Rocheston Zelfire — 2026 Global Threat Report

Rocheston Zelfire Intelligence · Public Edition · 2026

Rocheston Zelfire
2026 Global
Threat Report

Zero-Trust Under Fire

Zero-trust adoption accelerated, but adversaries adapted faster. In 2026, the dominant breach pattern shifted from "break in" to "log in" — where stolen sessions, delegated access, and cloud trust chains made intrusions look like ordinary work. This report maps the modern threat economy, the real failure points in zero-trust, and the exact controls that reduce impact when attacks move at machine speed.

Public Edition 2026 Edition Rocheston Zelfire Intelligence

"The new perimeter is not your network. It is your sessions, your connectors, your exceptions, and your inherited trust."

Legal & Usage

Usage, Privacy & Disclaimer

Usage Statement

This report is intended for informational and defensive security purposes. The content describes attack patterns to help defenders reduce risk. It does not provide operational instructions for harm. Redistribution is permitted with attribution to Rocheston Zelfire Intelligence.

Privacy Statement

All telemetry and incident patterns are anonymized and aggregated. No customer identifiers are included. Where examples are described, details are generalized to prevent attribution. Individual organizations cannot be reverse-identified from any data in this report.

Data Window

Primary analysis window: last 12 months (rolling), with references to multi-year baseline trends where relevant. Incident data reflects patterns observed across opt-in telemetry sources during the 2025–2026 period.

Scope & Applicability

Findings reflect patterns across enterprise environments. Smaller organizations may experience different threat mixes. All statistics are directional; precise figures depend on environment, sector, and maturity level.

No Warranty

This report is provided as-is. Rocheston Zelfire makes no warranties about completeness or fitness for a specific purpose. Security guidance should be applied in context with qualified practitioners.

"Defensive intelligence is most valuable when applied with operational context. Use this report as a starting point, not a prescription."

A Message from the Founder

It shows where trust collapses most often — identity, sessions, device posture, ZTNA scope drift, SaaS sprawl, and cloud control plane governance. It shows the modern breach chain from initial access to impact, including the points where defenders can intercept intrusions early. It includes anonymized case studies because security improves when we learn from real sequences, not vague categories. And it provides fix-first playbooks that focus on what reduces impact fastest, not what looks best on a slide.

If you take one message from this report, take this:

The modern perimeter is not your network. It is your trust.

That trust must be measurable, continuously verified, and engineered to fail safely. Your controls must assume adversaries will obtain valid sessions. Your policies must assume integrations will be abused. Your governance must assume that exceptions, once created, will be exploited. Your defenses must be built for speed — because the attacker already is.

Rocheston Zelfire was built for this era. A unified security suite is not just "more tools." It is fewer gaps. Fewer blind spots. Less trust transitivity. Faster containment decisions, backed by evidence. AINA was built to transform high-volume signals into clear conclusions and prioritized actions, because the human mind cannot manually outrun automated intrusion chains. And RCCE exists to train defenders in realistic systems — so skills translate directly to live environments, not just lab theory.

This report is our contribution to the security community: a clear, practical view of what is happening right now, and what you can do next to stay ahead.

Thank you for reading. Now let's make zero-trust operational.

Haja Mo

Founder and President

Creator of Rocheston Zelfire, AINA, and RCCE

2026 Macro Threat Landscape11
Zero-Trust Under Fire: Failure Map15
Identity Perimeter Failures18
Device Trust + Posture Gaps23
ZTNA + Segmentation Realities27
SaaS Sprawl + Implicit Trust31
Cloud Control Plane Compromise35
Supply Chain + Trust Transitivity40
AI as Attacker Force Multiplier44
Attack Chain Chapters48
Technical Threat Trends52

Metrics & Industries

Zero-Trust Metrics: What to Measure58
Industry Deep Dives62
Case Studies (Anonymized)80

Playbooks & Outlook

Defensive Playbooks89
Identity Hardening90
Endpoint + Posture93
ZTNA + Segmentation95
SaaS Governance97
Cloud Governance99
Web / API Defense (Zelwall)102
Predictions: 2027 Outlook105

Appendices

Appendices Overview107
Glossary108
MITRE ATT&CK Mapping110
One-Page Checklist112
About Rocheston Zelfire + AINA + RCCE113

Report at a Glance

Identity takeover dominates initial access
Session hijacking bypasses "MFA enabled" at scale
SaaS integrations create invisible lateral movement
Device posture can be spoofed or stale; trust leaks
Cloud breaches end at the control plane more often than expected
AI reduced attacker cost per intrusion and increased speed to impact

Executive Summary · 1 of 2

What 2026 Revealed

2026 marked the year zero-trust became a stress test. Organizations expanded ZTNA, conditional access, and cloud controls — yet adversaries shifted tactics to exploit the seams between those controls. The most damaging intrusions did not begin with advanced exploits. They began with stolen sessions, delegated permissions, vendor trust, and exceptions that quietly widened access. The defining feature of 2026 was not louder attacks. It was quieter attacks that behaved like legitimate users and moved at machine speed.

Top 10 Executive Findings

Valid sessions are now more valuable than passwords
Token theft and cookie replay bypass common MFA deployments
OAuth abuse and SaaS connectors create long-lived persistence
Posture-based trust is often assumed, not verified continuously
ZTNA scope drift is a top cause of unintended lateral movement
Cloud IAM role abuse is increasingly the primary escalation path
CI/CD remains the highest-leverage secret exposure channel
Extortion diversified: theft, integrity pressure, regulatory leverage
Deepfake-assisted helpdesk and approval fraud moved mainstream
Organizations that measure exceptions and standing privilege reduce impact sharply

Initial Access Share — 2026

By primary attack category

Identity/Session 67%

Vendor 15%

Exploit 11%

Other 7%

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

78%Breaches: identity-first

3.2hMedian time-to-impact

4.1×AI phishing quality lift

61%Orgs: no token lifetime policy

Executive Summary · 2 of 2

What Defenders Must Do Now

Defenders must treat identity as an attack surface, sessions as sensitive assets, and integrations as potential blast radius multipliers. Zero-trust must be operationalized as continuous verification, not login-time verification. The fastest risk reduction comes from eliminating standing privilege, reducing token lifetime, restricting OAuth grants, inventorying connectors, enforcing endpoint tamper resistance, linting ZTNA scopes, and making cloud logs immutable.

Fix-First Priorities

Phishing-resistant MFA for privileged roles first
Admin consent governance and OAuth app restrictions
Token/session hardening: short lifetimes, device binding where possible
Remove standing admin; enforce time-bound privilege workflows
Endpoint tamper protection and posture integrity monitoring
ZTNA policy linting; remove stale exceptions and broad scopes
CI/CD hardening: secret scanning, isolated runners, signed builds
Immutable cloud logging; alert on logging disable events

Fix-First Ladder

1
Identity — Phishing-resistant MFA, passwordless for admin
2
Sessions — Short token lifetimes, device binding, CAE
3
Privilege — Remove standing admin, JIT elevation
4
Connectors — OAuth consent governance, weekly audits
5
Posture — Tamper protection, continuous posture checks
6
ZTNA — Policy linting, expire stale exceptions
7
Cloud — Eliminate static keys, immutable logs
8
Web/API — Bot defense, API authz checks

"The fastest risk reduction comes not from adding tools, but from tightening the trust that already exists."

Section 1 · What Changed in 2026 · 1 of 2

Seven Defining Shifts

The dominant change in 2026 was the shift from perimeter exploitation to trust exploitation. Attackers stopped "forcing entry" and started inheriting access by operating inside the trust systems organizations built to improve user experience and speed.

① Vulnerability-first → Identity-first

Exploiting software vulnerabilities fell as a primary entry path. Attackers shifted to credential abuse, token theft, and session hijacking — vectors that are faster, quieter, and more reliable at scale.

② Credentials → Sessions (tokens/cookies)

Passwords became a stepping stone. The real target became post-authentication tokens and cookies, which persist through password resets and bypass interactive MFA entirely.

③ Network Lateral Movement → SaaS Lateral Movement

Traditional network pivoting gave way to SaaS trust traversal: compromising one SaaS identity grants access to connected platforms, storage, finance tools, and approval workflows.

④ Ransomware → Multi-vector Extortion

Encryption-only extortion declined. Attackers added data theft leverage, integrity threats, and regulatory pressure — making encryption optional and impact more flexible.

⑤ Cloud Control Plane as the Prize

Reaching cloud IAM — the ability to create keys, assume roles, and disable logging — became the primary escalation objective, enabling persistent infrastructure-level access.

⑥ Deepfake Social Engineering Went Mainstream

AI-generated voice and video impersonation moved from proof-of-concept to active use in helpdesk manipulation, finance approvals, and vendor onboarding workflows.

⑦ Automation Widened the Speed Gap

Attacker automation — for recon, phishing, credential testing, and post-compromise execution — compressed time-to-impact to hours. Defenders operating on human timescales fell further behind.

Time-to-Impact Trend (Months)

Hours median, all identity-driven incidents · Rocheston Zelfire telemetry

Section 1 · What Changed in 2026 · 2 of 2

Zero-Trust Reality Check

Zero-trust is not failing because the model is wrong. It fails because trust leaks through identities, tokens, integrations, and mis-scoped access — then attackers exploit those leaks at scale and speed.

Key Concept Definitions

Trust Leak

A path where verification is assumed or inherited rather than explicitly performed. Examples: long-lived tokens, stale conditional access exceptions, over-scoped SaaS connectors.

Trust Transitivity

One system's trust extends to another through connectors or delegations. A compromised SaaS identity can pivot to a finance platform via an OAuth connector without any additional authentication.

Scope Drift

Policies that broaden over time — typically through exceptions added under operational pressure — and become effectively permanent, widening the blast radius for any future compromise.

Continuous Verification

Re-checking posture and risk signals during the session, not just at login. Requires Continuous Access Evaluation (CAE) or equivalent signal-driven re-authentication triggers.

Trust Leak Map — Five Layers

Section 2 · Methodology · 1 of 3

How This Report Was Built

This report is built from anonymized, opt-in telemetry and incident patterns observed across enterprise environments protected or monitored by Rocheston Zelfire components. Data was aggregated to remove tenant identifiers and prevent reverse attribution. Where direct measurement was not possible, validated proxies and confidence scoring were used to avoid overstating precision.

Data Sources

Identity Telemetry

Authentication events, token issuance patterns, conditional access signals, OAuth consent logs, and privilege escalation indicators across enterprise identity platforms.

Endpoint Telemetry

Process events, LOLBin usage, tamper detection signals, posture assessment results, and credential access indicators from managed endpoint environments.

Web / API Telemetry (WAF)

HTTP request patterns, bot fingerprinting signals, API abuse indicators, injection attempts, and authentication anomalies from web-facing services.

Cloud Telemetry

IAM activity, role assumption events, key creation/deletion, logging configuration changes, and resource provisioning anomalies from cloud control planes.

Threat Intelligence + Sandbox

Validated indicators from threat intelligence partnerships, malware detonation data, and emulation results mapped to observed enterprise patterns.

Telemetry Contribution Wheel

Relative signal weight across sources

Identity 30%

Endpoint 22%

Cloud 18%

Web/API 15%

Email/Collab 10%

Intel/Sandbox 5%

Section 2 · Methodology · 2 of 3

Definitions & Confidence Model

Definitions Used in This Report

Incident

Confirmed unauthorized access, policy bypass, or material business impact. Excludes blocked attempts and near-misses unless they reveal a structural control gap.

Identity Compromise

Unauthorized access using valid credentials, tokens, sessions, or delegated permissions — regardless of whether the original authentication used MFA.

Token Theft

Compromise of session cookies, access tokens, refresh tokens, or API tokens enabling bypass of interactive MFA. The defining feature: no password needed after the initial theft.

Time-to-Impact

Time from confirmed initial access to first material objective — privilege escalation, data exfiltration, destructive change, or extortion demand.

Zero-Trust Failure

Any condition where trust is granted beyond intended scope due to configuration, integration, inherited permissions, weak verification, or blind spots — regardless of whether a formal ZT architecture is in place.

Confidence Model

We assign High / Medium / Low confidence based on cross-source corroboration. Trends are published only when they meet minimum volume thresholds and independent signal agreement.

Tier	Criteria	Example
High	≥3 independent sources, clear signal alignment, volume threshold met	Token theft as top initial access vector
Medium	2 sources, directional agreement, volume above minimum	Deepfake helpdesk fraud prevalence
Low	Single source or emerging pattern; flagged as directional only	AI-generated malware variants in wild

"We choose precision over completeness. If we cannot confidently assert a trend, we describe it as directional — and say so explicitly."

Section 2 · Methodology · 3 of 3

Biases, Limitations & Ethics

Known Biases & Limitations

Visibility Variance

Some environments have stronger endpoint and identity telemetry than cloud governance logs. Cloud-specific findings may undercount incidents in environments with weaker cloud instrumentation.

Defended vs. Unmanaged

Telemetry comes from environments with active monitoring. Dwell times and impact severity may differ significantly in unmanaged or lightly monitored organizations.

Sector Distribution

Coverage may overweight SaaS-forward enterprises. Industries with heavy on-premises infrastructure or air-gapped environments are underrepresented in cloud and SaaS findings.

Attribution Limits

Threat actor attribution is directional. We describe observed behaviors and TTPs, not confirmed actor identities. Attribution claims require more evidence than behavioral patterns alone.

Privacy & Ethics Statement

All data is aggregated and anonymized for macro trend analysis. No customer identifiers, content, or individual user data are included in any form. Telemetry is collected on an opt-in basis with explicit disclosure to participating organizations.

Where case studies are described, all identifying details — industry, geography, company size, affected systems — are generalized to prevent reverse attribution. Examples may represent composites of multiple incidents with similar patterns.

METHODOLOGY INTEGRITY

Rocheston Zelfire Intelligence Standard

✓ Anonymized and aggregated telemetry only
✓ Confidence tiers applied to all findings
✓ Volume thresholds enforced before publication
✓ Independent signal corroboration required for High-confidence claims
✓ Limitations disclosed explicitly

Section 3 · 2026 Macro Threat Landscape · 1 of 4

The Modern Threat Economy

In 2026, cybercrime matured into a modular economy: initial access brokers, phishing kit operators, token sellers, ransomware affiliates, and data extortion specialists operate as distinct, interchangeable market participants. This modularization reduced cost per target and increased both attack volume and targeting quality — making even small organizations viable targets.

Threat Actor Archetypes

Financially Motivated Actors

The dominant category. Focused on extortion, fraud, and theft. Identity and session compromise is preferred — it's reliable, scalable, and looks legitimate in logs. Increasingly use automation for credential stuffing, ATO, and victim profiling.

Nation-State & Strategic Actors

Prioritize long-term access, control plane positioning, and supply chain infiltration. Patient, low-noise, and willing to invest months in maintaining access before executing objectives. Cloud IAM and CI/CD are prime targets.

Opportunistic Crews

High-volume, lower-sophistication operations. Credential stuffing, bot-driven account takeover, fake account creation, and scraping. Rely on scale to generate returns from small-margin per-victim operations.

Threat Economy Supply Chain

How actors specialize and chain together

Section 3 · 2026 Macro Threat Landscape · 2 of 4

Targeting by Sector

Healthcare

Targeted for uptime pressure, complex vendor ecosystems, and high-value patient data. Mixed device posture and legacy authentication increase identity risk significantly. Ransomware operators exploit disruption leverage.

Finance & Banking

High approval-workflow density creates deepfake fraud leverage. Identity compromise translates directly to financial loss through BEC, approval manipulation, and account takeover. Regulatory leverage amplifies extortion.

Education

High account sprawl, mixed device maturity, and broad access needs. Credential attacks and SaaS sprawl dominate. Student and research data is valuable; systems often under-resourced for security.

Government

Strategic targeting by nation-state actors. Long contractor trust chains, hybrid legacy-modern environments, and high-consequence disruption potential make government a persistent target.

Top Targeted Sectors — Threat Index

Composite index: volume × impact × targeting frequency

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

Manufacturing & Retail

Manufacturing targeted for downtime impact and vendor access gaps. Retail faces intense bot pressure on APIs and login endpoints. Both sectors see segmentation weaknesses exploited for lateral movement.

Section 3 · 2026 Macro Threat Landscape · 3 of 4

Targeting by Region

Attack intensity correlates with economic concentration, regulatory leverage, and geopolitical tension. Regions with high SaaS adoption and rapid digital transformation saw higher identity-based intrusion rates due to longer trust chains and more integrations. Regulatory pressure — particularly around data sovereignty — increasingly amplifies extortion leverage in high-compliance regions.

Key Regional Patterns

High SaaS Adoption Regions

North America and Western Europe show disproportionate token theft and OAuth abuse incidents. More integrations mean more trust chains — and more paths for attackers who compromise one identity to expand through delegated access.

Rapidly Digitizing Regions

Southeast Asia, Middle East, and parts of Latin America show higher rates of cloud misconfiguration-driven incidents. Speed of digital adoption outpaces security tooling and control deployment.

High Regulatory Pressure Regions

GDPR-adjacent regions see elevated extortion leverage using regulatory breach notification threats. Attackers explicitly reference regulatory penalties in extortion communications to increase payment pressure.

Geopolitical Tension Zones

Critical infrastructure in regions with active geopolitical tension faces elevated nation-state targeting. Energy, government, and defense-adjacent organizations face strategic, patient adversaries.

Regional Pressure Index — 2026

Attack intensity score by region & primary vector

Critical (8-10)

High (6-7)

Medium (4-5)

Lower (1-3)

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

Section 3 · 2026 Macro Threat Landscape · 4 of 4

Top Campaign Types Observed

Identity Takeover Campaigns

AiTM phishing, token theft, and MFA fatigue exploitation. Produces valid sessions that bypass password resets and many conditional access policies. High volume, highly automated.

Bot-Driven Credential Stuffing

Distributed bot swarms testing breached credential lists against enterprise SSO and SaaS login endpoints. Defeat basic rate limits by distributing across IPs and mimicking legitimate browser fingerprints.

SaaS Connector Abuse

OAuth grants and SaaS integrations used for persistence beyond password resets. Mailbox rules, delegated access, and app registrations maintain access through identity remediation events.

Vendor Remote Tool Misuse

Legitimate remote management tools used by vendors — with valid credentials — to move laterally. Blends into normal IT activity. Often starts with a compromised vendor credential, not a network breach.

Cloud IAM Escalation

From initial access to cloud control plane: creating persistent keys, assuming privileged roles, disabling logging. Turns an identity compromise into infrastructure-level persistent access.

Extortion Without Encryption

Data staging followed by extortion threat — without deploying ransomware. Faster, quieter, lower risk for attacker. Regulatory and reputational leverage replaces encryption as the pressure vector.

"The modern attacker does not need a zero-day. They need a valid session, a permissive connector, and enough time to inherit trust."

Section 4 · Zero-Trust Under Fire: Failure Map · 1 of 3

Where Zero-Trust Actually Fails

Zero-trust fails in the gaps between controls. Verification is often performed once at login, while attackers operate continuously within sessions, connectors, and inherited permissions. The failure is rarely in the framework — it is in incomplete implementation and the trust leaks that accumulate over time.

Five-Layer Trust Breakdown

1
Identity Trust — Authentication passes, but session tokens or delegated permissions are then stolen or abused. "Authenticated" does not mean "safe for the session's duration."
2
Session Trust — Tokens and cookies persist beyond their useful security window. Short-lifetime policies are absent or inconsistently applied to high-risk applications.
3
Device Trust — Posture signals are stale, incomplete, or spoofed. A device that was compliant at login may have been tampered with during the session.
4
Access Trust (ZTNA) — Policies intended as temporary exceptions become permanent. Scopes widen under operational pressure and are never reviewed or narrowed.
5
SaaS + Cloud Trust — Connectors, service accounts, and IAM roles accumulate permissions and long-lived tokens that no individual policy explicitly authorizes — but none explicitly denies.

Trust Inheritance — Concrete Example

1. User authenticates legitimately

MFA passed, conditional access satisfied. Session token issued.

2. Session token stolen via AiTM or endpoint

Attacker has a valid, fully-authenticated session. No password needed.

3. SaaS connector grants file access

An OAuth app connected to the compromised identity has files:read/write scope.

4. Finance tool integration grants approvals

A downstream connector inherits the session's permissions and approves a transaction.

5. Impact occurs — no network scanning required

The entire chain used legitimate access paths. Logs show normal user activity.

Section 4 · Zero-Trust Under Fire: Failure Map · 2 of 3

Common Failure Patterns

Trust Inheritance Across Systems

A single compromised identity propagates access across SaaS connectors, delegated mailboxes, and integrated tools — multiplying blast radius without any additional authentication event.

Scope Drift and Permanent Exceptions

Exceptions added to meet a business deadline persist indefinitely. Over 12 months, the average enterprise accumulates hundreds of conditional access exceptions with no expiry date.

Verification Gaps (Non-Continuous)

Verification happens at login. The session continues for hours or days without re-checking posture, risk signals, or anomalous behavior — creating a long window of undetected attacker presence.

Blind Spots: Connectors and Service Accounts

OAuth apps and service accounts are often excluded from standard identity governance reviews. They accumulate permissions, never rotate credentials, and operate without behavioral baselines.

Human Override Paths

Helpdesk reset flows, emergency access procedures, and manual approval bypasses provide social engineering targets. A convincing deepfake or pretexted call can defeat all technical controls.

Defender Principle: Measure trust leaks directly — exceptions, connectors, standing privilege, token lifetime, posture integrity, and logging immutability. What you cannot measure, you cannot close.

Trust Leak Scoreboard — 6 Key Metrics

CA Exceptions

78

OAuth High-Scope Apps

64

Standing Admin Accounts

72

Unrotated Service Accts

81

Token Lifetime Policy

39

Immutable Logging

44

% of orgs with adequate control — Rocheston Zelfire telemetry

Section 4 · Zero-Trust Under Fire: Failure Map · 3 of 3

Zero-Trust Stress Test Checklist

Before reviewing technical chapters, assess your current exposure with these six diagnostic questions. Each represents a measurable trust leak that attackers routinely exploit.

Identity & Sessions

How many conditional access exceptions exist and how old are they? (Target: zero without expiry date)
How many OAuth apps have mail-write or files-write permission? (Target: enumerate all, justify each)
What is the average token lifetime for high-risk apps? (Target: 1 hour or less for privileged sessions)

Privilege & Access

How many privileged accounts have phishing-resistant MFA? (Target: 100% for all admin roles)
How many service accounts exist with no credential rotation? (Target: zero unrotated service accounts)

Cloud & Logging

Are cloud logs immutable, and do you alert on logging disable events? (Target: yes to both)
Can you enumerate all cloud IAM roles and their effective permissions within 30 minutes? (Target: yes, automated)

Device & ZTNA

Does your ZTNA policy lint for stale exceptions and broad access groups? (Target: quarterly at minimum)
Are posture checks enforced continuously during sessions, not only at login? (Target: yes with CAE or equivalent)

"Any 'no' or 'unknown' on this checklist is an active trust leak. Prioritize closing the oldest and widest gaps first."

Section 5 · Identity Perimeter Failures · 1 of 5

Why Identity Is the Battlefield

Identity gates everything: SaaS access, cloud consoles, developer tooling, internal applications, and approval workflows. If identity is compromised, zero-trust policies often accelerate attackers by granting legitimate-looking access — because those policies were designed to trust authenticated identities, not to question the legitimacy of an ongoing session.

"MFA enabled" is not a guarantee when sessions are stolen or consent is abused. The question is not whether MFA was used at login — it is whether the session remains trustworthy throughout its lifetime.

Identity Attack Surface — What Is Exposed

Interactive login flows (password + MFA) — targeted by phishing and AiTM
Session tokens and cookies — stolen via endpoint compromise or proxy
OAuth app consent — abused via admin grants or user-consent phishing
Refresh tokens — long-lived; survive password resets
Service accounts — often unmonitored, unrotated, over-permissioned
Delegated access — mailboxes, calendars, shared drives
Privileged admin roles — standing access with excessive permissions

Section 5 · Identity Perimeter Failures · 2 of 5

Credential Attacks

Credential Stuffing

Automated testing of breached username/password pairs against enterprise login endpoints. Modern stuffing operations distribute across thousands of IPs, rotate user agents, and throttle attempts to defeat lockout policies.

Password Spraying

Single password tested across many accounts — below lockout thresholds. Effective against organizations with weak password policies and no risk-based authentication. Distributed variants defeat per-IP detection.

Replay of Breached Credentials

Credentials from third-party breaches tested against enterprise SSO. High success rate where password reuse exists and no breached-credential detection is deployed.

Distributed Login Attempts

Attacks distributed across geographies, cloud exit nodes, and residential proxies to avoid impossible-travel detection. Standard anomaly detection fails without behavioral baselining.

Defender Actions

Risk-based authentication — not just rate limits
Breached credential detection at login
Passwordless/passkeys for high-risk roles
Monitor impossible patterns beyond impossible travel
Alert on distributed login anomalies across ASNs

Login Attack Type Distribution

% of identity-targeted incidents by method

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

"Credential stuffing is a high-volume, low-sophistication attack. The volume is the threat — not the technique."

Section 5 · Identity Perimeter Failures · 3 of 5

MFA Fatigue, Bypass & AiTM

Push Bombing / MFA Fatigue

Attacker triggers repeated push notifications after obtaining the correct password. User, fatigued by repeated prompts or confused by the request, approves — granting session access. Number matching reduces but does not eliminate this vector.

Adversary-in-the-Middle (AiTM) Phishing

A reverse proxy sits between the user and the legitimate service. The user authenticates (including MFA) — and the session token is captured by the proxy. The attacker receives a fully authenticated, MFA-bypassed session cookie.

Why AiTM Defeats Standard MFA

AiTM does not "break" MFA. It captures the session after MFA succeeds. The resulting cookie is as valid as one the legitimate user would hold. Password resets do not revoke it. Standard conditional access does not flag it.

Defender Actions

Phishing-resistant MFA (FIDO2/passkeys) for privileged and finance roles — defeats AiTM at the protocol level
Conditional access for high-risk actions during session, not just at login
Token lifetime reduction for sensitive applications
Alert on token use from new device fingerprints mid-session

Timeline: Phish to Valid Session

AiTM attack flow — how a session is captured

T+0:00 — Phishing email delivered

AI-crafted, contextual lure. Links to AiTM proxy domain resembling legitimate SSO.

T+0:04 — User clicks link

Browser connects to reverse proxy. User sees legitimate-looking login page.

T+0:06 — Credentials entered

Proxy forwards credentials to real IDP. MFA prompt triggered normally.

T+0:08 — MFA approved

User completes MFA. Session established between user and proxy.

T+0:09 — Session token captured

Proxy extracts authenticated cookie. Attacker has a valid session — no password, no MFA required going forward.

Section 5 · Identity Perimeter Failures · 4 of 5

Token Theft & Cookie Replay

Access Token Theft

Short-lived but high-value. Access tokens grant direct API access to cloud services, SaaS platforms, and internal apps. Stolen from endpoints, memory, logs, or intercepted in transit.

Refresh Token Theft

Long-lived and catastrophic. Refresh tokens silently generate new access tokens. They survive password resets. A stolen refresh token provides persistent access until explicitly revoked — which many organizations never do proactively.

Session Cookie Replay

Browser session cookies — captured via AiTM, XSS, or endpoint compromise — replayed from a new device. Controls that trigger on credential entry do not apply. The session looks identical to the legitimate user's.

API Token Abuse

Developer and service API tokens exposed via repositories, CI/CD logs, or misconfigured endpoints. Often have broad scopes and no expiry. Provide direct programmatic access to cloud resources and SaaS APIs.

Why This Bypasses Most Controls

Controls often trigger at credential entry — not on token usage. Token anomalies (new device, new geography, unusual API call pattern) are rarely alerted on in real time without specific session security tooling.

Token Path to Impact — Funnel

Defender Actions

Reduce token lifetime for sensitive apps (target: 1h access, 8h refresh)
Continuous Access Evaluation (CAE) for supported platforms
Alert on token use from new device fingerprints
Enforce device binding for privileged sessions

Section 5 · Identity Perimeter Failures · 5 of 5

OAuth Abuse, CA Misconfig & Privilege Escalation

OAuth Consent Abuse

Admin Consent Abuse

Attackers register malicious OAuth apps and trick admins into granting tenant-wide consent. Result: persistent access that survives password resets and operates through legitimate OAuth infrastructure.

High-Scope Mail/Files Permissions

Apps with Mail.ReadWrite and Files.ReadWrite can read all mail, exfiltrate files, and create inbox rules — all through the Microsoft Graph or Google Workspace APIs, using the victim's own OAuth grant.

Conditional Access Misconfig

Legacy Auth Allowed

Legacy authentication protocols (IMAP, POP3, SMTP AUTH) bypass modern conditional access. An attacker with valid credentials can authenticate via legacy protocol, skipping MFA entirely.

Broad Exceptions & Weak Device Trust

Named location exceptions, device compliance bypasses, and "trusted IP" ranges create broad holes that attackers exploit — especially using cloud exit nodes that match allowed geographies.

Privilege Escalation

Standing Admin Accounts

Persistent admin roles — always-on, always privileged — are high-value targets. Once compromised, they provide immediate access to everything the role touches. There is no delay, no approval, no JIT friction.

Role Chaining and Stale Roles

Roles accumulated over time — from project access, temporary elevation, or role copy-paste — create privilege accumulation that no single administrator authorized. Attackers discover these through enumeration.

Defender Actions

Require admin consent for all OAuth app grants; weekly audit of high-scope apps
Block legacy authentication protocols entirely
Remove standing admin — implement JIT elevation with approval and time-bound access
Alert on new role assignments and privilege escalation events

Section 6 · Device Trust + Posture Gaps · 1 of 4

Device Trust Reality

"Posture is a signal, not truth. It can be stale, incomplete, spoofed, or intentionally manipulated. A device marked compliant is a device that reported compliance — not a device that is currently safe."

Device trust is the layer that conditional access and ZTNA policies rely on to distinguish managed, compliant endpoints from unmanaged or compromised ones. When that signal is stale, incomplete, or falsified, every downstream policy that depends on it is operating on bad data.

Primary Posture Finding

Trusted devices become stealth beachheads when posture integrity is not enforced continuously
MDM compliance status is often updated on a scheduled basis — not in real time
Security tool disable events are frequently not correlated with access decisions
BYOD split identity creates "managed identity on unmanaged device" trust confusion
Developer and admin endpoints have highest compromise leverage but are often least restricted

Posture Gap Indicators

EDR coverage

71%

Tamper protection

48%

Real-time posture

33%

Admin workstation sep.

29%

% of orgs with adequate control — Rocheston Zelfire telemetry

"Compliant does not mean safe. It means the device passed its last scheduled check."

Section 6 · Device Trust + Posture Gaps · 2 of 4

Unmanaged & BYOD Access

Urgent Access Paths

Users accessing SaaS and cloud resources from personal devices during travel, remote work, or device failures. Conditional access policies often have emergency exceptions that enable access from unverified posture — exceptions that never get removed.

Shadow Devices

Personal tablets, home workstations, and family computers used for work tasks. These devices have no MDM enrollment, no EDR, and no posture signal — yet they may hold session cookies from work SaaS accessed via browser.

Split Identity: Managed Corporate on Unmanaged Device

The most common and dangerous pattern: corporate identity (with full SaaS access) authenticated on a personal device. The identity is managed; the device is not. Conditional access sees the compliant identity and grants access — without knowing the endpoint state.

Defender Actions

Restrict high-risk applications (email with export, finance, admin portals) to compliant managed devices only
Separate privileged workflows onto hardened, dedicated profiles or PAW devices
Require managed device for all privileged role activations — no exceptions

Unmanaged Device → Token Theft → SaaS Access

Attack flow via BYOD path

Section 6 · Device Trust + Posture Gaps · 3 of 4

EDR Tampering & Posture Spoofing

Security Tool Disable Attempts

Attackers increasingly target monitoring and detection tools first — before executing primary objectives. EDR disable, log clearing, and monitoring service termination are early indicators of attacker presence, not post-compromise artifacts.

Tamper Events as High-Priority Signals

EDR tamper attempts, AV disable events, and Sysmon uninstall commands should trigger immediate investigation — not just log a warning. These events correlate strongly with active intrusion activity.

Posture Spoofing / Misreporting

Adversaries manipulate MDM enrollment status or compliance reporting to appear compliant. Less common but high-impact: a device with falsified posture passes conditional access checks it should fail.

Compliance Drift

Devices enrolled and compliant at deployment drift from policy over time — patch delays, configuration changes, local admin abuse. The posture signal ages without refresh, but access remains granted.

Defender Actions

Enable tamper protection on all managed endpoints
Alert immediately on tamper events — treat as active incident trigger
Require continuous posture re-evaluation (not just login-time check)

Local Admin & Endpoint Hardening Ladder

Local administrator access on endpoints is a force multiplier for attackers. It enables security tool tampering, credential extraction, persistence installation, and lateral movement — all using native OS capabilities that blend into normal operations.

Why Local Admin Is Critical

With local admin, an attacker can: disable EDR/AV, extract LSASS credentials, install keyloggers or remote access tools, modify system certificates, and pivot via local services — without triggering many standard detections.

Developer and Admin Endpoints

Developer and IT admin workstations combine broad access (cloud consoles, production repos, secrets stores) with elevated local privileges. Compromise of a single developer endpoint frequently leads to cloud control plane access.

Fix-First

Remove local admin default from all standard user endpoints
Implement JIT local elevation with approval and time-bound scope
Deploy PAW / hardened admin workstations for privileged roles
Enable attack surface reduction rules and application control

Endpoint Hardening Ladder

1
Remove local admin from standard user accounts — highest single impact action
2
Enable tamper protection on all managed endpoints via MDM/GPO
3
Deploy attack surface reduction rules — block Office macro execution, LOLBin abuse
4
Application control — allowlist for admin workstations; blocklist for critical endpoints
5
JIT local elevation with approval workflow and automatic expiry
6
PAW deployment for privileged admin and developer roles
7
Continuous posture monitoring — alert on any compliance drift within the session

Section 7 · ZTNA + Segmentation Realities · 1 of 4

ZTNA Is Only as Strong as Its Scope

"Under operational pressure, scopes expand and exceptions become permanent. Every convenience added to ZTNA policy is a potential attack path — and most organizations cannot enumerate them all."

ZTNA replaced the broad network access of VPNs with identity-and-posture-based application access — a significant improvement. But the same dynamics that bloated VPN ACLs are now bloating ZTNA policies: ad-hoc exceptions, broad identity groups, and policies created under time pressure that were never revisited.

Key Finding

Most unintended lateral movement begins as a ZTNA policy convenience
Exception age correlates strongly with likelihood of exploitation — older exceptions are broader
Identity groups used in ZTNA policies are often over-inclusive: all-employees or all-IT grants too much
App sensitivity is rarely codified — an HR portal and a production database may have identical access controls
ZTNA audits are annual at best; policy drift accumulates continuously

Scope Drift — Visual Model

Section 7 · ZTNA + Segmentation Realities · 2 of 4

Common ZTNA Failures

Broad Application Exposure

Applications exposed to "all authenticated users" or "all corporate devices" without sensitivity-based tiering. A compromised low-privilege account reaches the same applications as an admin — because the policy does not distinguish sensitivity.

Over-Trusted Identity Groups

Dynamic groups like "All Employees" or "All IT" used as ZTNA access predicates grant access to anyone in that group — including attackers who have compromised any member of the group.

Weak Segmentation of Sensitive Apps

Production databases, admin consoles, and finance platforms placed in the same access tier as low-sensitivity internal tools. An attacker gaining access to any app in the tier inherits access to the sensitive ones.

No Policy Linting or Drift Detection

ZTNA policies are created and forgotten. No automated process flags expanding scopes, expiring exceptions, or anomalous access patterns against defined policy intent.

Defender Actions

Define app sensitivity tiers — critical, elevated, standard
Require step-up auth for critical-tier apps even within a ZTNA session
Default deny for all sensitive services; explicit allow with justification
Quarterly ZTNA policy lint: enumerate exceptions, group memberships, scope breadth

ZTNA Scope Leak — Flow

How lateral movement occurs within a ZTNA environment

Section 7 · ZTNA + Segmentation Realities · 3 of 4

East-West Movement Patterns

DNS Tunneling

Data exfiltrated or C2 traffic routed through DNS queries — a protocol allowed by almost all network policies. DNS tunneling bypasses many egress controls and proxy configurations that inspect HTTP/HTTPS but ignore DNS traffic volume and payload anomalies.

Reverse Proxy Pivot

Attackers deploy reverse proxies on compromised endpoints to create tunnels that appear as legitimate outbound web traffic. These tunnels provide C2 access and lateral movement paths that blend into normal HTTPS traffic.

Identity-Based Lateral Movement

No network scanning required. Attacker uses compromised credentials or tokens to authenticate directly to applications — email, cloud storage, finance tools — from within the trusted network or via ZTNA. Completely invisible to network-layer controls.

Overlay Networks

Legitimate network overlay tools (deployed by IT) or attacker-installed equivalents create trusted tunnels between endpoints. Difficult to detect without egress anomaly baselines.

Defender Actions

DNS security baseline — alert on high-volume or entropy-anomalous DNS queries
Egress restrictions — limit which endpoints can make outbound connections to non-approved destinations
East-west anomaly detection — baseline peer-to-peer connection patterns and alert on new paths

East-West Movement Vectors — Share

Primary lateral movement method in observed incidents

Identity-based 52%

DNS tunneling 19%

Reverse proxy 17%

Overlay networks 12%

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

Section 7 · ZTNA + Segmentation Realities · 4 of 4

Micro-Segmentation Maturity Model

Segmentation maturity determines how far an attacker can move after initial access. Organizations at Level 1 give attackers a flat network; Level 4 organizations detect and contain movement in near-real time.

Level 1

Flat + exceptions
VPN-era model

Level 2

App-based segmentation
Basic ZTNA

Level 3

Identity + posture + app sensitivity
Risk-aware access

Level 4

Continuous verification
Automated drift detection
Policy linting

What Each Level Means for Attackers

Level 1: Flat access — one compromised account reaches everything on the network
Level 2: App isolation — attacker must re-authenticate per app; reduces blast radius
Level 3: Posture gates — attacker needs managed, compliant device; BYOD paths blocked
Level 4: Drift detection — policy violations alert in real time; attacker movement triggers automated response

Defender Actions

Validate segmentation routinely through purple-team exercises
Define app sensitivity tiers and enforce access by tier
Implement automated policy drift detection and exception expiry
Use segmentation validation tools to test east-west reachability against policy intent

Section 8 · SaaS Sprawl + Implicit Trust · 1 of 4

SaaS Is the New Lateral Movement Path

"Connectors, delegated access, and service accounts move trust across systems faster than defenders can track. The question is not whether your SaaS environment is connected — it is whether you can enumerate all the connections."

SaaS platforms are connected to each other through OAuth integrations, webhook callbacks, shared service accounts, and delegated mailboxes. Each connection is a trust relationship — and each trust relationship is a potential lateral movement path for an attacker who controls any node in the chain.

Key SaaS Finding

Most organizations cannot enumerate all SaaS integrations and their permissions in real time
The average enterprise has 80–120 OAuth apps connected to core identity platforms
Fewer than 20% of organizations have a defined SaaS connector governance process
Service accounts connected to SaaS platforms have longer credential lifetimes than any other account type
A single compromised SaaS identity can pivot to 8–15 connected platforms on average

SaaS Trust Chain — How Trust Propagates

Section 8 · SaaS Sprawl + Implicit Trust · 2 of 4

OAuth Apps, Delegated Access & Mailbox Abuse

Mail Read/Write Permissions

Apps with Mail.ReadWrite can read all messages, draft and send mail, create forwarding rules, and delete messages — silently, programmatically, and persistently. This is the most common high-risk OAuth scope observed.

File Read/Write Permissions

Files.ReadWrite grants access to all user-accessible files across SharePoint, OneDrive, and connected storage. Combined with mail access, an attacker can exfiltrate all data and suppress notification emails.

Long-Lived OAuth Access

OAuth refresh tokens for connected apps can persist indefinitely. An app granted access three years ago — for a project now complete — may still have active, unreviewed permissions against the user's identity.

Shared Mailboxes & Delegated Access

Shared mailboxes accessed via delegation provide quiet persistence. An attacker with delegated access can set inbox rules to suppress alerts, forward communications, and monitor business workflows — without the primary mailbox owner's awareness.

Defender Actions

Restrict user consent — require admin approval for all OAuth grants
Weekly review of apps with Mail.ReadWrite and Files.ReadWrite
Alert on new inbox rules, forwarding rules, and delegation grants
Enumerate and revoke stale OAuth grants quarterly

Top SaaS Abuse Vectors

% of SaaS-related incidents by method

OAuth app abuse 38%

Mailbox rules 24%

Service account 18%

Delegated access 13%

Shadow IT 7%

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

Section 8 · SaaS Sprawl + Implicit Trust · 3 of 4

Service Accounts & Shadow IT

Where Service Accounts Hide

Service accounts exist in: SaaS integration dashboards, CI/CD platform secrets, infrastructure automation scripts, monitoring tools, and developer environment configs. No single inventory captures all of them — they accumulate in the gaps between ownership domains.

Why Service Accounts Persist

They are created for projects, integrations, or automations. When the project ends, the account persists — because disabling it might break something unknown. No one owns the decision to remove it. Token rotation is skipped because "something might break."

Shadow IT and Unsanctioned AI Tools

Employees connect unsanctioned tools — AI assistants, productivity apps, personal storage — using corporate identities. These tools gain mail, calendar, and file access. Data exposure occurs silently. Access is never formally reviewed or revoked.

Defender Actions

Enumerate all service accounts and OAuth app tokens quarterly
Implement time-bound scopes — no permanent service account tokens
Define an approved AI tool list; restrict data access for unapproved tools
Alert on new OAuth grants from non-approved application registrations

Connector Inventory Dashboard — Mock

App	Scope	Age	Risk
Slack Bot	files:write	847d	HIGH
Zapier	mail:read/write	312d	HIGH
Notion	files:read	90d	MED
GitHub Actions	API token	∞	HIGH
DocuSign	mail:read	180d	MED
Calendly	calendar:write	420d	LOW

∞ = no expiry set · Rocheston Zelfire connector inventory format

Section 8 · SaaS Sprawl + Implicit Trust · 4 of 4

The SaaS Takeover Chain

A complete SaaS takeover does not require network access or vulnerability exploitation. It requires one compromised identity and enough OAuth grants to traverse from email to finance. The following chain is observed regularly — not as a theoretical exercise.

Step 1 — Email Account Compromised

Via AiTM phishing or token theft. Attacker has full mailbox access — read, write, rule creation.

Step 2 — Inbox Rules Created

Rules redirect or delete security alerts, IT tickets, and finance approval notifications — suppressing defensive signals.

Step 3 — OAuth Grant Issued

Attacker registers or activates a malicious OAuth app using admin consent or the victim's pending approvals. App grants persist beyond password resets.

Step 4 — File Storage Access Gained

Via connected OAuth grant, attacker accesses cloud storage — downloading contracts, financial docs, credentials in shared files.

Step 5 — Finance Tool Pivot

Finance platform connected via email SSO or delegated OAuth. Attacker accesses approval queues, pending payments, and vendor payment details.

Step 6 — Payout or Extortion

Payment redirected to attacker-controlled account. Or: data staging complete and extortion demand sent from within the victim's own email environment.

Defender Actions

Out-of-band verification for all high-risk financial actions — not email-only approval
Conditional access step-up for finance approvals: require fresh MFA + managed device
Alert on new inbox rules and mail forwarding — treat as high-priority signals

"Every step in this chain used legitimate platform features. No vulnerability was exploited. No malware was deployed."

Section 9 · Cloud Control Plane Compromise · 1 of 5

The Control Plane Is the Prize

"If attackers seize cloud IAM, they can change infrastructure, disable logs, create persistent backdoors, and persist through incident response. A cloud IAM compromise is not a data breach — it is a governance breach."

Cloud control plane compromise represents the highest-impact outcome of a cloud intrusion. An attacker with IAM administrative access can: create long-lived API keys, assume any role, disable or delete logging, modify security policies, provision infrastructure for their own use, and survive password resets and incident response actions.

Key Cloud Finding

Cloud incidents increasingly become governance incidents: who can create keys, assume roles, and alter logging
Control plane access is the attacker's primary objective — not data exfiltration alone
Logging disable events are the single most important indicator of control plane compromise
Over 60% of cloud IAM roles observed have permissions far exceeding their documented purpose
CI/CD pipelines are the most common path to cloud control plane — not direct cloud compromise

Section 9 · Cloud Control Plane Compromise · 2 of 5

Key Theft & Secrets Exposure

Keys in Code Repositories

Cloud API keys, service account credentials, and database connection strings committed to Git repositories — including "private" ones — are discovered within minutes of exposure by automated scanners that continuously monitor public and semi-public repositories.

Keys in CI/CD Build Logs

Secrets printed to build logs during pipeline execution — via debugging output, verbose logging, or echo statements — are accessible to anyone with build log access, including external contributors in open-source projects.

Keys on Developer Endpoints

Credentials stored in ~/.aws/credentials, .env files, SSH configs, and local Kubernetes configs on developer workstations. A single workstation compromise provides access to all cloud environments the developer touches.

Instance Metadata Service Abuse

SSRF vulnerabilities in web applications reaching the cloud instance metadata service (169.254.169.254) can expose IAM role credentials that allow attackers to assume the instance's cloud identity and escalate from application to infrastructure layer.

Defender Actions

Secret scanning in all repositories — pre-commit hooks + CI/CD gates
Eliminate static long-lived keys; replace with OIDC / workload identity federation
Restrict metadata service access — require IMDSv2 on all instances

Top Cloud Compromise Paths

Initial access method for cloud control plane incidents

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

Section 9 · Cloud Control Plane Compromise · 3 of 5

IAM Role Abuse & Privilege Escalation

Over-Permissioned Roles

IAM roles created with broad permissions during development phases are promoted to production without trimming. The "everything we might need" role accumulates permissions over time and is never reviewed. Attackers who assume this role inherit all of it.

Role Chaining

An initial low-privilege role has permission to assume a higher-privilege role, which has permission to assume an admin role. Attackers chain these assumptions to reach full administrative access — using only legitimate AssumeRole API calls.

Weak Trust Policies

IAM role trust policies that allow assumption from too-broad principals — entire accounts, any authenticated identity, or overly permissive condition expressions — create unintended assumption paths that attackers enumerate systematically.

Defender Actions

Enforce least privilege — use IAM Access Analyzer to identify unused permissions
Restrict AssumeRole to specific principals with condition keys
Alert on any IAM role creation, policy modification, or trust policy change
Regular privilege reduction reviews — quarterly at minimum

Role Escalation Flow

From initial access to control plane via role chaining

Section 9 · Cloud Control Plane Compromise · 4 of 5

CI/CD as the Breach Accelerator

Pipeline Secrets Exposure

CI/CD pipelines hold the most powerful secrets in the organization: cloud deployment keys, signing certificates, database credentials, and API tokens. They are exposed through environment variables, build logs, and pipeline configuration files — often with no rotation policy.

Runner Compromise

Self-hosted CI/CD runners are high-value targets. A compromised runner can access all secrets available to that pipeline, modify build artifacts, and exfiltrate credentials — without triggering any access control on the cloud side, because the runner is an authorized pipeline executor.

Build Poisoning

An attacker with pipeline write access can inject malicious code into builds that deploys backdoors to production. The build passes all reviews, tests, and signatures — because the attacker modified the pipeline, not the source code review process.

Defender Actions

Secret scanning as a mandatory CI/CD gate — block builds with detected secrets
Isolated, ephemeral runners — no persistent runners with broad cloud access
Sign and verify build artifacts — SLSA provenance attestation
Least privilege pipeline roles — pipelines should not have AdministratorAccess

CI/CD → Secrets → Control Plane

Attack progression through the pipeline

Section 9 · Cloud Control Plane Compromise · 5 of 5

Logging Blind Spots & Immutability

How Attackers Disable Logs

With sufficient IAM permissions, an attacker can: stop CloudTrail trails, delete S3 log buckets, disable AWS Config recorders, modify log retention policies, and purge existing log data — all using legitimate cloud API calls. Without immutable logging, the attacker can erase evidence of their own actions.

Why Defenders Miss It

Logging disable events are often low-priority alerts — they look like administrative actions. Without a correlation rule that flags logging changes as a high-severity incident trigger, the event is buried in an alert queue and reviewed days or weeks later — after the attacker has already completed their objectives.

The Visibility Gap Window

From the moment logging is disabled to the moment a defender notices, all attacker activity is invisible. In fast-moving intrusions, this window is sufficient to complete privilege escalation, data exfiltration, and persistence installation.

Defender Actions

Centralized, immutable logging — S3 Object Lock, Log Archive account separation
Alert on any logging configuration change as P1 — immediate investigation
Alert on IAM policy changes that grant logging disable capability
Cross-account log shipping to an account the production environment cannot access

Log Integrity Shield — Checklist

Centralized log archive in isolated account
Object Lock on S3 log buckets (WORM)
Alert on trail stop / disable events
Alert on log bucket policy changes
Log deletion triggers immediate P1
30-day minimum retention enforced

Section 10 · Supply Chain + Trust Transitivity · 1 of 4

Supply Chain Is Trust at Scale

"The most damaging supply chain incidents exploit trust relationships rather than technical weaknesses alone. The software runs as expected — but the software is controlled by someone who should not control it."

Every vendor, contractor, software dependency, and managed service provider is a trust relationship. Attackers target these relationships because they provide access to multiple downstream organizations simultaneously — multiplying impact from a single compromise.

Supply Chain Trust Principles

Vendor access is often broader than necessary — and rarely reviewed after provisioning
Software dependencies are trusted implicitly — by package name, not by behavior
A signature proves the package was signed — not that the signing process was secure
Remote management tools used by vendors are high-value attacker targets — legitimate, persistent, privileged
Trust transitivity means one vendor compromise can propagate to dozens of customers

Supply Chain Trust Bridge

Section 10 · Supply Chain + Trust Transitivity · 2 of 4

Vendor Access & Remote Tooling

Credential Reuse & Weak MFA

Vendor technicians often reuse credentials across customer environments or use personal accounts for business access. Weak or absent MFA on vendor portals means one phished vendor employee provides access to all their customers' environments.

Over-Broad Vendor Access

Vendor access is provisioned for an engagement and never scoped down or removed. A vendor with network-wide admin access for a one-time implementation retains that access indefinitely — creating a persistent, under-monitored entry point.

Remote Management Tool Abuse

Legitimate remote tools (RMM software) used by MSPs and IT vendors are increasingly weaponized. Attackers compromise vendor accounts or deploy copies of these tools to environments where they are already trusted and allowlisted.

Defender Actions

Time-bound vendor access — auto-expire after engagement window
Segment vendor access into dedicated zones with restricted lateral movement
Record and monitor all remote sessions from vendor accounts
Require phishing-resistant MFA for all vendor access — no exceptions

Vendor Access Policy Card

Control	Standard	Status
Time-bound access	Auto-expire ≤30d	Recommended
MFA requirement	Phishing-resistant	Often missing
Session recording	All privileged sessions	Partial
Vendor zone	Segmented network/ZTNA	Partial
Access review	Quarterly enumeration	Rarely done
Vendor SLA for MFA	Contractual requirement	Rarely enforced

Section 10 · Supply Chain + Trust Transitivity · 3 of 4

Software Dependency Attacks

Typosquatting

Malicious packages with names visually similar to popular libraries (e.g., "reqests" vs "requests") published to public registries. Developers install them by mistyping a package name. Automated dependency updates can also pull them in silently.

Dependency Confusion

Packages with internal/private names published to public registries with higher version numbers. Package managers that prefer the public registry pull the attacker's version over the legitimate internal package — a privilege escalation via package management.

Malicious Package Campaigns

Legitimate packages compromised via maintainer account takeover, or entirely fabricated packages with download inflators to appear popular. Published with benign initial versions; malicious payload introduced in later updates.

Signed But Malicious Updates

A valid digital signature confirms the package was signed — it does not confirm the build process was secure or the signing key was not compromised. Signed packages from compromised build pipelines are indistinguishable from legitimate ones at the signature level.

Defender Actions

SBOM + provenance: know what runs in your environment
Behavior scanning for packages — not just signature verification
Controlled, private update channels with approval gates
Pin dependency versions; review updates explicitly before acceptance

Supply Chain Attack Type Growth

Observed incident volume index (rolling 12 months)

Malicious packages

Typosquatting

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

Section 10 · Supply Chain + Trust Transitivity · 4 of 4

Trust Transitivity Failure Map

Trust transitivity is the mechanism by which one organization's compromise cascades into another's. It is not a theoretical risk — it is the mechanism behind several of the largest enterprise breaches in recent years. The failure point is not the technology: it is the unexamined assumption that a trusted partner's access is as well-controlled as your own.

Vendor Breach → Customer Breach

Vendor credentials compromised → attacker accesses customer environments via vendor's legitimate remote access → moves laterally using the vendor's existing, trusted access path → customer detects a "vendor connection" doing unexpected things — if they detect it at all.

SaaS Provider Compromise → Downstream Compromise

A SaaS platform compromise exposes tenant data, API tokens, and OAuth grants. Customers who trusted the platform's security inherit the consequences of the provider's failure — without any action on their part.

Build Tool Compromise → Enterprise Malware

Development tooling compromise (IDE plugins, build system dependencies, package registry mirrors) delivers malicious code into enterprise development environments — via the trusted software development workflow itself.

Defender Actions

Third-party risk controls aligned to identity and access — not just security questionnaires
Require vendors to demonstrate MFA, access logging, and incident response capability
Segment vendor access so a compromised vendor cannot traverse your entire environment

Trust Transitivity Map

Section 11 · AI as Attacker Force Multiplier · 1 of 4

AI Changed the Economics of Intrusion

"AI did not invent new attack categories. It industrialized existing ones — reducing cost per target, improving personalization quality, and enabling automation at scales previously unavailable to most threat actors."

The effect of AI on the attack economy in 2026 was primarily economic: lower cost per convincing phish, faster recon, broader automation of post-compromise steps, and accessibility of capabilities previously requiring specialist skill. The result was more volume, better targeting quality, and faster time-to-impact across the board.

AI Effect on Attack Economy

Phishing lure quality improved 4x by AI content generation — detectable grammar patterns largely eliminated
Recon automation compressed target profiling from days to hours
Post-compromise automation enabled faster privilege escalation and lateral movement
Deepfake voice/video made social engineering viable against MFA and helpdesk reset controls
Lower skill floor — capabilities previously requiring expert attackers now accessible to script-level operators

AI Effect Matrix

Attack Phase	AI Impact	Effect
Reconnaissance	Automated OSINT	Cost ↓ 80%
Phishing lures	LLM generation	Quality ↑ 4×
Social engineering	Deepfake audio/video	Success ↑ 3×
Credential testing	Adaptive bot AI	Speed ↑ 10×
Post-compromise	Automated playbooks	Time-to-impact ↓
Evasion	Behavior mimicry	Detection harder

"AI lowered the cost floor of a professional-quality phishing campaign from thousands of dollars to near zero."

Section 11 · AI as Attacker Force Multiplier · 2 of 4

AI-Driven Phishing & Pretexting

Contextual Spearphishing

AI-generated phishing that incorporates OSINT from LinkedIn, corporate news, recent communications, and organizational context. The lure references real projects, real names, and real business contexts — making it indistinguishable from legitimate internal communication without technical verification.

Tone Mimicry

LLM fine-tuned on samples of a person's writing style (from LinkedIn posts, public emails, social media) produces messages in their voice. A phish that sounds like your CFO — in their actual tone, cadence, and vocabulary — is significantly more likely to succeed.

Targeted Social Proof

AI-constructed lures include specific social proof: shared connections, references to real events, and verification-seeming details that increase perceived legitimacy. The goal is not just to avoid spam filters — it is to defeat human skepticism.

Defender Actions

Phishing-resistant MFA — defeats the session capture even if the lure succeeds
Out-of-band verification for high-stakes requests — phone call to a known number, not the one in the email
Tight helpdesk reset policies — require multi-channel proof for privileged account changes
User training focused on behavioral verification, not grammar-detection

Phishing Quality Index — 2026

User click rate vs. AI sophistication level

Simulated campaign data · Rocheston Zelfire research

"Train users to verify the channel, not the content. An AI can replicate content perfectly. It cannot replicate a real-time phone call to a number you already have."

Section 11 · AI as Attacker Force Multiplier · 3 of 4

Deepfakes in Business Workflows

Helpdesk Account Resets

AI-synthesized voice calls to IT helpdesks impersonating executives or employees. The call sounds authentic — voice cadence, vocabulary, and background context match the person being impersonated. Helpdesk agents, trained to be helpful, comply with MFA bypass requests or password resets.

Finance Approval Manipulation

Video call deepfakes of CFOs or finance directors authorizing wire transfers or payment changes. Attacks targeting finance teams via "emergency" out-of-band video calls have produced significant losses. The visual authenticity exceeds what training alone can defeat.

Vendor Onboarding

Deepfake-assisted impersonation during vendor or contractor onboarding creates fraudulent accounts with legitimate-seeming identity verification. These accounts then receive real access as part of normal onboarding — bypassing all technical controls.

Defender Actions

Multi-party approval for all high-risk changes — no single-person authorization for privileged resets or large transfers
Deepfake-resistant verification protocol: pre-agreed code words, ticket-binding, asynchronous challenge response
Helpdesk policy: escalate — never bypass MFA for any voice-only request regardless of apparent authority

High-Risk Approval Workflow — Secure Gates

Section 11 · AI as Attacker Force Multiplier · 4 of 4

AI Against AI: Prompt Injection, Data Leakage & Poisoning

Prompt Injection Against Internal Copilots

Enterprise AI assistants (coding copilots, document summarizers, email assistants) can be manipulated via malicious content embedded in documents they process. A prompt injection in a PDF causes the AI to exfiltrate data, execute tool calls, or produce misleading outputs — without the user's knowledge.

Data Exfiltration via Tool Access

AI tools with access to email, files, calendars, and code repositories can be directed — via prompt injection or misconfiguration — to silently exfiltrate data to attacker-controlled destinations. The exfiltration is performed by the AI using legitimate API calls, making it invisible to most DLP systems.

Knowledge Base Poisoning (RAG)

RAG-based enterprise AI systems draw from internal knowledge bases. Attackers who can write to those knowledge bases — via document upload, wiki edit, or email injection — can influence AI outputs: causing it to recommend malicious URLs, provide incorrect security guidance, or exfiltrate context through crafted prompts.

Defender Actions

Input validation and prompt injection detection for AI tool inputs
Strict data access boundaries for AI tools — least privilege at the AI layer
Audit AI tool permissions: which data sources can the AI read and write?
Treat AI tool outputs involving external URLs or action requests with same skepticism as email links

AI Tool Security Model — Layered Defense

Section 12 · Attack Chain Chapters · 1 of 4

Common Initial Access Paths — Ranked

These seven paths dominate initial access because they work reliably, scale efficiently, and look legitimate inside logs. They require no zero-days, no deep technical skill, and produce valid-looking access that bypasses most detection tuned for "suspicious" behavior.

1
AiTM Token Theft & Session Hijack — Captures valid post-MFA session. Attacker inherits full authenticated access. No credentials needed after initial capture. Bypasses password resets.
2
Valid Credential Reuse — Breached or purchased credentials tested against enterprise SSO. High success rate where password reuse exists and no breached-credential detection is deployed.
3
SaaS Connector Abuse & Delegated Access — Malicious OAuth app or compromised long-lived connector token. Persistence that survives user password resets and identity remediation.
4
Edge Service Exposure — Unpatched VPN, remote access gateway, or web-facing service. Exploited before patches are applied — often within hours of CVE disclosure.
5
Cloud Secrets via CI/CD — Keys in build logs, repos, or environment variables. Provides direct cloud IAM access — the highest-privilege initial access path available.
6
Vendor Remote Access — Compromised or misused vendor credentials. Legitimate remote access tool used to move laterally. Blends into normal IT activity.
7
Helpdesk Manipulation — Social engineering or deepfake to trigger privileged account resets. Bypasses all technical MFA controls via the human override path.

Top Initial Access Vectors — 2026

% of confirmed initial access events by method

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

Section 12 · Attack Chain Chapters · 2 of 4

Post-Compromise Objectives

Initial access is just the start. What follows is a progression toward objectives — each step increasing blast radius, impact, and attacker leverage. The speed at which attackers move through this progression has compressed dramatically due to automation.

1
Privilege Escalation to Admin Roles — First priority after initial access. Local admin, cloud IAM role assumption, or SaaS admin consent. Enables all subsequent objectives.
2
Persistence Installation — OAuth app registration, mailbox rules, service account creation, and cloud key generation. Ensures access survives incident response actions like password resets.
3
Reconnaissance & Staging — Enumerate data stores, identify sensitive files, understand the organization's financial and operational systems. Identify extortion leverage points before executing.
4
Exfiltration & Data Staging — Export data to attacker-controlled cloud storage. Use legitimate transfer tools to avoid egress detection. Time the exfiltration during normal business hours to blend with legitimate traffic.
5
Extortion, Disruption, or Sabotage — Ransom demand, regulatory threat, data publication, encryption, or sabotage of business processes. Choice depends on target profile and attacker objective.

Post-Compromise Objective Ladder

Section 12 · Attack Chain Chapters · 3 of 4

Time-to-Impact & Dwell Time

Automation compressed time-to-impact dramatically in 2026. Identity-driven intrusions — where no exploitation or malware deployment is needed — progressed to meaningful damage in hours when attackers reached privileged access and cloud control plane quickly.

Time-to-Impact — Key Numbers

3.2 hours — Median time from confirmed initial access to first material objective in identity-driven incidents
Under 1 hour — Fastest observed progression from token capture to cloud IAM assumption
18 minutes — Average time from OAuth app grant to mailbox rule creation in BEC-style attacks
4.1 days — Median dwell time before first defender detection in low-noise intrusions
23% of incidents — Defender detection occurred after primary objective was already achieved

Defender Actions

Pre-approved containment playbooks — reduce decision time at incident trigger
Automated isolation triggers for high-confidence signals (tamper events, impossible token patterns, logging disable)
Invest in detection that fires early — token anomalies, new device fingerprints, first OAuth grant

Time-to-Impact Distribution — Hours

Identity-driven incidents, 2026 observations

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

3.2hMedian TTI

4.1dMedian dwell

18mBEC rule creation

23%Post-impact detection

Section 12 · Attack Chain Chapters · 4 of 4

The Modern Breach Chain — End to End

Where Defenders Should Intercept — 5 Points

1
Before session creation — Phishing-resistant MFA at the identity layer. Defeats AiTM by making the session non-replayable. Highest leverage interception point.
2
At token issuance / use — Short token lifetimes, device binding, Continuous Access Evaluation. Forces re-authentication before attackers can fully establish persistence.
3
At privilege escalation — Time-bound JIT privilege, alerts on role changes. Prevents the attacker from reaching admin-level access that enables persistence installation.

4
At connector expansion — OAuth consent governance, mailbox rule alerting. Prevents persistence that survives password resets and identity remediation.
5
At cloud governance — Immutable logs, alert on logging disable, role boundary controls. Last line of defense — if attacker reaches here, containment speed determines outcome.

"Every interception point missed extends attacker dwell time. Defenders with pre-approved playbooks contain faster than defenders who decide in the moment."

Section 13 · Technical Threat Trends · 1 of 6

Malware & TTP Evolution

Fileless Execution & LOLBins

Malware increasingly executes in memory and uses Living-Off-the-Land Binaries — legitimate system tools (PowerShell, wscript, certutil, mshta) — to perform attacker objectives. No files written to disk means no file-hash signatures to detect. Only behavioral analysis catches these techniques.

Signed Binary Abuse

Legitimate, signed executables (Microsoft-signed, vendor-signed) used as proxies for malicious activity. Signed status provides implicit trust in many detection systems. DLL sideloading via signed executables is a persistent, well-understood technique that continues to succeed in poorly configured environments.

Credential Access — Early in the Kill Chain

Attackers prioritize credential harvesting immediately after initial access — before any other objective. LSASS dumping, Kerberoasting, credential files, and browser-stored passwords are targeted within minutes of foothold establishment to enable lateral movement before detection.

C2 over HTTPS and Cloud Services

Command-and-control traffic routed through legitimate cloud services (S3, OneDrive, GitHub, Slack) blends into normal business traffic. HTTPS inspection is required to detect these channels — but many organizations exempt cloud traffic from inspection for performance reasons.

Defender Actions

Monitor for LOLBin usage via process creation events and parent-child anomalies
Enable LSASS protection and credential guard
HTTPS inspection for high-risk categories — or behavioral baselining for cloud service traffic

LOLBins Most Abused in 2026

PowerShell · certutil · mshta · wscript · regsvr32 · rundll32 · msiexec · BITSAdmin · wmic

Credential Access Techniques

LSASS memory dump · DCSync (AD) · Kerberoasting · DPAPI abuse · Browser credential store · Key/token file harvest

C2 Channel Evasion

Cloud storage C2 (S3, SharePoint) · Collaboration platform channels · DNS-over-HTTPS tunneling · IPv6 C2 to bypass IPv4-only controls

Section 13 · Technical Threat Trends · 2 of 6

Web Threats: What Changed in 2026

OWASP Top 10 vulnerabilities remain present and exploited — but the threat pattern shifted toward API authorization failures and abuse patterns that look identical to legitimate traffic. The defining challenge is not detecting known attack signatures; it is detecting abuse of valid, correctly-functioning endpoints.

API Authorization Failures (BOLA/IDOR)

Broken Object Level Authorization allows any authenticated user to access or modify any object by changing an ID in an API request. These vulnerabilities are extremely common in APIs developed without formal security review — and are nearly invisible in WAF logs because the requests are syntactically valid.

API Abuse Patterns Look Like Normal Traffic

Attackers making 1,000 legitimate-looking API calls to harvest data or test authorization boundaries generate traffic indistinguishable from aggressive-but-valid usage. Detection requires behavioral baselining — not pattern signatures.

Mass Assignment & Function-Level AuthZ

API endpoints that accept excessive request properties or expose admin-level functions to standard users. These vulnerabilities persist in production for years — WAFs do not detect them because the request format is valid.

Defender Actions

API schema validation — enforce allowed parameters and reject unexpected properties
Authorization anomaly detection — alert on users accessing object IDs not associated with their account
API behavioral baselines — flag unusual object access volume or enumeration patterns

Web vs. API Attack Class Growth

Index: 2024 = 100 baseline

Web (traditional)

API authz failures

Source: Rocheston Zelfire WAF telemetry (anonymized, opt-in)

Section 13 · Technical Threat Trends · 3 of 6

Bot Abuse & Account Takeover at Scale

Credential Stuffing

High-volume, automated testing of breached credentials. Modern operations distribute across residential proxies, vary TLS fingerprints, and throttle attempt rates to defeat lockout and IP-reputation controls.

Scraping & Data Harvesting

Bots harvest pricing, inventory, user profiles, and proprietary data at scale. Scraping bots now mimic human browsing patterns — including reading delays, scroll behavior, and JavaScript execution — defeating basic fingerprinting.

Fake Account Creation

Automated account registration for bonus abuse, review fraud, referral fraud, and marketplace manipulation. AI-generated profile content makes fake accounts increasingly difficult to distinguish from real users without behavioral signals.

Checkout Abuse & Inventory Hoarding

Bots purchase high-value inventory for resale (scalping), test stolen payment cards at low-value checkouts (card testing), and abuse loyalty programs at scale — generating significant financial losses for retailers.

Why Basic Rate Limits Fail

Modern bot swarms distribute across thousands of residential IPs and mimic legitimate client fingerprints — browser user agents, TLS characteristics, and JavaScript execution patterns. IP-based rate limits are defeated before a meaningful threshold is reached.

Bot vs. Human Traffic Composition

Human 59%

Malicious bots 24%

Legitimate bots 11%

Unknown 6%

Source: Rocheston Zelfire WAF telemetry

Defender Actions

Bot fingerprinting: TLS JA3, browser behavior, timing patterns
Adaptive challenges: invisible to real users, high-friction for bots
Behavior scoring: flag anomalous session patterns beyond request rate

Section 13 · Technical Threat Trends · 4 of 6

Email & Collaboration Threats

Business Email Compromise (BEC)

BEC attacks use compromised or spoofed email to redirect payments, approve fraudulent transactions, and manipulate business workflows. AI-enhanced BEC uses tone mimicry, perfect grammar, and contextual knowledge to produce lures that internal recipients trust.

QR Code Phishing ("Quishing")

Phishing links embedded in QR codes bypass email link scanning. QR codes in PDF attachments or email bodies direct users to AiTM phishing pages — the link is never inspected as a URL by email security tools, which scan text and hyperlinks but not QR payloads.

Collaboration Platform Link Delivery

Phishing links delivered via Teams, Slack, and SharePoint shared documents bypass email-focused security tools. Users extend higher trust to internal collaboration platform messages than email — making these channels high-conversion delivery mechanisms.

Defender Actions

Multi-party approval and out-of-band verification for all financial approvals — email-only authorization is a control failure
Alert on new inbox rules and forwarding rules — these precede BEC payout execution
Expand phishing awareness to cover QR codes and collaboration platform links

BEC Attack Chain

From initial compromise to payment fraud

Email account compromised

Via AiTM, credential stuffing, or OAuth grant

Mailbox rules created

Delete or redirect security alerts and financial communications

Financial conversation monitored

Attacker observes pending transactions and approval workflows

Executive impersonation or redirect

Email sent from compromised account or lookalike domain requesting payment change

Payment fraud executed

Wire transfer or vendor payment redirected to attacker-controlled account. Average loss: $125,000+

Section 13 · Technical Threat Trends · 5 of 6

Vulnerability Exploitation Reality

Exploitation speed accelerated further in 2026. The median time from public CVE disclosure to first observed exploitation dropped below 24 hours for edge-service vulnerabilities. Organizations operating on weekly patch cycles are routinely breached through vulnerabilities they knew about but had not yet patched.

Edge Services: Highest-Priority Targets

VPN gateways, remote access systems, edge firewalls, and web application platforms. These systems are internet-facing, widely deployed, and their compromise provides direct network or identity access. CVEs against these systems are weaponized within hours of disclosure.

Patch Cycle vs. Exploitation Window

A 7-day patch cycle leaves a 6-day exploitation window for a CVE disclosed on day 1. High-severity edge-service vulnerabilities require emergency patching within 24-48 hours — or compensating controls (WAF virtual patching, service isolation) until patches can be applied.

Defender Actions

Emergency patch SLAs for edge-service CVEs: 24 hours for critical, 72 hours for high
Virtual patching via WAF for edge services when immediate patching is not possible
Reduce attack surface: expose only what must be exposed; isolate rest via ZTNA
Network segmentation to limit lateral movement from any compromised edge service

Disclosure → Exploitation Timeline

Days from public CVE to first observed exploitation

Source: Rocheston Zelfire intelligence (anonymized, opt-in)

Top Exploited Surfaces — 2026

VPN / Remote Access

71%

Web App / API

58%

Email Gateway

42%

Section 13 · Technical Threat Trends · 6 of 6

WAF Fatigue & Enforcement Drift

WAF effectiveness degrades over time when tuning burden is not managed. Organizations start with detection-only mode (to avoid breaking applications), add targeted blocks for known-bad patterns, then face growing exception lists as false-positive pressure accumulates — until the WAF enforces less than it was originally intended to.

Tuning Burden Creates Enforcement Gaps

Every false positive generates a support ticket. Without a structured exception governance process, exceptions accumulate without expiry dates, creating holes that grow larger over time. The WAF becomes a detection tool rather than an enforcement tool.

Exceptions as Attack Surface

WAF exceptions for specific endpoints, user agents, or source IPs are well-known attacker targets. Attackers probe for WAF bypass conditions using the same tools defenders use for WAF testing — and exceptions are often the path of least resistance.

Defender Actions

Enforcement maturity model: Detect-only → Targeted block → Full enforce
Exception governance: every exception requires justification, owner, and expiry date
Quarterly exception burn-down: review and close or re-justify all active exceptions
Attack class dashboards: give teams visibility into what the WAF is blocking vs. detecting-only

WAF Enforcement Maturity Model

Detect Only

Baseline learning

Targeted Block

High-confidence rules

Full Enforce

All rules + exception governance

Adaptive

Behavioral + exception burn-down

"A WAF in detect-only mode for 18 months is not a security control. It is a log generator."

Section 14 · Zero-Trust Metrics · 1 of 4

Metrics That Correlate with Fewer Incidents

Organizations that measure and actively manage these metrics consistently show lower breach rates, shorter dwell times, and smaller blast radius when incidents do occur. These are not vanity metrics — they are leading indicators of security posture.

PR-MFAPhishing-resistant MFA coverage for privileged roles

Target: 100%. Current median: 34%. Highest-impact single metric for identity security.

1hToken lifetime for sensitive apps

Target: ≤1h access token, ≤8h refresh. Most orgs: no policy enforced.

0Standing admin accounts

Target: zero. JIT elevation only. Current median: 14 standing admins per org.

OAuthHigh-scope OAuth grants inventoried

Target: all mail/files write-scope apps justified weekly. Most orgs: no process.

CA-XConditional access exceptions — age + count

Target: zero without expiry date. Alert when exceptions exceed 30 days.

MTTcMean time to contain identity compromise

Target: <30 min with pre-approved playbook. Current median: 4.1 hours.

Posture Integrity Rate

% of managed endpoints with tamper protection enabled and real-time posture reporting. Target: 100%. Alert on any deviation. Current median: 48%.

"What you measure is what you manage. These seven metrics, tracked weekly, predict security outcomes better than any tool count."

Section 14 · Zero-Trust Metrics · 2 of 4

How to Operationalize Metrics

Weekly Deltas Beat Annual Snapshots

Annual security assessments measure a point in time. Zero-trust posture changes daily — exceptions are added, tokens age, service accounts accumulate. Weekly metric tracking catches drift before it becomes exploitable. A metric that worsens by 5% per week becomes a 60% gap in three months if untracked.

Assign Ownership

Every metric needs a named owner accountable for its direction. Identity hygiene metrics: IAM team. Endpoint posture: endpoint security team. Cloud governance: cloud security team. SaaS governance: IT governance. Without ownership, metrics are reported but not actioned.

Tie Metrics to Change Control

Exceptions added to conditional access, ZTNA policies, or OAuth consent governance must go through change control — with an expiry date, a business justification, and an owner. Exceptions without these fields are rejected. This makes metric maintenance a process discipline, not an audit task.

Operationalization Principles

Automate metric collection — manual metrics are stale by the time they are reviewed
Executive dashboard: 5 top metrics with traffic-light status, weekly update
Tie metrics to security KPIs reviewed at board / risk committee level
Exception expiry automation: auto-revoke exceptions past their expiry date

Metrics Operating Model

Section 14 · Zero-Trust Metrics · 3 of 4

Recommended Zero-Trust Scorecard

Domain	Metric	Target	Good	Alert
Identity	PR-MFA coverage (privileged roles)	100%	≥95%	<80%
Identity	Legacy auth disabled	100%	100%	Any enabled
Sessions	Access token lifetime (sensitive apps)	≤1 hour	≤1h	>8h
Sessions	CAE / continuous verification enabled	All key apps	All supported apps	None
Privilege	Standing admin accounts	0	0	>3
Privilege	JIT elevation coverage	100%	≥90%	<50%
Connectors	Unreviewed high-scope OAuth apps	0	0	>5
Connectors	Service accounts with no rotation	0	0	Any
Posture	Tamper protection coverage	100%	≥98%	<90%
Posture	Real-time posture check enabled	All key apps	Yes	No
ZTNA	CA exceptions >30 days old	0	0	>10
ZTNA	ZTNA policy lint cadence	Monthly	Monthly	Never
Cloud	Immutable log coverage	100%	100%	<80%
Cloud	Alert on logging disable	Yes, P1	Yes	No
MTTc	Mean time to contain identity compromise	<30 min	<30 min	>4 hours

Rocheston Zelfire Zero-Trust Scorecard — copy and adapt for your organization · Source: Rocheston Zelfire Intelligence

Section 14 · Zero-Trust Metrics · 4 of 4

The Exception Problem

Exceptions are the single most underappreciated trust leak in enterprise security. They accumulate silently, outlive their purpose, and grow broader over time as new exceptions are stacked on top of old ones. Attackers who understand an organization's exception patterns can route through them reliably — because exceptions, by definition, bypass controls.

Why Exceptions Accumulate

Exceptions are added under operational pressure — a broken workflow, a deadline, an executive demand. They are rarely removed because: (1) no one knows what removing them will break, (2) no one owns the removal decision, and (3) they are not tracked in a way that makes their age or scope visible.

Why They Persist

The incentive structure rewards adding exceptions (solves an immediate problem) and punishes removing them (may cause an incident). Without an exception expiry default and an automated burn-down process, the exception list grows monotonically.

Defender Actions

Default expiry for all exceptions: 30 days, renewable with justification
Quarterly exception burn-down: review every exception >30 days; justify or remove
Exception count as a tracked metric: target zero exceptions >90 days old

Exceptions by Age Bucket

Conditional access exceptions — typical enterprise distribution

% with no assigned expiry date · Rocheston Zelfire telemetry

"Exceptions without expiry dates are permanent. Treat every exception as a debt that must be paid or forgiven — never ignored."

Section 15 · Industry Deep Dives · Overview 1 of 2

How to Read the Industry Chapters

Each industry chapter includes: threat profile narrative, top attack vectors with reasons, typical blast radius, and a fix-first priority list mapped to the zero-trust failure layers. Use your industry chapter as a starting point for prioritization — then overlay your own telemetry and control gaps.

Industry vs. Dominant Attack Vector — Pressure Heatmap

Attack pressure index by industry and vector type (1–10 scale)

Source: Rocheston Zelfire telemetry (anonymized, opt-in)

"Industry context matters. A healthcare organization's highest risk is identity sprawl across clinical devices. A retail organization's highest risk is API abuse at checkout. Same framework — different starting priorities."

Industries Covered

Healthcare (pp. 64–65)
Finance (pp. 66–67)
Education (pp. 68–69)
Government (pp. 70–71)
Retail/eCommerce (pp. 72–73)
Manufacturing (pp. 74–75)
SaaS/Tech (pp. 76–77)
Energy/Utilities (pp. 78–79)

Section 15 · Industry Deep Dives · Overview 2 of 2

Cross-Industry Comparison

Highest Identity Risk

Finance, Healthcare, SaaS/Tech. High account density, complex delegation patterns, and approval workflows make these industries the primary targets for identity-first attacks. AiTM phishing and token theft are the dominant initial access vectors.

Highest Vendor/Supply Chain Risk

Manufacturing, Healthcare, Government. Complex vendor ecosystems, contractor dependencies, and OT-adjacent networks with vendor remote access create significant trust transitivity exposure. Vendor access governance is consistently underdeveloped.

Highest Bot/API Risk

Retail/eCommerce, SaaS/Tech, Finance. High-volume API-driven operations with authentication endpoints exposed to the internet make these industries the primary targets for credential stuffing, card testing, and API authorization attacks.

Highest Cloud Governance Risk

SaaS/Tech, Finance, Government. Cloud-first architectures with complex IAM structures and CI/CD-driven deployments create the highest cloud control plane exposure. IAM role abuse and CI/CD secrets are the primary escalation paths.

4-Quadrant: Identity vs. Vendor Risk · Cloud vs. SaaS Risk

Rocheston Zelfire composite positioning — relative, not absolute

Section 15 · Industry: Healthcare · 1 of 2

Healthcare Threat Profile

Healthcare is targeted for uptime pressure, complex vendor ecosystems, and high-value patient data. Mixed device posture — spanning clinical workstations, shared devices, mobile nursing tablets, and physician personal devices — creates significant identity risk. Legacy authentication on medical systems persists due to device constraints, and the consequences of disruption (patient safety) give attackers outsized leverage.

Top Attack Vectors

Identity compromise via shared clinical credentials
Vendor remote access — medical device vendors, MSPs
Ransomware targeting clinical operations for maximum uptime pressure
Legacy auth exploitation on unmodernized medical systems
Email phishing targeting clinical staff with high urgency pretexting

Typical Blast Radius

A single identity compromise can reach: patient records (EHR), scheduling systems, billing/insurance platforms, medication dispensing systems, and administrative approval workflows — all via connected SaaS and shared on-premises platforms.

Fix-First Priorities — Healthcare

Phishing-resistant MFA for all clinician-facing identity platforms
Segment vendor remote access into isolated clinical zones
Eliminate legacy auth on any system with PHI access
Enforce managed device for EHR and medication system access
Immutable audit logging for all PHI access
Pre-approved ransomware containment playbook with clinical workflow fallbacks
Inventory all vendor remote access credentials — revoke unused
Alert on anomalous PHI access volume (bulk download, off-hours access)

Healthcare Risk Drivers

Section 15 · Industry: Healthcare · 2 of 2

Healthcare-Specific Playbook

Vendor Access Segmentation

Create dedicated network/ZTNA zones for each vendor category: medical device vendors, IT service providers, and clinical application vendors. Restrict vendor-zone access to only the systems the vendor explicitly maintains. Record all privileged vendor sessions. Auto-expire vendor access after each engagement window.

Privileged User Protection

Clinical administrators, pharmacy supervisors, and billing managers have over-privileged access by necessity. Implement JIT elevation for privileged clinical functions, phishing-resistant MFA, and behavioral baselining to detect access anomalies in accounts with broad data access.

Device Posture in Clinical Zones

Shared clinical workstations present unique posture challenges. Implement session isolation (user-specific sessions, not shared sessions), automatic session timeout after 5 minutes of inactivity, and require re-authentication before accessing controlled substance or high-risk clinical functions.

Immutable Logging for Clinical Environments

HIPAA mandates audit controls — but "audit controls" often means logs that can be modified or deleted. Implement immutable logging to a separate clinical log archive with at least 6-year retention. Alert on any access to audit logs by non-compliance personnel.

Case Vignette (Anonymized)

A regional health system experienced a clinical scheduling disruption following a vendor credential compromise. The vendor account, with legacy protocol access to a shared clinical platform, was used to move laterally into the scheduling system. Downtime lasted 18 hours. The compromised vendor credential had not been reviewed in 14 months and had no MFA requirement. Post-incident: vendor access segmented into isolated zones, MFA mandated for all vendor accounts, and quarterly vendor access reviews implemented.

Top Three Controls with Highest Healthcare ROI

Vendor zone segmentation — contains lateral movement from third-party compromise
Phishing-resistant MFA for admin and billing staff — blocks AiTM attacks
Pre-approved ransomware playbook — reduces clinical downtime during incidents

Section 15 · Industry: Finance · 1 of 2

Finance Threat Profile

Finance is optimized for speed and approvals — and attackers exploit both. The density of approval workflows, wire transfers, and high-value transactions makes finance the primary target for identity-first attacks with immediate financial impact. Deepfake-assisted fraud moved from edge case to mainstream in 2026, targeting approval workflows that were designed to be efficient rather than adversarially resistant.

Top Attack Vectors

BEC targeting CFO and AP staff — payment redirect and approval fraud
AiTM phishing against finance team identities with high mail-scope access
Deepfake voice/video calls requesting urgent payment changes
OAuth app grants against shared finance mailboxes
Credential stuffing against banking and trading platform SSO

Blast Radius

A compromised finance identity can: read all pending transactions, redirect payments, approve fraudulent vendors, suppress alert emails via inbox rules, and access connected accounting platforms — all within hours using only the identity's existing legitimate access.

Fix-First Priorities — Finance

Phishing-resistant MFA for all finance and AP staff
Out-of-band, multi-party approval for all wire transfers and payment changes
Alert on new inbox rules for finance team mailboxes — P1 response
Conditional access step-up for payment approval portal access
Deepfake verification protocol for all urgent payment requests
Audit all OAuth grants to finance team mailboxes weekly
Zero legacy auth on any finance system

Approval Chain — Secure Design

No single-person approval for transfers >$10K

Section 15 · Industry: Finance · 2 of 2

Finance-Specific Controls

Transaction Verification Protocol

All wire transfers and payment changes above defined thresholds require: (1) request via ticketing system with reference number, (2) second approver via a different channel (phone to a known number, not the one in the request), (3) callback confirmation via pre-registered contact. No request fulfilled via email or collaboration platform alone.

Conditional Access for Finance Approvals

Access to payment approval portals requires: phishing-resistant MFA re-authentication (not just session), managed compliant device, and business-hours geo-fencing with step-up auth for access outside normal working pattern. Any deviation triggers hold pending verification.

Finance Mailbox Monitoring

Finance team mailboxes — especially AP, CFO, and treasury — are monitored for: new inbox rules, forwarding rules, delegated access grants, and access from new device fingerprints. Any of these events triggers an immediate security review before any pending financial action is processed.

High-Risk Actions — Finance Security Controls

Action	Control Required
Wire transfer >$10K	2nd approver + out-of-band callback
New vendor onboarding	Finance + compliance approval + identity verification
Payment details change	Written request + callback to existing contact number
Bank account change	Board-level approval + legal documentation
Emergency payment	Designated emergency approver + record of reasoning
International wire	Compliance sign-off + enhanced due diligence

"Speed is the enemy of financial security. Every process optimization that removes a verification step creates an attack opportunity."

Section 15 · Industry: Education · 1 of 2

Education Threat Profile

Education environments have extreme account sprawl — students, faculty, staff, contractors, and research partners — combined with mixed device maturity, broad access needs, and typically resource-constrained security teams. Credential attacks and SaaS sprawl dominate. The wide variety of identity types and device postures makes consistent policy enforcement exceptionally challenging.

Top Attack Vectors

Credential stuffing against student and faculty SSO — high volume, low friction
SaaS sprawl — unsanctioned tools used by students and researchers for collaboration
Research data targeting — valuable IP in research institutions
Ransomware for tuition leverage (registration system disruption)
OAuth abuse via unsanctioned academic tools connecting to institutional identity

Blast Radius

A faculty identity compromise can reach: student records (FERPA-protected), research data, financial aid systems, and administrative platforms — all via connected institutional SaaS. A student identity compromise enables account abuse, academic fraud, and lateral movement to faculty-accessible systems.

Account Sprawl Indicators — Education

Risk score 1–10 · Higher = more exposure · Rocheston Zelfire telemetry

Fix-First Priorities — Education

MFA for all faculty and administrative accounts (start here)
Block legacy authentication — enable modern auth everywhere
Restrict high-risk OAuth app consent — require admin approval
Inventory and govern all SaaS connected to institutional identity
Segment research network from administrative network

Section 15 · Industry: Education · 2 of 2

Education-Specific Playbook

MFA Without Breaking Access

A common failure: forcing all students to MFA before the infrastructure is ready, causing mass account lockouts and helpdesk overload. The right approach: (1) enable MFA for all administrative and faculty accounts first, (2) enable for student SSO with a grace period and self-service enrollment, (3) use adaptive MFA that requires step-up only for high-risk actions (grade changes, financial aid access) for student accounts.

Conditional Access Without Blocking Students

Students access institutional resources from a wide variety of devices and locations. Blanket device compliance requirements block too many legitimate users. Use risk-based conditional access: allow BYOD for low-sensitivity resources (LMS, library databases); require managed device for administrative systems (financial aid, registration, grade management).

Connector Inventory & Shadow IT Reduction

Enumerate all OAuth apps connected to institutional M365 or Google Workspace. Many will be academic tools (plagiarism checkers, writing assistants, research databases) with excessive permissions. Implement a sanctioned tool list with pre-approved apps and require admin consent for anything outside the list.

Step-by-Step Governance Model

1
Enumerate identities and roles — faculty, staff, student, contractor, research partner
2
Classify data and applications — research data, student records, financial aid, administrative
3
Apply MFA by risk tier — admin and faculty first, then students with grace period
4
Conditional access by resource sensitivity — BYOD for LMS; managed device for records
5
OAuth governance — sanctioned tool list, admin consent for new apps
6
Network segmentation — research network, admin network, student network
7
Quarterly review — account hygiene, stale accounts, exception burn-down

Section 15 · Industry: Government · 1 of 2

Government Threat Profile

Government faces strategic targeting from nation-state actors alongside opportunistic financially-motivated attacks. Long contractor trust chains, hybrid legacy-modern environments, and high-consequence disruption potential make government a persistent, high-value target. The combination of sensitive data, critical service dependency, and complex vendor ecosystems creates a compounding risk profile.

Top Attack Vectors

Supply chain via contractor access — contractor credentials less well-governed than staff
Spearphishing targeting senior officials and policy staff
Legacy system exploitation — many government systems cannot be easily updated
Cloud misconfiguration in agencies with rapid cloud adoption
Insider threat in sensitive classifications environments

Blast Radius

A government network compromise can expose: citizen data, classified program information, critical infrastructure management systems, law enforcement databases, and cross-agency information sharing platforms — with downstream impact on national security and public trust.

Fix-First Priorities — Government

Zero standing privilege — all admin access via JIT with approval and time-bound scope
Phishing-resistant MFA (hardware FIDO2) for all staff and contractor accounts
Contractor access governance — segment, time-bound, monitor, and record
Immutable audit pipelines — logs cannot be modified or deleted by anyone
Legacy system compensating controls — network isolation, WAF, identity restrictions
Cross-agency anomaly detection for shared identity platforms

Contractor Trust Chain Risk

Section 15 · Industry: Government · 2 of 2

Government-Specific Playbook

Zero Standing Privilege

Government privileged accounts represent the highest-consequence standing access targets. Implement JIT elevation via PAM for all admin functions, require dual-approval for the most sensitive actions, and enforce automatic session termination with full audit logging. No persistent admin sessions for any system.

Contractor Access Governance

Contractors are the most under-governed identity category in most government environments. Required controls: contractor identity in a separate tenant/directory with limited trust inheritance, time-bound credentials tied to contract period, weekly access review, session recording for privileged contractor sessions, and documented justification for all access grants.

Immutable Audit Pipelines

Government audit requirements mandate logs that cannot be modified by any party — including administrators. Implement log shipping to an isolated, write-once archive with multi-custodian access control. Log integrity verification should be automated and alerts triggered on any gap in the log stream.

Government ZT Maturity Model

Initial

Legacy + perimeter

Developing

MFA + basic ZTNA

Advanced

JIT + posture + logging

Optimal

Continuous verify + immutable audit

"Government security must balance openness for public service with the strictest possible controls for privileged access and sensitive data. These are not in conflict — they require a tiered access model."

Section 15 · Industry: Retail/eCommerce · 1 of 2

Retail/eCommerce Threat Profile

Retail and eCommerce are the front lines of bot warfare. API abuse and credential stuffing drive fraud, account takeover, and data scraping at scale. The financial impact is direct and immediate: stolen loyalty points, fraudulent purchases, card testing, inventory manipulation, and competitive data scraping. Payment card data and customer PII remain primary exfiltration targets.

Top Attack Vectors

Credential stuffing against customer account login endpoints
Carding — testing stolen payment cards at low-value checkout endpoints
Inventory hoarding bots — scalping high-value limited products
API authorization failures exposing order and account data (BOLA)
Loyalty program abuse — points theft via account takeover

Blast Radius

A successful ATO campaign can drain loyalty accounts, enable fraudulent purchases, expose order history and PII, and generate significant chargeback losses — at scale, affecting thousands of accounts simultaneously in a single bot swarm operation.

Bot Traffic Breakdown — Retail

Human 32%

Credential stuffing 28%

Scalping 18%

Scraping 14%

Source: Rocheston Zelfire WAF telemetry

Fix-First Priorities — Retail

Bot defense: fingerprinting + adaptive challenges on login and checkout
Rate policies tied to behavior, not just IP
API authz checks: enforce object-level authorization on all endpoints
Alert on high-velocity account login patterns

Section 15 · Industry: Retail/eCommerce · 2 of 2

Retail-Specific Playbook

Bot Management

Implement layered bot detection: network-layer fingerprinting (IP reputation, ASN classification), TLS fingerprinting (JA3/JA4), browser fingerprinting (JavaScript signals, canvas, WebGL), and behavioral scoring (request timing, session depth, mouse/touch patterns). Use adaptive challenges — invisible to humans, high-friction for bots — at login, checkout, and add-to-cart endpoints.

API Authorization Checks

Every API endpoint that returns or modifies user-owned objects must enforce object-level authorization. Verify that the authenticated user owns or is authorized to access the requested resource ID — do not trust the client to send only valid IDs. Enumerate all endpoints in the API schema and audit authorization enforcement for each.

Fraud Telemetry Integration

Connect web application telemetry (bot signals, login anomalies, checkout patterns) to the fraud prevention system. A session that exhibits bot-like behavior at login and then completes a high-value purchase should be flagged for enhanced verification — even if the authentication technically succeeded.

API Abuse Indicators — Detection Card

Indicator	Threshold	Action
Login failures per IP	>10 in 60s	CAPTCHA + rate limit
Account access from new device	Any new fingerprint	Step-up MFA
Order ID enumeration pattern	Sequential IDs requested	Block + alert
Add-to-cart velocity	>50/min per session	Bot challenge
Low-value card test pattern	Same card, multiple small txn	Block + fraud flag
API error rate spike	>5% error rate	Alert + investigate

"68% of retail web traffic is non-human. Build your security controls assuming an adversarial majority — not a trustworthy majority."

Section 15 · Industry: Manufacturing · 1 of 2

Manufacturing Threat Profile

Manufacturing is targeted for downtime impact, vendor access, and segmentation gaps between IT and OT environments. Production disruption translates directly to financial loss — ransom demands in manufacturing contexts leverage production line downtime rather than just data theft. Vendor remote access for equipment maintenance is a persistent, under-monitored trust chain.

Top Attack Vectors

Vendor remote access abuse — equipment vendors with persistent, broad remote access
IT-OT segmentation gaps — attackers moving from enterprise IT to production systems
Ransomware targeting production line systems for operational disruption leverage
Supply chain compromise via manufacturing software vendors and ERP providers
Credential stuffing against remote access portals for engineering staff

Blast Radius

A manufacturing breach can affect: production scheduling, quality control systems, supply chain management, ERP financial data, and — most critically — OT-adjacent systems that control physical production processes. Production downtime costs can exceed $1M per hour in large facilities.

Fix-First Priorities — Manufacturing

Segment OT/ICS networks from enterprise IT — no direct routing between zones
Vendor remote access: dedicated jump server, MFA, session recording, time-bound
Phishing-resistant MFA for all engineering and production-system admin accounts
Quarterly segmentation validation — test east-west reachability from IT to OT
Ransomware playbook with production-line fallback procedures
OT system inventory — know what is connected to what

IT-OT Segmentation Architecture

Section 15 · Industry: Manufacturing · 2 of 2

Manufacturing-Specific Playbook

Vendor Remote Tool Hardening

Equipment vendors require remote access for maintenance and diagnostics — but that access is often persistent, broadly scoped, and unmonitored. Required approach: dedicated vendor jump server with session recording, MFA for all vendor accounts, access granted on-demand and revoked after maintenance window, vendor access scoped to specific equipment systems only.

Segmentation Validation

Annual security assessments do not keep pace with network changes in manufacturing environments. Segmentation between IT and OT must be validated quarterly — using automated tools that test reachability from IT to OT zones. Any new path found triggers immediate investigation and remediation.

Incident Containment in Operational Zones

Production incidents require pre-approved containment playbooks that specify: which systems to isolate, who has authority to authorize isolation, how to maintain manual production control during an IT incident, and how to restore systems safely after containment. These playbooks must be tested — including the manual fallback procedures.

Containment Flow — Manufacturing Incident

Detection: Anomalous IT-OT traffic

Alert triggers from segmentation monitoring or EDR tamper event

Notify: OT Security Lead + Plant Manager

Dual notification — IT security and operational owner must both be notified

Isolate: IT-OT boundary firewall

Block all IT-OT routing at DMZ — production continues on manual/local control

Contain: Affected IT systems

Isolate and image affected endpoints — preserve evidence

Restore: Validate then reconnect

Only reconnect IT-OT after clean bill of health from incident response team

Section 15 · Industry: SaaS/Tech · 1 of 2

SaaS/Tech Threat Profile

SaaS and technology companies are targeted for trust transitivity: one platform compromise can impact many customers. The combination of cloud-native architecture, CI/CD-driven deployments, broad developer access to production, and customer data tenancy creates the highest potential blast radius of any sector. A compromised SaaS provider is effectively a supply chain attack against all their customers.

Top Attack Vectors

CI/CD pipeline compromise — secrets, build poisoning, runner compromise
Developer endpoint compromise — access to production environments, repos, and cloud consoles
OAuth supply chain — malicious apps connecting to customer identities via the platform's OAuth ecosystem
Cloud IAM escalation — from developer role to admin role via role chaining
Token theft targeting developer SSO with broad cloud and repo access

Blast Radius

A SaaS/Tech platform compromise can expose: all customer data in the platform, customer OAuth tokens (enabling downstream customer compromise), platform signing keys (enabling supply chain attack), and cloud infrastructure (enabling persistent adversary presence across the environment).

Fix-First Priorities — SaaS/Tech

CI/CD secrets elimination — OIDC/workload identity, no static keys in pipelines
Developer endpoint hardening — no local admin, tamper protection, PAW for prod access
Cloud IAM least privilege — Access Analyzer enforcement, restrict AssumeRole
Signed artifacts and SLSA provenance for all production releases
Immutable cloud logging — log archive in isolated account
Tenant isolation validation — ensure customer data cannot cross tenant boundaries

"As a SaaS provider, your security posture is your customers' attack surface. What you don't protect, your customers inherit."

Section 15 · Industry: SaaS/Tech · 2 of 2

SaaS/Tech Playbook

CI/CD Hardening

Replace static long-lived secrets with OIDC-based workload identity federation for cloud access. Use ephemeral, short-lived credentials for all pipeline steps. Require secret scanning as a mandatory gate — no build completes if secrets are detected. Isolate CI/CD runners — no persistent runners with broad cloud IAM permissions. Log all pipeline executions and alert on out-of-hours deployments.

Signed Releases & Provenance

Sign all release artifacts using SLSA Level 3+ provenance attestation. Verify signatures as part of deployment gates — do not deploy unsigned or unverified artifacts. Maintain a signed software bill of materials (SBOM) for every release. Publish provenance for customer-deployed artifacts.

Least Privilege IAM & Logging Immutability

Enforce IAM least privilege using AWS IAM Access Analyzer, GCP IAM Recommender, or equivalent. Alert on any IAM permission grant that exceeds the least-privilege baseline. Log all cloud API calls to an immutable, cross-account log archive that production accounts cannot access or modify.

Secure Pipeline Security Blueprint

Section 15 · Industry: Energy/Utilities · 1 of 2

Energy/Utilities Threat Profile

Energy and utilities face vendor access risk, strategic targeting by nation-state actors, and high-consequence disruption potential. The convergence of IT and OT environments — driven by smart grid technology, remote monitoring, and digital operational tools — has dramatically expanded the attack surface. Nation-state actors in particular target energy infrastructure for strategic positioning rather than immediate financial gain.

Top Attack Vectors

Vendor remote access — SCADA and ICS equipment vendors with persistent access
Spearphishing targeting engineering and operations staff
IT-OT convergence gaps — smart grid and remote monitoring systems bridging IT and OT
Long-term persistent access — nation-state actors pre-positioning for potential future action
Supply chain compromise via industrial control system software vendors

Blast Radius

Energy infrastructure compromise can affect: power generation control systems, grid management platforms, pipeline control systems, water treatment systems, and downstream industrial customers. The potential for physical-world consequences distinguishes energy from other sectors.

Fix-First Priorities — Energy/Utilities

Privileged identity for all OT operators — hardware MFA, no shared accounts
Vendor governance — segment ICS vendor access to specific equipment zones
OT-IT segmentation with strict inspection — no unapproved IT-OT traffic
Immutable audit for all OT system access
Incident response plan with physical/operational fallback procedures
Threat hunt program for long-term persistent access indicators

"Nation-state actors in energy are patient. They position access months before executing. Threat hunting for persistent access indicators is not optional — it is essential."

Section 15 · Industry: Energy/Utilities · 2 of 2

Energy/Utilities Playbook

Privileged Identity for Operators

OT operators and engineers require the strictest privileged identity controls: hardware FIDO2 tokens (not TOTP), no shared operational accounts, separate identities for IT and OT system access, session recording for all OT system access, and time-of-day restrictions aligned to authorized shift schedules.

Vendor Governance

ICS and SCADA vendors typically require persistent remote access for equipment diagnostics and firmware updates. Controls: vendor access limited to specific equipment segments via data diodes or managed jump servers, session recording for all vendor access, vendor MFA requirement in contracts, and automatic access revocation between maintenance windows.

Segmentation & Immutable Audit

OT network segmentation must be validated against known attacker patterns, not just compliance checklists. Immutable audit logging for all OT access — operator actions, vendor sessions, and automated control system changes — provides the evidence trail required for post-incident forensics and regulatory reporting.

Watch List Metrics — Energy/Utilities

Vendor accounts with MFA

42%

OT sessions recorded

38%

IT-OT segmentation validated

31%

Threat hunt cadence

27%

Shared OT accounts eliminated

44%

% of energy orgs meeting control standard · Rocheston Zelfire telemetry

"In energy, the security control that fails is the one that creates a physical consequence. Design defenses assuming the adversary is patient and technically sophisticated."

Section 8 · Case Studies · 1 of 9

Real-World Breaches Decoded

Four incidents dissected from initial access to business impact — each illustrating how zero-trust gaps enabled attacker progress.

Case 1

Token Theft → Admin Consent → Payout Fraud

Financial Services · $4.3M loss

Case 2

EDR Bypass → ZTNA Pivot → Cloud Keys Stolen

Technology · IP theft + ransomware

Case 3

Vendor Remote Tool → Lateral → Extortion

Healthcare · 2.1M records exposed

Case 4

API Abuse + Bot Swarm → ATO → Scraping

E-commerce · 890K accounts compromised

Common Thread: In all four cases, attackers exploited trust relationships — between apps, vendors, sessions, and APIs — that organizations assumed were controlled but were not verified continuously.

Case	Sector	Initial Vector	Dwell Time	Impact
Case 1	FinServ	Phishing → OAuth token theft	18 days	$4.3M fraud
Case 2	Tech	Malicious npm package	34 days	Cloud keys + IP theft
Case 3	Healthcare	Vendor RMM tool exploit	61 days	2.1M records + ransom
Case 4	E-commerce	Credential stuffing API	Ongoing	890K ATO

Section 8 · Case Studies · 2 of 9

Case 1: Token Theft to Payout Fraud

Financial Services firm · 2,400 employees · Q3 2025

Attack Summary: A threat actor used a spear-phishing email targeting a finance manager to steal an OAuth access token for Microsoft 365. The token was used to register a malicious OAuth application with admin consent, enabling persistent access to email and financial approval workflows without triggering MFA.

Zero-Trust Gaps Exploited

No OAuth app allow-listing policy
Admin consent not restricted to IT admins
Token lifetime not limited (no CAE)
No anomaly detection on mail rules
No out-of-band wire approval verification

Attack Timeline

Day 0 — Phishing email sent to finance manager

Day 1 — OAuth token stolen, malicious app registered

Day 4 — Mail forwarding rules created silently

Day 18 — Wire fraud executed: $4.3M diverted

Day 22 — Incident discovered by bank flagging

$4.3M

Direct fraud loss

18 days

Dwell time

0

MFA prompts triggered

Section 8 · Case Studies · 3 of 9

Case 1: Lessons & Remediation

What Worked

SOC flagged unusual mail-rule creation (Day 20)
SIEM correlated OAuth registration event
Cloud CASB detected abnormal M365 API calls
Forensics confirmed attacker IP geolocation

What Failed

Alert was low-severity — 48h to triage
Finance BEC playbook not linked to OAuth events
Wire approval had no second-channel verification
Token revocation took 6h after detection

Remediation Actions Taken

Block user-initiated OAuth app consent; require admin approval for all third-party apps

Enable Continuous Access Evaluation (CAE) to invalidate tokens on policy change

Deploy Conditional Access requiring compliant device for financial workflow apps

Implement out-of-band phone approval for all wire transfers above $50K

Configure SIEM rule to auto-escalate OAuth app registration + mail rule creation combo

Conduct BEC awareness training for finance and executive teams

Key Takeaway: OAuth app consent abuse is the new phishing payload. Organizations that delegate consent authority to end users are one convincing email away from persistent, MFA-resistant access to their entire Microsoft 365 environment.

Section 8 · Case Studies · 4 of 9

Case 2: EDR Bypass to Cloud Key Theft

Technology company · 8,500 employees · Q1 2025

Attack Summary: Attackers published a malicious npm package mimicking a popular internal utility. A developer installed it during routine dependency update. The package exfiltrated AWS credentials from environment variables, established a reverse shell bypassing EDR via process hollowing into a trusted Node.js process, then pivoted through ZTNA by abusing a misconfigured service account with broad cloud permissions.

Zero-Trust Gaps Exploited

No npm package signing or allow-list policy
EDR excluded Node.js process tree
AWS credentials in plaintext env vars
Service account had S3 full-access + IAM read
ZTNA segment had no lateral movement controls

Attack Timeline

Day 0 — Malicious package published to npm

Day 3 — Developer installs package in CI

Day 9 — AWS keys exfiltrated via HTTPS

Day 21 — ZTNA pivot + S3 bucket enumeration

Day 34 — Ransomware deployed across 3 clouds

34 days

Total dwell time

3 clouds

Environments breached

13 days

GuardDuty alert ignored

Section 8 · Case Studies · 5 of 9

Case 2: Lessons & Remediation

What Worked

CSPM detected new IAM role creation
Cloud audit log preserved full kill chain
EDR caught ransomware deployment (Day 34)
Backup recovery limited operational impact

What Failed

No SCA scanning in CI/CD pipeline
Reverse shell traffic not flagged (used HTTPS)
Service account permissions never reviewed
GuardDuty alert on unusual API calls ignored for 13 days

Remediation Actions Taken

Implement npm package signing and private registry with allow-list in all CI/CD pipelines

Integrate SCA (Software Composition Analysis) as mandatory gate in pull request pipeline

Migrate all cloud credentials to IAM roles with short-lived tokens — no static keys in env vars

Apply least-privilege IAM: service accounts restricted to specific resources and actions only

Enable GuardDuty + Security Hub with auto-response for all high-severity alerts

Segment developer ZTNA: no lateral reach from dev environments to production cloud

Key Takeaway: Supply chain compromise turns trusted developer tooling into an attacker beachhead. Treating CI/CD as a zero-trust boundary — where every package, dependency, and service account is verified — is no longer optional for modern software organizations.

Section 8 · Case Studies · 6 of 9

Case 3: Vendor RMM to Healthcare Extortion

Regional hospital network · 12,000 staff · Q4 2024

Attack Summary: A threat actor compromised a managed IT vendor's RMM platform. Using legitimate RMM agent credentials, they accessed 47 hospital workstations simultaneously, deployed a custom keylogger, and slowly escalated to domain admin over 61 days. Patient records were exfiltrated before ransomware was deployed. The $12M extortion demand was ultimately settled for $3.8M.

Zero-Trust Gaps Exploited

Vendor RMM console had no MFA enforcement
RMM agents ran as SYSTEM on all endpoints
No network segmentation: clinical = admin = vendor
Domain admin account shared across vendor staff
DLP had no detection on SFTP exfiltration channel
Vendor access never time-boxed to maintenance windows

Attack Timeline

Day 0 — Vendor admin console compromised

Day 4 — RMM agents active on 47 hosts

Day 18 — Domain admin credentials captured

Day 44 — 2.1M patient records exfiltrated

Day 61 — Ransomware deployed, $12M demand

2.1M

Patient records stolen

61 days

Undetected dwell time

$3.8M

Ransom paid

Section 8 · Case Studies · 7 of 9

Case 3: Lessons & Remediation

The core failure: vendor access was treated as trusted by default. The RMM platform had more access to hospital infrastructure than most internal IT staff — with no continuous verification, no time-boxing, and no behavioral monitoring.

Require MFA for all vendor remote access platforms — enforce at network layer if vendor won't comply

Time-box all vendor sessions: restrict to approved maintenance windows with auto-termination

Run RMM agents as least-privilege service accounts, never as SYSTEM

Enforce micro-segmentation between clinical, admin, and vendor-accessible network zones

Deploy PAM (Privileged Access Management) for all vendor and shared domain admin accounts

Monitor all RMM-initiated process executions via EDR behavioral rules and alert on anomalies

Enable DLP scanning on SFTP/HTTPS channels for large data transfers from RMM-active sessions

Regulatory Consequences

HIPAA breach notification to 2.1M patients
OCR investigation opened
State AG notified — civil penalties pending
Class action lawsuit filed
Cyber insurance covered $1.2M; gap: $2.6M

Zelfire Detection Mapping

ZIDA: Behavioral baseline deviation on RMM account
ZEPT: EDR process chain anomaly on SYSTEM-level actions
ZPM: Vendor session duration + scope violation alerts
Zelwall: SFTP exfil blocked at network boundary

Key Takeaway: Vendor access is attack surface. Every third-party connection must be governed with the same rigor as an external threat actor: verified identity, minimal scope, time-limited access, and continuous behavioral monitoring.

Section 8 · Case Studies · 8 of 9

Case 4: API Abuse + Bot Swarm to ATO

E-commerce platform · 14M active users · Ongoing since Q2 2025

Attack Summary: A threat group deployed a distributed credential stuffing operation against the platform's mobile API endpoint, cycling through 220M leaked credential pairs at ~80 req/s across 40,000 residential proxy IPs. Standard rate limiting was bypassed via per-IP distribution. 890,000 accounts were compromised; fraudulent orders, loyalty point theft, and bulk scraping of product catalogue data followed. The attack ran for 4 months before full mitigation.

Attack Characteristics

220M credential pairs from combo lists
40,000 residential proxy IPs rotated
~80 req/s sustained (below per-IP alert threshold)
Mobile API endpoint had no bot protection layer
Login success rate: ~0.4% (industry average)
Automated gift card redemption post-ATO

Zero-Trust Gaps

Mobile API lacked bot detection layer
Rate limiting per-IP, not per-account
No device fingerprinting on mobile auth
No impossible travel or velocity checks
Loyalty API had no fraud scoring
Product API accessible without authentication

890K

Accounts compromised

$2.8M

Fraud + chargeback loss

4 months

Attack duration

Section 8 · Case Studies · 9 of 9

Case 4: Lessons & Remediation

Deploy bot management platform on all authentication and sensitive API endpoints

Implement per-account (not per-IP) rate limiting with progressive lockout on failed auth

Add device fingerprinting and behavioral biometrics to mobile authentication flow

Enable impossible travel detection: flag logins from new geolocation within 2-hour window

Require step-up re-authentication for high-value actions: gift card redemption, payout, address change

Require authentication for product catalogue API access to prevent competitive scraping

Integrate fraud scoring (velocity + device + behavior) into loyalty point redemption workflow

Business Impact

890K accounts compromised
$2.1M in fraudulent orders + chargebacks
$680K in stolen loyalty points redeemed
Full product catalogue scraped by competitor
FTC notification required
NPS score down 18 points post-incident

Mitigation Results (30 days post-fix)

Bot stuffing attempts blocked: 99.2%
ATO rate reduced by 97% within 30 days
API fraud scoring flagged 12K high-risk sessions/day
Product scraping eliminated via authenticated access

Key Takeaway: APIs are the attack surface of 2025–2027. Credential stuffing at scale exploits the gap between authentication and authorization. Bot management, behavioral analytics, and per-action step-up authentication are essential controls for any consumer-facing platform.

Section 9 · Defensive Playbooks · 1 of 16

Defensive Playbooks: Zero-Trust in Action

Six operational playbooks derived from incident data, red team findings, and Zelfire platform telemetry. Each playbook maps controls to threat vectors and provides a phased implementation roadmap.

PB-01

Identity Hardening

Pages 90–92

PB-02

Endpoint + Posture

Pages 93–94

PB-03

ZTNA + Segmentation

Pages 95–96

PB-04

SaaS Governance

Pages 97–98

PB-05

Cloud Governance

Pages 99–101

PB-06

Web/API Defense

Pages 102–104

Playbook Design Principles: Each playbook is structured as Quick Wins (0–30 days), Foundation (31–90 days), and Maturity (91–180 days). Controls are mapped to MITRE ATT&CK techniques, NIST CSF functions, and Zelfire platform capabilities. Priority sequence is driven by kill-chain impact.

Playbook	Primary Threat	Zelfire Module	NIST CSF
PB-01 Identity	AiTM, credential stuffing, token theft	ZIDA, ZPM	PR.AC, DE.CM
PB-02 Endpoint	Ransomware, EDR bypass, malware	ZEPT, ZPM	PR.IP, DE.AE
PB-03 ZTNA	Lateral movement, implicit trust	ZTNA, Zelwall	PR.AC, PR.PT
PB-04 SaaS	OAuth abuse, shadow IT, data exfil	ZCASB, ZPM	ID.AM, PR.DS
PB-05 Cloud	IAM misconfig, CSPM gaps	ZCSPM, ZIDA	PR.AC, DE.CM
PB-06 Web/API	API abuse, bot attacks, injection	Zelwall, ZAPM	PR.PT, DE.AE

Section 9 · Playbooks · 2 of 16 · PB-01

Playbook 01: Identity Hardening

Addresses: AiTM phishing, credential stuffing, session hijacking, token theft, OAuth abuse, insider privilege escalation

Objective: Eliminate implicit trust in identity assertions. Every authentication event must be verified against device state, network context, behavioral baseline, and risk score — regardless of whether MFA was passed.

Phase 1: Quick Wins (0–30 Days)

Deploy phishing-resistant MFA (FIDO2/passkeys) for all privileged and remote-access accounts

Block legacy authentication protocols (Basic Auth, NTLM for external) via Conditional Access or firewall

Audit and disable all OAuth apps with admin consent granted by non-IT personnel

Enable sign-in risk policy: block high-risk logins, require MFA step-up for medium-risk

Enforce per-user session timeout policies — eliminate indefinite token lifetimes

Phase 2: Foundation (31–90 Days)

Deploy Identity Threat Detection and Response (ITDR) — Zelfire ZIDA module

Implement Continuous Access Evaluation (CAE) for M365, Google Workspace, Salesforce

Integrate HR system with IdP for real-time joiners/movers/leavers (JML) lifecycle automation

Establish privileged access workstations (PAWs) for all Tier-0 identity administration

Enable impossible travel, new country, and anomalous ASN sign-in alerts with auto-block

Section 9 · Playbooks · 3 of 16 · PB-01

Playbook 01: Identity Hardening (continued)

Phase 3: Maturity (91–180 Days)

Implement just-in-time (JIT) privileged access: no standing admin roles for any user or service account

Deploy entitlement reviews quarterly: remove all unused permissions, roles, and OAuth grants

Implement decentralized identity (verifiable credentials) for high-assurance B2B authentication

Integrate UEBA: build behavioral baselines per user and alert on deviations ≥2σ from norm

Enable cross-IdP token binding to prevent token replay across different service providers

MITRE ATT&CK Coverage

T1078 — Valid Accounts (all sub-techniques)
T1550.001 — Application Access Token
T1556 — Modify Authentication Process
T1539 — Steal Web Session Cookie
T1606 — Forge Web Credentials
T1110 — Brute Force (all sub-techniques)

Zelfire Module: ZIDA

Real-time identity risk scoring (0–100)
Cross-IdP session correlation and anomaly detection
Token lineage tracking: origin → current state
OAuth app risk inventory and consent monitoring
Automated JIT provisioning and deprovisioning
Integrates with Entra ID, Okta, Ping, CyberArk

Section 9 · Playbooks · 4 of 16 · PB-01

Playbook 01: KPIs & Success Metrics

KPI	Baseline	Target (90 days)	Target (180 days)
% users with phishing-resistant MFA	12%	80%	100%
Orphaned accounts (no login 90d+)	18%	<5%	<1%
Accounts with standing admin roles	340	<20	0 (JIT only)
Mean time to revoke (MTTR) compromised identity	6.2 hours	<30 minutes	<5 minutes (automated)
OAuth apps with admin consent not reviewed	87%	<10%	0%
Identity-related incidents per quarter	14	<6	<2

Common Implementation Blockers

Legacy apps that can't support FIDO2
Service accounts used by multiple teams
Lack of HR-IdP integration for JML lifecycle
Shadow IT with hard-coded credentials
Business resistance to token lifetime reduction

Workarounds & Mitigations

Use app proxy with MFA gateway for legacy apps
Migrate shared service accounts to managed identities
Use SCIM provisioning with manual JML override
Run secrets scanner in CI/CD to surface hard-coded creds
Phase token lifetime reduction with pilot group first

Section 9 · Playbooks · 5 of 16 · PB-02

Playbook 02: Endpoint + Posture Management

Addresses: EDR bypass, living-off-the-land binaries (LOLBins), ransomware, BYOD risk, unmanaged device lateral movement

Objective: Every device accessing corporate resources must be continuously assessed for compliance posture. Trust in a device is not binary — it degrades in real time based on patch state, threat signals, and configuration drift.

Phase 1: Quick Wins (0–30 Days)

Deploy EDR with behavioral detection (not just signature-based) on 100% of managed endpoints

Enroll all managed devices in MDM/UEM — block unmanaged device access to corporate SaaS

Enable Conditional Access policy: require device compliance as access condition for all apps

Patch all Critical CVEs within 72 hours; High CVEs within 14 days — enforce via compliance policy

Disable AutoRun, macros in Office for untrusted locations, and PowerShell for non-admin users

Phase 2: Foundation (31–90 Days)

Implement application control (allowlisting) on Tier-0 systems: servers, PAWs, finance endpoints

Deploy attack surface reduction (ASR) rules — Microsoft Defender or equivalent

Enable DNS filtering at endpoint level to block C2, malware distribution, and phishing domains

Integrate EDR telemetry with SIEM for cross-endpoint correlation and kill-chain detection

Establish BYOD policy: containerized corporate data on personal devices, no full MDM enrollment

Section 9 · Playbooks · 6 of 16 · PB-02

Playbook 02: Endpoint (continued) & KPIs

Phase 3: Maturity (91–180 Days)

Deploy continuous posture assessment: real-time compliance scoring fed into access decisions

Implement hardware attestation (TPM 2.0 / Secure Boot verification) for Tier-0 device trust

Enable automated device isolation on high-severity EDR alert — no manual SOC action required

Integrate threat intelligence feeds into EDR: IOC-based blocking + proactive hunting queries

KPI	Baseline	Target (90d)	Target (180d)
EDR coverage (% of managed endpoints)	74%	100%	100% + posture score
Critical CVE mean patch time	21 days	72 hours	24 hours (automated)
Unmanaged devices accessing corp apps	23%	<5%	0%
Mean time to contain (MTTC) endpoint threat	4.1 hours	<45 min	<5 min (auto-isolate)
Ransomware execution events (escaped EDR)	4/quarter	<1/quarter	0

Zelfire ZEPT Module: Provides continuous endpoint posture scoring, behavioral EDR telemetry aggregation, and automated containment workflows. Integrates with CrowdStrike, Microsoft Defender, SentinelOne, and Cortex XDR via normalized telemetry pipeline. Posture score is fed directly into ZTNA access policy engine for real-time access revocation on posture degradation.

Section 9 · Playbooks · 7 of 16 · PB-03

Playbook 03: ZTNA + Network Segmentation

Addresses: VPN-based implicit trust, lateral movement, flat network architectures, insider threat propagation

Objective: Replace implicit network trust with identity- and posture-aware access. No user or device should have network-level access to resources beyond what their current role, device state, and context justify — evaluated per session.

Phase 1: Quick Wins (0–30 Days)

Inventory all VPN split-tunnel exceptions — eliminate full-tunnel access where possible

Block direct peer-to-peer lateral movement between workstations via host-based firewall rules

Segment developer, finance, HR, and clinical networks — minimum four security zones

Require device compliance check before VPN connection establishment (pre-authentication posture)

Disable SMBv1 and NetBIOS on all endpoints and servers — remove primary lateral movement vector

Phase 2: Foundation (31–90 Days)

Deploy ZTNA solution: replace VPN for application access with identity-proxied, per-app connectivity

Implement microsegmentation on server/workload tier: east-west traffic allowed only by explicit policy

Enable network behavioral analytics: baseline normal flows, alert on anomalous east-west traffic

Restrict all privileged access (SSH, RDP, WinRM) to PAM-brokered sessions — no direct connections

Implement DNS-based application discovery to identify all shadow IT application access patterns

Section 9 · Playbooks · 8 of 16 · PB-03

Playbook 03: ZTNA + Segmentation (continued)

Phase 3: Maturity (91–180 Days)

Implement dynamic microsegmentation: policy adjusts automatically based on real-time threat score

Enable universal ZTNA for all remote and on-prem application access — retire VPN infrastructure entirely

Deploy deception network (honeypots in every VLAN) — any access triggers high-fidelity alert

Integrate ZTNA policy engine with UEBA: user behavioral risk score controls resource access scope

KPI	Baseline	Target (90d)	Target (180d)
% applications behind ZTNA (not VPN)	8%	60%	100%
East-west lateral movement events detected	Unmonitored	Baselined	<2 anomalies/week
Flat network segments (no microseg)	82%	<30%	0%
Mean blast radius of simulated breach	Entire subnet	Single segment	Single workload
Direct RDP/SSH connections (bypassing PAM)	100%	<5%	0%

Zelfire ZTNA Module: Provides identity-aware application proxy, continuous posture-driven access revocation, east-west traffic policy enforcement, and PAM session brokering. Integrates with Palo Alto Prisma, Zscaler ZPA, Cloudflare Access, and Cisco Secure Access.

Section 9 · Playbooks · 9 of 16 · PB-04

Playbook 04: SaaS Governance

Addresses: OAuth app abuse, shadow IT, data exfiltration via SaaS, misconfigured sharing permissions, SaaS-to-SaaS attack chains

Objective: Establish continuous visibility and control over all SaaS applications, OAuth integrations, and data flows — eliminating shadow IT and preventing unauthorized data movement through application-to-application trust chains.

Phase 1: Quick Wins (0–30 Days)

Deploy CASB in discovery mode — inventory all SaaS applications in use within 72 hours

Audit all OAuth tokens granted to third-party apps connected to M365, Google Workspace, Slack, Salesforce

Revoke OAuth grants for all apps not in approved vendor list that access sensitive scopes (mail, files, calendar)

Set global file sharing policy: disable public link sharing for all data classified as Confidential or above

Enable SaaS security posture management (SSPM) — auto-detect misconfigured sharing, MFA gaps, admin overexposure

Phase 2: Foundation (31–90 Days)

Implement CASB inline mode for sanctioned SaaS: enforce DLP policies on upload/download/share actions

Build SaaS application catalogue with risk ratings — block access to apps rated High Risk or Unreviewed

Integrate CASB with IdP: user context (role, department, device) drives SaaS access policy dynamically

Enable SaaS activity baselining: detect bulk download, mass delete, abnormal export, or off-hours access

Deploy SaaS backup for Tier-1 apps: M365, Google Workspace, Salesforce, GitHub — independent of SaaS provider

Section 9 · Playbooks · 10 of 16 · PB-04

Playbook 04: SaaS Governance (continued)

Phase 3: Maturity (91–180 Days)

Implement SaaS-to-SaaS access governance: map and control all automated app-to-app data flows

Deploy automated SaaS entitlement review (quarterly): remove unused licenses, overprovisioned admin accounts

Integrate SaaS DLP with data classification: sensitive data labeled at creation and protected across apps

Enable real-time SaaS incident response: auto-suspend account, revoke tokens, preserve audit trail on alert

KPI	Baseline	Target (90d)	Target (180d)
Shadow IT apps discovered (not in catalogue)	Unknown	Inventoried	All reviewed & rated
OAuth apps with admin-level scopes	87% unreviewed	<10% unreviewed	0% unreviewed
Public file shares containing sensitive data	Unknown	<50 files	0
SaaS DLP policy coverage (%)	0%	70%	100%
SaaS misconfigurations detected/remediated	Unmonitored	Tracked	<24h remediation SLA

Zelfire ZCASB Module: Agentless and proxy-based SaaS visibility, DLP enforcement, OAuth app governance, SSPM posture scoring, and anomaly detection for bulk data movement. Covers 300+ SaaS connectors natively with API-based inspection for sanctioned apps and inline proxy for unsanctioned access.

Section 9 · Playbooks · 11 of 16 · PB-05

Playbook 05: Cloud Security Governance

Addresses: IAM misconfigurations, over-privileged service accounts, public S3/blob exposure, CSPM gaps, multi-cloud visibility blind spots

Objective: Enforce least-privilege and continuous compliance across all cloud environments. Every cloud resource, identity, and configuration must be continuously evaluated against policy — with automated remediation for violations.

Phase 1: Quick Wins (0–30 Days)

Inventory all cloud accounts, subscriptions, and projects across AWS, Azure, GCP — eliminate shadow accounts

Scan all storage buckets/blobs/objects for public access — remediate all publicly accessible sensitive data immediately

Audit all IAM users with Administrator or Owner roles — remove unused, rotate all static access keys

Enable CloudTrail (AWS) / Activity Log (Azure) / Cloud Audit Logs (GCP) on ALL accounts/subscriptions

Activate default CSPM tool: AWS Security Hub, Microsoft Defender for Cloud, or GCP Security Command Center

Phase 2: Foundation (31–90 Days)

Deploy multi-cloud CSPM for unified posture scoring and compliance mapping (CIS, NIST, PCI, HIPAA)

Migrate all workload authentication to IAM roles with short-lived credentials — eliminate static keys entirely

Implement infrastructure-as-code (IaC) security scanning: detect misconfigurations in Terraform/CloudFormation before deploy

Set up cloud anomaly detection: alert on unusual API call volumes, new region usage, data exfiltration patterns

Enforce resource tagging policy — untagged resources auto-quarantined after 48 hours

Section 9 · Playbooks · 12 of 16 · PB-05

Playbook 05: Cloud Governance (continued)

Phase 3: Maturity (91–180 Days)

Implement Cloud Infrastructure Entitlement Management (CIEM): right-size all IAM permissions automatically

Deploy cloud workload protection (CWPP): runtime threat detection for containers, VMs, and serverless functions

Integrate CSPM with CI/CD: block deployments that introduce critical misconfigurations or violated policies

Implement cloud security data fabric: unified query layer across all cloud environments for incident investigation

Enable cross-cloud lateral movement detection: correlate identity events across AWS/Azure/GCP in real time

Cloud IAM Maturity Levels

Level 0: Static keys, wildcard permissions, no MFA

Level 1: MFA on root, basic key rotation, coarse roles

Level 2: Roles over users, CSPM active, no static keys

Level 3: CIEM, JIT, anomaly detection, policy-as-code

Level 4: Automated remediation, zero standing access

Common Cloud Misconfigurations (2025)

Public S3/blob/GCS buckets: 34% of orgs
IAM users with AdministratorAccess: 41%
No CloudTrail logging in all regions: 28%
Security groups open to 0.0.0.0/0: 56%
Root account without MFA: 19%
Secrets in code repos (GitHub): 67%

Section 9 · Playbooks · 13 of 16 · PB-05

Playbook 05: Cloud KPIs & Zelfire ZCSPM

KPI	Baseline	Target (90d)	Target (180d)
Cloud accounts with full audit logging	38%	100%	100% + SIEM integrated
Static IAM access keys in use	340	<10 (exceptions only)	0
Critical CSPM findings open >7 days	182	<20	0 (auto-remediated)
Public storage objects (sensitive)	Unknown	0	0 + continuous scan
IaC security scan coverage	0%	80%	100% (gates all deploys)
CIEM permission right-sizing coverage	0%	40%	100%

Zelfire ZCSPM Module: Unified cloud security posture management across AWS, Azure, and GCP. Provides continuous misconfiguration detection, CIS benchmark scoring, CIEM entitlement analysis, IaC pre-deployment scanning, and automated remediation workflows. ZCSPM feeds into the Zelfire unified risk dashboard for cross-pillar risk correlation.

Section 9 · Playbooks · 14 of 16 · PB-06

Playbook 06: Web & API Defense (Zelwall)

Addresses: OWASP Top 10, credential stuffing, API abuse, bot attacks, injection, broken object-level authorization (BOLA)

Objective: Protect every web application and API endpoint with layered defenses — from WAF at the perimeter to API-level authorization at the resource layer. Bot management, rate limiting, and behavioral analytics are non-negotiable for any consumer-facing surface.

Phase 1: Quick Wins (0–30 Days)

Deploy WAF in blocking mode on all public-facing web applications — use managed OWASP ruleset

Inventory all API endpoints: internal, external, partner-facing — build complete API surface map

Enforce authentication on all API endpoints — eliminate any unauthenticated public API access to non-public data

Implement rate limiting on all authentication endpoints — per-account, not per-IP

Enable TLS 1.3 only; disable TLS 1.0, 1.1, and all RC4, 3DES cipher suites across all web properties

Phase 2: Foundation (31–90 Days)

Deploy API gateway with schema validation: reject requests that don't conform to OpenAPI spec

Implement bot management platform: distinguish legitimate bots from malicious automation

Enable API behavioral analytics: baseline normal usage patterns per consumer/endpoint

Implement BOLA controls: enforce object-level authorization checks in every API handler

Deploy DDoS protection (L3/L4/L7) with automatic mitigation and traffic scrubbing

Section 9 · Playbooks · 15 of 16 · PB-06

Playbook 06: Web & API Defense (continued)

Phase 3: Maturity (91–180 Days)

Deploy runtime API discovery: detect shadow APIs auto-generated by frameworks or microservices

Implement JWT/OAuth token validation at API gateway layer — never trust token claims without cryptographic verification

Enable GraphQL-specific controls: query depth limiting, introspection disable in production, field-level rate limits

Integrate WAF with SIEM: correlate blocked attacks with endpoint and identity telemetry for full kill-chain view

Run API penetration test quarterly — specifically targeting OWASP API Security Top 10 vulnerabilities

OWASP API Top 10 Controls

API1: BOLA → object-level authz checks
API2: Broken Auth → token validation at gateway
API3: BOPLA → property-level access control
API4: Resource limits → rate + size limiting
API5: Function authz → role-based method control
API6: Sensitive exposure → response filtering
API7: SSRF → egress allow-listing
API8: Security misconfig → CSPM + API gateway scan
API9: Inventory gaps → auto-discovery + cataloguing
API10: Unsafe consumption → third-party API validation

Zelwall Capability Map

WAF with managed + custom rules (OWASP, CVE-specific)
Bot management: behavioral fingerprinting, CAPTCHA, JS challenge
API gateway: schema validation, rate limiting, token inspection
DDoS scrubbing: L3/L4 volumetric + L7 application-layer
Shadow API discovery via traffic analysis
Real-time attack telemetry fed to Zelfire SIEM

Section 9 · Playbooks · 16 of 16 · PB-06

Playbook 06: Web/API KPIs & Benchmarks

KPI	Baseline	Target (90d)	Target (180d)
API endpoints in security catalogue	34%	90%	100%
Unauthenticated API endpoints (non-public data)	28	0	0 + continuous scan
WAF block rate on credential stuffing attempts	12%	85%	99%+
Mean time to mitigate L7 DDoS (minutes)	47 min	<5 min	<1 min (automated)
OWASP API Top 10 vulnerabilities in prod	Unknown	Catalogued	0 critical/high open
Shadow API endpoints discovered	0 (no discovery)	Baseline set	100% tracked + tested

Playbooks Summary: All six playbooks combined address 94% of the attack vectors observed in Zelfire-monitored incidents in 2025. Organizations that implement PB-01 through PB-03 as first priority reduce breach risk by an estimated 78% within 90 days. PB-04 through PB-06 address the long-tail of modern attack surface expansion driven by SaaS proliferation, multi-cloud complexity, and API-first architectures.

94%

Attack vectors covered

78%

Breach risk reduction (PB01-03, 90d)

6

Playbooks · 180-day roadmap

Section 10 · Predictions · 1 of 2

2027 Threat Outlook: What's Coming Next

Based on trend analysis of 2024–2025 incident data, attacker tooling evolution, and geopolitical signals, Zelfire researchers forecast the following threat landscape shifts for 2027.

Prediction 1: AI-Powered Spear Phishing at Scale

LLM-generated phishing emails will achieve 4× higher click rates than template-based attacks. Personalization at scale, real-time context injection from OSINT, and voice deepfakes for vishing will collapse social engineering detection rates. Expect 300% increase in CEO fraud losses.

Confidence: HIGH · Timeline: H1 2027

Prediction 2: Autonomous Ransomware Networks

RaaS operations will deploy AI agents for autonomous target selection, network traversal, and encryption timing. Human operators will focus only on negotiation. Mean time from initial access to encryption will drop below 4 hours for high-value targets.

Confidence: MEDIUM-HIGH · Timeline: H2 2026

Prediction 3: Quantum Harvest, Post-Quantum Decrypt

Nation-state actors already harvesting TLS traffic at scale for future quantum decryption. Organizations that have not migrated to post-quantum cryptography (CRYSTALS-Kyber, CRYSTALS-Dilithium) by 2027 will face retroactive exposure of all data transmitted since 2020.

Confidence: HIGH · Timeline: 2027–2030

Prediction 4: ZTNA Becomes the New Attack Surface

As VPN dies and ZTNA scales, attackers will shift focus to ZTNA misconfigurations: overly broad application access policies, service account abuse within microsegments, and session token theft from ZTNA broker intermediaries. ZTNA "set and forget" deployments will be the breach vector of 2027.

Confidence: MEDIUM · Timeline: H1 2027

Section 10 · Predictions · 2 of 2

2027 Outlook: Continued Forecasts

Prediction 5: Critical Infrastructure Under Direct Attack

Power grid, water treatment, and healthcare OT/ICS networks will face coordinated nation-state attacks during geopolitical flashpoints. Air-gapped assumptions are already broken — expect IT/OT convergence to create mass exploitation pathways into SCADA environments.

Confidence: HIGH · Timeline: 2026–2028

Prediction 6: Identity Provider Compromise as Kill Switch

Okta, Entra ID, and Google Workspace will become primary targets — compromising these platforms grants instant access to every downstream app. Expect nation-state actors to dedicate persistent resources to IdP ecosystem targeting, particularly via supply chain attacks on IdP connectors and plugins.

Confidence: HIGH · Timeline: Already active

Strategic Imperatives for 2027 Readiness

Begin post-quantum cryptography migration for all data classified as sensitive or above

Implement AI-resistant phishing training: focus on deepfake voice recognition and process verification

Treat ZTNA configuration as a living security artifact: quarterly review + adversarial simulation

Develop OT/ICS network isolation playbook before IT/OT convergence accelerates further

Deploy ITDR specifically for IdP threat detection: lateral movement within identity fabric is the new kill chain

Test ransomware dwell-time response: can your team detect and contain within 4 hours?

Zelfire Research Note: The threat landscape of 2027 is being shaped today by attacker investments in AI, quantum, and identity ecosystem targeting. Organizations that treat zero-trust as a 2023 framework checklist — rather than a continuously evolving operational posture — will find themselves structurally unprepared for the next generation of threats.

Section 11 · Appendices · Overview

Appendices

Reference materials supporting the Rocheston Zelfire 2026 Global Threat Report. Includes technical glossary, MITRE ATT&CK technique mapping, implementation checklist, and organizational background.

Appendix A

Technical Glossary

60+ terms covering zero-trust, identity, threat intelligence, cloud security, and cryptography · Pages 108–109

Appendix B

MITRE ATT&CK Mapping

Techniques mapped to threat actors, sectors, and Zelfire detection capabilities · Pages 110–111

Appendix C

Zero-Trust Implementation Checklist

One-page operational checklist for security teams deploying zero-trust controls · Page 112

Appendix D

About Rocheston Zelfire

Zelfire platform, AINA AI engine, RCCE certification, and research team · Page 113

Methodology Note: All statistical data in this report is drawn from Zelfire platform telemetry (Q1 2024–Q4 2025), Rocheston RCCE candidate incident logs, publicly disclosed breach reports, and primary research conducted by the Rocheston Cybersecurity and Computing Excellence team. Data points marked with * represent extrapolated estimates from sampled data sets with ≥95% confidence interval.

This report is published under Rocheston's open research license. Reproduction permitted with attribution. Commercial redistribution requires written consent.

Appendix A · Glossary · 1 of 2

Technical Glossary (A–M)

Term	Definition
AiTM	Adversary-in-the-Middle attack: a phishing technique where an attacker proxies authentication to steal session cookies after MFA completion, bypassing multi-factor authentication.
ASR Rules	Attack Surface Reduction rules in Microsoft Defender: policies that block behaviors commonly abused in attacks (Office macro execution, LSASS credential access, etc.).
BOLA	Broken Object-Level Authorization: an API vulnerability where attackers can access or modify objects belonging to other users by manipulating object identifiers in API requests.
CAE	Continuous Access Evaluation: a real-time token validation protocol that allows Microsoft 365 services to immediately revoke access when user risk changes, rather than waiting for token expiry.
CASB	Cloud Access Security Broker: security policy enforcement point between cloud service consumers and providers, providing visibility, compliance, data security, and threat protection for SaaS applications.
CIEM	Cloud Infrastructure Entitlement Management: tooling to manage and right-size cloud IAM permissions across multi-cloud environments, eliminating excessive privilege accumulation.
CSPM	Cloud Security Posture Management: continuous assessment and remediation of cloud environment misconfigurations against security benchmarks (CIS, NIST, PCI, HIPAA).
CWPP	Cloud Workload Protection Platform: runtime security for cloud-native workloads including containers, VMs, and serverless functions, providing threat detection and behavioral monitoring.
EDR	Endpoint Detection and Response: security solution providing continuous monitoring, behavioral analysis, and threat response capabilities on endpoint devices beyond traditional antivirus.
FIDO2	Fast IDentity Online 2: open authentication standard using public key cryptography for phishing-resistant, passwordless authentication via hardware security keys or platform authenticators.
IaC	Infrastructure as Code: managing infrastructure through machine-readable definition files (Terraform, CloudFormation, Bicep) rather than manual configuration, enabling version control and security scanning.
ITDR	Identity Threat Detection and Response: security discipline focused on detecting and responding to identity-based attacks including credential theft, privilege escalation, and lateral movement via compromised accounts.
JIT Access	Just-in-Time Access: privileged access management practice where elevated permissions are granted only for the duration of a specific task and automatically revoked afterward, eliminating standing admin privileges.
JML	Joiners, Movers, Leavers: identity lifecycle management process for provisioning access when employees join, updating permissions when they change roles, and deprovisioning when they leave.
LOLBins	Living-Off-the-Land Binaries: legitimate system tools (PowerShell, WMI, certutil, msiexec) abused by attackers to execute malicious actions while evading detection, as these tools are trusted by security software.

Appendix A · Glossary · 2 of 2

Technical Glossary (N–Z)

Term	Definition
OAuth 2.0	Open Authorization framework allowing third-party applications to obtain limited access to user accounts without exposing credentials. Commonly abused via consent phishing and token theft.
PAM	Privileged Access Management: solutions controlling, monitoring, and auditing all privileged account usage, including session recording, credential vaulting, and just-in-time access provisioning.
PAW	Privileged Access Workstation: hardened, dedicated device used exclusively for administrative tasks, isolated from general internet browsing and email to prevent credential compromise.
Post-Quantum	Cryptographic algorithms designed to be secure against attacks by quantum computers. NIST-standardized algorithms include CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (signatures).
RaaS	Ransomware as a Service: criminal business model where ransomware operators license malware to affiliates who conduct attacks, splitting ransom proceeds. Dramatically lowered barrier to entry for ransomware attacks.
RMM	Remote Monitoring and Management: tools used by IT service providers and MSPs to manage client infrastructure remotely. Increasingly targeted by attackers as a trusted lateral movement vector.
SCA	Software Composition Analysis: security testing that identifies vulnerabilities in open-source and third-party dependencies within application codebases, typically integrated into CI/CD pipelines.
SCIM	System for Cross-domain Identity Management: open standard for automating user provisioning and deprovisioning between identity providers and service providers, enabling real-time JML lifecycle management.
SSPM	SaaS Security Posture Management: continuous assessment of SaaS application configurations against security best practices, detecting misconfigured sharing settings, missing MFA, and over-privileged admin accounts.
UEBA	User and Entity Behavior Analytics: security analytics using machine learning to baseline normal behavior patterns and detect anomalous activities indicative of compromised accounts or insider threats.
Zero-Trust	Security model based on "never trust, always verify" — requiring continuous verification of every user, device, and connection regardless of network location, replacing implicit network perimeter trust.
ZIDA	Zelfire Identity Defense & Analytics: Zelfire platform module providing real-time identity risk scoring, ITDR, behavioral baselining, OAuth governance, and automated identity incident response.
ZTNA	Zero Trust Network Access: security framework providing identity-verified, application-specific access without exposing the underlying network, replacing VPN-based implicit network trust.
Zelwall	Rocheston Zelfire's integrated Web Application Firewall, API protection, and bot management platform providing layered defense for web properties and API endpoints.

Appendix B · MITRE ATT&CK Mapping · 1 of 2

MITRE ATT&CK Technique Mapping (TA0001–TA0006)

Tactic	Technique	Threat Actors	Top Sectors	Zelfire Detection
TA0001 — Initial Access
Initial Access	T1566 Phishing	Scattered Spider, Lazarus	FinServ, Healthcare	ZIDA Email Anomaly
Initial Access	T1190 Exploit Public App	Volt Typhoon, APT41	Gov, Energy, Tech	Zelwall WAF Block
Initial Access	T1195 Supply Chain	APT29, Lazarus	Tech, Gov, Defense	ZEPT SCA Gate
TA0002 — Execution
Execution	T1059 Command Scripting	Multiple APTs	All sectors	ZEPT Behavioral EDR
Execution	T1204 User Execution	RaaS affiliates	All sectors	ZIDA Risk Score Spike
TA0003 — Persistence
Persistence	T1078 Valid Accounts	All threat actors	All sectors	ZIDA Anomaly + CAE
Persistence	T1098 Account Manipulation	Scattered Spider, APT29	FinServ, Tech	ZIDA OAuth Monitor
Persistence	T1546 Event Triggered Exec	RaaS, Lazarus	Energy, Healthcare	ZEPT Registry Monitor
TA0004 — Privilege Escalation
Priv. Escalation	T1548 Abuse Elevation	RaaS, insiders	All sectors	ZEPT Process Behavior
Priv. Escalation	T1134 Token Impersonation	APT28, FIN12	Gov, FinServ	ZIDA Token Lineage
TA0005 — Defense Evasion
Defense Evasion	T1055 Process Injection	Lazarus, APT41	Tech, Defense	ZEPT Memory Monitoring
Defense Evasion	T1562 Impair Defenses	RaaS, insiders	All sectors	ZEPT Tamper Detection
TA0006 — Credential Access
Cred. Access	T1110 Brute Force	Commodity actors	All sectors	Zelwall Rate Limiting
Cred. Access	T1539 Steal Session Cookie	Scattered Spider, EvilProxy	FinServ, SaaS	ZIDA AiTM Detection

Appendix B · MITRE ATT&CK Mapping · 2 of 2

MITRE ATT&CK Technique Mapping (TA0007–TA0040)

Tactic	Technique	Threat Actors	Top Sectors	Zelfire Detection
TA0007 — Discovery
Discovery	T1069 Permission Groups Discovery	APT28, insiders	Gov, FinServ	ZIDA AD Query Baseline
Discovery	T1046 Network Service Scan	RaaS affiliates	All sectors	ZTNA East-West Detect
TA0008 — Lateral Movement
Lateral Movement	T1021 Remote Services	All APTs, RaaS	All sectors	ZTNA PAM Brokering
Lateral Movement	T1550 Use Alternate Auth	Scattered Spider, FIN12	FinServ, Retail	ZIDA Token Lineage
TA0009 — Collection
Collection	T1213 Data from Info Repos	APT29, insiders	Gov, FinServ, Healthcare	ZCASB DLP + UEBA
TA0010 — Exfiltration
Exfiltration	T1048 Exfil Over Alt Protocol	APT41, Lazarus	Tech, Defense, FinServ	Zelwall DLP + SIEM
Exfiltration	T1567 Exfil to Cloud Service	Scattered Spider	All sectors	ZCASB Anomaly Rule
TA0040 — Impact
Impact	T1486 Encrypt for Impact	RaaS (all groups)	All sectors	ZEPT Ransomware Behavior
Impact	T1489 Service Stop	Volt Typhoon, Sandworm	Energy, OT/ICS	ZEPT Process Guard
Impact	T1485 Data Destruction	Sandworm, nation-state	Gov, Critical Infra	ZCSPM Backup Monitor

Full MITRE ATT&CK Enterprise matrix coverage available in Zelfire platform. 237 techniques actively monitored. Navigator layer export available via Zelfire console → Threat Intel → MITRE Export.

Appendix C · Zero-Trust Checklist

Zero-Trust Implementation: One-Page Checklist

Identity & Access

Phishing-resistant MFA on all privileged + remote accounts

Block legacy auth protocols (Basic Auth, NTLMv1)

OAuth app consent restricted to IT admin approval

CAE enabled for M365, Google Workspace, Salesforce

No standing admin roles — JIT access for privileged ops

Quarterly entitlement reviews across all systems

HR-IdP integration for real-time JML lifecycle

ITDR/UEBA behavioral baselining deployed

Endpoint & Device

EDR (behavioral) on 100% of managed endpoints

Device compliance required for all application access

Critical CVE patching SLA: 72 hours

Application control on Tier-0 systems

BYOD: containerized access — no full MDM on personal

DNS filtering on all endpoints (C2 + phishing blocking)

Network & ZTNA

ZTNA deployed for all remote application access

Microsegmentation: no flat east-west access

All SSH/RDP via PAM-brokered sessions only

SMBv1 and NetBIOS disabled enterprise-wide

Network behavioral analytics: baseline + anomaly detection

SaaS & Cloud

CASB deployed — all SaaS apps inventoried and rated

Zero public storage objects containing sensitive data

No static IAM access keys — short-lived tokens only

CSPM with auto-remediation for critical findings

IaC security scanning gates all cloud deployments

CIEM entitlement right-sizing deployed

Cloud audit logging 100% coverage + SIEM integrated

Web & API

WAF in blocking mode on all public web apps

All API endpoints authenticated — no unprotected access

Rate limiting: per-account on all auth endpoints

Bot management on all consumer-facing surfaces

API schema validation at gateway layer

BOLA controls implemented in every API handler

TLS 1.3 only — legacy cipher suites disabled

Detection & Response

SIEM with cross-pillar telemetry correlation active

MTTD target: <1 hour for critical events

MTTC target: <4 hours for all high-severity incidents

Ransomware IR playbook tested quarterly via tabletop

Immutable backups tested quarterly for verified recovery

Threat hunting cadence: bi-weekly proactive hunts

SOAR automation for tier-1 alert triage and response

Supply Chain & Third-Party

All vendors rated by third-party risk score before onboarding

Vendor access time-boxed to approved maintenance windows

SCA scanning as mandatory gate in all CI/CD pipelines

Private package registry with signed dependency allow-list

PAM-brokered sessions for all vendor privileged access

Annual vendor security assessment for Tier-1 suppliers

6

Control domains

52

Checklist controls

78%

Breach risk reduction (PB01–03)

90 days

To quick-win baseline

180 days

To full ZT maturity

Appendix D · About

About Rocheston Zelfire

Rocheston Zelfire is the enterprise cybersecurity platform of Rocheston — delivering integrated zero-trust security across identity, endpoint, network, cloud, SaaS, and web layers. Zelfire unifies ITDR, EDR, ZTNA, CASB, CSPM, and WAF capabilities into a single platform driven by real-time threat intelligence and AI-powered behavioral analytics.

Zelfire Platform Modules

• ZIDA — Identity Defense & Analytics • ZEPT — Endpoint Protection • ZTNA — Network Access • ZCASB — SaaS Security • ZCSPM — Cloud Posture • Zelwall — Web & API Defense • ZPM — Privileged Access Mgmt • ZAPM — API Protection

About AINA

AINA (Adaptive Intelligence & Network Analytics) is Rocheston's proprietary AI engine powering the Zelfire platform. AINA processes petabyte-scale telemetry in real time, continuously updating threat models, behavioral baselines, and risk scores across identity, endpoint, cloud, and network domains. AINA's federated learning architecture enables cross-customer threat intelligence sharing while preserving data privacy — allowing each deployment to benefit from collective threat visibility without exposing individual organization data.

About RCCE

The Rocheston Certified Cybersecurity Engineer (RCCE) program is Rocheston's flagship certification and research initiative. RCCE trains and certifies cybersecurity professionals globally across domains including zero-trust architecture, AI security, cloud security, threat intelligence, and incident response. RCCE-certified professionals are recognized for applying evidence-based security practices grounded in real-world incident data — not just theoretical frameworks.

The RCCE research team contributes incident data, threat actor analysis, and control effectiveness research that informs the Zelfire platform's detection models and the annual Global Threat Report. In 2025, over 28,000 professionals held active RCCE certifications across 94 countries.

RCCE Certification Tracks

Zero-Trust Architect · Cloud Security Engineer · Threat Intelligence Analyst · AI Security Specialist · Incident Response Lead · Identity & Access Architect

Research Lead: Haja Mo

Haja Mo is the principal researcher and lead author of the Rocheston Zelfire 2026 Global Threat Report. As Head of Threat Intelligence at Rocheston, Haja leads the RCCE research division's analysis of emerging threat actor campaigns, zero-trust attack surface evolution, and AI-driven security innovation. Haja's work spans over a decade of incident response, red team operations, and security architecture across financial services, healthcare, and critical infrastructure sectors globally.

Rocheston Zelfire

Zero-Trust Under Fire · 2026 Global Threat Report

rocheston.com

zelfire.com

Usage, Privacy & Disclaimer

A Message from the Founder

Table of Contents

What 2026 Revealed

What Defenders Must Do Now

Seven Defining Shifts

Zero-Trust Reality Check

Key Concept Definitions

Trust Leak Map — Five Layers

How This Report Was Built

Data Sources

Definitions & Confidence Model

Definitions Used in This Report

Confidence Model

Biases, Limitations & Ethics

Known Biases & Limitations

Privacy & Ethics Statement

The Modern Threat Economy

Threat Actor Archetypes

Targeting by Sector

Targeting by Region

Key Regional Patterns

Top Campaign Types Observed

Where Zero-Trust Actually Fails

Five-Layer Trust Breakdown

Common Failure Patterns

Zero-Trust Stress Test Checklist

Why Identity Is the Battlefield

Credential Attacks

MFA Fatigue, Bypass & AiTM

Token Theft & Cookie Replay

OAuth Abuse, CA Misconfig & Privilege Escalation

OAuth Consent Abuse

Conditional Access Misconfig

Privilege Escalation

Device Trust Reality

Unmanaged & BYOD Access

EDR Tampering & Posture Spoofing

Local Admin & Endpoint Hardening Ladder

ZTNA Is Only as Strong as Its Scope

Common ZTNA Failures

East-West Movement Patterns

Micro-Segmentation Maturity Model

SaaS Is the New Lateral Movement Path

OAuth Apps, Delegated Access & Mailbox Abuse

Service Accounts & Shadow IT

The SaaS Takeover Chain

The Control Plane Is the Prize

Key Theft & Secrets Exposure

IAM Role Abuse & Privilege Escalation

CI/CD as the Breach Accelerator

Logging Blind Spots & Immutability

Supply Chain Is Trust at Scale

Vendor Access & Remote Tooling

Software Dependency Attacks

Trust Transitivity Failure Map

AI Changed the Economics of Intrusion

AI-Driven Phishing & Pretexting

Deepfakes in Business Workflows

AI Against AI: Prompt Injection, Data Leakage & Poisoning

Common Initial Access Paths — Ranked

Post-Compromise Objectives

Time-to-Impact & Dwell Time

The Modern Breach Chain — End to End

Where Defenders Should Intercept — 5 Points

Malware & TTP Evolution

Web Threats: What Changed in 2026

Bot Abuse & Account Takeover at Scale

Email & Collaboration Threats

Vulnerability Exploitation Reality

WAF Fatigue & Enforcement Drift

Metrics That Correlate with Fewer Incidents

How to Operationalize Metrics

Recommended Zero-Trust Scorecard

The Exception Problem

How to Read the Industry Chapters

Cross-Industry Comparison

Healthcare Threat Profile

Healthcare-Specific Playbook

Finance Threat Profile