RSA One Year Later: SSE and the Cyber Kill Chain Revisited
A lot had changed in twelve months: the threat landscape had intensified, the defensive toolset had matured, and there was a palpable urgency in the room that wasn't there a year ago. When the environment moves this fast, frameworks don't always age gracefully. So, we put it to the test.
Overview: What did the 2025 talk cover?
SSE is the security layer of a Secure Access Service Edge (SASE) architecture. It is a cloud-delivered model that converges network access and security controls. Where legacy architectures pushed traffic through centralized data centers and relied on siloed point products, SSE consolidates controls into a unified platform that follows users, data, and workloads wherever they go.
The Kill Chain gave us a shared language for the problem: a Salt Typhoon-style double-extortion ransomware attack. SSE gave us a systematic way to address it. That shift matters most when the attacker is patient, methodical, and nation-state funded.
The attack pattern: Salt Typhoon and service chaining
The anchor case for our 2025 presentation was Salt Typhoon: a Chinese state-sponsored threat group that compromised U.S. telecommunications providers in one of the most sophisticated intrusions ever attributed to a foreign adversary.
What made Salt Typhoon significant was the method. The attackers gained initial access by exploiting unpatched Cisco edge devices. They leveraged CVEs and related vulnerabilities to escalate privileges. From there, they combined custom malware with Living off the Land (LotL) techniques to move laterally through U.S. telecommunications infrastructure undetected for months. By abusing legitimate protocols, they built encrypted relay channels that looked like normal network traffic.
They took advantage of an architecture with single points of failure that operated on implied trust. This is why Kill Chain mapping matters. It forces defenders to ask:
At which stage could we have seen this?
At which stage could we have stopped it?
Salt Typhoon: 2026 update
Salt Typhoon is still active. As of early 2026, the FBI has confirmed the threat is still very much ongoing, and expert witnesses before the Senate Commerce Committee warned that Chinese actors are likely still inside U.S. telecommunications infrastructure today.
A more recent attack by Handala took LotL a step further. When they hit Stryker, they never touched a custom payload. A single compromised Intune administrator credential was enough to issue an enterprise-wide remote wipe command through Microsoft's own device management platform. Two hundred thousand devices across 79 countries. No malware deployed. No signatures to catch. Just a legitimate admin action, at catastrophic scale.
What's changed for the red hats?
The core structure of the Kill Chain has not changed. Adversaries still move through Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. But now they are doing it faster, with more automation, and with AI augmenting every phase.
- Nation State Attacks at Machine Speed: Anthropic documented a sophisticated Chinese espionage campaign in which AI executed 80 to 90 percent of attack operations across the kill chain, with human intervention only sporadically required. At peak, the AI made thousands of requests per second. No human team can match that speed.
- AI-augmented phishing: Phishing is the most common delivery mechanism across the Kill Chain, and it has increased roughly 200% in volume just in the last few months. And AI-generated lures are becoming indistinguishable from legitimate communication. This means social engineering attacks are now personalized at machine speed. The attacker who once needed a skilled human to write a convincing spear phishing email now uses a simple LLM prompt.
- Red hat expertise is more accessible than ever: Our 2025 talk referenced LockBit 3.0 as an example of Ransomware as a Service. This service lowered the barrier to entry for attackers. Now AI is lowering it further. What once required a sophisticated threat actor now requires a simple AI agent. Anthropic's Mythos demonstrated the ability to autonomously identify and exploit zero-day vulnerabilities in every major operating system and browser. The UK AI Security Institute found it succeeded at expert-level hacking tasks 73% of the time, and other frontier models are approaching similar capabilities.
What's changed for the blue hats?
The defensive capabilities within SSE solutions have been advancing to meet these new challenges.
- Context Rich UEBA: User and Entity Behavior Analytics (UEBA) continues to mature in granularity. It baselines normal patterns at scale and flags deviations in near-real time. For LotL attacks, where the attacker looks like a legitimate user, behavioral analytics is often the only detection surface that matters.
- LLMs for SecOps: This tooling reduces alert fatigue by correlating signals across distributed environments. ZTNA telemetry, SWG logs, CASB events, DLP triggers, and similar sources now surface as a prioritized queue rather than a flood of raw alerts.
- Maturing Zero Trust: Always-on ZTNA enforces least-privilege access continuously, regardless of where a user sits. SSE vendors are also integrating network segmentation directly into their platforms.
- Machine Learning for Classification: ML-based classification understands context. SSE solutions have significantly upgraded their inline classification engines, enabling real-time data sensitivity decisions at scale. For organizations handling regulated data across SaaS, cloud, and hybrid environments, this is the difference between DLP that works and DLP that exists on paper.
- AI Red Teaming: SSE platforms have built AI Agent Red Hat teams directly into their architectures. These AI-assisted red teaming tools simulate multi-stage kill chain scenarios autonomously, running context-aware simulations that map findings to frameworks with operator-level remediation steps.
Together, these capabilities represent a meaningful shift in the defender's position.
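The UEBA point above, and the Handala case earlier on this page, come down to one detection question: does a legitimate admin action look like that admin's normal behavior? The following script is an added illustration, not WWT's code or any SSE vendor's UEBA engine. It baselines per-admin daily counts of device-management actions over a 30-day window and flags two kinds of deviation: a volume spike in an action the admin normally performs, and a high-risk action the admin has never performed before. The audit records, admin names, action labels and field names are all constructed assumptions, not a real MDM export format.

```python
"""
Hypothetical UEBA-style detector for privileged device-management actions.
Added example: baselines daily action counts per (admin, action) and flags
volume spikes and first-seen high-risk actions. All data is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

HIGH_RISK_ACTIONS = {"wipe", "retire", "reset_passcode"}  # assumed labels
MIN_COUNT = 10  # absolute floor: a near-zero baseline must not alert on 2 events


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    admin: str
    action: str
    device: str


def build_constructed_log():
    """Thirty routine days, then a day with a mass wipe from admin.alice
    and a first-ever wipe from admin.bob. Entirely constructed data."""
    events = []
    start = datetime(2026, 1, 1)
    for day in range(30):
        d = start + timedelta(days=day)
        for i in range(5):  # alice enrolls a handful of devices each morning
            events.append(AuditEvent(d + timedelta(hours=9, minutes=10 * i),
                                     "admin.alice", "enroll", f"dev-{day}-{i}"))
        # alice wipes exactly one lost device per day
        events.append(AuditEvent(d + timedelta(hours=14), "admin.alice", "wipe", f"lost-{day}"))
        for i in range(3):  # bob only ever enrolls devices
            events.append(AuditEvent(d + timedelta(hours=10, minutes=5 * i),
                                     "admin.bob", "enroll", f"bdev-{day}-{i}"))
    bad_day = start + timedelta(days=30)
    for i in range(200):  # burst of wipe commands inside a single hour
        events.append(AuditEvent(bad_day + timedelta(hours=2, seconds=i),
                                 "admin.alice", "wipe", f"fleet-{i}"))
    events.append(AuditEvent(bad_day + timedelta(hours=11), "admin.bob", "wipe", "bdev-lost"))
    return events


def daily_counts(events):
    """(admin, action) -> Counter{date: number of events that day}."""
    counts = defaultdict(Counter)
    for e in events:
        counts[(e.admin, e.action)][e.ts.date()] += 1
    return counts


def baseline(events, start, days):
    """Mean and population std of daily counts per (admin, action),
    zero-filled for days in the window with no activity."""
    day_list = [(start + timedelta(days=i)).date() for i in range(days)]
    stats = {}
    for key, ctr in daily_counts(events).items():
        series = [ctr.get(d, 0) for d in day_list]
        stats[key] = (mean(series), pstdev(series))
    return stats


def detect(events, baseline_start, baseline_days):
    """Compare activity after the baseline window against the baseline."""
    baseline_end = baseline_start + timedelta(days=baseline_days)
    hist = [e for e in events if e.ts < baseline_end]
    recent = [e for e in events if e.ts >= baseline_end]
    stats = baseline(hist, baseline_start, baseline_days)
    alerts = []
    for (admin, action), ctr in daily_counts(recent).items():
        for day, n in sorted(ctr.items()):
            if (admin, action) not in stats:
                # No history at all for this admin/action pair.
                if action in HIGH_RISK_ACTIONS:
                    alerts.append({"admin": admin, "action": action, "day": str(day),
                                   "count": n, "reason": "first_seen_high_risk_action"})
                continue
            mu, sigma = stats[(admin, action)]
            threshold = max(mu + 3 * sigma, MIN_COUNT)
            if n > threshold:
                alerts.append({"admin": admin, "action": action, "day": str(day),
                               "count": n, "threshold": round(threshold, 1),
                               "reason": "volume_spike"})
    return alerts


def run_demo():
    return detect(build_constructed_log(), datetime(2026, 1, 1), 30)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The two rules are deliberately simple so the trade-off is visible: the absolute floor (`MIN_COUNT`) stops a quiet baseline from alerting on every second event, but it also means an actor who stays under that daily volume is only caught by the first-seen rule or by a richer model. Which baseline window and floor are right depends on the fleet; a real UEBA engine would also condition on time of day, source device and geography.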
Let's run the kill chain again, with today's new threats and tools
Phase 1: Preparation (Reconnaissance and Weaponization)
- Attack: AI-assisted recon now runs at thousands of requests per second. Weaponization has followed. With AI prompting, the skill floor for attackers has dropped significantly.
- Defense: If the connection is inside-out, we don't need a firewall opening a path into our environment from the internet. Always-on ZTNA eliminates this attack surface before reconnaissance can map it. SASE-native vulnerability management closes CVE windows faster. And AI Red Teaming continuously stress-tests posture against the same techniques attackers are automating.
Phase 2: Intrusion (Delivery, Exploitation, and Installation)
- Attack: AI-generated phishing is the predominant delivery mechanism. Below that, service chaining remains a strong exploitation and installation method. Handala went further than Salt Typhoon, operating entirely within legitimate platforms without deploying malware at all. Both approaches stress the same detection gap: behavioral and identity signals, not signatures.
- Defense: For LotL, context-driven behavior analytics (UEBA) is crucial. Continuous identity verification through ZTNA ensures valid credentials don't equal assumed access. And native microsegmentation tools impede the lateral movement that LotL attacks rely on.
Phase 3: Breach (Command and Control and Actions on Objectives)
- Attack: AI-assisted C2 obfuscation extends dwell time. Increased speed and accessibility mean more actors can reach and sustain this phase for longer.
- Defense: LLM-driven SecOps tooling is reducing alert fatigue at this stage by correlating and prioritizing data, making the difference between a breach that goes undetected for months and one that surfaces fast. ML-powered classification in CASB and DLP layers addresses data exfiltration with context-aware sensitivity decisions, containing the blast radius before Actions on Objectives can be completed.
Conclusion: The community is the edge
The technology is better than it was a year ago, the threats are faster, and the stakes are higher. But we came away from RSA 2026 more confident in the framework than ever. Attacks haven't evolved beyond the Kill Chain. They're just iterating faster within it.
While that is alarming, there is good news: it means our answer for defenders hasn't changed.
Run the framework.
Build the architecture.
And keep talking to each other.
Cybersecurity teams who share what they're seeing, stress-test assumptions, and call out what isn't working are a hard defensive advantage, not a soft one. At World Wide Technology, that's what we show up to do, for our customers, and for every blue-hat practitioner on the front lines of our defense.