlled servers — usually via standard HTTP requests or by embedding data in image URLs.
The newly discovered skimmer breaks this pattern entirely by using WebRTC peer-to-peer data channels for exfiltration:
RTCPeerConnection on payment pagesThe WebRTC skimmer represents the kind of evolving web threat that makes continuous security scanning essential. KENSAI's automated penetration testing examines web applications for injection vulnerabilities, compromised third-party resources, and anomalous client-side behavior. As attackers develop new exfiltration techniques that bypass traditional controls, only comprehensive, regularly updated scanning can identify the underlying vulnerabilities that enable these attacks.
Push Security has launched a State of Browser Security research series, featuring contributions from notable security researchers including John Hammond, Troy Hunt, and Matt Johansen. The research focuses on a reality that many organizations still underestimate: the browser has become the primary attack surface for enterprise compromise.
Key findings from the initial research installments:
The research highlights a fundamental disconnect: organizations invest heavily in network security, endpoint detection, and cloud security — but the browser, which is where employees actually interact with SaaS applications, enter credentials, and process sensitive data, receives comparatively little security investment. Push Security describes this as the "last mile" problem — securing everything except the point where humans and applications actually meet.
Browser-based attacks ultimately rely on the web applications and authentication systems they target. KENSAI's security scanning evaluates web applications for the kinds of vulnerabilities that enable AiTM attacks, OAuth misconfiguration, and session management weaknesses. By continuously testing your web-facing applications, KENSAI helps ensure that even as browser-based attack techniques evolve, the underlying applications don't provide the footholds attackers need.
Anecdotes' analysis of Agentic GRC (Governance, Risk, and Compliance) adoption reveals that while AI-powered GRC tools are being widely deployed, the primary challenge isn't technology — it's organizational mindset.
The research identifies a pattern across organizations adopting AI agents for compliance and risk management:
This mirrors the broader theme across the week's research: AI is changing what security professionals do, not replacing them. The value shifts from execution to judgment, from repetitive tasks to strategic oversight.
| Research | Impact | Type | Key Takeaway |
|---|---|---|---|
| SentinelOne 2026 Annual Threat Report | CRITICAL | Threat Intelligence | 8-phase attacks complete in <4 hours |
| SANS 2026 Cyber Workforce Report | HIGH | Industry Research | 4.7M unfilled positions; AI reshaping skills |
| Kaspersky: Coruna ↔ Triangulation Link | HIGH | Threat Research | State-level iOS exploit evolution confirmed |
| Sansec: WebRTC Payment Skimmer | HIGH | Threat Discovery | New evasion technique bypasses CSP & WAFs |
| Push Security: Browser Attack State | STRATEGIC | Security Research | Browser is the primary enterprise attack surface |
| Anecdotes: Agentic GRC Adoption | INFO | Industry Analysis | Mindset shift > technology for AI governance |
When threat actors complete full intrusion campaigns faster than most organizations can schedule a meeting, periodic security assessments aren't enough. KENSAI's continuous automated scanning runs 24/7 — finding vulnerabilities before the kill chain starts.
Start Your Free Security Scan →Published by the KENSAI Research & Threat Intelligence Team
Research & Industry Intelligence Roundup — March 29, 2026
Read more briefings →