Inside the Modern SOC: The 72-Minute Race

Source: Unit 42 · Field: Technology & Digital — Cybersecurity & Data Privacy, IT Infrastructure · Depth: Intermediate, medium

Summary

Modern Security Operations Centers (SOCs) face a critical "speed gap" where adversaries, increasingly leveraging AI, accelerate attacks dramatically. The 2026 Unit 42 Global Incident Response Report indicates attackers can move from initial access to data exfiltration in as little as 72 minutes, a 4X year-over-year acceleration. Identity-driven attacks are prevalent, with 65% of initial access stemming from identity-based techniques like compromised credentials and MFA manipulation. Attackers rapidly escalate privileges and move laterally across identity, endpoint, cloud, and SaaS environments, often exfiltrating hundreds of gigabytes within hours. While security alerts often exist, manual correlation of fragmented signals across up to 10 distinct sources delays response. Unit 42 Managed Services utilizes the Cortex SecOps platform and Managed XSIAM for AI-driven correlation and integrated workflows to accelerate detection and containment.

Key takeaway

SOC leaders modernizing security operations must re-engineer workflows to match attacker velocity. Shift from sequential triage to automated, parallel enrichment, and ensure that related signals across identity, endpoint, and cloud are automatically correlated into unified incidents. Predefine containment actions for common attack scenarios, such as compromised accounts, so that response can begin immediately. Prioritize detecting attacker behaviors, such as rapid privilege escalation, over static indicators in order to identify threats earlier and close the critical speed gap.

Key insights

The "speed gap" in SOCs, driven by rapid identity-based attacks, necessitates automated correlation and accelerated response to keep pace.

Method

Unit 42 analysts use Cortex SecOps to correlate unusual privileged account activity, PowerShell execution, abnormal authentication, privilege escalation, and lateral movement, integrating device history, process activity, and behavioral analytics for high-confidence incident identification.
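As an added illustration that is not code from Unit 42 or the Cortex platform, the following Python sketches the correlation the method describes: it groups alerts from identity, endpoint and cloud sources by the identity involved, slides the report's 72-minute window over them, raises a single unified incident when one window spans several sources, flags rapid privilege escalation as the behaviour that drives severity, and maps the result to a predefined containment playbook. The alert schema, field names, sample alerts and playbook are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three telemetry sources. The schema and values
# are assumptions for this example, not a real product or report format.
SAMPLE_ALERTS = [
    {"ts": "2026-01-10T09:00:00", "source": "identity", "user": "jdoe", "host": "WS-14", "signal": "abnormal_auth"},
    {"ts": "2026-01-10T09:07:00", "source": "endpoint", "user": "jdoe", "host": "WS-14", "signal": "powershell_exec"},
    {"ts": "2026-01-10T09:15:00", "source": "identity", "user": "jdoe", "host": "DC-01", "signal": "privilege_escalation"},
    {"ts": "2026-01-10T09:40:00", "source": "cloud", "user": "jdoe", "host": "bucket-a", "signal": "bulk_download"},
    {"ts": "2026-01-10T11:00:00", "source": "identity", "user": "asmith", "host": "WS-22", "signal": "abnormal_auth"},
    {"ts": "2026-01-11T15:00:00", "source": "endpoint", "user": "asmith", "host": "WS-22", "signal": "powershell_exec"},
]

WINDOW = timedelta(minutes=72)  # access-to-exfiltration time cited in the report

# Predefined containment for the compromised-account scenario (assumed playbook).
PLAYBOOK = {
    "high": ["disable_account", "revoke_sessions", "isolate_hosts"],
    "medium": ["force_password_reset", "revoke_sessions"],
}

def correlate(alerts, window=WINDOW, min_sources=3):
    """Group alerts by identity and emit one incident per identity whose alerts
    inside a single time window span at least `min_sources` telemetry sources."""
    by_user = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        by_user[a["user"]].append({**a, "ts": datetime.fromisoformat(a["ts"])})
    incidents = []
    for user, events in by_user.items():
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) < min_sources:
                continue
            # Rapid privilege escalation after the first signal is the behaviour to prioritise.
            esc = next((e for e in cluster if e["signal"] == "privilege_escalation"), None)
            severity = "high" if esc else "medium"
            incidents.append({
                "user": user,
                "hosts": sorted({e["host"] for e in cluster}),
                "sources": sorted(sources),
                "signals": [e["signal"] for e in cluster],
                "minutes_to_escalation": int((esc["ts"] - first["ts"]).total_seconds() // 60) if esc else None,
                "severity": severity,
                "containment": PLAYBOOK[severity],
            })
            break  # one unified incident per identity, not one ticket per alert
    return incidents
```

Running `correlate(SAMPLE_ALERTS)` yields one high-severity incident for `jdoe` spanning all three sources, with escalation 15 minutes after the first abnormal authentication; the two isolated `asmith` alerts fall outside any shared window and produce no incident.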

Best for: CTO, VP of Engineering/Data, Executive, Security Engineer, IT Professional, Consultant

Editorial summary, takeaway, and curation by AIssential. Original article published by Unit 42.