剣 KENSAI
← All posts · security · 2026-03-29 · 4 min

SentinelOne Maps 8-Phase Intrusion Kill Chain, SANS Reports AI Reshaping Cyber Workforce, Kaspersky Links Coruna to Triangulation Framework

SentinelOne's 2026 Annual Threat Report documents a new 8-phase intrusion kill chain where attackers bypass MFA, weaponize cloud automation, and complete full campaigns in under 4 hours. The SANS Institute's 2026 Cyber Workforce report reveals AI is fundamentally reshaping required skills and widening the talent gap. Kaspersky researchers confirm Coruna iOS exploits share code lineage with the infamous Operation Triangulation framework. Sansec uncovers a novel WebRTC-based payment skimmer that evades traditional security controls.


1. SentinelOne 2026 Annual Threat Report — The 8-Phase Intrusion Kill Chain

SentinelOne has released its 2026 Annual Threat Report, subtitled "A Defender's Playbook From the Front Lines," and the headline finding is a newly documented intrusion model: modern threat actors are executing attacks through an 8-phase kill chain that compresses what used to be weeks of activity into a single coordinated campaign lasting under 4 hours.

The traditional Lockheed Martin kill chain (reconnaissance → weaponization → delivery → exploitation → installation → command & control → actions on objectives) has been the standard model since 2011. SentinelOne's research shows that real-world attacks have evolved far beyond this linear framework.

The 8 Phases

Based on analysis of thousands of incidents across enterprise, cloud, and hybrid environments throughout 2025, SentinelOne identifies:

  1. Reconnaissance & Targeting: Automated scanning combined with dark web intelligence to identify high-value targets with known vulnerable services
  2. Initial Access: Primarily through stolen credentials, MFA bypass techniques (adversary-in-the-middle proxies, SIM swaps, and push fatigue), and supply chain compromise
  3. MFA Bypass & Session Hijacking: A distinct phase — not merely part of initial access — where attackers specifically defeat multi-factor authentication, often through real-time phishing proxy tools like Evilginx3 or custom AiTM frameworks
  4. Cloud Pivot: Immediate lateral movement from compromised identity into cloud services (Azure AD, AWS IAM, Google Workspace), leveraging SSO trust relationships to expand access without triggering endpoint detections
  5. Automation Weaponization: Using the victim's own automation tools — CI/CD pipelines, Infrastructure-as-Code, orchestration platforms — to deploy malicious payloads across the environment at machine speed
  6. Data Staging & Exfiltration: Selective data collection optimized for extortion value, exfiltrated through legitimate cloud storage services to avoid network-level detection
  7. Persistence & Insurance: Establishing multiple persistence mechanisms across identity, cloud, and endpoint layers to survive partial remediation — including creating new admin accounts, deploying backup C2 channels, and implanting dormant malware
  8. Monetization: Simultaneous execution of ransomware deployment and extortion demands, often combined with threats to release stolen data (double extortion) or contact customers/partners directly (triple extortion)

Key Statistics From the Report

KENSAI Perspective

The 8-phase model confirms what defenders have suspected: attacks no longer follow a linear path. They're parallel, automated, and designed to outpace human response. KENSAI's continuous penetration testing specifically targets the vulnerabilities attackers exploit in phases 1-4 — exposed services, misconfigured authentication, weak SSO trust chains, and cloud misconfigurations. When attackers compress their kill chain to under 4 hours, only continuous automated scanning provides the proactive defense needed to eliminate vulnerabilities before they're weaponized.


2. SANS Institute 2026 Cyber Workforce Report — AI Reshapes the Security Profession

The SANS Institute has published its 2026 Cyber Workforce: Skills, Shortages, and Shifts in the Age of AI report, providing the most comprehensive analysis yet of how artificial intelligence is transforming the cybersecurity labor market. The findings are simultaneously alarming and hopeful — depending on where you sit.

The Skills Gap Is Widening, Not Shrinking

Despite years of investment in cybersecurity education, the global workforce gap continues to expand. SANS estimates 4.7 million unfilled cybersecurity positions worldwide — up from 3.9 million in 2024. But the nature of the gap has fundamentally changed:

How AI Is Changing Day-to-Day Security Work

The report surveyed over 8,500 cybersecurity professionals across 142 countries. Key findings on AI's impact:

The Emerging Role: AI Security Operator

SANS identifies a new role emerging across organizations: the AI Security Operator — someone who doesn't just use security tools but manages, tunes, and validates the AI systems that are increasingly making security decisions. This role requires a unique blend of traditional security knowledge, data science literacy, and the judgment to know when AI recommendations should be trusted versus overridden.

KENSAI Perspective

KENSAI is built for the workforce reality SANS describes. Rather than requiring teams of penetration testers running manual assessments, KENSAI provides autonomous security scanning that operates continuously — augmenting smaller security teams with machine-speed coverage. The platform handles the repetitive, scalable work (continuous vulnerability scanning, attack surface monitoring) while human experts focus on the strategic decisions that AI cannot make: risk prioritization, business context, and remediation strategy.


3. Kaspersky Links Coruna iOS Exploits to Operation Triangulation Framework

🔬 RESEARCH — Coruna Exploit Kit Shares Code Lineage With Triangulation

Kaspersky researchers have confirmed that the Coruna iOS exploit kit — recently added to CISA's KEV catalog — contains updated code components directly descended from the Operation Triangulation attack framework discovered in 2023. This suggests a sophisticated, well-resourced threat actor continues to evolve and deploy iOS exploitation capabilities.

In 2023, Kaspersky discovered Operation Triangulation — one of the most sophisticated iOS attack chains ever documented. The attack exploited four zero-day vulnerabilities in sequence, including a hardware-level exploit targeting an undocumented feature in Apple's custom chips. The sophistication was so extreme that it raised questions about whether the attackers had access to Apple's internal documentation.

Now, Kaspersky's latest research reveals that the Coruna iOS exploit kit, which CISA added to its Known Exploited Vulnerabilities (KEV) catalog on March 8, shares significant code with Triangulation:

Attribution Implications

Kaspersky stops short of definitive attribution but notes that the code lineage, combined with the resources required to develop and maintain a multi-vulnerability iOS exploit chain, narrows the field to a small number of state-level actors. The evolution from Triangulation to Coruna represents years of continuous development — this is not opportunistic exploitation but a sustained, well-funded program.

What Organizations Should Do

KENSAI Perspective

While KENSAI focuses on web application and infrastructure security rather than mobile endpoints, the Coruna-Triangulation connection illustrates a critical principle: sophisticated attackers iterate and evolve their tools continuously. The same pattern applies to web-facing attack infrastructure. KENSAI's continuous scanning ensures that as attackers update their techniques, your defenses are tested against the latest vulnerability landscape — not last quarter's snapshot.


4. Sansec Discovers WebRTC-Based Payment Skimmer — A New Evasion Frontier

🔬 RESEARCH — WebRTC Data Channels Used to Exfiltrate Payment Data

Sansec researchers have discovered a novel payment card skimmer that uses WebRTC data channels to exfiltrate stolen payment information, completely bypassing Content Security Policy (CSP) restrictions and traditional network monitoring tools that inspect HTTP/HTTPS traffic.

Payment card skimmers (Magecart-style attacks) typically work by injecting malicious JavaScript into e-commerce checkout pages. The injected script captures payment card details as customers type them, then exfiltrates the data to attacker-controlled servers — usually via standard HTTP requests or by embedding data in image URLs.

The newly discovered skimmer breaks this pattern entirely by using WebRTC peer-to-peer data channels for exfiltration:

How It Works

  1. Initial injection: The skimmer is injected into the checkout page through a compromised third-party JavaScript library — a common Magecart vector
  2. Data capture: Standard keystroke logging captures payment card numbers, CVVs, and billing information as customers enter them
  3. WebRTC channel establishment: Instead of making HTTP requests, the skimmer establishes a WebRTC peer connection using a STUN/TURN server as an intermediary
  4. Data exfiltration: Captured payment data is transmitted through the WebRTC data channel — a binary, encrypted, peer-to-peer connection that most security tools do not inspect

Why This Matters

Detection and Mitigation

KENSAI Perspective

The WebRTC skimmer represents the kind of evolving web threat that makes continuous security scanning essential. KENSAI's automated penetration testing examines web applications for injection vulnerabilities, compromised third-party resources, and anomalous client-side behavior. As attackers develop new exfiltration techniques that bypass traditional controls, only comprehensive, regularly updated scanning can identify the underlying vulnerabilities that enable these attacks.


5. Push Security — State of Browser-Based Attacks in 2026

Push Security has launched a State of Browser Security research series, featuring contributions from notable security researchers including John Hammond, Troy Hunt, and Matt Johansen. The research focuses on a reality that many organizations still underestimate: the browser has become the primary attack surface for enterprise compromise.

Key findings from the initial research installments:

The Browser Security Gap

The research highlights a fundamental disconnect: organizations invest heavily in network security, endpoint detection, and cloud security — but the browser, which is where employees actually interact with SaaS applications, enter credentials, and process sensitive data, receives comparatively little security investment. Push Security describes this as the "last mile" problem — securing everything except the point where humans and applications actually meet.

KENSAI Perspective

Browser-based attacks ultimately rely on the web applications and authentication systems they target. KENSAI's security scanning evaluates web applications for the kinds of vulnerabilities that enable AiTM attacks, OAuth misconfiguration, and session management weaknesses. By continuously testing your web-facing applications, KENSAI helps ensure that even as browser-based attack techniques evolve, the underlying applications don't provide the footholds attackers need.


6. Agentic GRC — The Industry's Governance Growing Pains

Anecdotes' analysis of Agentic GRC (Governance, Risk, and Compliance) adoption reveals that while AI-powered GRC tools are being widely deployed, the primary challenge isn't technology — it's organizational mindset.

The research identifies a pattern across organizations adopting AI agents for compliance and risk management:

This mirrors the broader theme across the week's research: AI is changing what security professionals do, not replacing them. The value shifts from execution to judgment, from repetitive tasks to strategic oversight.


Research & Industry Summary

ResearchImpactTypeKey Takeaway
SentinelOne 2026 Annual Threat ReportCRITICALThreat Intelligence8-phase attacks complete in <4 hours
SANS 2026 Cyber Workforce ReportHIGHIndustry Research4.7M unfilled positions; AI reshaping skills
Kaspersky: Coruna ↔ Triangulation LinkHIGHThreat ResearchState-level iOS exploit evolution confirmed
Sansec: WebRTC Payment SkimmerHIGHThreat DiscoveryNew evasion technique bypasses CSP & WAFs
Push Security: Browser Attack StateSTRATEGICSecurity ResearchBrowser is the primary enterprise attack surface
Anecdotes: Agentic GRC AdoptionINFOIndustry AnalysisMindset shift > technology for AI governance