Across the incidents we investigated this year, social engineering and identity abuse repeatedly bypassed technical defenses, from ClickFix-style user coaching to vishing help desks into issuing valid access. When a real user or support process is tricked into doing the attacker’s work, perimeter controls and “don’t click the link” guidance can’t keep up.

In a significant portion of incidents, attackers gained access with elevated privileges, letting them skip noisy escalation and move straight to persistence, lateral movement, and data theft. In a year where breakout happened in under 4 minutes and exfiltration in less than 6, the difference between “detected” and “contained” became the difference between a short-lived intrusion and a company-wide disruption.

Speed wasn't the only challenge. This year’s incidents were marked by LotL tradecraft and valid sessions, which allowed attackers to blend into normal tools, protocols, and cloud services. The most effective defense was visibility plus correlation—linking identity, endpoint, network, cloud, and exposure telemetry to detect post-entry behavior and respond fast enough to break the chain.

Based on everything we observed last year, we’ve compiled the most important actions a CISO can take to protect their organization against the threats ahead.

To Respond at Top Speed, Automate

  • Automate containment to reduce manual delay and stay ahead of attackers. ReliaQuest customers can use GreyMatter Automated Response Playbooks to automatically initiate rapid actions like disabling users or isolating hosts when high-confidence threats appear.
  • Automate investigations to remove Tier 1 and Tier 2 bottlenecks and keep decisions consistent. Build investigation plans for signals like MFA resets, privileged group additions, VPN account creation, EDR tampering, and registry persistence by pulling and enriching the right telemetry automatically.
  • Scale detection, hunting, and analysis without adding headcount or tool sprawl. Use agentic AI to augment threat intelligence analysis, detection engineering, and threat hunting—work that would traditionally require multiple analysts working around the clock.

Secure Trust and Identity to Block Initial Access

  • Enforce Tier 0 separation and least privilege by restricting where admin credentials can be used, eliminating standing privileges where possible, and using PAM or just-in-time access for sensitive actions to limit impact when privileged access is compromised.
  • Make privileged access phishing-resistant by moving high-value users and IT staff to FIDO2/WebAuthn hardware security keys. This reduces exposure to credential theft and mobile MFA bypass.
  • Strengthen identity verification by requiring multifactor verification for password resets, MFA changes, or account modifications. Use out-of-band callbacks to pre-registered numbers and secondary authentication challenges that can't be satisfied with publicly available information.

Detect Post-Entry Behavior with Visibility and Correlation

  • Treat M&A as a day-one attack surface. Inventory inherited internet-facing devices immediately, prioritize patching, reset credentials, and integrate monitoring before expanding connectivity.
  • Detect exploitation and session hijacking by monitoring for exploit primitives and session anomalies (e.g., impossible travel, concurrent token use across IP addresses, and abnormal session reuse), even when the specific exploit isn’t yet known.
  • Prioritize behavior-based detection and cross-tool correlation by focusing on post-compromise actions like persistence, defense impairment, lateral movement, and exfiltration, correlated across identity, endpoint, network, cloud, and virtualization telemetry.
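Two of the session anomalies named above, impossible travel and concurrent token use across IP addresses, can be expressed as simple checks over authentication events. The following Python is an added example, not code from the report or from GreyMatter; the events, session IDs, IPs, coordinates and the speed/window thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample authentication events (not from the report); a real feed would come from the IdP.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "alice", "session": "tok-A1", "ip": "203.0.113.10", "lat": 51.5, "lon": -0.12},  # London
    {"ts": "2025-03-01T09:07:00", "user": "alice", "session": "tok-A1", "ip": "198.51.100.7", "lat": 40.7, "lon": -74.0},  # same token, New York
    {"ts": "2025-03-01T09:30:00", "user": "bob", "session": "tok-B1", "ip": "192.0.2.5", "lat": 48.9, "lon": 2.35},        # Paris
    {"ts": "2025-03-01T10:15:00", "user": "bob", "session": "tok-B2", "ip": "192.0.2.99", "lat": 35.7, "lon": 139.7},      # Tokyo, 45 min later
    {"ts": "2025-03-01T11:00:00", "user": "carol", "session": "tok-C1", "ip": "203.0.113.40", "lat": 52.5, "lon": 13.4},   # Berlin
    {"ts": "2025-03-01T13:00:00", "user": "carol", "session": "tok-C2", "ip": "203.0.113.41", "lat": 50.1, "lon": 8.68},   # Frankfurt, plausible
]

MAX_SPEED_KMH = 900.0                  # assumed threshold: faster than an airliner is "impossible"
TOKEN_WINDOW = timedelta(minutes=30)   # assumed window in which one token from two IPs is suspicious


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in kilometres between two lat/lon points.
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins per user whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0 and km / hours > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(km / hours)))
    return alerts


def concurrent_token_use(events, window=TOKEN_WINDOW):
    """Flag a session token presented from more than one IP within the window."""
    by_session = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_session[e["session"]].append(e)
    alerts = []
    for session, evs in by_session.items():
        for a, b in zip(evs, evs[1:]):
            if a["ip"] != b["ip"] and _ts(b) - _ts(a) <= window:
                alerts.append((session, a["user"], a["ip"], b["ip"]))
    return alerts
```

Both checks fire on the replayed token (tok-A1) and the Paris-to-Tokyo login, while carol's Berlin-to-Frankfurt pair stays quiet; tune the thresholds to the organisation's own travel and session baselines before deploying.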

Our Threat Forecast for 2026

Looking ahead to 2026, we expect threat actors to operationalize AI-powered pen-testing tools, further target open-source maintainers, and adopt contrasting strategies against brazen ransomware groups and stealthy established actors.

We also expect continued industrialization of social engineering and identity abuse, with AI accelerating reconnaissance, producing more convincing vishing and enabling deepfake interviews at scale. This makes identity verification the most critical control point for organizations to harden.

More intrusions will likely start with elevated privileges, as threat actors invest in targeted credential theft and help-desk manipulation to bypass the noisy privilege-escalation phase entirely. This would make breakout windows even shorter and force defenders to assume “elevated privileges on entry” as the new baseline.

Finally, LotL techniques and valid-session abuse are likely to become the dominant post-compromise playbooks. Security programs must therefore prioritize behavioral analytics, cross-tool telemetry correlation, and AI-driven investigation to catch intent within legitimate activity, before lurkers can exfiltrate data or deploy ransomware.


ReliaQuest Exists to Make Security Possible

GreyMatter is built for a threat landscape where minutes matter and “valid” access is the new perimeter. With breakout happening in as little as 4 minutes and exfiltration in 6, SOCs can’t rely on manual triage or disconnected tools. GreyMatter embeds into the fabric of the SOC—across tools, environments, and entities to accelerate the shift from reactive to proactive to predictive operations.

Correlating Malicious Activity Disguised as Legitimate

GreyMatter helps organizations defend against identity- and deception-led intrusions by turning trust signals into machine-speed investigation and response. As social engineering tactics drive valid-account abuse, the earliest indicators are behavioral (e.g., anomalous authentication patterns, MFA changes, suspicious user-initiated execution, or sudden shifts in account/device context) rather than a single, reliable IOC. GreyMatter’s agentic AI investigates these signals across identity, endpoint, cloud, email/SaaS, and network telemetry with transparent reasoning, then orchestrates consistent, repeatable response actions through workflows—enabling rapid scoping, campaign-level containment, and reduced dwell time even when activity appears “legitimate” in isolated logs.

Tackling Attackers’ Head Start to Contain and Disrupt

GreyMatter also addresses the growing reality that attackers increasingly arrive with elevated privileges and move immediately to persistence, lateral movement, and data theft. By automating Tier 1/2 investigative workload and correlating high-impact post-entry behaviors across tools and environments, GreyMatter allows SOCs to treat privileged activity as suspicious until proven otherwise and act within compressed timelines. Its cross-environment orchestration supports rapid containment and disruption of attack progression (session termination, account disablement, host isolation, and coordinated actions across the security stack), while its unified visibility and correlation enable behavior-based detection across multi-cloud, hybrid, and multi-entity estates—reducing dependence on brittle IOCs and improving resilience against LotL tradecraft and fast exfiltration workflows.

Go Beyond the Report
Annual Threat Report Webinar: Proactive Defense from 2025's Key Cyber Threats

Get customer lessons learned and perspectives, expert walkthroughs, and live Q&A—plus a practical action plan to inform your strategy and safeguard your business as threats evolve.