The Case for Multidomain Visibility

Oct 01, 2025

Findings from the 2025 Unit 42 Global Incident Response Report

Cyberattacks rarely follow a linear path. While security teams often zero in on initial access vectors, like phishing emails, exposed services and credential abuse, these only mark the starting point. What happens next is far more complex. According to the 2025 Global Incident Response Report, 84% of investigated cases involved activity across multiple attack fronts, with 70% spanning at least three vectors and some touching as many as six. These are not isolated incidents; they're coordinated campaigns.

Today’s attackers move laterally, escalating privileges, targeting identities, exploiting cloud misconfigurations and exfiltrating data, sometimes simultaneously. That level of sophistication and the multipronged approach makes for a strong case against operating in silos. Tools that only monitor one domain or that lack integration can leave critical threat signals buried under alert noise or trapped in disconnected logs.

In 85% of cases, Unit 42 incident responders had to access multiple types of data sources to complete their investigation. For matters where this wasn’t the case, that’s not a failure of collection, but of visibility and context. This is what multidomain attacks look like in the field, and why cross-domain correlation and unified response capabilities are now essential for any modern security operations center (SOC).

Initial Intrusion Sets the Stage for Escalated Access

While attacks rarely stay confined to a single vector, Unit 42 found initial access still plays a defining role in how incidents unfold. In 2024, phishing once again became the leading access method, overtaking software and API vulnerabilities (which topped the list the previous year). Phishing accounted for 23% of incidents, with business email compromise (BEC) responsible for 76% of those cases.

These attacks don’t just succeed because of clever lures, but also because of missing or misconfigured foundational controls. Lack of multifactor authentication (MFA) was a factor in 28% of cases, weak or default passwords in 20%, and insufficient brute-force or account lockout policies in 17%. That’s a wide spread of weaknesses, not to mention overpermissioned accounts, which are common in fast-moving cloud and hybrid environments and also contributed to privilege escalation in 17% of cases.

Just behind phishing, software and API vulnerabilities were exploited in 19% of incidents, and previously compromised credentials accounted for 16%. These entry points aren’t just technical distinctions; they often map to different threat actor profiles. For instance, nation-state actors displayed a clear preference for exploiting software and API flaws, targeting unpatched systems and exposed services to quietly gain footholds without triggering user-facing alerts.

Understanding which vectors are favored and why can help teams tailor both prevention and detection strategies. But as attacks rapidly move beyond the entry point, initial access is only one part of a much larger picture.

Why Multidomain Attacks Are So Hard to Catch

Multidomain attacks aren’t just widespread, they’re quiet by design. Threat actors know that most security tools are scoped to a single environment, whether that’s cloud infrastructure, SaaS applications or on-premises networks. Without cross-domain correlation, attackers can slip through the cracks, moving from one system to another without raising alarms. What looks benign in isolation (a login, a script execution, an API call) can amount to a coordinated breach when viewed in full.

These operations are often low and slow on purpose. They unfold over days or weeks, making gradual moves that avoid rate-based alerts or behavioral thresholds. This makes them fundamentally harder to detect, especially when fragmented logging, inconsistent telemetry formats and disconnected detection systems prevent the full picture from coming together. Even when logs are normalized, valuable context (e.g., the identity or risk posture of a specific asset) can be lost in translation.

Consider these real-world examples drawn from the desks of Unit 42:

  • Cloud-to-Cloud Escalation: An attacker compromises AWS credentials and then uncovers hard-coded GitHub tokens in a repository. From there, they locate Google Cloud service account keys buried in CI/CD workflows. With no single platform tracking movement across providers, each action appears routine, until the attacker has full control across multiple cloud environments.
  • SaaS Misuse Via Trusted Identities: A third-party contractor’s Entra ID credentials are phished. Using SSO, the attacker accesses internal tools, like Jira, and then quietly exfiltrates data using Slack or Dropbox. All the activity flows through trusted applications, using legitimate identities. Without robust user behavior analytics, there’s nothing to flag as suspicious.
  • IT-to-OT Lateral Movement: An attacker buys valid VPN credentials from the dark web. With access granted, they pivot across internal IT systems and eventually reach OT environments through an IoT device, where minimal monitoring and legacy protocols provide little resistance. The VPN login looked valid, and OT visibility gaps gave the attacker space to operate unnoticed.

These examples underscore the central truth: Multidomain detection isn’t a logging problem, it’s a correlation and context problem. Without unified visibility, even the best security teams will struggle to respond before significant damage is done.
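The correlation-and-context point above can be made concrete with a small cross-domain correlator. This is an added illustration, not code from Unit 42 or the Cortex platform: it normalizes constructed VPN, SaaS and cloud events (sample data, not real telemetry) into one schema keyed by identity, then flags any identity whose activity spans three or more separately logged domains inside a time window. Each event on its own would look routine to a single-domain tool; the chain is only visible once the sources are joined.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three domains that are normally logged separately.
# Tuple layout: (domain, timestamp, identity, action, target). Values are made up.
RAW_EVENTS = [
    ("vpn",   "2025-03-01T02:10:00", "jdoe",   "login_success",  "vpn-gw-01"),
    ("saas",  "2025-03-01T02:25:00", "JDoe",   "sso_login",      "jira"),
    ("cloud", "2025-03-01T03:05:00", "jdoe",   "ListSecrets",    "aws-prod"),
    ("cloud", "2025-03-01T03:07:00", "jdoe",   "GetSecretValue", "aws-prod"),
    ("saas",  "2025-03-01T03:40:00", "jdoe",   "file_upload",    "dropbox"),
    ("saas",  "2025-03-01T09:00:00", "asmith", "sso_login",      "jira"),
    ("cloud", "2025-03-02T11:00:00", "asmith", "ListSecrets",    "aws-prod"),
]


def normalize(raw):
    """Map a raw tuple into a common schema; identity is lower-cased so the
    VPN and SSO records for the same user join up."""
    domain, ts, identity, action, target = raw
    return {"domain": domain, "ts": datetime.fromisoformat(ts),
            "identity": identity.lower(), "action": action, "target": target}


def correlate(raw_events, window=timedelta(hours=4), min_domains=3):
    """Group events by identity, slide a time window over each identity's
    timeline, and report the first chain that touches >= min_domains domains."""
    by_identity = defaultdict(list)
    for event in map(normalize, raw_events):
        by_identity[event["identity"]].append(event)

    findings = []
    for identity, events in by_identity.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            chain = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            domains = {e["domain"] for e in chain}
            if len(domains) >= min_domains:
                findings.append({
                    "identity": identity,
                    "domains": sorted(domains),
                    "first": chain[0]["ts"], "last": chain[-1]["ts"],
                    "path": [f"{e['domain']}:{e['action']}@{e['target']}" for e in chain],
                })
                break  # one finding per identity is enough for triage
    return findings


if __name__ == "__main__":
    for finding in correlate(RAW_EVENTS):
        print(finding["identity"], finding["domains"], " -> ".join(finding["path"]))
```

The second identity, whose SaaS and cloud activity sits more than a day apart, is deliberately left unflagged so the window's effect is visible.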

What Works in Defending Against Multidomain Attacks?

Stopping multidomain attacks requires more than better alerts or more logging; it demands a shift in how security teams think about visibility, detection and response. As attackers move laterally across cloud, SaaS, IT and OT environments, defenders need integrated telemetry, smarter analytics and automated workflows that keep pace with threats.

Unify Telemetry and Apply AI at Scale

To detect cross-domain attacks, analysts need a full, correlated view of what’s happening across all systems, not just logs, but contextual metadata, identity activity and security signals from every layer of the stack. But that’s only half the challenge: The volume of data is too large and fast-moving to analyze manually. AI and machine learning are essential to identify patterns, filter noise and surface signals that would otherwise go unnoticed. A streamlined security ecosystem, where tools natively integrate and share telemetry, further reduces complexity and accelerates threat detection. The Cortex® platform, for example, correlates telemetry, identity data and behavioral analytics across every domain, so SOC teams can detect complex attacks in real time.

Strengthen Identity and Access Controls

In multidomain breaches, identity is almost always the common denominator. Overpermissioned accounts, federated SSO and dormant service accounts create ideal conditions for lateral movement. Defenders should enforce MFA everywhere (including on service accounts), implement least privilege and actively monitor identity relationships across domains. Even partial implementation of zero trust principles can reduce risk and prevent attackers from turning one compromised credential into full enterprise access.

Use AI-Powered Behavioral Analytics to Spot Anomalies

Rule-based detections struggle to keep up with the pace and creativity of attacker techniques. AI-powered behavioral analytics offer a scalable way to detect abnormal activity, even when it originates from trusted accounts and applications. By learning what “normal” looks like for users, systems and services, these models can flag subtle deviations (e.g., logins at odd times, lateral movement across unusual systems, rapid privilege escalation) before they become full-blown incidents.

Automate Response Actions to Buy Time

Speed matters. The longer it takes to contain a threat, the more domains it can touch. Automated response workflows can immediately revoke credentials, isolate endpoints or block IP addresses without waiting on manual approval. When your SOC platform integrates with IT and business systems, you remove friction points that delay containment and increase exposure. The goal isn’t to replace analysts; it’s to give them a head start when every second counts.

Multidomain attacks are here to stay. But with integrated telemetry, smarter identity governance and automation backed by AI, defenders can stay ahead of attackers even when they’re coming from every direction at once.

See the Attack, Respond with Confidence

Attackers no longer operate within boundaries and neither should your defenses. Stopping multidomain attacks requires unified visibility with smarter detection and faster response. Security teams need tools and partners that can help them correlate signals across environments, surface the real threats and respond before damage spreads.

To dive deeper into the tactics, techniques and trends shaping today’s threat landscape, download the full 2025 Global Incident Response Report. And when you need help investigating complex incidents or managing detection and response around the clock, contact Unit 42 to engage with expert defenders.

Key Takeaways:

  • Cyberattacks are complex and multidomain: Modern cyberattacks rarely follow a linear path. Attacks often span multiple attack fronts (70% across at least three vectors) and move laterally across different environments (cloud, SaaS, IT, OT). This makes them difficult to detect with tools that operate in silos.
  • Unified visibility and correlation are essential: Stopping multidomain attacks requires integrated telemetry, smarter analytics and automated workflows. Security teams need a full, correlated view of what's happening across all systems. It isn’t just logs, but also contextual metadata, identity activity and security signals from every layer of the stack.
  • AI-powered solutions and strong identity controls are crucial: AI and machine learning are essential to identify patterns and surface signals in the vast volume of data. Additionally, strengthening identity and access controls (MFA everywhere, least privilege, monitoring identity relationships) and using AI-powered behavioral analytics to spot anomalies are critical for defending against these sophisticated threats.
