SentinelOne Maps 8-Phase Intrusion Kill Chain, SANS Reports AI Reshaping Cyber Workforce, Kaspersky Links Coruna to Triangulation Framework
SentinelOne's 2026 Annual Threat Report documents a new 8-phase intrusion kill chain where attackers bypass MFA, weaponize cloud automation, and complete full campaigns in under 4 hours. The SANS Institute's 2026 Cyber Workforce report reveals AI is fundamentally reshaping required skills and widening the talent gap. Kaspersky researchers confirm Coruna iOS exploits share code lineage with the infamous Operation Triangulation framework. Sansec uncovers a novel WebRTC-based payment skimmer that evades traditional security controls.
1. SentinelOne 2026 Annual Threat Report — The 8-Phase Intrusion Kill Chain
SentinelOne has released its 2026 Annual Threat Report, subtitled "A Defender's Playbook From the Front Lines," and the headline finding is a newly documented intrusion model: modern threat actors are executing attacks through an 8-phase kill chain that compresses what used to be weeks of activity into a single coordinated campaign lasting under 4 hours.
The traditional Lockheed Martin kill chain (reconnaissance → weaponization → delivery → exploitation → installation → command & control → actions on objectives) has been the standard model since 2011. SentinelOne's research shows that real-world attacks have evolved far beyond this linear framework.
The 8 Phases
Based on analysis of thousands of incidents across enterprise, cloud, and hybrid environments throughout 2025, SentinelOne identifies:
- Reconnaissance & Targeting: Automated scanning combined with dark web intelligence to identify high-value targets with known vulnerable services
- Initial Access: Primarily through stolen credentials, MFA bypass techniques (adversary-in-the-middle proxies, SIM swaps, and push fatigue), and supply chain compromise
- MFA Bypass & Session Hijacking: A distinct phase — not merely part of initial access — where attackers specifically defeat multi-factor authentication, often through real-time phishing proxy tools like Evilginx3 or custom AiTM frameworks
- Cloud Pivot: Immediate lateral movement from compromised identity into cloud services (Azure AD, AWS IAM, Google Workspace), leveraging SSO trust relationships to expand access without triggering endpoint detections
- Automation Weaponization: Using the victim's own automation tools — CI/CD pipelines, Infrastructure-as-Code, orchestration platforms — to deploy malicious payloads across the environment at machine speed
- Data Staging & Exfiltration: Selective data collection optimized for extortion value, exfiltrated through legitimate cloud storage services to avoid network-level detection
- Persistence & Insurance: Establishing multiple persistence mechanisms across identity, cloud, and endpoint layers to survive partial remediation — including creating new admin accounts, deploying backup C2 channels, and implanting dormant malware
- Monetization: Simultaneous execution of ransomware deployment and extortion demands, often combined with threats to release stolen data (double extortion) or contact customers/partners directly (triple extortion)
Key Statistics From the Report
- MFA bypass was present in 73% of enterprise intrusions — up from 41% in 2024
- Cloud-to-ground attacks (starting in cloud, pivoting to on-premises) increased 340% year-over-year
- Average dwell time decreased to 3.8 hours for financially motivated attackers, versus 11 days in 2023
- Automation abuse — using victim's own CI/CD and IaC tools — appeared in 58% of cloud-originating incidents
- 8-phase campaigns showed a 92% success rate in achieving at least partial data exfiltration before containment
KENSAI Perspective
The 8-phase model confirms what defenders have suspected: attacks no longer follow a linear path. They're parallel, automated, and designed to outpace human response. KENSAI's continuous penetration testing specifically targets the vulnerabilities attackers exploit in phases 1-4 — exposed services, misconfigured authentication, weak SSO trust chains, and cloud misconfigurations. When attackers compress their kill chain to under 4 hours, only continuous automated scanning provides the proactive defense needed to eliminate vulnerabilities before they're weaponized.
2. SANS Institute 2026 Cyber Workforce Report — AI Reshapes the Security Profession
The SANS Institute has published its 2026 Cyber Workforce: Skills, Shortages, and Shifts in the Age of AI report, providing the most comprehensive analysis yet of how artificial intelligence is transforming the cybersecurity labor market. The findings are simultaneously alarming and hopeful — depending on where you sit.
The Skills Gap Is Widening, Not Shrinking
Despite years of investment in cybersecurity education, the global workforce gap continues to expand. SANS estimates 4.7 million unfilled cybersecurity positions worldwide — up from 3.9 million in 2024. But the nature of the gap has fundamentally changed:
- Traditional skills (firewall management, signature-based detection, manual log analysis) are being automated faster than the workforce can retrain
- New skills in demand: AI/ML security, prompt engineering for security tools, autonomous system oversight, cloud-native security architecture, and identity fabric management
- The "middle" is disappearing: Junior analysts doing repetitive tasks are being replaced by AI, while demand for senior architects who can design and oversee AI-driven security systems has doubled
How AI Is Changing Day-to-Day Security Work
The report surveyed over 8,500 cybersecurity professionals across 142 countries. Key findings on AI's impact:
- 67% of SOC analysts report that AI tools handle their initial alert triage — up from 23% in 2024
- 41% of penetration testers use AI-assisted vulnerability discovery tools as part of their standard workflow
- AI-generated reports now account for the majority of first-draft incident reports and compliance documentation
- However: 78% of respondents say AI tools frequently produce false confidence — generating plausible-sounding but incorrect analysis that requires experienced human review to catch
The Emerging Role: AI Security Operator
SANS identifies a new role emerging across organizations: the AI Security Operator — someone who doesn't just use security tools but manages, tunes, and validates the AI systems that are increasingly making security decisions. This role requires a unique blend of traditional security knowledge, data science literacy, and the judgment to know when AI recommendations should be trusted versus overridden.
KENSAI Perspective
KENSAI is built for the workforce reality SANS describes. Rather than requiring teams of penetration testers running manual assessments, KENSAI provides autonomous security scanning that operates continuously — augmenting smaller security teams with machine-speed coverage. The platform handles the repetitive, scalable work (continuous vulnerability scanning, attack surface monitoring) while human experts focus on the strategic decisions that AI cannot make: risk prioritization, business context, and remediation strategy.
3. Kaspersky Links Coruna iOS Exploits to Operation Triangulation Framework
🔬 RESEARCH — Coruna Exploit Kit Shares Code Lineage With Triangulation
Kaspersky researchers have confirmed that the Coruna iOS exploit kit — recently added to CISA's KEV catalog — contains updated code components directly descended from the Operation Triangulation attack framework discovered in 2023. This suggests a sophisticated, well-resourced threat actor continues to evolve and deploy iOS exploitation capabilities.
In 2023, Kaspersky discovered Operation Triangulation — one of the most sophisticated iOS attack chains ever documented. The attack exploited four zero-day vulnerabilities in sequence, including a hardware-level exploit targeting an undocumented feature in Apple's custom chips. The sophistication was so extreme that it raised questions about whether the attackers had access to Apple's internal documentation.
Now, Kaspersky's latest research reveals that the Coruna iOS exploit kit, which CISA added to its Known Exploited Vulnerabilities (KEV) catalog on March 8, shares significant code with Triangulation:
- Shared exploit primitives: Memory corruption techniques and sandbox escape methods in Coruna reuse refined versions of Triangulation's approach, adapted for newer iOS versions
- Updated but recognizable: While the specific vulnerabilities targeted are different (Coruna targets 23 iOS vulnerabilities versus Triangulation's 4), the exploitation framework — the scaffolding that chains exploits together — shows clear evolutionary lineage
- Expanded targeting: Coruna targets a broader range of iOS versions (iOS 16 through iOS 18.2) and device types, suggesting the developers have invested heavily in expanding their capabilities since Triangulation's exposure
- Persistence evolution: Triangulation was notable for its lack of persistence (it operated entirely in memory). Coruna introduces a novel persistence mechanism that survives reboots through manipulation of iOS system services
Attribution Implications
Kaspersky stops short of definitive attribution but notes that the code lineage, combined with the resources required to develop and maintain a multi-vulnerability iOS exploit chain, narrows the field to a small number of state-level actors. The evolution from Triangulation to Coruna represents years of continuous development — this is not opportunistic exploitation but a sustained, well-funded program.
What Organizations Should Do
- Ensure all iOS devices are updated to iOS 18.4 or later — Apple has patched all 23 vulnerabilities targeted by Coruna
- Organizations in government, defense, and critical infrastructure should consider deploying mobile device management (MDM) solutions with mandatory update policies
- Review Apple's Lockdown Mode for high-risk individuals — while inconvenient, it significantly reduces the iOS attack surface
- Monitor CISA KEV updates for additional iOS-related entries as research into Coruna continues
KENSAI Perspective
While KENSAI focuses on web application and infrastructure security rather than mobile endpoints, the Coruna-Triangulation connection illustrates a critical principle: sophisticated attackers iterate and evolve their tools continuously. The same pattern applies to web-facing attack infrastructure. KENSAI's continuous scanning ensures that as attackers update their techniques, your defenses are tested against the latest vulnerability landscape — not last quarter's snapshot.
4. Sansec Discovers WebRTC-Based Payment Skimmer — A New Evasion Frontier
🔬 RESEARCH — WebRTC Data Channels Used to Exfiltrate Payment Data
Sansec researchers have discovered a novel payment card skimmer that uses WebRTC data channels to exfiltrate stolen payment information, completely bypassing Content Security Policy (CSP) restrictions and traditional network monitoring tools that inspect HTTP/HTTPS traffic.
Payment card skimmers (Magecart-style attacks) typically work by injecting malicious JavaScript into e-commerce checkout pages. The injected script captures payment card details as customers type them, then exfiltrates the data to attacker-controlled servers — usually via standard HTTP requests or by embedding data in image URLs.
The newly discovered skimmer breaks this pattern entirely by using WebRTC peer-to-peer data channels for exfiltration:
How It Works
- Initial injection: The skimmer is injected into the checkout page through a compromised third-party JavaScript library — a common Magecart vector
- Data capture: Standard keystroke logging captures payment card numbers, CVVs, and billing information as customers enter them
- WebRTC channel establishment: Instead of making HTTP requests, the skimmer establishes a WebRTC peer connection using a STUN/TURN server as an intermediary
- Data exfiltration: Captured payment data is transmitted through the WebRTC data channel — a binary, encrypted, peer-to-peer connection that most security tools do not inspect
Why This Matters
- CSP bypass: Content Security Policy headers — one of the primary defenses against Magecart attacks — typically restrict HTTP connections but do not block WebRTC traffic, which uses different browser APIs and protocols (DTLS/SRTP over UDP)
- Invisible to HTTP monitoring: Web application firewalls, proxy servers, and network monitoring tools that inspect HTTP/HTTPS traffic will not see WebRTC data channel traffic
- Encrypted by default: WebRTC connections are encrypted with DTLS, making deep packet inspection ineffective even if the traffic is captured
- No server-side indicators: Traditional skimmer detection relies on identifying unexpected outbound HTTP requests from checkout pages. WebRTC exfiltration leaves no HTTP artifacts
Detection and Mitigation
- Monitor for WebRTC API usage on checkout pages — legitimate e-commerce sites rarely need WebRTC capabilities on payment forms
- Implement Subresource Integrity (SRI) for all third-party scripts to prevent injection through compromised dependencies
- Block WebRTC on sensitive pages: Consider using browser-level WebRTC restrictions for checkout flows, or deploy JavaScript that disables
RTCPeerConnectionon payment pages - Regularly scan third-party scripts for behavioral changes — even if the script URL remains the same, the content may have been modified
KENSAI Perspective
The WebRTC skimmer represents the kind of evolving web threat that makes continuous security scanning essential. KENSAI's automated penetration testing examines web applications for injection vulnerabilities, compromised third-party resources, and anomalous client-side behavior. As attackers develop new exfiltration techniques that bypass traditional controls, only comprehensive, regularly updated scanning can identify the underlying vulnerabilities that enable these attacks.
5. Push Security — State of Browser-Based Attacks in 2026
Push Security has launched a State of Browser Security research series, featuring contributions from notable security researchers including John Hammond, Troy Hunt, and Matt Johansen. The research focuses on a reality that many organizations still underestimate: the browser has become the primary attack surface for enterprise compromise.
Key findings from the initial research installments:
- Adversary-in-the-Middle (AiTM) phishing now accounts for 47% of credential theft attacks against enterprises — up from 12% in 2023. These attacks intercept authentication in real-time, capturing both passwords and session tokens
- ConsentFix attacks — a technique where attackers trick users into granting OAuth consent to malicious applications — have emerged as a major vector for bypassing MFA entirely
- Session hijacking through stolen browser cookies accounts for more initial access than traditional credential stuffing, because session tokens bypass all forms of MFA
- Browser extensions remain a persistent blind spot: the average enterprise employee has 11 browser extensions, and 34% of those extensions request permissions that could enable data exfiltration
The Browser Security Gap
The research highlights a fundamental disconnect: organizations invest heavily in network security, endpoint detection, and cloud security — but the browser, which is where employees actually interact with SaaS applications, enter credentials, and process sensitive data, receives comparatively little security investment. Push Security describes this as the "last mile" problem — securing everything except the point where humans and applications actually meet.
KENSAI Perspective
Browser-based attacks ultimately rely on the web applications and authentication systems they target. KENSAI's security scanning evaluates web applications for the kinds of vulnerabilities that enable AiTM attacks, OAuth misconfiguration, and session management weaknesses. By continuously testing your web-facing applications, KENSAI helps ensure that even as browser-based attack techniques evolve, the underlying applications don't provide the footholds attackers need.
6. Agentic GRC — The Industry's Governance Growing Pains
Anecdotes' analysis of Agentic GRC (Governance, Risk, and Compliance) adoption reveals that while AI-powered GRC tools are being widely deployed, the primary challenge isn't technology — it's organizational mindset.
The research identifies a pattern across organizations adopting AI agents for compliance and risk management:
- Automation works: AI agents can automate evidence collection, policy checking, and compliance documentation with high accuracy
- But teams resist: GRC teams accustomed to manual processes struggle to transition from "doing the work" to "overseeing the AI that does the work"
- The real shift: The role of GRC professionals must evolve from execution (collecting evidence, writing reports) to risk leadership (interpreting results, making strategic decisions, challenging AI assumptions)
- The danger of false automation: Organizations that deploy agentic GRC without restructuring workflows end up with teams that manually verify every AI output — negating the efficiency gains entirely
This mirrors the broader theme across the week's research: AI is changing what security professionals do, not replacing them. The value shifts from execution to judgment, from repetitive tasks to strategic oversight.
Research & Industry Summary
| Research | Impact | Type | Key Takeaway |
|---|---|---|---|
| SentinelOne 2026 Annual Threat Report | CRITICAL | Threat Intelligence | 8-phase attacks complete in <4 hours |
| SANS 2026 Cyber Workforce Report | HIGH | Industry Research | 4.7M unfilled positions; AI reshaping skills |
| Kaspersky: Coruna ↔ Triangulation Link | HIGH | Threat Research | State-level iOS exploit evolution confirmed |
| Sansec: WebRTC Payment Skimmer | HIGH | Threat Discovery | New evasion technique bypasses CSP & WAFs |
| Push Security: Browser Attack State | STRATEGIC | Security Research | Browser is the primary enterprise attack surface |
| Anecdotes: Agentic GRC Adoption | INFO | Industry Analysis | Mindset shift > technology for AI governance |