Shane

SentinelOne Annual Threat Report: 8 Attack Strategies Targeting Your Houston Business Right Now

Understanding the Priority Gap Between Patching and Operations – What the SentinelOne Annual Report Means for Houston Businesses


A breakdown of how adversaries are exploiting identity, infrastructure, and automation to bypass defenses at industrial scale in 2025.

TL;DR
The SentinelOne Annual Threat Report reveals attackers are weaponizing stolen identities, trusted admin tools, legacy edge devices, and AI-powered automation to bypass traditional defenses. Houston businesses need behavioral monitoring, strict patch management, and identity-first security to stay ahead.

The SentinelOne Annual Threat Report for 2025 dropped a reality check that every Houston business owner should read. The core finding? Attackers aren't inventing new techniques - they're industrializing the ones that already work. Stolen credentials, hijacked admin tools, unpatched edge devices, and AI-driven automation are being combined at a speed and scale that most small and mid-sized businesses simply aren't prepared to handle.

What makes this report different from the usual annual roundups is its focus on the mechanics of how attacks succeed, not just what happened. Across eight chapters, SentinelOne's researchers document the specific gaps between security tools and operational reality that adversaries exploit every day. For businesses across Houston, Katy, and Sugar Land, these patterns are directly relevant - because attackers don't discriminate by company size.

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.

Key context: This report covers threat activity observed throughout 2025. SentinelOne tracked over 1,000 job applications linked to North Korean state-sponsored operations, documented multiple zero-day exploitation campaigns targeting Cisco and Fortinet devices, and observed ransomware groups completing full data exfiltration in as little as 19 minutes. These aren't theoretical risks - they're active campaigns affecting businesses in every industry.

The 8 Strategic Attack Phases

  • 01 🔑 Access - The Identity Paradox: Stolen sessions and MFA bypass let attackers impersonate legitimate employees without triggering alerts.
  • 02 🔧 Persistence - The Trusted Tool Trap: Hijacked admin tools and disguised scheduled tasks maintain access indistinguishable from routine IT work.
  • 03 🌐 Infrastructure - Edge Decay: Unmanaged legacy edge devices become persistent beachheads outside endpoint visibility.
  • 04 ⚙️ Production - Living Off the Pipeline: Malicious logic injected into CI/CD pipelines and build systems before code reaches production.
  • 05 📤 Exfiltration - The Context Gap: Data stolen through authorized machine identities and trusted application paths at high velocity.
  • 06 ⚠️ Maintenance - The Priority Gap: Known vulnerabilities in "untouchable" systems remain exploited because patching is delayed or skipped.
  • 07 🔌 Connectivity - The API Shadow: Unmonitored machine-to-machine interfaces and APIs become high-velocity entry points for data theft.
  • 08 🤖 Scale - The Machine Multiplier: AI-assisted automation and polymorphic tooling compress attack timelines beyond human response speed.
🔑 The Identity Paradox - When Valid Credentials Become the Weapon
Identity remains the primary vector for high-impact intrusions, yet most defenses still focus on the login event rather than what happens after.

Here's the uncomfortable truth SentinelOne lays out: we have more telemetry about user access than at any point in history, yet identity-based attacks keep getting worse. The report calls this the "Identity Paradox" - an attacker using valid credentials doesn't look like an intruder. They look like a productive employee.

The mechanics have evolved well past simple password theft. Infostealers like Katz Stealer and PXA Stealer now harvest browser session cookies and authentication tokens, not just passwords. When an attacker replays a valid session token, they inherit the user's identity without ever triggering MFA prompts or "impossible travel" alerts.

The report documents several attack patterns hitting businesses right now:

  • Adversary-in-the-Middle (AitM) phishing - reverse proxy sites that relay traffic between victims and legitimate services, silently capturing session cookies after successful login
  • MFA enrollment hijacking - after compromising an admin account, attackers disable MFA requirements for entire organizational groups, creating a structural blind spot that persists until caught by manual audit
  • North Korean IT worker infiltration - SentinelOne tracked over 1,000 job applications and roughly 360 fake personas linked to DPRK operations attempting to secure remote employment at Western tech companies
  • OAuth relationship abuse - attackers targeting the connections between SaaS applications to harvest cloud credentials through trusted application paths

In 30 years working in IT, the identity problem is the one that keeps me up at night. A firewall can't stop an attacker who already has the keys. For Houston law firms, CPA practices, and wealth management firms handling sensitive client data, this shift demands a move from protecting the login event to monitoring what happens after authentication.

The Identity Attack Chain

  1. 🎣 Infostealer harvests session cookie - extracts browser session cookies and auth tokens, not just passwords.
  2. 🔄 Attacker replays valid token - the system sees an authenticated session; no MFA prompt required.
  3. 👤 Appears as a legitimate employee - all telemetry shows a valid session; "impossible travel" alerts never fire.
  4. 📱 Registers a new device - adds their own authenticator app, a persistent backdoor beyond session expiration.
  5. 🔓 Disables MFA for org groups - modifies auth policies for entire groups, a blind spot until manual audit.
  6. 🔗 Hijacks OAuth relationships - harvests cloud credentials through trusted SaaS application paths.
  7. 👑 Persistent structural access achieved - controls identity policy itself; access persists even if passwords are reset or sessions revoked.
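The monitoring shift the report argues for (watch what a session does after authentication, not just how it logged in) can be reduced to a few rules over the audit events an identity provider already emits. The Python below is an added illustration, not code from the SentinelOne report or from CinchOps; the event schema, the field names and the sample events are constructed, and the three rules (a session changing network and browser mid-life, a control-plane change such as MFA enrollment or policy edits without a fresh MFA challenge, and activity on a session that never signed in) are assumptions about what a reasonable first detection would look like.

```python
"""Post-authentication session monitoring over identity-provider audit events.

Added example, not from the report or from CinchOps. The event schema and the
sample events below are constructed for illustration.
"""

# Events that change the identity control plane itself. Each should require a
# fresh MFA challenge in the same session, regardless of how the session began.
SENSITIVE_EVENTS = {
    "mfa_device_registered",   # chain step 4: attacker adds their own authenticator
    "auth_policy_changed",     # chain step 5: MFA disabled for a group
    "oauth_consent_granted",   # chain step 6: new SaaS-to-SaaS trust relationship
}

# Constructed sample events (timestamps in seconds, IPs from documentation ranges).
SAMPLE_EVENTS = [
    {"ts": 100, "user": "jdoe", "session": "S1", "ip": "203.0.113.10",
     "asn": "AS-HOUSTON-ISP", "ua": "Edge/120 (Windows)", "event": "signin", "mfa": True},
    {"ts": 160, "user": "jdoe", "session": "S1", "ip": "203.0.113.10",
     "asn": "AS-HOUSTON-ISP", "ua": "Edge/120 (Windows)", "event": "resource_access", "mfa": False},
    # The same session cookie is presented from a hosting network with a different
    # browser: no sign-in event, so no MFA prompt and no "impossible travel" check.
    {"ts": 900, "user": "jdoe", "session": "S1", "ip": "198.51.100.7",
     "asn": "AS-VPS-HOSTING", "ua": "Chrome/118 (Linux)", "event": "resource_access", "mfa": False},
    {"ts": 950, "user": "jdoe", "session": "S1", "ip": "198.51.100.7",
     "asn": "AS-VPS-HOSTING", "ua": "Chrome/118 (Linux)", "event": "mfa_device_registered", "mfa": False},
    {"ts": 980, "user": "jdoe", "session": "S1", "ip": "198.51.100.7",
     "asn": "AS-VPS-HOSTING", "ua": "Chrome/118 (Linux)", "event": "auth_policy_changed", "mfa": False},
    # A normal user whose whole session stays on the network and browser it started on.
    {"ts": 200, "user": "asmith", "session": "S2", "ip": "192.0.2.5",
     "asn": "AS-HOUSTON-ISP", "ua": "Edge/120 (Windows)", "event": "signin", "mfa": True},
    {"ts": 300, "user": "asmith", "session": "S2", "ip": "192.0.2.5",
     "asn": "AS-HOUSTON-ISP", "ua": "Edge/120 (Windows)", "event": "resource_access", "mfa": False},
]


def detect_session_anomalies(events):
    """Return alerts as (rule, user, session, ts) tuples in time order.

    Rules:
      session_context_changed            - a session is used from a different network
                                           (ASN) or browser than the sign-in that created it
      sensitive_change_without_fresh_mfa - an identity control-plane change happened
                                           with no MFA challenge recorded on that event
      session_without_signin             - activity on a session this log never saw authenticate
    """
    alerts = []
    origin = {}            # session id -> (asn, ua) captured at the authenticating sign-in
    already_flagged = set()  # one context alert per session, not one per request
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "signin":
            origin[sid] = (ev["asn"], ev["ua"])
            continue
        if sid not in origin:
            alerts.append(("session_without_signin", ev["user"], sid, ev["ts"]))
            continue
        # Compare ASN and user agent rather than the raw IP, so a laptop moving
        # between addresses inside one provider does not fire on every hop.
        if (ev["asn"], ev["ua"]) != origin[sid] and sid not in already_flagged:
            already_flagged.add(sid)
            alerts.append(("session_context_changed", ev["user"], sid, ev["ts"]))
        if ev["event"] in SENSITIVE_EVENTS and not ev["mfa"]:
            alerts.append(("sensitive_change_without_fresh_mfa", ev["user"], sid, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the replayed session produces one context-change alert at the first request from the new network and one alert for each control-plane change made without a fresh MFA challenge, while the ordinary user produces nothing. The point is that none of these rules look at the login event at all; they only work if post-authentication activity is logged and correlated by session id.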
🔧 The Trusted Tool Trap - Your Admin Software Is the Attack Vector
Attackers are hijacking the same remote management and automation tools your IT team relies on every day.

This chapter of the report should be required reading for every business that uses remote management tools - which is basically everyone with a managed IT environment. SentinelOne documents how threat actors are co-opting Remote Monitoring and Management (RMM) software and PowerShell to blend into routine IT operations.

The attack pattern typically starts with social engineering. Multiple campaigns combined voice phishing (vishing) with email bombardment to create urgency, then impersonated IT support to convince employees to install tools like Microsoft Quick Assist or TeamViewer. The Chaos ransomware group used Microsoft Teams messages to lure users into installing Quick Assist. BlackBasta tricked users into downloading malicious virtual machines through RMM channels.

Once a foothold is established, these tools provide persistent remote control without triggering malware alerts. The most commonly abused tools include ScreenConnect, AnyDesk, RustDesk, and Splashtop. They're installed as Windows services running with SYSTEM privileges and restart automatically after reboots.

The real danger is how attackers disguise persistence. Malicious scheduled tasks named "OneDrive Reporting Task" or "MicrosoftEdgeUpdater" appear completely normal to a busy IT administrator. These tasks run every 3 to 5 minutes, keeping malicious payloads active even if the initial process is killed. Registry "Run" keys modified with names like "ChromeUpdater" launch backdoors on every user login.

PowerShell abuse remains widespread. Groups like Fog, Interlock, and VolkLocker use PowerShell commands to disable Windows Defender real-time monitoring. The ThunderShell campaign ran PowerShell scripts through a renamed Python interpreter to avoid detection entirely.
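The persistence tricks described above (vendor-sounding task and Run-key names pointing at binaries in user-writable folders, tasks firing every few minutes as SYSTEM, RMM services nobody approved) are all auditable from three inventories a Windows host already exposes. The following Python is an added example, not code from the SentinelOne report or from CinchOps; the record layouts, the sample entries, the list of "trusted" install roots and the 5-minute interval threshold are constructed assumptions, and in practice the input would come from the scheduled task list, the Run keys and the service list of each host.

```python
"""Audit scheduled tasks, Run keys and services for look-alike persistence and
unauthorized RMM tools.

Added example, not from the report or from CinchOps. Record layouts, sample
entries and thresholds are constructed for illustration.
"""
import re

# Names attackers borrow because they look like routine vendor housekeeping.
VENDOR_WORDS = re.compile(r"onedrive|microsoft|edge|chrome|google|windows|update", re.I)

# RMM products named in the report; an allow-list decides which are sanctioned here.
KNOWN_RMM = ("screenconnect", "anydesk", "rustdesk", "splashtop", "teamviewer", "quick assist")

# Constructed sample inventories.
SAMPLE_TASKS = [
    {"name": "OneDrive Reporting Task", "action": "C:\\Users\\Public\\Libraries\\svc.exe -k",
     "interval_min": 3, "run_as": "SYSTEM"},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /c",
     "interval_min": 60, "run_as": "SYSTEM"},
    {"name": "MicrosoftEdgeUpdater", "action": "C:\\ProgramData\\edge\\update.exe",
     "interval_min": 5, "run_as": "SYSTEM"},
    {"name": "NightlyBackup", "action": "C:\\Program Files\\Backup\\backup.exe",
     "interval_min": 1440, "run_as": "SYSTEM"},
]
SAMPLE_RUN_KEYS = [
    {"name": "ChromeUpdater", "action": "\"C:\\Users\\jdoe\\AppData\\Roaming\\chrome\\upd.exe\""},
    {"name": "OneDrive", "action": "\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]
SAMPLE_SERVICES = [
    {"name": "ScreenConnect Client (a1b2c3)", "start": "auto", "account": "LocalSystem"},
    {"name": "AnyDesk Service", "start": "auto", "account": "LocalSystem"},
    {"name": "RustDesk Service", "start": "auto", "account": "LocalSystem"},
    {"name": "Print Spooler", "start": "auto", "account": "LocalSystem"},
]


def exe_path(action):
    """Return the executable portion of a task/autorun command line (quotes and args stripped)."""
    m = re.match(r'\s*"?([^"]*?\.exe)', action, re.I)
    return m.group(1) if m else action.strip()


def is_trusted_path(path):
    """Assumption: genuine vendor binaries live under these roots; OneDrive is per-user."""
    p = path.lower()
    return (p.startswith(("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\"))
            or "\\appdata\\local\\microsoft\\onedrive\\" in p)


def audit_persistence(tasks, run_keys, services, rmm_allowlist):
    """Return findings as (source, name, reason) tuples."""
    findings = []
    for t in tasks:
        if VENDOR_WORDS.search(t["name"]) and not is_trusted_path(exe_path(t["action"])):
            findings.append(("task", t["name"], "vendor_name_untrusted_path"))
        # A SYSTEM task re-firing every few minutes is the "keep the payload alive" pattern.
        if t["interval_min"] <= 5 and t["run_as"].upper() == "SYSTEM":
            findings.append(("task", t["name"], "high_frequency_system_task"))
    for k in run_keys:
        if VENDOR_WORDS.search(k["name"]) and not is_trusted_path(exe_path(k["action"])):
            findings.append(("run_key", k["name"], "vendor_name_untrusted_path"))
    allowed = tuple(a.lower() for a in rmm_allowlist)
    for s in services:
        low = s["name"].lower()
        tool = next((r for r in KNOWN_RMM if r in low), None)
        if tool and tool not in allowed:
            findings.append(("service", s["name"], "unauthorized_rmm"))
    return findings


if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_TASKS, SAMPLE_RUN_KEYS, SAMPLE_SERVICES, ["ScreenConnect"]):
        print(f)
```

With ScreenConnect as the only sanctioned RMM tool, the sample yields seven findings: the two look-alike tasks are flagged both for their install path and their interval, the "ChromeUpdater" Run key for its path, and AnyDesk and RustDesk as unapproved services, while the genuine Edge update task, the per-user OneDrive autorun and the approved ScreenConnect client pass. The name check alone would have flagged the real Edge task, which is why it is paired with the path check.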

⚠️ Why This Matters for Your Business

If your IT environment uses remote management tools (and it should), you need strict controls on which RMM software is authorized, monitoring for unauthorized installations, and policies requiring out-of-band verification for any remote support request. CinchOps can help Houston businesses establish these controls through our cybersecurity services.

🌐 Edge Device Decay - The Perimeter Is Failing
Legacy VPN concentrators, firewalls, and load balancers have become the preferred entry point for advanced adversaries.

The perimeter isn't just weakening - it's actively being targeted as the primary attack surface. SentinelOne's research shows that advanced adversaries, particularly state-sponsored groups with ties to China, are prioritizing unmanaged and legacy edge devices that sit outside traditional endpoint security visibility.

The "ArcaneDoor" campaign targeted legacy Cisco Adaptive Security Appliance (ASA) 5500-X series devices throughout 2025. These specific devices were chosen because they lack modern security features like Secure Boot. By chaining zero-day vulnerabilities, attackers deployed firmware-level implants that survive reboots and system upgrades, alongside in-memory payloads that capture authentication traffic and suppress syslog messages.

The speed of exploitation is accelerating. AI-driven automation now allows threat actors to scan the entire global IP space and weaponize edge vulnerabilities within hours of a vulnerability being disclosed. Information disclosure vulnerabilities in Check Point devices were exploited just two days after public disclosure.

The report also documents how compromised edge devices are being converted into Operational Relay Box (ORB) networks - essentially turning your firewall into a relay for someone else's attack traffic, making attribution nearly impossible.

  • Compromised Palo Alto Firewall VPNs used as beachheads to deploy webshells on internal servers and create unauthorized backdoor accounts
  • ShadowPad malware campaign gained initial access to over 70 organizations by exploiting Check Point gateway vulnerabilities
  • Legacy Cisco Firepower and Fortinet VPNs frequently compromised via brute force because they lacked enforced MFA
  • Unmanaged Quest KACE appliances left unpatched for months because the device ran an operating system incompatible with the organization's endpoint detection agent

For construction companies, manufacturers, and oil and gas firms across the Houston metro that rely on VPN access for remote sites and field offices, this pattern demands immediate attention. That old firewall you've been meaning to replace? It may already be someone's backdoor.

📤 Data Exfiltration Through Trusted Applications
Attackers are stealing data through the same authorized tools and cloud services your business uses daily.

The shift from breaking in through open doors to abusing trusted relationships represents one of the most concerning trends in the report. SentinelOne describes this as the "Context Gap" - the space where an identity or application is technically authorized to access data, but the intent behind that access is malicious.

The "ShinyHunters" campaign provides a clear example. Attackers didn't need to break through a firewall because they subverted a connected OAuth application. By granting OAuth access to a legitimate tool like Data Loader in a Salesforce environment, adversaries inherited the authorized state of the tool and exfiltrated data directly. The security failure wasn't a lack of permission controls - it was a failure to distinguish a trusted application from one being used with bad intent.

The velocity of modern exfiltration is alarming. The report documents INC ransomware operations that completed high-density data theft in just 19 minutes. After gaining access through a compromised firewall appliance using a service account, attackers moved laterally to production file servers and backup infrastructure. They used a disguised version of the rclone utility renamed as "AcronisSync.exe" to move data to the Mega cloud platform using 90 concurrent streams.

SMB Takeaway: 19 Minutes From Initial Access to Complete Data Theft

Attackers used a compromised firewall and a service account to reach file servers and backups, then disguised rclone as "AcronisSync.exe" to exfiltrate data across 90 concurrent streams to a cloud storage platform. If your business can't detect and contain lateral movement in under 20 minutes, an attacker can steal everything and start encrypting before anyone notices. Backup isolation, network segmentation, and automated alerting on unusual outbound data volumes are no longer optional.

Attackers are also using legitimate cloud providers as relays for command-and-control traffic and data exfiltration. By routing stolen data through services like Cloudflare Workers, Azure, and Amazon S3, the traffic blends into standard enterprise communication patterns and bypasses simple domain-based blocking.

The FreeDrain network hosted over 38,000 phishing lure pages on subdomains of trusted platforms like GitBook, Webflow, and GitHub - exploiting the inherent trust users place in these services.

Real Incident Timeline: Complete Data Theft in 19 Minutes

  • 0:00 Compromised firewall - initial access via service account credentials.
  • ~2:00 Privilege escalation - elevated from service account to move laterally.
  • ~5:00 Lateral movement to file servers - reached production servers with years of data.
  • ~8:00 Backups accessed - rclone deployed as "AcronisSync.exe".
  • ~10:00 90-stream transfer - high-speed upload to Mega cloud; 5 years targeted.
  • 19:00 Exfiltration complete - data stolen, encryption deployed, full shutdown.
⚠️ The Priority Gap - Known Vulnerabilities Remain Exposed
The disconnect between knowing about a vulnerability and actually patching it is where most breaches happen.

The report's chapter on maintenance should hit close to home for any business that has ever delayed a patch because the system was "too critical to touch." SentinelOne calls this the "Priority Gap" - the friction between security mandates and IT operations that leaves known vulnerabilities open for exploitation.

The data tells a brutal story. A B0 Ransomware campaign successfully exploited an IIS server where the operating system was fully patched, but the website hosted on it relied on a version of Telerik UI that was a decade old, with a vulnerability that had been public since 2019. The server was up to date at the OS level but wide open at the application layer.

Virtualization platforms are a particularly high-value target. ESXi servers and VMware infrastructure are often treated as "untouchable" by IT operations because they host production workloads and even scheduled maintenance is considered high-risk. Attackers know this and establish long-term persistence, knowing these systems are rarely rebooted or updated.

The WSUS (Windows Server Update Services) Management API vulnerability (CVE-2025-59287) was targeted within a single day of patch release. A trojanized WsusService.exe executed automated reconnaissance and exfiltration. Because WSUS manages update distribution for entire networks, a compromised update server could potentially deliver malicious payloads to every connected endpoint.

  • Application-layer blind spots - servers fully patched at the OS level but vulnerable through neglected third-party components like Telerik UI and Mirth Connect
  • Decommissioned-in-name-only systems - servers technically taken out of service but never physically disconnected, with firewall rules left open for months
  • Legacy Linux vulnerabilities - privilege-escalation bugs like PwnKit (CVE-2021-4034) still used successfully in 2025 intrusions because affected systems were never brought into a maintained state

We see this pattern constantly with Houston businesses. An engineering firm running specialized software that hasn't been updated in years. An energy services company with field devices running unsupported operating systems. The gap between knowing the risk and fixing it is where attackers live.
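The edge-decay and priority-gap chapters describe the same underlying failure from two sides: assets that sit outside the patch and monitoring process, whether because they lack an endpoint agent, because the vulnerable piece is an application-layer component rather than the OS, or because the system was "decommissioned" on paper only. The Python below is an added example that serves both sections; it is not code from the SentinelOne report or from CinchOps. The inventory schema, the sample assets, the 180-day "stale platform" threshold and the finding names are constructed assumptions, and the exposure figure is simply days since public disclosure for any component still unpatched.

```python
"""Triage an asset inventory for edge-decay and priority-gap conditions.

Added example, not from the report or from CinchOps. Inventory schema, sample
assets and thresholds are constructed for illustration.
"""
from datetime import date

EDGE_KINDS = {"firewall", "vpn", "load_balancer"}
STALE_DAYS = 180   # assumption: a platform not updated in six months is a standing risk
TODAY = date(2025, 12, 1)  # fixed so the sample is reproducible

# Constructed inventory. "components" carry third-party/application-layer software
# with its disclosure date, so an OS-patched host can still show exposure.
SAMPLE_ASSETS = [
    {"name": "web01", "kind": "server", "edr": True, "status": "active", "reachable": True,
     "last_updated": date(2025, 11, 20),
     "components": [{"name": "Windows Server", "disclosed": None, "patched": True},
                    {"name": "Telerik UI", "disclosed": date(2019, 12, 1), "patched": False}]},
    {"name": "asa-edge", "kind": "firewall", "edr": False, "secure_boot": False, "mfa": False,
     "status": "active", "reachable": True, "last_updated": date(2023, 5, 10), "components": []},
    {"name": "kace01", "kind": "appliance", "edr": False, "status": "active", "reachable": True,
     "last_updated": date(2025, 10, 1),
     "components": [{"name": "appliance firmware", "disclosed": date(2025, 6, 1), "patched": False}]},
    {"name": "old-ftp", "kind": "server", "edr": False, "status": "decommissioned", "reachable": True,
     "components": []},
    {"name": "esxi01", "kind": "hypervisor", "edr": False, "status": "active", "reachable": True,
     "last_updated": date(2025, 1, 15),
     "components": [{"name": "ESXi", "disclosed": date(2025, 3, 1), "patched": True}]},
]


def triage(assets, today):
    """Return findings as (asset_name, finding, detail) tuples, largest day counts first."""
    findings = []
    for a in assets:
        name = a["name"]
        # Anything without an endpoint agent is invisible to EDR-centric monitoring.
        if not a.get("edr", False):
            findings.append((name, "outside_endpoint_visibility", a["kind"]))
        if a["kind"] in EDGE_KINDS:
            if not a.get("secure_boot", True):
                findings.append((name, "no_secure_boot", a["kind"]))
            if not a.get("mfa", True):
                findings.append((name, "remote_access_without_mfa", a["kind"]))
        # Retired on paper but still answering on the network.
        if a.get("status") == "decommissioned" and a.get("reachable", False):
            findings.append((name, "decommissioned_in_name_only", "still reachable"))
        last = a.get("last_updated")
        if last and (today - last).days > STALE_DAYS:
            findings.append((name, "stale_platform", (today - last).days))
        # Application-layer exposure: a component with a public disclosure and no patch applied.
        for c in a.get("components", []):
            if c.get("disclosed") and not c.get("patched", False):
                findings.append((name, "application_layer_exposure", (today - c["disclosed"]).days))
    return sorted(findings, key=lambda f: -(f[2] if isinstance(f[2], int) else 0))


if __name__ == "__main__":
    for f in triage(SAMPLE_ASSETS, TODAY):
        print(f)
```

The ordering puts the fully OS-patched web server at the top of the list, because its Telerik component has been exposed for over six years, which is exactly the "patched at the OS level, open at the application layer" case the report describes. The firewall accumulates four separate findings, and the "decommissioned" FTP host shows up only because the inventory records whether it is still reachable; an inventory that stops tracking a host when its status changes would never surface it.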

🤖 The Machine Multiplier - AI and Automation at Attacker Speed
Automation and AI-assisted tooling are compressing attack timelines to the point where human-only defenses can't keep up.

The final strategic chapter in the report may be the most sobering. Attackers aren't just using AI as a novelty - they're operationalizing it as an accelerator for every phase of an intrusion. The report documents frameworks like MalTerminal and PromptLock that use large language models to generate ransomware logic or reverse shells at runtime, rather than embedding fixed malicious code in a binary.

The "EvilAI" campaign deployed polymorphic variants that generated several distinct file hashes for effectively the same payload. Rather than relying on a single static binary, the malware repeatedly reintroduced itself with small changes in command-line parameters to maintain persistence across more than 100 systems. Traditional hash-based blocking becomes useless against this kind of variation.

The shrinking response window is the real problem. A chained remote code execution and named-pipe impersonation sequence escalated to SYSTEM privileges in roughly 30 milliseconds. A ScreenConnect incident moved from initial download to persistent service in 49 seconds. When exploit code is integrated into an automation framework, the practical response window for manual processes collapses.

The AkiraBot framework demonstrates AI-powered spam at industrial scale - targeting website contact forms and live chat widgets using OpenAI's API to generate site-specific messages for more than 400,000 websites. Campaigns like LemonDuck use self-healing designs with multiple redundant scheduled tasks, so that when one execution path is blocked, the malware reinstalls itself through an alternative path.

The lesson is clear: human-only investigation workflows are increasingly mismatched against adversaries operating at machine speed. Businesses need automated detection and response - not as a luxury, but as a requirement for survival.
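When a payload is rebuilt or re-launched with slightly different parameters on every run, blocking by file hash never catches up; grouping executions by what they do (who launched them, which binary, which flags, where they talk to) collapses the variants back into one cluster. The Python below is an added example of that normalization, not code from the SentinelOne report or from CinchOps. The execution records, the fingerprint rule (parent process, binary name, flag names with their values stripped) and the three-hash threshold for calling a cluster polymorphic are constructed assumptions.

```python
"""Cluster process executions by behavioural fingerprint instead of file hash.

Added example, not from the report or from CinchOps. Sample records and the
fingerprint rule are constructed for illustration.
"""
from collections import defaultdict

# Constructed executions: five distinct hashes launched by the Task Scheduler service
# host with the same binary name and flag set; only argument values change per run.
# Two benign explorer-launched runs share one hash.
_ARGS = [("8f3a", 31), ("1c77", 42), ("d905", 27), ("44be", 58), ("0ae1", 33)]
SAMPLE_EXECS = [
    {"sha256": f"{i:02x}" * 32, "parent": "svchost.exe",
     "cmdline": f"C:\\ProgramData\\upd\\upd.exe --id {ident} --sleep {secs} --url https://203.0.113.5/p"}
    for i, (ident, secs) in enumerate(_ARGS, start=1)
] + [
    {"sha256": "ee" * 32, "parent": "explorer.exe", "cmdline": "C:\\Windows\\notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"sha256": "ee" * 32, "parent": "explorer.exe", "cmdline": "C:\\Windows\\notepad.exe C:\\Users\\jdoe\\todo.txt"},
]


def fingerprint(rec):
    """(parent, binary basename, sorted flag names): argument values are deliberately dropped."""
    tokens = rec["cmdline"].split()
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    flags = tuple(sorted(t.lower() for t in tokens[1:] if t.startswith("-")))
    return (rec["parent"].lower(), exe, flags)


def cluster_by_behaviour(execs):
    """Map each fingerprint to the set of distinct hashes seen behind it."""
    groups = defaultdict(set)
    for r in execs:
        groups[fingerprint(r)].add(r["sha256"])
    return groups


def polymorphic_clusters(execs, min_hashes=3):
    """Fingerprints backed by many hashes: one behaviour, many binaries."""
    return {fp: hs for fp, hs in cluster_by_behaviour(execs).items() if len(hs) >= min_hashes}


def hash_blocklist_coverage(execs, blocklist):
    """Fraction of executions a static hash blocklist would have stopped."""
    return sum(1 for r in execs if r["sha256"] in blocklist) / len(execs)


def behaviour_blocklist_coverage(execs, blocked_fingerprints):
    """Fraction of executions a fingerprint-based rule would have stopped."""
    return sum(1 for r in execs if fingerprint(r) in blocked_fingerprints) / len(execs)


if __name__ == "__main__":
    known_bad_hash = {SAMPLE_EXECS[0]["sha256"]}   # the one sample a vendor has already seen
    print("hash coverage:", hash_blocklist_coverage(SAMPLE_EXECS, known_bad_hash))
    clusters = polymorphic_clusters(SAMPLE_EXECS)
    print("behaviour coverage:", behaviour_blocklist_coverage(SAMPLE_EXECS, set(clusters)))
    for fp, hashes in clusters.items():
        print(fp, len(hashes), "distinct hashes")
```

Blocking the single hash a vendor has already seen stops one of seven executions in the sample; blocking the fingerprint stops all five variants while leaving the two notepad launches alone. The same grouping is useful in the other direction for the "self-healing" designs mentioned above: several scheduled tasks whose actions collapse to one fingerprint are one persistence mechanism with redundancy, not several unrelated tasks.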

Attack Speed Analysis: How Fast Attacks Actually Execute

  • 30 milliseconds - privilege escalation to SYSTEM (chained RCE + named-pipe impersonation)
  • 49 seconds - persistent service installed (ScreenConnect to Windows service)
  • 19 minutes - complete data exfiltration (INC ransomware, 90-stream transfer)
  • 71 days - undetected SaaS compromise (evaded manual log review)

The gap: Attackers operate in milliseconds to minutes. Manual detection takes days to months. Automated monitoring is the only way to close this window.
🛡️ How CinchOps Can Help
Practical, grounded cybersecurity for Houston businesses facing real threats.

The threats documented in the SentinelOne Annual Threat Report aren't limited to Fortune 500 companies. Every pattern described - stolen identities, hijacked admin tools, unpatched edge devices, AI-powered attacks - applies directly to businesses with 10 to 200 employees. In many ways, smaller organizations are more vulnerable because they lack the dedicated security teams to monitor for these exact behaviors.

CinchOps provides the kind of continuous, layered defense that this report makes clear is no longer optional:

  • Identity and access monitoring - implementing post-authentication behavioral monitoring so that stolen credentials and session hijacking trigger alerts based on what accounts do, not just how they log in
  • RMM and admin tool governance - maintaining strict allow-lists for remote management tools, monitoring for unauthorized installations, and enforcing out-of-band verification for remote support requests
  • Edge device lifecycle management - inventorying all network perimeter devices, enforcing firmware updates, decommissioning legacy hardware that lacks modern security features, and ensuring MFA on every remote access point
  • Patch management that includes the application layer - expanding vulnerability management beyond operating system patches to cover third-party components, web frameworks, and integration engines
  • Automated threat detection and response - deploying monitoring that operates at machine speed to match the tempo of modern attacks, not relying solely on manual log review
  • Business continuity planning - ensuring that when an incident occurs, your business can recover quickly through tested backup and disaster recovery procedures

The SentinelOne report's closing observation applies to every business in the Houston metro: the gap between attackers and defenders isn't about who has better tools. It's about whether the controls around identity, infrastructure, and automation can withstand the specific kinds of pressure described in this report. That's the work we do at CinchOps every day for businesses across Katy, Cypress, The Woodlands, and the broader Houston area.


Frequently Asked Questions

What is the "Identity Paradox" described in the SentinelOne report?

Organizations have more user access data than ever, yet identity-based attacks remain the top intrusion method. Attackers replaying stolen session tokens look identical to legitimate employees in security logs. Defense requires monitoring post-authentication behavior - not just the login event.

How fast are modern cyberattacks actually executing?

A privilege escalation chain completed in 30 milliseconds. A ScreenConnect-based attack installed a persistent service in 49 seconds. INC ransomware operators exfiltrated all data in 19 minutes. Manual detection and response cannot match these automated timelines.

Why are legacy edge devices such a high-priority target for attackers?

Older VPN concentrators and firewalls sit outside endpoint security visibility, often lack Secure Boot, and are difficult to update without disrupting operations. State-sponsored groups have deployed firmware-level implants on legacy Cisco ASA devices that survive reboots and upgrades.

What should Houston businesses do first to address these threats?

Enforce MFA on every remote access point, expand patch management to include application-layer components, implement strict allow-lists for remote management tools, and monitor for post-authentication behavioral anomalies rather than relying solely on login-event detection.

How are attackers using AI and automation in 2025?

AI-powered frameworks generate unique phishing messages at scale, polymorphic malware creates distinct file hashes per deployment to evade signature detection, and LLM-powered tools generate ransomware logic at runtime. AI-driven scanning weaponizes newly disclosed vulnerabilities within hours.
