SentinelOne’s Annual Threat Report: Defending Against the Industrialization of the Modern Cyber Breach
New research from the SentinelLABS and Wayfinder teams details how adversaries exploit the friction between security and operations
In an era of industrialized attacks, security teams are inundated with vast amounts of telemetry but often lack the context required to distinguish a genuine intrusion from a harmless anomaly. While organizations have more access to detailed threat intelligence than ever before, the challenge lies in translating those high-level insights into the specific, grounded posture needed to manage a local environment.
Designed to help organizations preserve their operational continuity against today's industrial-scale attacks, this report offers a strategic "Defender's Playbook," connecting global threat intelligence with practical behavioral findings. By dissecting the eight strategic phases of modern intrusions, the report enables security teams to shift from a reactive defense posture to proactive, context-aware resilience.
SentinelLABS Annual Threat Report Key Takeaways:
- Defusing the Identity Paradox: Identity now spans SaaS, cloud infrastructure, and autonomous agents. A single account can access dozens of systems. Organizations collect more identity data than ever, yet identity-based intrusions remain among the hardest to detect. Attackers exploit stolen tokens, phishing, and compromised accounts to operate with valid credentials. Defenders must shift focus from authentication alone to continuous monitoring of behavior after login.
- Living off the Pipeline: Attackers are increasingly targeting CI/CD pipelines and development workflows rather than production environments. By compromising build systems, adversaries can introduce malicious code and extract secrets before software reaches production, allowing them to operate within trusted development processes and bypass hardened runtime defenses. Detection requires visibility across the software development lifecycle and the ability to correlate activity over extended periods of time.
- Securing the Vanishing Perimeter against Edge Decay: Edge devices are now primary attack surfaces, with nearly 46% of recent zero-days targeting them. These systems often represent unmanaged blind spots and are frequently the first step toward broader compromise. A return to fundamentals is essential: decommission end-of-life hardware, centralize logs to a SIEM for gateway monitoring, implement tiered network segmentation for Tier 0 assets (like Domain Controllers), and mandate MFA across all remote access points, treating the edge as high-risk.
- Countering the Automation Multiplier: The true "Machine Multiplier" is not just agentic AI, but also mature, high-fidelity automation, which forms the operational backbone that enables AI insights to achieve defensive outcomes. After years of false starts, this technology is finally outpacing adversaries who are leveraging automated workflows to accelerate tasks like vulnerability scanning, credential harvesting, and lateral movement, often in milliseconds. Defense requires strengthening automated response policies that prioritize blocking high-confidence threats over generating alerts.
“The threat landscape is always evolving, but the underlying lessons remain,” said
To learn more about the Annual Threat Report, head to our website.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260324960213/en/
Media Contact:
press@sentinelone.com