Unit 42: 72-Minute Breach Exposes SOC Detection Response Time Gap


SOC detection response time has become attackers’ primary attack surface. Unit 42, the threat intelligence and incident response arm of Palo Alto Networks, reports a 4x year-over-year compression in attack timelines in its 2026 Global Incident Response Report. In the fastest observed cases, attackers moved from initial access to confirmed data exfiltration in 72 minutes.

  • 65% of initial access vectors in Unit 42 investigations were identity-based: compromised credentials, multi-factor authentication (MFA) manipulation, or help-desk impersonation.
  • In 87% of incidents, investigators reviewed evidence from two or more distinct sources to reconstruct what occurred; complex cases drew on as many as 10 sources.
  • Muddled Libra (also tracked as Scattered Spider) and Spoiled Scorpius, distributors of RansomHub ransomware, exemplify this compression. Spoiled Scorpius exfiltrated hundreds of gigabytes within hours of gaining access through improperly secured remote access infrastructure.
  • The speed gap is a process problem, not a headcount problem: by the time an alert clears manual triage, the adversary has often finished the job.

72 Minutes: The Anatomy of an Identity-Driven Breach

Unit 42’s investigations across 2025 and into 2026 reveal a consistent attacker playbook. Social entry comes first: attackers exploit compromised credentials, MFA push fatigue, or a call to the helpdesk impersonating IT support. Muddled Libra, the extortion group that made corporate helpdesk social engineering a repeatable commodity tactic, uses exactly this pattern to obtain single sign-on (SSO) tokens. From there, privilege escalation begins within minutes. Attackers provision cloud resources, spin up rogue virtual machines, and mount virtual drives to stage data for exfiltration – all before most SOC analysts have correlated the first low-priority alert.

The 87% multi-source evidence statistic is the operational cost in plain numbers. When a single incident requires context from ten separate toolsets, the investigation itself becomes the delay that lets attackers finish. A sequential triage model – validate, then investigate, then escalate, then contain – was designed for attackers who moved across days. The 72-minute window has made that design obsolete.

Why Manual Alert Correlation Widens the SOC Detection Response Gap

Alerts from identity, endpoint, cloud, and Software as a Service (SaaS) environments were not designed to correlate automatically. A suspicious PowerShell execution looks routine in isolation; an impossible-travel login looks routine in isolation; abnormal administrative account activity looks routine in isolation. All three together, in sequence, within 20 minutes, describe an active compromise. An analyst working those alerts through separate consoles must open three tools, match timestamps, and build context before confidence reaches the threshold for containment – and during those minutes, Spoiled Scorpius is staging the exfiltration.

The conventional response to detection gaps has been to add analysts. Unit 42 rejects that framing directly: this is a process problem. More analysts running sequential triage at higher volume produces the same outcome at greater cost. The NCSC has documented a related failure mode – ticket-count SOC metrics systematically close real attacks as false positives because isolated alert volume overwhelms contextual correlation capacity. The fix is structural.

Three Process Changes That Compress SOC Detection Response Time

Three structural changes address the process problem Unit 42’s data documents. Start with correlation architecture, then predefine response playbooks, then shift detection to behavioral signals.

Correlate identity, endpoint, and cloud signals into unified incidents automatically – If post-incident reconstruction routinely requires 10 data sources, the detection workflow needs to correlate those same 10 sources before containment. Related signals across identity providers, endpoint detection, cloud audit logs, and SaaS access logs should group into a single incident view. Analysts need to see a unified picture, not a queue of low-priority alerts that only make sense in aggregate.

Predefine containment for the identity attack patterns Unit 42 documents – Compromised accounts following MFA manipulation, suspicious PowerShell execution after unusual authentication, and privilege escalation within minutes of initial access are not novel scenarios. They appear consistently across Unit 42 incident response engagements. When attackers move in 72 minutes, response decisions cannot start from a blank playbook. Prebuilt containment workflows for these behavioral sequences let teams act while Muddled Libra’s lateral movement is still in progress.

Prioritize behavioral detections over static indicators of compromise – Muddled Libra and Spoiled Scorpius change tooling between campaigns; they do not change behaviors. Rapid privilege escalation after initial authentication, impossible-travel logins, and data staging within minutes of access are behaviors that precede exfiltration consistently in Unit 42’s pattern library. See related analysis on incident response metrics that predict program maturity for the measurement framework. Static indicators are lagging signals; behavioral detections close the SOC detection response time gap that makes a 72-minute attack survivable.
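The three changes above describe one workflow: group alerts from separate consoles by principal, match the behavioral sequence the article names (impossible-travel login, suspicious PowerShell, abnormal admin activity, all within 20 minutes) rather than any static indicator, and attach a predefined containment plan. The following is an added illustration, not code from Unit 42 or the author; the alert records, field names and the containment actions in `PLAYBOOK` are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts as three separate consoles would emit them
# (identity, endpoint, cloud). Each is low priority in isolation.
SAMPLE_ALERTS = [
    {"ts": "2026-03-02T09:01:00", "source": "identity", "principal": "j.doe", "signal": "impossible_travel_login"},
    {"ts": "2026-03-02T09:09:00", "source": "endpoint", "principal": "j.doe", "signal": "suspicious_powershell"},
    {"ts": "2026-03-02T09:17:00", "source": "cloud", "principal": "j.doe", "signal": "admin_role_assigned"},
    {"ts": "2026-03-02T09:30:00", "source": "identity", "principal": "a.smith", "signal": "impossible_travel_login"},
    {"ts": "2026-03-02T11:40:00", "source": "endpoint", "principal": "a.smith", "signal": "suspicious_powershell"},
]

# Behavioral sequence from the article: all three signals, in order, within 20 minutes.
SEQUENCE = ("impossible_travel_login", "suspicious_powershell", "admin_role_assigned")
WINDOW = timedelta(minutes=20)

# Assumed predefined containment for this sequence (not taken from the report).
PLAYBOOK = {SEQUENCE: ["revoke_sso_tokens", "isolate_endpoint", "remove_new_admin_role"]}


def correlate(alerts, sequence=SEQUENCE, window=WINDOW):
    """Return one unified incident per principal whose alerts, across any sources,
    match `sequence` in order inside `window`; otherwise the principal is left alone."""
    by_principal = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):   # ISO timestamps sort lexically
        by_principal[alert["principal"]].append(alert)

    incidents = []
    for principal, events in by_principal.items():
        for i, start in enumerate(events):
            if start["signal"] != sequence[0]:
                continue
            t0 = datetime.fromisoformat(start["ts"])
            matched, need = [start], 1
            for event in events[i + 1:]:
                if datetime.fromisoformat(event["ts"]) - t0 > window:
                    break                                   # outside the 20-minute window
                if need < len(sequence) and event["signal"] == sequence[need]:
                    matched.append(event)
                    need += 1
            if need == len(sequence):
                incidents.append({
                    "principal": principal,
                    "sources": sorted({e["source"] for e in matched}),
                    "first_seen": matched[0]["ts"],
                    "last_seen": matched[-1]["ts"],
                    "containment": PLAYBOOK[sequence],
                })
                break                                       # one incident per principal
    return incidents
```

Run against the sample, only `j.doe` becomes an incident: the same three signal types for `a.smith` span more than two hours and stay separate, which is the behavioral (not indicator-based) distinction the article argues for.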


Holger Schulze
Holger Schulze is the founder and publisher of Cybersecurity Insiders, an independent cybersecurity media and research company. The publication centers on the security domains under the most pressure from AI: identity and phishing resistance, incident response velocity, application security, and threat intelligence tradecraft. Coverage maps the readiness gap between where CISO teams sit today and where AI-era attack speed is pushing them, and which moves close it fastest. Writing here applies Cybersecurity Insiders' Capability and Coherence Maturity Model to primary-research data and named incident analysis, evaluating security programs across the reactive, managed, and adaptive maturity tiers. Holger moderates the Information Security Community on LinkedIn, one of the largest cybersecurity professional networks. Connect at linkedin.com/in/holger-schulze.
