As modern environments become more distributed, many organizations lean heavily on security service edge (SSE) tools to secure access and network detection and response (NDR) to monitor internal behavior.
But when these powerful platforms operate in silos, they create an operational crisis.
While cloud proxies do an excellent job of shielding applications from the open internet, they inadvertently mask critical telemetry from your internal sensors.
The real-world impact?
🔍 Your network sensors see anomalous behavior, but lose the identity of who is doing it.
⏳ Analysts are forced to spend hours manually stitching cloud logs together with network packet streams.
😩 Alert fatigue skyrockets, leaving critical warnings uninvestigated and giving adversaries more dwell time.
Security teams don’t need more disconnected dashboards. They need undeniable, unified evidence: https://t.co/rQX4t9nLWA
Research from SpecterOps found attackers are now using automated LLM loops to reverse-engineer and bypass major EDR platforms at machine speed.
If an adversary can use AI to mute your endpoint agents from the inside, a quiet SOC dashboard no longer means you're secure.
How do you defend against a threat that blinds your primary safety net? https://t.co/HrQFvquuF5
Threat actors like UNC6692 are evolving their social engineering tactics. Instead of relying solely on email phishing, they are chaining communication channels to weaponize the enterprise tools we trust every day.
By manufacturing an operational crisis (like an email-bombing campaign) and stepping in with a fake solution via Teams, adversaries are easily bypassing traditional email security perimeters.
The ultimate payload?
The SNOW Malware Ecosystem: a pipeline designed to quietly tunnel through networks, dump credentials, and compromise domain controllers.
Security teams need to understand how these multi-stage campaigns operate across endpoints, networks, and identity infrastructure to stop them before lateral movement occurs.
We just published a comprehensive breakdown of the UNC6692 campaign to help you defend against these tactics, including:
🔹 A breakdown on how the SNOW toolkit works
🔹 A deep dive into the legitimate cloud services and forensic tools used extract Active Directory data
🔹 The full MITRE ATT&CK mappings to help your SOC detect these behaviors early
Read it on the blog: https://t.co/TgatXZm4UJ
⭐️⭐️⭐️⭐️⭐️ Engineer in the Education Industry gives RevealX 5/5 Rating in Gartner Peer Insights™ Network Detection and Response Market.
Read the full review here: https://t.co/7xU0w3IAd7
Every security leader is being told they need to move to an "agentic SOC," but behind closed doors, a lot of their expensive AI investments are failing.
The hype cycle has made it incredibly difficult to separate real defensive capability from clever marketing. Meanwhile, adversaries aren’t waiting around... They’re already using automation to outpace traditional detection.
That’s why we built Beyond the Hype: A SOC Leader's Guide to the Agentic Era, a 3-part series designed to help you navigate the real impact of AI on cybersecurity.
We’re diving deep into:
1️⃣ How adversaries use AI to outpace defenders
2️⃣ Why agentic SOC tools have traditionally underperformed
3️⃣ How to build a realistic roadmap for agentic operations
🔗 Register here: https://t.co/IF1JsGMKFM
On June 22, 2026, the Five Eyes cybersecurity agencies dropped a major joint advisory: “The AI Shift in Cyber Risk: Why Leaders Must Act Now” ⤵️
The warning is blunt. Adversaries are actively weaponizing AI to collapse exploit timelines from years to months. Traditional, siloed defenses are scrambling to keep up, and the threat has officially been reframed from a technical issue to a core business risk.
Having security controls in place is no longer the benchmark. The real question boards are asking is: Do you know how those controls will hold when an attacker is already inside?
When threats move at machine speed, they immediately target the foundational gaps every security team struggles to manage:
➡️ Unmanaged assets: The legacy, IoT, or shadow systems that cannot support endpoint agents.
➡️ Compromised identities: Stolen credentials that look entirely legitimate to standard access controls.
➡️ Vanishing logs: Host data that sophisticated attackers immediately delete or disable to blind your incident response.
True defense-in-depth isn't about collecting more tools... it's about ensuring your security layers cover each other's blind spots.
When an agent can't be installed, a credential is weaponized, or a log is wiped, independent network visibility is the safety net that prevents a total outage.
Stop guessing if your defenses will hold under fire.
🔗 Read our full analysis of the Five Eyes warning to audit your strategy against the AI threat landscape today: https://t.co/KFyfz1aSsJ
VIPERTUNNEL is a stark reminder of why relying solely on file-scanning endpoint tools is a dangerous gamble for modern security teams ⤵️
Discovered as a post-compromise backdoor linked to sophisticated threat actors like UNC2165/EvilCorp, it is designed specifically to evade traditional detection by leaving virtually no footprint.
Instead, it relies on Living-off-the-Land (LOLBAS) tactics to slip under the radar:
🔹 Hidden Persistence: It abuses a legitimate Python interpreter and startup scripts to run silently without obvious command-line arguments.
🔹 File Masquerading: It disguises its script as a .dll file, exploiting common triage blind spots to trick automated analysis pipelines.
🔹 In-Memory Execution: It uses multi-layer obfuscation to execute its payload directly in memory, leaving static endpoint scanners completely blind.
🔹 Stealthy Egress: It routes malicious command-and-control traffic over TCP port 443, blending into routine web browsing.
Taken in isolation, these signals look like normal background noise. Read the full technical breakdown, campaign phases, and MITRE ATT&CK mapping on the blog: https://t.co/I8i0PYw9yn
An agentic SOC isn't just an LLM with API access. It’s an interconnected ecosystem that must run as a continuous loop from detection to response.
To move autonomous security from an experimental proof-of-concept to a safe production deployment, security architects must map operational responsibilities across four distinct layers.
1️⃣ The Context Layer: The data fabric that serves as a living model of the enterprise environment.
2️⃣ The Reasoning Layer: The AI models responsible for analyzing anomalies and determining the next steps.
3️⃣ The Tooling Layer: The integration and execution mechanisms that allow agents to interact with and query infrastructure.
4️⃣ Human Oversight: The ultimate guardrails separating low-risk tasks that can run at machine speed from critical assets that strictly require human authorization.
Read the full breakdown to learn how these four pillars work together to transform AI into a reliable, functional SOC ecosystem: https://t.co/Hyz316v0gN
Everyone's racing to put AI agents on the front lines of security defense. Far fewer people are talking about what those agents actually need to do the job well.
To make fast, accurate decisions, an autonomous agent needs the full picture of what's happening across your network.
The instinct often is to give it everything: raw packet captures, unfiltered logs, the works.
That backfires immediately.
Raw data overwhelms token budgets, saturates context windows, and buries signal in noise. Instead of reasoning at machine speed, the agent slows down, gets less accurate, and makes worse calls.
The fix isn't less data. It's better-structured data.
When raw network telemetry is transformed into structured, pre-enriched context before it ever reaches the model, agents get a foundation they can actually reason over — accurately, efficiently, and at the speed the threat demands.
That's the difference between an AI agent that defends your network and one that drowns in it 👉 https://t.co/gWKkcDkPTd
⭐️⭐️⭐️⭐️⭐️ Engineer in the Education Industry gives RevealX 5/5 Rating in Gartner Peer Insights™ Network Detection and Response Market.
Read the full review here: https://t.co/UDjreKIkB0
Is AI actually making your security team’s job harder?
In the mad dash to adopt AI, we were promised enhanced security and instant relief for burnt-out analysts.
Instead, our newly released 2026 Global Threat Landscape Report found that AI-generated alerts led to false positives that negatively impacted investigations nearly 30% of the time.
Meanwhile, the data found that attackers are actively using the AI boom to their advantage.
➡️ 55% of respondents cited AI agents and generative AI as their riskiest attack surface.
➡️ 40% identified AI-enhanced external attacks as the primary source of security incidents, data exposures, or near-misses over the last year.
➡️ And another 38% pointed to compromised AI identity or session theft.
We broke down the full findings from the 2026 Global Threat Landscape Report to help you cut through the noise and recalibrate your defense strategy: https://t.co/AsjS7H6Uss
Recent high-profile breaches are following a highly repeatable playbook that starts deep inside the Kubernetes (K8s) cluster.
Because workloads, identities, and control planes converge onto a single operational layer, a single container exploit can quickly serve as a strategic bridge into your broader cloud IAM, storage, and critical backend systems.
In our latest blog, ExtraHop Chief Evangelist Heath Mullins breaks down the real-world architectural challenges that security teams are actively battling.
⚠️ Stolen Service Account Tokens: A minor application exploit exposes identity tokens, turning a compromised app into a trusted tool for running unauthorized administrative commands.
⚠️ Excessive Permissions: Accounts are given more access than they actually need, giving attackers the ability to easily jump across security boundaries and plant silent backdoors.
⚠️ Camouflaged Traffic: Malicious API commands blend perfectly into high-volume administrative noise, leaving static, log-based tools completely blind.
Read the full breakdown of these real-world attack paths and how to strengthen your cluster defenses: https://t.co/S0m4WBSrKB
🏆 ExtraHop just won AI-based Cybersecurity Solution of the Year at the AI Breakthrough Awards for the second year in a row, and we're doing a little victory lap.
Here's why.
In the post-mythos era, attacks move at machine speed. The thing that hurts security teams most isn't spotting the threat, it's the clock. Every minute spent guessing is a minute the attacker keeps moving.
So we built our AI to close the gap.
The ExtraHop RevealX NDR platform is powered by cloud-scale machine learning that analyzes network activity across the entire connected enterprise in real time, learns what normal looks like, and decrypts the traffic attackers hide in, catching the behavioral anomalies that signal a threat the moment they happen instead of weeks later in a breach report.
We keep security teams ahead with:
▪️ Triage that instantly separates the real threat from the noise
▪️ Investigations that auto-assemble the full attack story instead of making analysts piece it together
▪️ An AI search assistant that turns a threat hunt into a single question and an instant answer.
That shift shows up in the numbers.
In a recent study, customers using ExtraHop cut investigation times by 63%.
See the rest of the findings here: https://t.co/RyEnSb4d5m
🚨 JUST RELEASED: The 2026 ExtraHop Global Threat Landscape Report is out now!
Attackers and defenders are now reaching for the same weapon: AI. The difference? Attackers are using it better.
❓ We asked 1,800+ security and IT leaders worldwide where the real risk lives now. Their answers mark a turning point.
⏵ AI agents and gen AI apps are the #1 cybersecurity risk, outranking public cloud and every legacy attack surface.
⏵ 40% were hit by AI-enhanced attacks automating recon, phishing, and lateral movement at machine speed.
⏵ 38% had AI identities or sessions hijacked.
💸 The cost of falling behind? Attackers are hiding longer and hitting harder.
⏵ Dwell time has increased YoY -- up to 2.4 weeks.
⏵ Almost half of respondents didn't catch ransomware until the data was already gone.
And the AI rushing into the SOC to fix all of this? It's not as effective as you may think.
Get the details here: https://t.co/Y5NFmgbbPW
A government order can take your AI model offline overnight. It can't make your enterprise secure.
That's the real lesson in the suspension of two Anthropic frontier models this month. Regulators didn't fix the flaw that triggered it...
They exposed how little stands between a jailbroken model and your environment.
And the flaw isn't Anthropic's alone. It's how LLMs work.
Front-end filters bend to the right phrasing. "Graceful degradation" doesn't stop a threat, it reroutes it to another capable model. And an agent, once compromised, can just keep going.
So the question isn't "which vendor's guardrails can I trust?" It's "what holds when those guardrails fail?"
Jamie Moles breaks it down on the blog: https://t.co/GkplGzQ0mY
🚗 Think of AI in the SOC like self-driving cars.
Most security teams are currently using AI copilots. This is Level 1 autonomy, like cruise control. The AI assists by summarizing alerts and writing queries, but a human driver still has their hands firmly on the wheel to validate and execute every action.
The shift to an agentic SOC represents true autonomous driving. Here, AI agents are given the keys to independently chain tasks together and execute multi-step workflows at machine speed.
But scaling defenses requires a rock-solid foundation. If your data architecture forces AI to make probabilistic guesses instead of evidence-based decisions, autonomy becomes a liability.
Is your organization ready for autonomous agents? Check out our latest blog for:
▪️ The real difference between AI assistants and autonomous agents
▪️ The critical data flaw that triggers costly AI hallucinations
▪️How to safely automate defenses at machine speed
🔗 https://t.co/K5kP1uijA0
⭐️⭐️⭐️⭐️⭐️ IT Security & Risk Management Associate in the Services (non-Government) Industry gives RevealX 5/5 Rating in Gartner Peer Insights™ Network Detection and Response Market.
Read the full review here: https://t.co/U6sJ0RZx4x
As security teams race to adopt AI in the SOC, one truth remains absolute: AI is only as smart as the data you feed it.
That’s where network context comes in.
⭐️ What is network context?
It’s the ground truth of your enterprise. It’s not just knowing that IP Address A talked to IP Address B. It’s the deep, behavioral understanding of the transaction:
→ What protocol was used?
→ What data was exchanged?
→ Is this behavior normal?
→ What identity was behind it?
→ How does this interact with the rest of the environment?
⭐️ Network context is critical for the agentic SOC.
Without deep context, AI agents fill in the blanks with assumptions. Network context transforms AI from a guessing tool into a precision weapon.
▪️ Fewer false positives: Eliminates AI hallucinations with high-fidelity insights.
▪️ Better detection: Spots stealthy behavioral anomalies that bypass standard logs.
▪️ Faster resolution: Stitches together entire attack timelines in seconds for instant root-cause analysis.
Discover how ExtraHop delivers the real-time network context required to fuel the future of AI-driven security 👉 https://t.co/XZz1hjquo7
We stripped out security data to save our analysts from burnout. Now, it’s crippling our AI.
For years, security teams have aggressively suppressed "noisy" background telemetry. It was a necessary survival tactic. Human capacity is finite, and shielding analysts from alert fatigue and burnout was the priority.
But as we pivot to the agentic SOC, this strategy backfires.
AI agents don't get fatigued, and they don't suffer from cognitive overload. They thrive on the baseline noise humans hate.
When we slice up our data streams to keep human workloads manageable, we inadvertently starve our LLMs of the context they need to operate autonomously.
By stripping away the background data, we force AI agents to:
➡️ Rely on guesswork
➡️ Waste capacity
➡️ Keep humans in the loop
True autonomy requires feeding the machine the whole story, not just the highly edited highlights.
Read our latest breakdown on how filtering your data caps your AI’s performance ceiling: https://t.co/LM2URiJT3y
🆕 Threat deep dive: How the Interlock ransomware group evades detection
Key evasion and attack tactics include:
▪️ Memory-Resident Webshells: Dropping Java class files directly into memory on vulnerable Cisco Secure FMC devices to intercept commands and completely evade traditional antivirus disk scans.
▪️ Hotta Killer: Deploying a custom defense-evasion utility designed to blind security tools before their ransomware encryptors are ever launched.
▪️ Advanced Proxying: Configuring compromised Linux servers with HAProxy to obscure data exfiltration, while using cron jobs to automatically wipe system logs every 5 minutes.
Get the full attack chain breakdown on the ExtraHop blog 🔗 https://t.co/6noPmKKlrS