Unit 42 reveals how multi-agent AI systems can autonomously attack cloud environments. Learn critical insights and vital lessons for proactive security.
Expand Strategic Collaboration to Secure the AI Enterprise
The transition from generative AI to agentic AI represents one of the most significant shifts in the history of enterprise technology. As organizations move from simple chatbots to autonomous agents that can execute business processes, the attack surface isn't just changing, it's exploding.
At Google Cloud Next 2026 in Las Vegas, Palo Alto Networks is proud to announce a series of groundbreaking integrations with Google Cloud. These innovations are designed to do more than just monitor the new AI-driven landscape; they are built to secure it by design. AI deployment is currently outpacing AI governance. By embedding our security platform into Google Cloud’s infrastructure, we are giving today’s enterprises the foundation to become the autonomous organizations of tomorrow.
Here is a look at the four major milestones of our partnership being unveiled this week.
Secure AI Agents with Google Cloud + Prisma AIRS
As autonomous AI agents become the new enterprise standard, security can no longer be an afterthought; it must be architectural. By integrating Prisma AIRS™ natively with Google Cloud Gemini Enterprise Agent Platform, we provide the proactive defenses required to govern complex agentic workflows. This integration ensures that as you scale your autonomous workforce, your security scales with it, providing comprehensive operational integrity without hindering the speed of innovation.
We are delivering capabilities across three critical pillars:
Protecting Agent-Specific Runtime Risks: In an agentic ecosystem, the primary risk is unauthorized or a destructive action taken by the AI agents themselves. Prisma AIRS secures the "agent-to-tool" interface, preventing poisoned context from triggering malicious scripts or destructive actions. The solution monitors agent execution in real-time, so agents cannot leak sensitive credentials or tool schemas, maintaining the boundary between agents and their access to enterprise data.
Securing the GenAI Application Surface: Modern AI applications and agents require a secure-by-design approach. Prisma AIRS AI Runtime Security™ provides prevention of more than 30 adversarial prompt injection and jailbreak techniques, as well as malicious code and URLs within LLM outputs. Prisma AIRS utilizes over 1,000 predefined patterns out of the box and ML-powered Enterprise DLP to stop sensitive data leakage.
Enforcing Enterprise AI Safety and Grounding: Trust in AI is built on the consistency and safety of its output. Prisma AIRS allows organizations to define safety policies in natural language and filter toxic content across eight distinct categories to protect brand reputation. Using contextual grounding, Prisma AIRS can prevent misleading outputs that contradict internal RAG data, keeping agents tied to real facts.
This integration ensures that as you scale your autonomous workforce, your security posture scales with it, providing operational integrity without hindering the speed of innovation.
Security-as-Code for Prisma AIRS Integration with Application Design Center (ADC)
The traditional bolt-on approach to security is no longer viable in a cloud-first world. Google Cloud’s Application Design Center (ADC) is revolutionizing how applications are built, using an intuitive canvas and natural language via Gemini Code Assist.
Palo Alto Networks is announcing that it will be published as a template within the Application Design Center, providing more capabilities to engineering teams:
Drag-and-Drop Security – Visually "snap" VM-Series firewalls and Prisma AIRS AI protections directly into network flows.
AI-Driven Architecture – Use natural language prompts to generate secure-by-default, multiregion architectures.
Simultaneous Deployment – Deploy entire application stacks and security services in a single, unified workflow, ensuring protection is present from the very first minute of deployment.
Zero-Day Protection at Scale with Advanced Malware Sandboxing for Google Cloud NGFW Enterprise
The battle against malware has shifted to the cloud. Modern attacks are faster, more evasive and capable of bypassing traditional defenses.
That is why we are excited to announce Advanced WildFire®, powered by Palo Alto Networks, natively integrated into Google Cloud NGFW Enterprise, delivering AI-driven malware prevention directly within Google Cloud environments.
This integration embeds inline sandboxing and real-time threat intelligence directly into Google Cloud’s distributed firewall to stop advanced and unknown threats before they impact workloads, enabling:
Secure Detonation – Suspicious files are safely executed in a controlled sandbox environment to uncover hidden and unknown threats.
Inline Traffic Inspection – Inbound and outbound traffic is analyzed in real time to prevent lateral movement of malicious payloads across cloud environments.
AI-Driven Threat Prevention – Leverages global threat intelligence by Palo Alto Networks to block zero-day threats before they compromise workloads.
With Advanced WildFire embedded directly into Google Cloud NGFW Enterprise, organizations can extend consistent protection across their cloud infrastructure while maintaining operational simplicity.
Cloud NGFW Enterprise Advanced Malware Sandboxing will be available in Public Preview soon.
Defining the Future with the Google Cloud Marketplace
Palo Alto Networks has joined the Google Cloud Marketplace Agent-as-a-Service as a launch partner to introduce the Prisma AIRS Model Security agent. Operating as an Agent-as-a-Service, this solution scans AI models for vulnerabilities and policy noncompliance before they reach production.
Available in the Agent Gallery inside Gemini Enterprise, this marketplace offering runs entirely within the customer’s own Google Cloud environment, providing both new and existing Prisma AIRS users a seamless and simple deployment experience inside Gemini Enterprise.
Securing AI Innovation at Scale
The collaboration between Palo Alto Networks and Google Cloud is built on a shared vision: Security should be an accelerator for innovation, not a bottleneck. As we look toward the future of the AI-powered enterprise, our commitment remains to provide the most robust, platform-driven security for every workload, every agent and every interaction.
Want to see these integrations in action? Contact your Palo Alto Networks representative to learn more about how we are securing the future of the cloud together. If you’re attending Google Cloud Next 2026, join us at these sponsored sessions:
Claims like that are bound to create two sides, so we searched for an official rebuttal by Anthropic. But we couldn’t find one. It would surprise me very much if they’d be unaware of the claim, since there’s been some noise about it.
Users on Mastodon, Reddit, and LinkedIn are confirming the researcher’s findings and discussing the subject, so it’s hard to imagine Anthropic missed it.
Let’s look at the claims first.
While looking into another matter, the researcher discovered a Native Messaging host manifest on his Mac that he did not knowingly install. On Chrome and other Chromium-based browsers, extensions can exchange messages with native applications if they register a native messaging host that can communicate with the extension.
By testing on a clean machine, Hanff discovered that Installing Claude Desktop for macOS drops a Native Messaging host manifest into multiple Chromium profiles (Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium), even including for browsers that are not actually installed yet.
The Native Messaging host manifest tells a Chromium‑based browser which local executable to invoke when an extension calls a native host, and those hosts run outside the browser sandbox with current users permissions. Hanff therefore describes this as a “backdoor.” The manifest pre‑authorizes three Chrome extension IDs, so any extension with those IDs can call the helper via connectNative, giving it access to browser automation features.
Another objection is that Claude makes simple deletion futile since the manifest will be recreated the next time the user launches Claude Desktop.
It’s important here to point out that his article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic’s command line developer tool. Claude Code is autonomous (“agentic”), allowing you to hand over a task, and it handles the planning and execution until done. So, for Claude Code, it would absolutely make sense to enable communication with browsers, provided they are present on the target system.
So, we have an application that writes into other apps’ profile/support directories (the browsers’ configuration area) and can act as the user, with capabilities like using the logged‑in browser session, DOM inspection, data extraction, form filling, and session recording. This expands the attack surface of every machine this manifest is dropped on, without asking for consent.
Anthropic’s own launch blog on “Claude for Chrome,” which discusses Anthropic’s internal red‑team experiments, explicitly mentions prompt injection as a key risk and reports attack success rates of 23.6% (no mitigations) and 11.2% (with mitigations). Hanff cites this to argue that a pre‑positioned bridge is a non‑trivial risk.
How bad is it?
Native Messaging is a standard Chromium mechanism. Nothing here is an unknown or exotic technique per se. Chrome’s own documentation explains that Native Messaging hosts run at user privilege and are invoked by browser extensions through a manifest file. And as the researcher pointed out, the bridge does nothing. But it could potentially be abused.
I don’t think it’s fair to say that Claude Desktop installs spyware, but it does open a system up by expanding the attack surface.
Anthropic already had a separate, documented Native Messaging manifest for Claude Code that users sometimes manually copied into other Chromium browsers; the new behavior is that Claude Desktop now drops a Claude‑Desktop‑related manifest into multiple browser paths automatically.
It requires a combination of extension and host. Only combined with a matching browser extension, this bridge enables the user-like capabilities we listed earlier.
What we don’t know yet
Anthropic hasn’t published a detailed technical privacy spec for the Claude Desktop–browser bridge, so we don’t know exactly what data flows when the Chrome integration is used, beyond the general capabilities described in their documentation (session access, DOM reading, etc.).
The detailed analysis and most replication so far are on macOS. We’re in the dark about behavior on Windows and Linux, and the same is true across different browser install paths. That behavior has also not been comprehensively documented in public write‑ups.
I did reach out to Anthropic asking for a response. If and when we get an official response from Anthropic, I’ll add it here, so stay tuned.
Conclusion
Anthropic likely wanted “Claude in Chrome”‑style capabilities across Chromium‑based browsers, but that doesn’t excuse doing it silently and preinstalling the manifest into profile directories for multiple browsers, including ones that are not yet installed.
There are better ways to implement changes like these, and users should at least be made aware of them so they can weigh the advantages against the potential risks.
Stop threats before they can do any harm.
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
Somebody went looking for Google’s new Antigravity coding tool this week, clicked download, ran the installer, and got exactly what they thought they were getting. Antigravity installed cleanly. A shortcut appeared on the desktop. The application opened and worked. Nothing looked or felt wrong.
But behind the scenes, that installer can give your accounts, your data, and even your machine to an attacker, without breaking anything the user can see.
In this article, we’ll break down the technical details of the campaign, how it works under the hood, and what to do if you think you’ve installed it.
The download that actually gave you what you wanted
Google Antigravity launched in November 2025 and has been one of the most searched-for developer tools on the web ever since. The real product lives at antigravity.google. Hardly anyone new to the product has the real URL memorized, so when a user reached a hyphenated lookalike (what we call a typosquat domain) at google-antigravity[.]com it was convincing enough at a glance.
So they went on to download the file, called Antigravity_v1.22.2.0.exe.
The installer isn’t simply named to look like the real one from Google. It’s 138 MB: large enough to carry the entire Antigravity application, its Electron runtime, its Vulkan graphics libraries, its updater, all of it. Because that is what is actually inside.
The attacker didn’t build a convincing fake; they took the genuine Antigravity installer, added one additional step to run their PowerShell script during setup, and repackaged the result. The malicious step is one extra line in a sequence that runs dozens of legitimate ones. Here’s what the Setup looked like:
How do we know it’s one line? Because you can see it.
The MSI’s custom-action table (the list of every step the installer takes during install) contains 11 rows that are standard, boilerplate entries the installer tool generates automatically: extract files, check the Windows version, elevate to admin, write a log, clean up afterwards. Each of those has a name that starts with AI_ followed by a description of what it does. And then, sitting at the bottom of the same list, there is one more row, named wefasgsdfg — a keyboard mash the attacker typed in when the installer tool prompted them for a name, and the one that runs their PowerShell script.
Antigravity installs properly into C:\Program Files (x86)\Google LLC\Antigravity\. A Start Menu entry appears, a desktop shortcut is placed, and everything works. The user opens the app, tries it, closes it, and goes on with their day. It all seems fine, because they actually installed the thing they wanted to install. The malicious part is happening quietly, in a folder they’ll never open.
Two small scripts, and a phone call
Somewhere in the middle of the install, the MSI runs a small helper script that drops two PowerShell files into the user’s temporary folder: scr5020.ps1 and pss5032.ps1. The filenames look like specifics but aren’t: the four characters after each prefix are generated fresh every time the installer runs.
What stays constant is the prefix: scr for the user script, pss for the PowerShell wrapper, because those come from the installer tool’s standard naming pattern for custom-action scripts.
Of the two files, the second is an unaltered Advanced Installer utility. It’s genuinely innocent and present in many real products. The first was added by the attacker, and it has one job: open an HTTPS connection to https://opus-dsn[.]com/login/, download whatever code the server sends back, and run it. To blend in, it spoofs a Microsoft referrer header and routes through the system’s default web proxy, so it inherits whatever corporate proxy configuration and authentication IT has set up, without the user noticing. It also saves and restores the parent PowerShell’s TLS setting, leaving that one global unchanged after it exits. That’s the entire script.
Researchers call this pattern a downloader cradle, and its advantage to the attacker is flexibility. The real payload lives on their server, not inside the installer out in the wild, so they can swap it out, change targeting, or turn the operation off without touching the file users are downloading.
In this case, the cradle did exactly what it was built to do and no more: a DNS query for opus-dsn[.]com, a single TCP connection on port 443 to 89[.]124[.]96[.]27 with a quiet HTTPS GET to /login/, and then the PowerShell process exited.
Nothing else happened. No second-stage script was fetched. No file was dropped. No scheduled task was created. No changes were made to Windows Defender. Most automated security tools would shrug and move on.
But the malware hadn’t failed. It had introduced itself to the attacker’s server and asked for code to run next—and whether the answer comes back is a decision the operator gets to make later, on their own time, one victim at a time. You cannot tell, from the victim’s side, what was returned. For analysis, we retrieved what the server sends when the answer is yes.
What arrives when the answer is yes
When the server decides a target is worth attacking, the follow-on script does its work in three movements.
First, it makes Defender look the other way. It calls Add-MpPreference (with the cmdlet name split by a backtick, a small obfuscation to dodge naïve string-matching detections) to exclude %ProgramData% and %APPDATA% from scanning, exclude .exe, .msi, and .dll files from scanning, and exclude PowerShell, regasm.exe, rundll32.exe,msedge.exe, and chrome.exe from scanning. Only after that does it phone home—collecting a profile of the machine (Windows version, Active Directory domain, installed antivirus product), RSA-encrypting it with a public key embedded in the script, and sending it to opus-dsn[.]com inside a utm_content query parameter that looks, in any access log, like ordinary marketing tracking. This is the profile the operator uses to decide whether this particular machine is worth the next stage.
Second, it widens the gap. A second Add-MpPreference block extends the exclusion list to include the .png file extension and the conhost.exe process—the exact two additions the next stage will need. It then writes AmsiEnable=0 into HKLM\Software\Policies\Microsoft\Windows Script\Settings, disabling Windows’ Antimalware Scan Interface—the layer that normally lets Defender read scripts before they execute. After this point, the malicious activity is being conducted in folders, with file types, and through processes that Defender has been instructed to ignore.
Third, it stages persistence. It downloads a file called secret.png from https://captr.b-cdn[.]net/secret.png (a BunnyCDN URL that looks at a glance like any other content-delivery link) and saves it to C:\ProgramData\MicrosoftEdgeUpdate.png, a path chosen to sit beside Microsoft’s real browser-update folders. The file is not an image. It is an AES-256-CBC ciphertext (key and IV both derived via PBKDF2 with 10,000 iterations from a hardcoded passphrase) wrapping a .NET assembly. A scheduled task is then registered with the name MicrosoftEdgeUpdateTaskMachineCore{JBNEN-NQVNZJ-KJAN323-111}, which is all but indistinguishable at a glance from the real Microsoft Edge update task and set to fire at every logon, running unprivileged so it never produces a UAC prompt. The action it executes is conhost.exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has been asked to ignore.
And then a second payload, that doesn’t persist at all. The script doesn’t stop there. After registering and starting the scheduled task, it sends a second beacon to confirm install, then runs an entirely separate block that downloads a second encrypted file (GGn.xml) from the same BunnyCDN host, decrypts it with a different, hardcoded AES key, and reflectively loads that assembly into the running PowerShell process too. The first payload survives reboots; this one runs once, in memory, and is gone. Two .NET assemblies, one campaign, on the victim.
What the payload is built to do
The decrypted assembly is a .NET stealer. We can characterize it from its own class and method names, which describe its job in plain English: it scans browsers, messaging apps, gaming platforms, FTP clients, and crypto wallets, collecting data labeled Logins, Cookies, Autofills, and FtpConnections.
In practice, that means every Chromium- and Firefox-based browser on the machine (Chrome, Edge, Brave, and others) gets stripped of saved passwords, autofill data (including saved credit cards), and the cookies that keep users signed in. Discord tokens, Telegram sessions, Steam logins, FTP credentials, and cryptocurrency wallet files are taken as well.
(Most of the exact target paths are obfuscated and only decrypted at runtime, so the specific apps aren’t all visible from a static analysis, but the categories of theft are clear from the class names.)
Session cookies are the part that should alarm most people, because they work faster than anything else. A stolen login cookie lets an attacker walk straight into a Gmail inbox or banking portal without needing a password or triggering two-factor authentication. As far as the website is concerned, the user is already signed in. The gap between infection and account takeover can be minutes.
Beyond data theft, the malware also imports Windows APIs used for clipboard hijacking and keystroke logging, tools that can capture what you type or swap a cryptocurrency wallet address at the exact moment you send funds.
It also includes the building blocks for “hidden desktop” tradecraft: creating a second, invisible Windows desktop that the attacker can capture and potentially control. In its most advanced form, this lets an attacker operate inside that hidden environment—logging in to accounts, approving transactions, or sending messages—while the victim’s real screen shows nothing unusual. For the duration of the infection, the attacker is, effectively, a second presence on the computer.
A new tool, a new lookalike, the same trap
The reason this campaign matters beyond the single installer is that its shape isn’t new. It’s a refined version of a pattern we’ve been watching for months: new AI products launch with huge attention, and within weeks, lookalike domains and trojanized installers appear alongside them. Antigravity is the latest example, but it won’t be the last.
The incentive for attackers is obvious. Every high-profile AI launch creates a surge of users who want to try it immediately, before they’ve had time to memorize the real URL, or might fail to double-check it against trusted sources.
What makes this style of campaign hard to spot is that most victims never know they were targeted. Those who escaped, because the operator chose not to escalate on their machine, have no reason to think anything happened.
The ones who didn’t escape usually find out later: a password reset they didn’t request, a friend asking about a strange message, or a bank balance that suddenly looks wrong. By then, the decision to target them was made days earlier.
What to do if you may have been affected
If you or anyone who shares your computer recently installed something calling itself Google Antigravity from anywhere other than antigravity.google, start by checking the network indicators. Look in firewall logs, EDR alerts, or your router logs for connections to opus-dsn[.]com, captr.b-cdn[.]net, or 89[.]124[.]96[.]27. A single connection from a PowerShell process is enough to confirm the check-in happened.
From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Most services have a “sign out everywhere” option under security settings.
Change passwords on those accounts, starting with your email. If your email is compromised, an attacker can reset almost anything else.
Rotate any API keys, SSH keys, or cloud credentials that were on the affected computer, not just the passwords attached to them.
If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. This is what these operators monetize first.
Watch your bank and credit card statements for unfamiliar charges, and consider placing a fraud alert with your bank.
Wipe and reinstall Windows. A machine that has run this class of malware should not be trusted.
If the machine is a work laptop, tell your IT or security team today. The beacon collects the machine’s Active Directory domain, so on a domain-joined corporate laptop, the attacker now knows which company’s network this victim belongs to, which means this isn’t just a personal problem.
We are living through a moment that will be defined not only by advanced technology and AI, but by the real-world infrastructure that makes it possible. And that infrastructure will be built the way critical infrastructure has always been built—by electricians, ironworkers, pipefitters, operating engineers, laborers, and the many other skilled professionals who turn plans into places and progress.
In a world that can feel increasingly virtual, there are millions of skilled trade professionals who remind us of a simple truth: what happens next still depends on uniquely human skills and what we can create, build, wire, weld, install, and maintain.
At Microsoft, we are honored to partner with North America’s Building Trades Unions (NABTU) to invest in the people who build with us. Today we are announcing an expanded partnership to support a strong, skilled workforce pipeline and help workers across North America build the skills needed to succeed in an AI-powered economy.
We believe that the North American skilled trades workforce is one of the most talented workforce systems. This week, thousands of these talented workers from across North America gather in Washington, DC for their annual Legislative Conference, an annual convening that reflects both the enduring strength of the trades and the country’s need for what they do.
As part of our Community-First approach to AI infrastructure we committed to investing in the places where we build, in the people who build with us, and in the long-term capacity of local economies. AI is a tool we will use, and I believe it will help in ways we plan and manage work, but it will not replace the experience, judgment, and craft that define the trades. Instead, it can amplify those human skills: helping people work more safely, learning more quickly, and delivering higher-quality outcomes on increasingly complex job sites.
Bringing AI literacy to millions of trades professionals
Our collaboration with NABTU is built on a simple but powerful idea: the people building the future should also be equipped to thrive in it.
Over the past year, we have worked together to bring AI literacy directly into the apprenticeship and training infrastructure that NABTU operates across all 50 states and Canada. More than 1,500 instructors in hands-on training centers nationwide have already participated. That early momentum confirmed that when you meet workers where they are, with content designed for how they actually work, the true benefit of AI can be felt.
Today, we are expanding that effort significantly. Beginning now, no-cost AI literacy courses tailored specifically for the skilled trades are available on LinkedIn Learning, open to instructors, apprentices, and journey-level workers across North America. One course is designed for faculty and staff in apprenticeship training environments. The other is built for apprentices and journey-level professionals who are on job sites every day. Upon completion, participants earn an industry-recognized AI literacy credential—a tangible marker of readiness that travels with them throughout their careers.
We are also extending our partnership to TradesFutures, NABTU’s affiliated nonprofit that recruits, prepares, and connects people to union construction apprenticeship programs across 34 states. Through TradesFutures, we will expand awareness of careers in data center construction alongside AI literacy and link opportunity with infrastructure being built today with the skills that will define tomorrow. The training will be available to all TradesFutures Apprenticeship Readiness Programs, which operate in community-based workforce development settings, high schools, correctional facilities, and labor organizations.
Building on a foundation of partnership with labor unions
There is a question at the center of every conversation about AI and work: who gets to participate?
For too long, the answer has defaulted to those already inside the technology sector or sitting behind desks. But the reality of the AI economy is far broader than any single industry.
At Microsoft, we believe that AI literacy should be as foundational as safety training on a job site. It is not about turning electricians into software engineers. It is about ensuring that an apprentice learning to install electrical systems in a data center also understands the technology those systems support and can use AI tools to work more safely, more efficiently, and with greater confidence.
That philosophy aligns directly with how we think about jobs and skills at Microsoft Elevate—not as a one-time event but as an ongoing investment in human potential that increases the opportunity for all.
This work with NABTU is part of a broader pattern of partnership between Microsoft and the labor community. In December 2023, Microsoft and the AFL-CIO announced a first-of-its-kind partnership between a technology company and a national labor organization focused on AI. That agreement established a framework for sharing AI insights with labor leaders, incorporating worker perspectives into technology development, and shaping public policy that supports frontline workers.
Since then, through our Microsoft Elevate initiative, we have continued to deepen our engagement with workforce organizations, educators, and community institutions. From partnerships with the American Federation of Teachers on the National Academy for AI Instruction to the National Education Association and National Association of Workforce Boards, our work with community colleges across the country, the thread that connects all of this work is a commitment to meeting people where they are—and making sure they have the skills and credentials to move forward.
The road ahead
Technology only fulfills its promise when it lifts people up, and the opportunity here is enormous. For this sector, for every industry that depends on it, for organizations of every size, and for individual workers and entrepreneurs. But it will only be realized if AI is designed and deployed around the realities of the work. In the trades, that means tools that are practical, trusted, and tailored so that AI can help more people stay in the field doing what they love, while opening doors to new kinds of growth.
Think about what that can mean for a contractor who’s running a small shop after a full day on the job: AI that helps draft and send invoices faster, reconcile receipts, and keep paperwork from piling up late at night. Or AI that can sift through public records—permits, zoning updates, capital plans, and procurement notices—to spot building trends in a community and flag where demand is headed next. Or tools that help identify bid opportunities and assemble first-draft scopes and materials lists based on prior jobs. On the job site itself, we believe AI can support safer work, such as summarizing daily plans, translating instructions, and surfacing the right checklist or standard, so people can focus on the work that requires human judgment.
There remain big questions about the impact of AI, and while we do not yet have all the answers, we do know that the future will not be built by technology alone. It will be built by the people who show up every day with skill and purpose to construct the world we all want to live in. If we continue to work together, AI can help expand opportunities: stronger businesses, safer job sites, better projects, and more people able to earn a great living in the communities they call home.
The SOC is broken. Not because of a lack of talent or effort, but because human capacity does not scale. Alert volumes keep rising. Attacks move faster. And the operating model still assumes analysts will investigate most of what comes in, which means the vast majority of alerts never get looked at.
Our AI SOC Report 2026, based on analysis of 25 million alerts across our global customer base, put a sharp number on the problem. Over 60% of alerts are never reviewed by SOC and MDR teams. Nearly 1% of all incidents trace back to alerts classified at the lowest severity levels, signals most teams never touch. With average enterprises generating around 450,000 alerts annually, that equates to roughly one real threat per week hiding in the backlog, undetected.
That is not a tool problem. It is an operating model problem.
On April 27, we are bringing together the security leaders who are doing something about it.
AI SOC Live is a monthly, online event where security leaders discuss the latest issues facing the cyber industry. This month, AI SOC Live will be a full-day, invitation-only event at the Nasdaq in New York City. It is designed for CISOs, security directors, SOC managers, and MSSPs who are not just watching AI transform security operations from the sidelines, but are in the middle of it, making decisions about how their teams operate, what they invest in, and where the humans actually need to be.
This event is a full day of sessions, panels, and conversations built around the people, processes, and technology required to run a world-class SOC in 2026.
Who you will hear from at AI SOC Live Nasdaq
The speaker lineup reflects how seriously we have curated this event.
Itai Tevet, CEO and Founder of Intezer, will open the day with a session on the new SOC operating model, what it means when AI executes investigation and humans supervise outcomes, and why that shift changes security results structurally, not incrementally.
Alon Cohen, Founder and Executive Chairman of both Intezer and CyberArk, will speak to the broader impact of AI on security, drawing on decades of experience building foundational security companies.
Pavi Ramamurthy, Global CISO & CIO at Blackhawk Network as well as a founding member of the Professional Association of CISOs, and a venture advisor at YL Ventures. She will be speaking about the role of humans in the SOC.
David Spark, Founder and Executive Producer of the CISO Series Podcast, will host a live recording of the show featuring Nick Vigier, CISO at Oscar Health, digging into AI SOC beyond the hype.
You will also hear from CISOs at WCG Clinical, and ION Group, alongside practitioners from Realm Security, Legato Security, Upwind Security, and Monad. Sessions cover cloud security for the AI era, the blueprint for AI SOC success, and what every CISO needs to manage not only their security, but their executive board as well.
And Mitchem Boles, Field CISO at Intezer, and Marcus Mingo, Detection Engineer at Intezer, will be there all day, available for the kind of real, technical conversations that rarely happen at larger conferences. See the full list of speakers.
What the day looks like
The agenda moves quickly and stays practical.
The morning opens with sessions on the new operating model and AI’s impact on security, followed by a CISO panel on the role of humans in the SOC and a session from Realm Security on building a data-first AI SOC. After a working lunch with interactive product demos, the afternoon covers cloud security, a live CISO Series recording, and a panel on advancing SOC outcomes at the C-suite level.
The day closes with a photo opportunity in front of the iconic Nasdaq billboard, followed by a cocktail reception overlooking New York City.
Attendees also earn CPE credits through the event’s partnership with ISC2.
Why this conversation matters now
The 2026 data makes the stakes clear. Our report found that more than half of confirmed compromised endpoints had been marked as “mitigated” by the EDR vendor, meaning teams believed those machines were clean when they were not.
The gap between what organizations believe is covered and what is actually investigated is where real risk lives. Closing that gap requires a different operating model, one where AI investigates every alert, including the low-severity signals that human teams deprioritize, and humans supervise outcomes instead of grinding through queues.
That is the conversation happening at AI SOC Live.
Who should attend
This event is designed for CISOs, VPs and Directors of Information Security, SOC managers, and MSSPs from large enterprises who are responsible for security strategy, risk decisions, and operational outcomes. Whether you are evaluating AI for the first time or scaling capabilities you already have deployed, the sessions and conversations are built for leaders making real decisions, not attendees collecting swag.
Anthropic’s most capable model to date, Claude Mythos Preview (aka Mythos), has been described as a “step change” in AI performance, especially on cybersecurity tasks.
Anthropic tried to keep Mythos a secret until a few weeks ago, when a data leak revealed the existence of what the company said was its most powerful artificial intelligence to date. The models is seen as both a powerful defensive tool, and, potentially, a serious offensive cyberweapon.
For that reason, the company is sharply limiting access and signaling it does not plan to release it broadly to the market right now. Its reported ability to autonomously find and even chain software vulnerabilities at scale sit at the core of both the hype and the danger.
Imagine a tool that can independently find new vulnerabilities in software, systems, and platforms, then turn them into exploits, even if that requires chaining them with other vulnerabilities.
In the wrong hands, that could be a major threat to our cyber safety. So Anthropic has limited access to a small number of organizations worldwide, including major tech firms and a select group of government or security bodies. The NSA is reportedly already using Mythos Preview, apparently to stress‑test and harden sensitive systems, despite the Pentagon labelling Anthropic as a supply chain risk.
Mythos can discover vulnerabilities across large codebases more quickly and reliably than existing tools, and can look for multiple flaws in one system and combine them into multi‑step exploit chains to complete a compromise (for example, going from a simple web bug to a full domain takeover). It would take a bug bounty hunter months to find another vulnerability, let alone one chainable with the one(s) already discovered. Accomplishing that before the first one would be highly unlikely.
In practical terms, that could mean faster attacks, more complex breaches, and less time for companies to fix weaknesses before they’re exploited.
Anthropic itself has highlighted that Mythos can work with minimal supervision for extended periods, meaning it could run systematic attack campaigns at a scale no human team could accomplish.
AI lowers the skill floor for offensive operations. Less-skilled actors could get access to very effective tools, significantly increasing the number of advanced attacks.
Techniques like fuzzing, dictionary attacks, and other brute force methods become much more effective when sped up by automation. AI-assisted iteration can provide an attacker with a lot more tries before an attack gets noticed.
But the most concerning conclusion was that the offensive side is iterating faster in the current phase of AI development, and security teams are generally later adopters of AI tooling than their adversaries.
As we know, AI in cybersecurity works both ways. It helps us defend against new threats, but it can also be used to create them. Which is why, in the wrong hands, Mythos can turn out to be a formidable adversary.
The goal stays the same, but the way to get there is paved by tools like Mythos. From the attacker’s seat, nothing about the destination is new. The novelty is that Mythos now automates the map, the vehicle, and most of the driving.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Unit 42 finds frontier AI models enhance vulnerability discovery, acting as full-spectrum security researchers. They enable autonomous zero-day discovery and faster N-day patching.
In 2023, Tim Utzig, a blind student from Baltimore, lost a thousand dollars to a laptop scam on X. Tim had been a long-time follower of a well-known sports journalist. When that journalist’s account started posting about a “charity sale” of brand-new MacBook Pros, Tim jumped at the chance to get a deal on a laptop he needed for his studies. After a few quick messages, he sent over the money.
Unfortunately, the journalist’s account had been hacked, and Tim’s cash went straight to scammers. The red flags were strictly visual: the page had been flagged as “temporarily restricted”, and both the bio and the Following list had changed. However, Tim’s screen reader — the software that converts on-screen text and graphics into speech — didn’t announce any of those warnings.
Screen readers allow blind users to navigate the digital world like everyone else. However, this community remains uniquely vulnerable. Even for sighted users, spotting a fake website is a challenge; for someone with a visual impairment, it’s an even steeper uphill battle.
Beyond screen readers, there are specialized mobile apps and services designed to assist the blind and low-vision community, with Be My Eyes being one of the most popular. The app connects users with sighted volunteers via a live video call to tackle everyday tasks — like setting an oven dial or locating an object on a desk. Be My Eyes also features integrated AI that can scan and narrate text or identify objects in the user’s environment.
But can these tools go beyond daily chores? Can they actually flag a phishing attempt or catch the hidden fine print when someone is opening a bank account?
Today we explore the specific online hurdles visually impaired users face, when it makes sense to lean on human or virtual assistants, and how to stay secure when using these types of services.
Common cyberthreats facing the blind and low-vision community
To start, let’s clarify the difference between these two groups. Low-vision users still rely on their remaining sight, even though their visual function is significantly reduced. To navigate digital interfaces, they often use screen magnifiers, extra-large fonts, and high-contrast settings. For them, phishing sites and emails are particularly dangerous. It’s easy to miss intentional typos — known as typosquatting — in a domain name or email address, such as the recent example of rnicrosoft{.}com.
Blind users navigate primarily by sound, using screen readers and specific touch gestures. Interestingly, though, unlike those with low vision, blind users are more likely to spot a phishing site using a screen reader: as the software reads the URL aloud, the user will hear that something is off. However, if a service — whether legitimate or malicious — isn’t fully compatible with screen readers, the risk of falling victim to a scam increases. This is exactly what happened to Tim Utzig.
It’s important to remember that screen magnifiers and readers are basic accessibility tools. They’re designed to enlarge or narrate an interface — not act as a security suite. They can’t warn the user of a threat on their own. That’s where more advanced software — tools that can analyze images and files, flag suspicious language, and describe the broader context of what’s happening on-screen — comes into play.
When to lean on an assistant
Be My Eyes is a major player in the accessibility space, boasting around 900 000 users and over nine million volunteers. Available on Windows, Android, and iOS, it bridges the gap by connecting blind and low-vision users with sighted volunteers via video calls for help with everyday tasks. For example, if someone wants to run a Synthetics cycle on their washing machine but can’t find the right button, they can hop into the app. It connects them with the first available volunteer speaking their language, who then uses the smartphone’s camera to guide them. The service is currently available in 32 languages.
In 2023, the app expanded its capabilities with the release of Be My AI — a virtual assistant powered by OpenAI’s GPT-4. Users take a photo, and the AI analyzes the image to provide a detailed text description, which it also reads aloud. Users can even open a chat window to ask follow-up questions. This got us thinking: could this AI actually spot a phishing site?
As an experiment, we uploaded a screenshot of a fake social media sign-in page to Be My Eyes. On a phone, you can do this by selecting a photo in your gallery or files, hitting Share, and choosing Describe with Be My Eyes. In Windows, you can upload a screenshot directly.
An example of a phishing page that mimics the Facebook sign-in form. Note the incorrect domain in the address bar
At first, the AI gave us a detailed description of the page. We then followed up in the chat: “Can I trust this page?” The AI flagged the domain name error immediately, advised us to close the fake login page, and suggested typing the official URL directly into the browser, or to use the official Facebook app.
Be My AI explains why the page looks sketchy: the domain doesn’t match the official site. The app suggests typing the official URL directly into the browser, or using the official Facebook app
We saw the same positive results when testing a phishing email. In fact, the AI flagged the scam during its initial description of the message. It wrapped up with a warning: “This looks like a suspicious email. It’s best not to open any attachments or click any links. Instead, navigate to the official website or app manually, or call the number listed on their official site”.
Beyond just spotting cyberthreats, Be My AI is a solid sidekick for navigating online stores, banking apps, and digital services. For instance, the AI can help you to:
Read descriptions, names, and prices when a store’s website or app doesn’t support screen readers or large fonts
Scan those tricky terms and conditions — often buried in tiny text or otherwise inaccessible to a screen reader — when you’re signing up for a subscription or opening a bank account
Pull key info directly from product cards or instruction manuals
The risks of relying on Be My AI
The most common hiccup with AI is hallucinations, where the language model distorts text, skips crucial details, or invents words out of thin air. When it comes to cyberthreats, an AI’s misplaced confidence in a malicious site or email can be dangerous. Furthermore, AI isn’t immune to prompt injection attacks, which scammers use to trick AI agents beyond just Be My AI.
Even though the AI passed our test, you shouldn’t rely on it unquestioningly. There’s no guarantee it’ll get it right every time. This is a vital point for the blind and low-vision community, as a neural network can often feel like the only eyes available.
At the end of every response, Be My AI suggests checking in with a volunteer if you’re still unsure. However, when you’re trying to spot a fake webpage, we advise against this. You have no way of knowing how tech-savvy or trustworthy a random volunteer might be. Besides, you risk accidentally exposing sensitive data like your email address or password. Before connecting with a stranger, make sure they won’t see anything confidential on your screen. Better yet, use the app’s dedicated feature to create a private group of family, friends, or trusted contacts. This ensures your video call goes to people you actually know, rather than a random volunteer.
To stay safe, we recommend installing a trusted security tool on all your devices. These programs are designed to block phishing attempts and prevent you from landing on malicious sites. Another practical recommendation for visually impaired users is to use a password manager. These apps will only auto-fill credentials on the legitimate, saved website; they won’t be fooled by a clever domain spoof.
How Be My AI handles and stores your data
According to the Be My Eyes privacy policy, video calls with volunteers may be recorded and stored to provide the service, ensure safety, enforce the terms of service, and improve the products. When you use Be My AI, your images and text prompts are sent to OpenAI to generate a response. This data is processed on servers located in the U.S., and OpenAI uses it only to fulfill your specific request. The policy explicitly states that user images and queries aren’t used to train AI models.
Photos and videos are encrypted both in transit and at rest, and the company takes steps to strip away sensitive information. It’s worth noting that video call recordings can be retained indefinitely unless you request their deletion — in which case they’re typically wiped within 30 days. Data from Be My AI interactions is stored for up to 30 days unless you delete it manually within the app. If you decide to close your account, your personal data may be held for up to 90 days. At any time, you can opt out of data sharing, or request the deletion of your existing data by contacting the Be My Eyes support team.
How to use Be My Eyes safely
Despite Be My Eyes’ claims regarding privacy, you should still follow a few ground rules when using the service:
Use Be My AI for a first-pass on suspicious emails or pages, but don’t treat it as the only source of truth. Specialized security software is better at identifying and neutralizing threats.
If a site, email, or message feels off, don’t touch any links or attachments. Instead, manually type the official website address into your browser, or open the official app to verify the info.
Remember: a volunteer sees exactly what your camera sees. Make sure it isn’t capturing things it shouldn’t, like a safe code or an open passport. Avoid sharing your name, showing your face, or revealing too much of your surroundings. Be extra careful about reflections that might show you or your personal details. Only show what is absolutely necessary for the task at hand.
Stick to your inner circle. Create a group in the app and add your friends and family. This ensures your video calls go to people you know — not a random volunteer.
Don’t use Be My AI to read documents that contain confidential info. Remember, your images and text prompts are sent to OpenAI for processing and generating a response.
Remember to delete chats you no longer need. Otherwise, they’ll hang around for 30 days.
If you need to read something personal or confidential, consider apps with real-time reading features like Envision, Seeing AI, or Lookout. These apps process data locally on your device rather than sending it to the cloud.
The question isn’t whether to build. It’s what’s worth building.
Nearly every security organization with strong engineering resources is running some kind of internal AI project right now. That’s not a problem to be solved, it’s a sign of a healthy, capable team. The question worth asking isn’t “build or buy?” It’s a more precise one: which parts of this problem are worth your engineers’ time, and which parts aren’t?
That distinction changes the conversation entirely.
Intezer’s approach isn’t to compete with your internal roadmap. It’s to handle the commodity layer, common alert sources like CrowdStrike for example, so your engineers can focus on the security challenges that are actually unique to your organization. Some companies with very strong engineering teams are getting tremendous value from Intezer, precisely because they understand exactly what they’d rather not build themselves.
One Fortune 100 company started with Intezer for phishing triage, which removed a significant chunk of their internal DIY roadmap and freed their team to focus on their unique, internal use cases. Another F500 company went further as they expanded their Intezer contract while building their own custom internal AI for their own security use cases. Build and buy, working together, each doing what it does best.
So with that framing in mind, here’s an honest look at the parts of the AI SOC problem that are genuinely worth building and the parts that usually aren’t.
The maintenance treadmill nobody talks about
The first thing you encounter when you start building AI-driven alert triage is that the initial integration is only a fraction of the long-term work.
SIEM integrations break when vendors push updates. EDR APIs change without notice. New alert formats appear. Security tools version, deprecate endpoints, and shift data schemas on their own timelines. Keeping those integrations alive requires constant reverse engineering, work that is generic across every security organization in the world, but still consumes real engineering hours every single week.
Intezer already handles all of that. The integrations are built, maintained, and updated as the ecosystem evolves. When you offload the commodity layer, you skip the maintenance treadmill and get straight to what actually requires your organization’s specific knowledge.
Vendor alerts share many similarities even in different customer environments
Every security team knows their environment has its own complexity with unique infrastructure, specific tooling, particular workflows that took years to build. That’s real, and it matters.
But when it comes to the triage logic itself like investigating a suspicious lateral movement event, assessing a phishing alert, working through a cloud misconfiguration, the patterns tend to look remarkably similar across organizations. These are problems the industry has collectively solved thousands of times over.
That doesn’t diminish the work your team has done. It does raise a practical question: is rebuilding that common triage baseline the best use of your most capable engineers? The time spent recreating what already exists everywhere is time not spent on the challenges where your team’s knowledge is genuinely irreplaceable for your specific threat model, your particular infrastructure, and the edge cases no vendor has seen before.
Plugging into Intezer for the common alert sources isn’t a concession. It’s a way to protect your team’s time for the work that only they can do.
The integration challenge
One objection that comes up reliably, “we’ll need to do the integration work regardless”. That’s true. Connecting any automated system to your production security stack is environment-specific work that no vendor can fully do for you.
But here’s the distinction. With Intezer, that integration challenge is the only technically demanding part remaining. You’re not also building the investigation engine, the forensic analysis layer, the case correlation logic, the noise reduction system, and the detection feedback loop from scratch.
Building everything yourself means doing all of that foundational work and the integration. You spend months getting to a starting line that Intezer has already crossed, backed by years of operational learning across more than 150 enterprise deployments.
What the ROI actually looks like
There’s a headcount dimension here that often gets underweighted.
Building and maintaining your own AI SOC automation means dedicating engineering resources to it indefinitely. Those people aren’t available for other priorities. Their output is difficult to measure in security terms. And at the end of it, you’ve built something that performs commodity triage work, the same work Intezer has already productized and is continuously improving.
Buying Intezer converts that into a measurable line item with clear security outcomes attached: investigation accuracy, alert volume handled per analyst, time to resolution, escalation rate. RSM reported saving approximately 21,000 analyst hours per month, the equivalent of around 130 analysts, by running Intezer as their AI SOC layer. That’s not a soft productivity argument. It’s a concrete operational ROI story.
Continuous learning
One more dimension worth considering. What happens after an alert is triaged?
When Intezer investigates an alert, that outcome feeds back into detection engineering at the source, surfacing noisy or broken rules, mapping coverage gaps to MITRE ATT&CK, and generating deployment-ready detection rules informed by actual investigation results. The system gets smarter with every alert it processes. Detection improves based on evidence, not assumptions.
Homegrown automation rarely achieves this systematically. You triage the alert, close the ticket, and move on. The learnings don’t automatically improve your SIEM rules or extend your detection coverage. The system runs, but it doesn’t compound.
The practical frame
Think of it less as build vs. buy and more as what’s the right division of labor?
The commodity layer, common alert sources, standard triage logic, integration maintenance, detection lifecycle management, is worth offloading. That’s where Intezer operates. Your engineers stay focused on what’s actually differentiated: the security challenges that are specific to your environment, your risk profile, your business.
The teams that figure out this division early move faster, cover more, and build the things that actually matter.
At AWS, we’ve spent decades developing processes and tools that enable us to defend millions of customers simultaneously, wherever they operate around the world. AI has been an extremely helpful addition to the automation our security and threat intelligence teams do every day, and we’re still early in this journey. Our AI-powered log analysis system has reduced the time SecOps engineers spend analyzing security logs from an average of six hours to just seven minutes, a 50x productivity increase that lets us detect and respond to threats faster than ever. Across AWS, we analyze over 400 trillion network flows per day to detect patterns that signal emerging threats. In 2025 alone, we blocked over 300 million attempts to maliciously encrypt customer files hosted on Amazon S3. At this scale, every improvement in our operations helps protect all customers. AI is already helping us make our defenses stronger for everyone, and I’m excited to see that improvement continue.
A new class of AI for cybersecurity
Today, Anthropic announced Project Glasswing, a cybersecurity initiative designed to secure the world’s most critical software and advance the cybersecurity practices the industry will need as AI grows more capable. Organizations that build or maintain critical digital infrastructure are getting early access to Claude Mythos Preview, a new class of AI model, to find and patch vulnerabilities in the systems the world depends on. Given our role in securing some of the world’s most essential infrastructure, AWS is playing an integral part in advancing this work.
As part of Project Glasswing, we’ve already applied Claude Mythos Preview to critical AWS codebases that undergo continuous AI-powered security reviews, and even in those well-tested environments, it’s helped us identify additional opportunities to strengthen our code. In our internal testing, Claude Mythos Preview has proven more productive than previous models at surfacing security findings, requiring less manual guidance from our engineers to deliver actionable results. We’ve also given early access to a select group of AWS customers, who are deploying Claude Mythos Preview in their own security workflows and helping shape how the model evolves.
As AI tools grow more powerful in their ability to identify security issues, so must our ability to use them defensively. To that end, we’ve been working closely with Anthropic to help ensure Claude Mythos Preview is ready for enterprise use. AWS is Anthropic’s primary cloud provider for mission-critical workloads, safety research, and foundation model development. More broadly, AWS provides the foundational infrastructure that the world’s leading AI companies rely on to build, train, and deploy their most advanced models. We’re bringing decades of security experience to this partnership, helping to ensure Claude Mythos Preview is ready for even more organizations to build upon and operate securely at scale.
Claude Mythos Preview signals an upcoming wave of models that can find vulnerabilities and build working exploits at a scale and speed we haven’t seen before. Anthropic and AWS are taking a deliberately cautious approach to release. Access begins with a small number of organizations, prioritizing internet-critical companies and open-source maintainers whose software and digital services impact hundreds of millions of users. The goal: find and fix vulnerabilities in the world’s most critical software. Claude Mythos Preview is available in gated research preview through Amazon Bedrock with enterprise-grade security controls, including customer-managed encryption, VPC isolation, and detailed logging, so your team can explore Claude Mythos Preview’s capabilities without exposing production assets to unnecessary risk.
AWS architects services with security at the core
Our work with Project Glasswing is grounded in a philosophy we’ve developed over two decades of securing mission-critical workloads: you can’t wait for threats to materialize before building your defenses. You have to look around corners, adopt new technologies, build protections first, deploy them in your own operations at scale, and refine them based on what you learn.
That’s exactly what we’ve done at AWS with AI and security. Our approach spans the full spectrum: proactive defense through threat hunting and vulnerability research, dynamic response to active campaigns, and third-party certifications that verify our security practices meet the highest industry standards. This operational experience has taught us where AI accelerates security work and where human judgment remains essential. And it’s reinforced that security innovation must be pragmatic: proven in production before we ask you to rely on it.
That’s also why we help define what secure AI looks like. We became the first major cloud provider to achieve ISO 42001 certification for AI services. We’re active participants in OWASP, the Coalition for Secure AI, and the Frontier Model Forum. And we co-founded the Open Cybersecurity Schema Framework (OCSF) to enable better threat intelligence sharing across the ecosystem. The AWS Nitro System provides mathematically proven isolation for workloads. Systems and services like KMS, Nitro, EKS, and Lambda are designed with zero-operator access architectures, meaning AWS personnel can’t access your data. These aren’t aspirational goals. They’re how we operate today, at scale, every day.
Amazon Bedrock is where these principles come to life for AI. Bedrock provides policy-enforced access controls, built-in evaluation tools to measure how effectively models identify and validate vulnerabilities, and the ability to run workloads inside your own virtual private cloud. AWS is also the first cloud provider to achieve FedRAMP High and Department of Defense Security Requirements Guide Impact Level 4 and 5 authorizations for generally available Claude foundation models. Amazon Bedrock is already where the most security-sensitive organizations trust Anthropic’s technology, and it makes perfect sense for Claude Mythos Preview.
How to get started today
The same principles that guide our work at AWS scale apply regardless of which AI tools you’re using: comprehensive observability, defense in depth, automation where it adds value, and human judgment where it’s essential. Here’s how to put them into practice.
Prepare for the next generation of AI security. Claude Mythos Preview signals an upcoming wave of AI models that will transform cybersecurity. Start strengthening your security posture now so your organization is ready as these capabilities become more broadly available. Claude Mythos Preview is available in gated preview through Amazon Bedrock, and access is limited to an initial allow-list of organizations. If your organization has been allow-listed, your AWS account team will reach out directly.
Run on-demand penetration testing with AWS Security Agent. Now generally available,AWS Security Agent delivers autonomous penetration testing that operates 24/7 at a fraction of the cost of manual penetration tests. It transforms penetration testing from a periodic bottleneck into an on-demand capability that scales with your development velocity across AWS, Azure, GCP, other cloud providers, and on-premises. AWS Security Agent represents a new class of frontier agents: autonomous systems that work independently to achieve goals, scale to tackle concurrent tasks, and run persistently without constant human oversight. It deploys specialized AI agents to discover, validate, and report security vulnerabilities through sophisticated multi-step scenarios. Unlike traditional scanners that generate findings without validation, AWS Security Agent identifies potential vulnerabilities, then attempts to exploit them with targeted payloads and attack chains to confirm they are legitimate security risks. Each finding includes CVSS risk scores, application-specific severity ratings, detailed reproduction steps, and remediation suggestions. The result: penetration testing that once took weeks now completes in hours, scales across your entire application portfolio, and helps you get started with remediation instead of leaving you with a report. New customers can explore AWS Security Agent with a 2-month free trial.
Build AI applications you can trust with Amazon Bedrock. For teams building with generative AI, the challenge isn’t just making AI work, it’s making AI work safely. Amazon Bedrock provides the security and safety controls you need to deploy AI responsibly. Its Automated Reasoning capability is the first and only AI safeguard to use formal logic to help prevent factual errors from hallucinations, providing verifiable explanations with 99% accuracy, a capability we’ve refined over more than a decade of applying formal methods across AWS storage, identity, and networking. Amazon Bedrock also provides customizable guardrails that block harmful content and enforce your content policies, along with comprehensive observability to track AI behavior and detect anomalies across your workloads.
The threat landscape isn’t waiting
The threat landscape isn’t waiting for us to catch up. Nation-state actors, ransomware operators, and supply chain attackers are already using AI to scale their operations. Our job is to stay ahead by building defenses first, deploying them at scale, and sharing what we learn so the entire community benefits.
That’s what we do every day at AWS. We build in security from the start, ensuring it works and scales before we ask customers to rely on it. We set standards rather than follow them. And we look around corners to address tomorrow’s challenges today.
As AI capabilities continue to evolve, this approach won’t change. We’ll keep building defenses first, refining them at scale, and working with partners like Anthropic to ensure the next generation of AI security tools meets the real-world needs of enterprises defending at this scale.
For more than 40 years, Microsoft has supported and scaled Canadian innovation. Now, with more than 5,300 employees and 11 offices across Canada, Microsoft Canada’s technology ecosystem is a trusted partner and key driver of economic opportunity across the country, with $60 billion contributed to Canada’s GDP each year through our cloud customers and partner network and more than 426,000 jobs supported—over 2% of Canada’s workforce.
As we look ahead, we are proud to be building the critical infrastructure Canada needs to power its digital future.
In December 2025, Microsoft announced the largest investment in our history in Canada, a $19 billion commitment between 2023 and 2027 to expand cloud and AI infrastructure, strengthen digital sovereignty, advance cybersecurity, and support skills and jobs for Canadians.
Today, as we move from investment to implementation, we want to share how we are putting those commitments into practice through a Community-First approach to AI infrastructure, one that is globally consistent in principle and delivered in ways that reflect Canada’s communities, institutions, and priorities.
CommunityFirst, Built for Canada
AI infrastructure brings enormous opportunity. But we know Canadians also have real questions about affordability, energy and water use, jobs, and the impact large-scale infrastructure has on local communities.
Those questions matter. Technological progress only works when communities see themselves in the benefits.
At Microsoft, we believe communities should share in the benefits of AI infrastructure, and they should not bear the costs. That belief is reflected in five Community–First principles that guide how we build and operate datacentres around the world—and how we partner locally in Canada:
Together, these principles shape how we build and operate our datacentres across Ontario and Québec and how we partner with governments, utilities, educators, community organizations, labour groups, and local nonprofits.
Below, we outline what each principle means in practice and the concrete steps we are taking to put these commitments into action here in Canada.
Paying our way on electricity
As Canada expands AI and cloud capacity, electricity systems are under pressure. Microsoft is committed to ensuring that our datacentres do not increase electricity prices for Canadians. In practical terms, this means that our infrastructure growth must be matched by responsible planning, full cost recovery, and investments that support long-term system reliability.
While electricity systems are provincially governed and solutions vary by region, our commitment is consistent across the country: AI infrastructure growth must support grid resilience and affordability for communities.
To deliver on this principle, Microsoft will:
Work closely with provinces, utilities, system operators, and regulators to plan new supply in advance
Design and operate highly energy-efficient datacentres
Support public policies that advance affordable, reliable, and sustainable power
Pay the full cost of the electricity we use, including the cost of new generation, transmission, and grid upgrades
Our commitment in action
In Ontario and Québec, we are working closely with provincial governments, utilities, system operators, and regulators to align datacentre growth with planned investments in generation and transmission.
We pay the full cost of the electricity we use. We also continue to design and operate next-generation datacentres that are significantly more energy efficient, reducing the amount of energy required for each unit of computing while scaling to meet growing demand.
To date, we have also paid for substations and fully dedicated the substations and land to provincial utilities. By paying our full share and planning ahead, we aim to support Canada’s economic growth without overstressing the electric grid or shifting costs onto households or small businesses.
Managing water responsibly
Canada’s cooler climate is a real advantage when it comes to water stewardship. In Ontario and Québec, our datacentres are designed with a reduction-first approach, relying primarily on outside air and using water for cooling less than 5% of the year. When water is used, it is cycled efficiently through the system multiple times and managed in compliance with local regulations. This results in relatively low projected water withdrawals that reflect both local conditions and responsible designs.
Microsoft’s approach to water in Canada prioritizes:
Minimizing potable water usethrough efficient design and advanced, industry-leading cooling technologies that maximize free air cooling, limiting the use of water
Transparency and early engagementwith provincial and local authorities on water decisions
Where communities identify opportunities to strengthen local water systems, we believe infrastructure investment should contribute to broader watershed health, not compete with it.
Our commitment in action
To bring this principle to life, Microsoft is taking locally grounded steps to strengthen water systems in the Canadian communities where we operate.
In Ontario and Québec, we will partner on region–specific water projects that improve infrastructure resilience, restore watersheds, and support long-term stewardship. These projects, developed with local governments, conservation partners, and research institutions, include:
Rainwater harvesting: We design our facilities to make use of what is already available. We’ve implemented rainwater harvesting that further offsets freshwater demand. Our on‑site systems are projected to capture approximately 1.5 million litres of rainwater per year for use in datacentre operations.
LEED Goldcertificationis incorporated into Canadian datacentre designs. All Canadian datacentres will be monitored throughout the construction lifecycle and will undergo the certification process as they near completion.
Wetland and watershed restoration initiatives that improve water quality and reduce flood risk, including supporting Ducks Unlimited Canada to plant hundreds of trees and shrubs in the Lorette River Watershed.
Projects that strengthen monitoring, conservation, and long-term ecosystemhealth, including a donation toward the preservation of 325 acres of wetland in the Niagara Escarpment.
Together, these efforts reflect a reduction first approach: minimizing reliance on potable water in our datacentres while investing in the resilience of shared water systems communities depend on every day.
Creating jobs and economic opportunity
In Canada, Microsoft’s datacentre construction is delivered through unionized skilled trades labour, supportinghigh quality jobs, strong safety standards, and apprenticeship pathways.Beyond construction, our focus is on building durable pathways into long–term careers connected to AI infrastructure and the digital economy.Through partnerships with educators, workforce organizations, and labour groups, Microsoft is working to ensure that Canadians can access the jobs created by this investment.
Our commitment in action
We are advancing this principle through several concrete steps:
Increasing transparency:We will publish clearer information on the jobs created and local suppliers engaged at our Canadian datacentre sites. This will include aggregated national figures, with local detail available where appropriate, providing communities, governments, and stakeholders with a clearer picture of how AI infrastructure investment supports local economies. Microsoft’s datacentre builds in Canada employ approximately2,000individuals across sites during construction. Additionally, more than 400 Canadian businesses are involved during the construction phase. Once built and operational, Microsoft’s Canadian datacentres will employ approximately 250 FTEs, and approximately400contractorsto maintain and operate its sites.
Deepening labour partnerships:We will continue to work with Canadian trade unions and workforce organizations, leveraging existing North American relationships and Canadian labour expertise to support safe, skilled, and inclusive job creation.
Contributing to local communities
Datacentres are long–term investments. They contribute directly to municipal tax bases, helping fund essential public services, without asking for special tax treatment.
The arrival of a corporate citizen like Microsoft is a real benefit to our community in L’Ancienne-Lorette, particularly through significant contribution to municipal tax revenues. It also points to a positive impact on community engagement, with discussions already underway.”
- Gaétan Pageau, Mayor, City of L’Ancienne-Lorette
Strong communities are essential to sustainable growth. That is why Microsoft invests not only in infrastructure, but also in the social and economic foundations that support it.
Our commitment in action
Across Ontario and Québec, we are continuing to expand partnerships that support:
Workforce training and economic inclusion, including digital skilling for underrepresented groups through NPower Canada
Donations to support environmental conservation, restoration, and climate resilience projects with Ducks Unlimited Canada
Digital access and community led innovation, including support for local community projects through the Microsoft community funds
These investments help ensure that AI infrastructure contributes to the vitality of the communities where it is built.
Investing in skills and what comes next
Infrastructure alone is not enough. The real opportunity comes when its benefits are widely shared. It is the foundation upon which others build: startups launching new ideas, researchers advancing discovery, educators preparing the next generation, and governments and communities solving real challenges.
To fully realize the promise of AI, Canadians must have access to the skills, tools, and opportunities to participate in, and shape the AI economy. That means ensuring AI doesn’t remain concentrated in a few places or organizations, but instead diffuses across our economy and communities, empowering people in every sector to innovate, build, and lead.
Our commitment in action
Microsoft is announcing several new Canada specific actions to expand access to AI and digital skills:
Launching national AI skilling initiatives:Through Microsoft Elevate, we are launching a new National AI Skilling Grant with Digital Moment to expand AI Education Training, delivering free, bilingual AI workshops and classroom ready resources to 20,000 educators and students across the country.
Advancing Indigenous AI fluency: Microsoft Elevate is partnering with Ampere and the Pinnguaq Foundation to further support Indigenous AI Fluency and Workforce Readiness Hubs – a national network of 13 makerspaces supporting AI learning, data privacy, and workforce readiness for youth and communities, including integration supporting teachers and students in Nunavut’s K–12 and post-secondary education system.
Empowering the nonprofit sector: In Canada, we are launching Microsoft Elevate for Changemakers and AI for Nonprofits credential through a community-led approach in partnership with Canadian Centre for Nonprofit Digital Resilience (CCNDR) and Digital Moment. CCNDR anchors the work in nonprofit trust, sector insight, and national reach, while Digital Moment will lead with high quality training and delivery in both official languages. Together, this new credential will equip 5,000 nonprofit professionals and leaders across Canada with practical, responsible AI skills they can apply immediately in their work.
Building the future, together
AI infrastructure is most powerful when it is built with trust, transparency, and partnership. That is why our approach starts and ends with communities. We are committed to building AI infrastructure in Canada in a way that earns trust, supports local priorities, and strengthens long–term prosperity. As this work continues, we will keep listening, learning, and engaging, because building the future of AI means building it with communities, not just in them.
Unit 42 research on multi-agent AI systems on Amazon Bedrock reveals new attack surfaces and prompt injection risks. Learn how to secure your AI applications.
For teams that have outgrown their MDR, the answer isn’t a better MDR. It’s a different operating model.
MDR works. For a lot of teams, it’s the right solution at the right time. It brings experienced analysts, established processes, and investigation capacity that most organizations can’t build internally overnight.
But as environments grow and alert volumes climb, many teams start to feel the limits of the model itself. Investigation quality depends on analyst availability and shift coverage. Low and medium severity alerts get deprioritized because the queue demands it. And the security team watching from the other side can’t always tell whether the backlog is safe to ignore or hiding something real.
That’s not a failure of MDR. It’s a ceiling built into any operating model that scales investigation through human labor.
Today, we’re announcing expanded capabilities in the Intezer AI SOC platform, powered by ForensicAI™. Built for teams who’ve reached that ceiling and are ready for what comes next.
The risk in the backlog
Across enterprise SOC environments, roughly 60% of alerts go unreviewed. Not because teams aren’t working hard. Because there are only so many hours in a day, and the alert stream doesn’t stop.
“Many organizations handle millions of security events per year. There’s no possible way you can go through 100% of your alerts and resolve them completely, unless you rely on an AI platform.” — Cecil Pineda, 4x CISO, Healthcare Industry
Our analysis of more than 25 million alerts found that nearly 1% of real threats originate from low-severity signals, alerts that most teams deprioritize or skip entirely. For a large enterprise, that’s an average of 54 true threat alerts per year. More than one per week. Hiding in the noise tier that nobody gets to.
There’s also a second gap that rarely gets discussed. Because investigation and detection engineering are siloed within most MDRs, real investigation outcomes almost never feed back into SIEM and EDR rule tuning. Noisy detections stay noisy. Coverage gaps stay gaps. The system doesn’t learn from its own work.
What’s new in the Intezer AI SOC
The Intezer AI SOC platform was built on a simple premise. If you can’t investigate every alert, you can’t meaningfully reduce risk. Intezer AI SOC handles the investigative execution (triage, correlation, forensic-depth analysis) across 100% of alerts, regardless of severity. Humans supervise outcomes and engage at the decision point.
With this expansion, we’re adding three capabilities that close the remaining gaps between autonomous AI SOC operations and the full-service coverage teams expect.
AI-driven detection engineering
Investigation outcomes now feed directly into a closed-loop detection engineering process. SIEM and EDR rules are tuned or created, at the source, based on real verdict data, threat intelligence, and observed attacker behavior. Broken detections, noisy rules, and coverage gaps are identified and addressed continuously. This is the connection that siloed MDR roles have historically missed. Triage informs detection, better detection shortens the triage process, and the system gets smarter over time.
On-demand security experts
When the AI surfaces a high-confidence incident and you want a second set of eyes, or you’re mid-response and need expert judgment, Intezer’s security researchers and analysts are available directly through the platform. You can request expert analysis of artifacts, alerts, and logs, get guidance during an active incident, or validate suspicious activity the AI flagged. A dedicated expert is always on call for urgent requests, with Customer Success tracking every engagement through to resolution.
Continuous feedback and model tuning
Every time your team reviews a verdict, marks a false positive, or flags a result that doesn’t fit, that signal improves the system. Intezer’s experts review edge cases, adjust tuning rules, and add custom AI instructions calibrated to your environment and risk profile. Tuning also happens proactively through continuous platform monitoring and improvements, with no periodic review project required.
“Security operations have reached a structural limit. Human teams, whether internal or outsourced to MDR providers, cannot realistically investigate the volume of alerts enterprises now face. Our analysis of more than 25 million alerts makes the risk clear: Real threats are often buried in the low-severity signals that never get investigated. AI SOC changes the model by making full forensic investigation possible across every alert, continuously improving detection based on real outcomes, and allowing human experts to focus on the incidents that truly require judgment and response.” — Itai Tevet, CEO and Co-Founder, Intezer
Together, these capabilities shift security teams away from manual alert processing and toward supervising outcomes. Organizations that have outgrown their MDR can now investigate 100% of alerts at forensic depth, trust the evidence behind every verdict, close the loop between investigation outcomes and detection quality, and bring in expert analysts when it matters most.
The result is stronger security outcomes, broader alert coverage, and the ability to operate at enterprise scale without the constraints of a human-scaled model.
AI executes. Humans supervise.
RSA Conference is where the security industry sets its direction. This year, AI in the SOC is the conversation happening on every floor of Moscone. But there’s a meaningful difference between AI that helps analysts work faster and AI that takes on the investigative function entirely.
This announcement draws that line with data. 25 million alerts analyzed, 60% going unreviewed in enterprise environments, real threats hiding in the low-severity tier at a rate of more than one per week. These aren’t hypotheticals. They’re findings from production environments at scale where Intezer is not simply delivering better analyst productivity, but rather measurable improvements in enterprise security.
For teams that have been thinking about what comes after MDR, this is the moment to see it working.
As we welcome more than 1,500 nonprofit leaders from around the world to Microsoft’s Global Nonprofit Leaders Summit, we are reminded of the extraordinary work nonprofit organizations do every day to strengthen communities and expand opportunity. Today’s gathering comes at a pivotal moment, as nonprofits confront a new set of questions: How can AI help them serve their communities more effectively? And how do they build the skills and capacity to lead this change from within?
Major technological transitions rarely unfold evenly. As AI diffuses across economies and sectors, it creates new opportunities, but it also introduces significant disruption for workers, families, and communities. Nonprofits are uniquely positioned to drive meaningful change in today’s world. They are the organizations people turn to first to support people as they develop new skills, find new pathways to employment, and stay connected to the systems that sustain them.
To help them maximize their impact with greater scale and efficiency, today we are announcing Microsoft Elevate for Changemakers, a new initiative that provides nonprofit leaders with essential AI credentials, access to a strong peer community, and role-based capacity-building resources. This program is designed to empower those at the forefront of social challenges to confidently lead AI adoption in ways that reflect their missions and the communities they serve.
This new program is part of our broader Microsoft Elevate commitment to ensure people can thrive in the AI economy and reflects Microsoft’s 50-year legacy of supporting nonprofits. As an organization, we are proud to partner with nearly one million nonprofits and education systems globally, and in the next year alone we will deliver more than $5 billion in discounts, donations, and grants to help nonprofit organizations address community needs.
Backed by Microsoft’s pledge to ensure everyone has opportunity in the AI era, Microsoft Elevate for Changemakers helps ensure that those working closest to community challenges remain at the leading edge of AI-powered solutions.
The new Microsoft Elevate for Changemakers program includes:
AI for Nonprofits credential: The AI for Nonprofits credential is a professional certificate, developed with LinkedIn and NetHope, that gives participants a clear, structured learning path built around the real work happening across the nonprofit sector. Earners receive a LinkedIn professional certificate, providing formal recognition of their growing expertise and their commitment to responsible AI use in their organizations.
Live and on-demand AI training to build capacity: Practical skills training built around real nonprofit work, not generic AI content repackaged for the sector. From Copilot fundamentals to change management to responsible AI governance, every module is designed to simplify workflows for nonprofits and help them do more with ease.
A Changemaker Fellowship, a global program for nonprofit professionals at organizations with actionable AI projects ready to advance their missions. This fellowship provides the essential resources, investment, and expert guidance needed to turn AI ambition into lasting impact. Fellows will join a worldwide cohort, create and implement responsible AI adoption plans, develop critical technical and change management skills, and connect with a trusted network of nonprofit AI leaders—all with support from Microsoft and launch partners, including EY and Caribou. The Changemaker Fellowship is now open to nonprofits of all backgrounds.
Transforming possibilities by empowering nonprofits
At its best, AI should expand human agency rather than replace it. The real opportunity is to give people more capacity to solve problems, build new ideas, and strengthen the communities around them.
Across the nonprofit sector, this is already taking shape in practical ways:
Enriching staff time. Much of a typical nonprofit employee week does not directly contribute to the mission work. In fact, research finds that nearly half of nonprofit organizations still use manual data entry and spreadsheets for compliance documentation, meeting summaries, case notes, and other operations. AI reduces that burden in ways that are already real and measurable, giving people more of their week back for the work they came to do. ARCare, a healthcare provider in underserved communities across Arkansas, Kentucky, and Mississippi, is already seeing the benefits of its use of AI technology. With AI handling administrative tasks, staff spend less time on data collection and more time on patient care, and they estimate they have eliminated 6–8 hours a day of manual tasks.
Delivering more impactful programs. AI gives nonprofits the ability to scale what works without losing what makes it work. Opportunity International is using AI to scale impact through a local language chatbot to provide farmers with instant agricultural guidance, overcoming literacy barriers and dramatically expanding reach. By making critical knowledge accessible, AI frees frontline teams to focus on relationships, mentoring, and the long-term change that traditional programs alone can’t achieve.
Engaging supporters and funders more effectively. Raising funds, obtaining grants, and building donor relationships are often the most important strategic priorities—and challenges—for nonprofits that are facing growing demand for services at a time of economic uncertainty. AI doesn’t replace donor relationships. It gives the people managing those relationships more time and capacity to focus on what builds them. Head Start Homes found that as AI increased their organizational bandwidth, they could scale programs and attract new funding.
Transforming operations. AI gives nonprofits the ability to innovate and optimize how they work, bringing greater security, sharper data, and more informed decision-making to every part of the organization. The result is less time spent managing complexity and more capacity directed toward results. The social housing organization, de Alliantie, is a good example. Using AI has allowed de Alliantie to boost efficiency while keeping a human-centered approach to housing support at the center of everything they do. With more than 3,000 calls coming in each week for housing support, using an AI chatbot allowed call center staff to help more people, because the goal was never efficiency for its own sake. It was to make sure the human benefit always comes first.
These real stories of AI empowering mission-driven organizations are made possible by dedicated individuals within nonprofits who are stepping forward to lead transformative change, often without formal recognition or an official mandate. It is their willingness to embrace new technology, learn new skills, and champion responsible AI adoption that is propelling the sector forward.
The work ahead
The millions of global changemakers, volunteers, and leaders across the nonprofit sector are redefining what is possible, ensuring that AI serves as a tool to amplify human capacity and purpose, rather than replace it. Their commitment and leadership are the driving force behind a future where nonprofits harness AI to deliver greater impact, deepen relationships, and strengthen communities.
The path forward will be shaped by the strength and leadership of the nonprofit sector. Every day, these organizations demonstrate what it means to stay close to communities, respond in moments of change, and help people navigate uncertainty with trust and consistency.
That is what makes this moment different. As AI becomes more widely adopted, the organizations best positioned to ensure its benefits are broadly shared are the ones already doing this work.
At Microsoft, we are building on a tradition of support for this sector that began five decades ago with our founder and continues today. Ours is a long-term commitment. Not just as a technology partner, but as part of a broader effort to help ensure the benefits of AI reach the communities nonprofits serve. We will continue investing in the capacity, tools, and partnerships that support this work and look forward to building what comes next together.
Kaspersky Security Services provide a comprehensive cybersecurity ecosystem, taking enterprise threat protection to another level. Services like Kaspersky Managed Detection and Response and Compromise Assessment allow for timely detection of threats and cyberattacks. SOC Consulting provides a practical approach ensuring the corporate infrastructure stays secured, while Incident Response is suited for timely remediation with a maximized recovery rate.
High-level overview of the MDR, IR and CA connection
This new report brings together statistics across regions and industries from our Managed Detection and Response and Incident Response services, and for the first time, it also includes insights from our Compromise Assessment and SOC Consulting services — all to provide you with more comprehensive view of different aspects of corporate information security worldwide.
The scope of MDR and IR services
Provision of Kaspersky’s MDR and IR services follows a global approach. The majority of customers accounted for the CIS (34.7%), the Middle East (20.1%), and Europe (18.6%).
Distribution of customers by geographical region, 2025
MDR telemetry
Following the previous year’s numbers, in 2025, the MDR infrastructure received and processed an average of 15,000 telemetry events per host every day, generating security alerts as a result. These alerts are first processed by AI-powered detection logic, after which Kaspersky SOC analysts handle them as required. Overall, a total of approximately 400,000 alerts were generated in 2025. After counting out false positives, 39,000 alerts were further investigated.
MDR telemetry statistics, 2025
Incident statistics
The distribution of remediation requests by industry has slightly changed as compared to previous years’ pattern. Government (18.5%) and industrial (16.6%) organizations are still the most targeted industries in regards to cyberattacks that require incident response activities. However, this year, the IT sector saw a growth in the number of IR requests, eventually being placed third in the overall industry distribution rankings and thus replacing financial organizations, which were targeted less often than in 2024. This is equally true for smaller-scale attacks that can be contained and remediated through automated means — the only difference is that medium- and low-severity incidents are more often experienced by financial organizations.
Distribution of all incidents by industry sector, 2025
Key trends and statistics
This section presents key findings and trends in cyberattacks in 2025:
The number of high-severity incidents decreased, following a downward trend that we’ve been observing since 2021. The majority of those incidents account for APT attacks and red teaming exercises, which indicates two landscape trends. On the one hand, skilled adversaries make efforts to increase impact, while on the other, organizations spend more resources on probing their defense systems.
The most common vulnerabilities exploited in the wild were related to Microsoft products. Half of all identified CVEs led to remote code execution, notably without authentication in some cases.
Exploitation of public-facing applications, valid accounts, and trusted relationships remain the most popular initial vectors, and their overall share has increased, accounting to over 80% of all attacks in 2025. In particular, attacks through trusted relationships are evolving: their share has increased to 15.5% from 12.8% in 2024. They are also becoming more complex: for instance, we witnessed a case where adversaries had compromised more than two organizations in sequence to ultimately gain access to a third target.
Standard Windows utilities remain a popular LotL tool. Adversaries use those to minimize the risk of detection during delivery to a compromised system. The most popular LOLBins we observed in high-severity incidents were powershell.exe (14.4%), rundll32.exe (5.9%), and mshta.exe (3.8%). Among the most popular legitimate tools used in incidents we flag Mimikatz (14.3%), PowerShell (8.1%), PsExec (7.5%), and AnyDesk (7.5%).
The full 2026 Global Report provides additional information about cyberattacks, including real-world cases discovered by Kaspersky experts. We also describe SOC Consulting projects and Compromise Assessment requests. The report includes comprehensive analysis of initial attack vectors in correlation with the MITRE ATT&CK tactics and techniques and the full list of vulnerabilities that we detected during Incident Response engagements.
Security operations is undergoing a fundamental shift.
As alert volumes continue to rise and environments grow more complex, enterprises are moving away from security models built on manual triage, fragmented automation, and are looking to decrease their reliance on outsourced MDR services. More enterprises are adopting AI SOC as the new model for running security operations, one that can triage and investigate all alerts at machine scale while keeping internal teams focused on judgment and response.
That shift was reflected clearly in Intezer’s momentum over the past year.
In 2025, Intezer processed more than 25 million security alerts across live enterprise SOC environments, as adoption expanded across large and complex organizations looking for a more scalable way to run security operations.
A year of strong growth
Over the past year, Intezer achieved several major company milestones:
Multiplied revenue year over year
Achieved 126% net revenue retention
Expanded adoption across Fortune 500 organizations
Scaled the team across key functions to support a growing enterprise customer base
These milestones reflect more than company growth. They reflect a broader market transition toward AI SOC as enterprises look for ways to investigate every alert, reduce hidden risk, and operate beyond the limits of human investigation capacity.
Growing industry recognition
Intezer’s momentum is also being recognized by media, industry analysts and practitioners. Here is a sampling of recent coverage.
Well known industry analyst Richard Stiennon recently included Intezer in the 2026 Cyber 150, an independently compiled list based on IT-Harvest data, and has also included Intezer in his new book, Guardians of the Machine Age.
At the same time, practitioners are taking notice. In his write-up on Intezer’s 2026 AI SOC Report, Darwin Salazar highlighted the report’s forensic depth, auditability, and practical value in a crowded AI SOC market.
Why this momentum matters
Traditional SOC and MDR models are constrained by human investigation bandwidth. As alert volumes increase, teams are forced to prioritize only a subset of alerts, often based on severity labels before full context is available. That leaves real risk hiding in uninvestigated alerts.
Enterprises are increasingly adopting AI SOC to remove that bottleneck.
Intezer investigates 100% of alerts at forensic depth across endpoint, identity, cloud, network, phishing, and SIEM sources, escalating only the incidents (less than 2%) that require human judgment. This allows security teams to stay in control while scaling operations far beyond what manual investigation models can support.
What the numbers show
The business results from the past year point to strong validation in the market.
Doubling revenue year over year signals accelerating demand.
126% net revenue retention reflects strong customer expansion and continued platform adoption.
Growth across Fortune 500 organizations shows that large enterprises are increasingly embracing this operating model.
And continued team expansion across key functions ensures Intezer can support customers as adoption grows.
Looking ahead
The market is moving toward a new SOC operating model, one where AI executes investigations at scale and human teams focus on decisions, response, and strategy.
Intezer’s momentum over the past year reflects that shift clearly. As more enterprises look to eliminate investigation bottlenecks and reduce cyber risk, AI SOC is moving from emerging category to operational reality.