🚨 Palo Alto's $25B CyberArk Deal Exposes Identity Crisis | Lessons from Dropzone AI's SOC Automation Strategy
Palo Alto Networks' massive $25 billion CyberArk acquisition signals the end of standalone identity security while Dropzone AI's Edward Wu reveals how enterprises are using AI agents to cut SOC alert fatigue by 80% and reduce MTTR to under 10 minutes.
Hello from the Cloud-verse!
This week's Cloud Security Newsletter topic: Agentic AI in the SOC: What Actually Works (continue reading)
In case this is your first Cloud Security Newsletter, you are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter and who, like you, want to learn what's new in cloud security each week from their industry peers, as do the many others who listen to Cloud Security Podcast & AI Security Podcast every week.
Welcome to this week's edition of the Cloud Security Newsletter!
The cybersecurity industry witnessed seismic shifts this week, from the largest identity security acquisition in history to active exploitation of critical SharePoint vulnerabilities affecting hundreds of organizations globally. We also break down critical zero-days, AI evasion techniques, and regulatory shifts from Microsoft and Google.
Meanwhile, enterprises are quietly revolutionizing their security operations with AI agents that can process over 100 distinct LLM invocations per alert investigation, a level of sophistication that separates marketing hype from operational reality.
But the strategic heart of this issue lies in your SOC:
This week, we spoke with Edward Wu, founder of Dropzone AI, to explore the real-world architecture of Agentic AI in security operations, far beyond the marketing hype. Edward brings 30+ patents and eight years of building AI/ML detection products at ExtraHop Networks to our discussion on agentic SOC implementations.
If your team is exploring how LLMs can drive meaningful improvements in triage, MTTR, and SOC workflows, this issue is for you.
📰 TL;DR for Busy Readers
Palo Alto Acquires CyberArk for $25B: This mega-deal highlights the critical role of identity and privileged access management (PAM) in securing cloud and AI-driven environments, consolidating security platforms and pushing "agentic AI" security to the forefront. Cloud security leaders should reassess their identity governance and zero-trust strategies.
Scattered Spider Targets Snowflake: The notorious threat group is actively exfiltrating data from Snowflake data storage, evolving tactics beyond social engineering to target third-party IT workers. This underscores the need for stringent IAM, behavioral analytics, and third-party risk management for cloud data warehouses.
SharePoint Zero-Day Under Active Exploitation: A critical unauthenticated RCE vulnerability (CVE-2025-53770) in on-premises SharePoint servers is being actively exploited globally, with persistent access achieved via MachineKey theft. Immediate action is required for on-prem deployments.
New Malware Uses Prompt Injection to Evade AI Tools: "Skynet" malware attempts to manipulate AI-powered security analysis tools using prompt injection, signaling an emerging attack vector against AI in cybersecurity.
Cloud Provider Security Enhancements: Microsoft Defender for Cloud adds new regulatory compliance frameworks (DORA, EU AI Act) and container scanning for hardened images, while Google Cloud SCC enhances multi-cloud visibility with Azure Management Group support and new risk scoring. These updates simplify compliance and improve risk prioritization for multi-cloud environments.
Agentic AI in SOC Reality Check: Edward Wu of Dropzone AI breaks down the realities of Agentic AI in the SOC. He explains that while fully autonomous SOCs are not yet practical, AI agents excel at automating repetitive alert investigations, drastically reducing MTTR from hours to minutes. This allows human analysts to focus on complex, high-value projects.
📰 THIS WEEK'S SECURITY HEADLINES
💥 Palo Alto Networks Acquires CyberArk for $25 Billion
Palo Alto Networks announced a definitive agreement to acquire CyberArk, the global leader in identity security, for approximately $25 billion in cash and stock, representing a 26% premium and the largest cybersecurity acquisition of 2025. This is Palo Alto's largest acquisition to date, aimed at creating an "end-to-end security platform for the AI era," with a particular focus on securing "agentic AI" and autonomous AI agents.
Why This Matters: This acquisition signifies a major consolidation in the identity and Privileged Access Management (PAM) space. For cloud security professionals, it underscores that identity is the new perimeter, especially with the proliferation of cloud services, microservices, and AI-driven applications. We can potentially expect tighter integration between network, cloud, and identity controls, with detection, IAM, and governance functions embedding deeper into a broader platform strategy. Cloud security leaders should assess how this impacts their vendor strategies, particularly around identity governance and zero-trust architectures. As Edward Wu notes, "Identity is the new perimeter," and securing both human and machine identities in cloud environments is paramount as AI agents become prevalent.
Source: Palo Alto Networks Press Release
🚨 CISA Issues Updated Warning on Scattered Spider's Evolving Snowflake Tactics
What Happened: A joint advisory from US, UK, Canadian, and Australian cybersecurity agencies, updated on July 29, 2025, warns of ongoing campaigns by the threat group Scattered Spider. The group is now specifically targeting Snowflake data storage environments, leveraging existing access to exfiltrate large volumes of sensitive data. They've evolved tactics beyond IT help desk impersonation to target third-party IT workers while impersonating company employees.
Why This Matters: This is a critical alert for any organization using Snowflake or similar cloud data warehouse solutions. Cloud data warehouses are central repositories for vast amounts of sensitive organizational data, and their compromise can lead to massive data breaches, impacting customer privacy, regulatory compliance (GDPR, CCPA), and business reputation. Strict IAM policies for these platforms are essential, including strong, unique credentials and mandatory MFA for all users, especially service accounts or API keys. Implementing robust monitoring and behavioral analytics within Snowflake to detect unusual access patterns or large data exports is crucial. Edward Wu's emphasis on AI agents' ability to "look at an alert and tailor an investigation that's specific to the situations of that particular alert" highlights how AI can assist in the dynamic investigation needed for such evolving threats.
Source: CISA Alert AA23-320A
A critical SharePoint vulnerability (CVE-2025-53770) is being actively exploited in mass attacks affecting over 75 organizations worldwide. It enables unauthenticated remote code execution on on-premises SharePoint servers and is being weaponized to steal MachineKey configurations for persistent access.
Why This Matters: This represents one of the most severe on-premises vulnerabilities of 2025. For organizations still running on-premises SharePoint, immediate action is paramount. Attackers who steal the MachineKey can craft forged ViewState payloads that remain valid even after patching, which makes remediation particularly challenging. Enterprise defenders should immediately disconnect public-facing SharePoint servers, rotate machine keys, and implement AMSI integration. While cloud-managed SharePoint Online instances are generally patched by Microsoft, this incident underscores the importance of a clear strategy for hybrid environments and the potential for lateral movement from compromised on-premises systems into connected cloud resources.
Source: The Hacker News
Microsoft Defender for Cloud Expands Regulatory Compliance and Container Scanning Coverage
What Happened: Microsoft Defender for Cloud has announced updates including expanded support for four new regulatory compliance frameworks across Azure, AWS, and GCP environments: Digital Operational Resilience Act (DORA), EU AI Act, Korean Information Security Management System for Public Cloud (k-ISMS-P), and CIS Microsoft Azure Foundations Benchmark v3.0.
Why It Matters: These updates directly address critical concerns for cloud security practitioners. The new regulatory standards, especially DORA and the EU AI Act, are vital for organizations in regulated industries or those deploying AI globally, simplifying multi-cloud compliance auditing and reporting. For cloud-native workloads, expanded scanning coverage for hardened container images like Chainguard and Wolfi is crucial, enabling "shift-left" security by identifying and remediating flaws earlier in the development lifecycle. The introduction of API discovery and security posture for Azure Function Apps and Logic Apps also helps manage the growing API attack surface in serverless architectures.
Google Cloud Enhances Security Command Center with Azure Management Group Support and New Risk Scoring
What Happened: Google Cloud's Security Command Center (SCC) now supports log ingestion from Microsoft Azure management groups, enabling security findings consumption at a broader management group level, not just subscriptions. SCC also introduced a new risk scoring algorithm designed to better reflect attacker behavior and expanded data residency support for its Enterprise service tier to the EU, Saudi Arabia, and the United States.
Why It Matters: For multi-cloud security leaders, these updates significantly improve multi-cloud security posture management by centralizing visibility across hybrid environments and simplifying compliance and auditing. The new risk scoring provides more accurate and actionable insights for prioritizing vulnerabilities based on attacker TTPs. Expanded data residency options are crucial for organizations operating under strict data sovereignty regulations like GDPR. These enhancements bolster SCC's capabilities as a Cloud Security Posture Management (CSPM) tool, offering deeper insights and broader coverage for managing security configurations across cloud platforms.
🎯 Topic of the Week:
The Reality of Agentic AI in the SOC: No Hype, Only Reality
SOC teams are being promised faster MTTR, reduced fatigue, and autonomous triage, often via vague promises of “AI-powered” magic. This week, Edward Wu, founder of Dropzone AI, breaks down what Agentic AI really looks like in modern security operations. He also sheds light on how AI agents are already transforming Security Operations Centers and what security leaders need to know to harness this technology effectively.
“A real agentic system performs 100+ LLM calls per alert, understands data schemas, and dynamically plans investigations. SOAR playbooks can’t do that.” – Edward, Dropzone AI
The promise of AI in security operations has been oversold for years, but recent implementations reveal a more nuanced reality.
While fully autonomous SOCs remain technically impossible, sophisticated AI agent orchestration is delivering measurable results for enterprise security teams struggling with alert volumes that have grown exponentially with cloud adoption.
Featured Experts This Week 🎤
Edward Wu - Founder and CEO, Dropzone AI (30+ patents in AI/ML)
Ashish Rajan - CISO | Host, Cloud Security Podcast
Definitions and Core Concepts 📚
Before diving into our insights, let's clarify some key terms:
Agentic AI: An AI system that can plan, adapt, and make decisions autonomously within a defined scope, such as triaging alerts in the SOC.
Prompt Injection: A type of attack where malicious input (a "prompt") is crafted to manipulate an AI model's behavior, often overriding previous instructions or extracting sensitive information.
Mean Time to Resolution (MTTR): A key security operations metric measuring the average time it takes to detect and fully resolve a security incident from its initial alert.
SOAR (Security Orchestration, Automation, and Response): Technologies that help automate and streamline security operations tasks, often relying on pre-defined "playbooks" or decision trees.
Agentic SOC: A security operations center where human security engineers and analysts work alongside AI agents, with agents handling repetitive tasks like initial alert investigation while humans focus on complex missions and strategic oversight.
Alert Investigation Orchestration: The complex process of coordinating multiple large language model invocations (often 100+ per alert) to autonomously investigate security alerts, requiring sophisticated reasoning and dynamic planning capabilities beyond traditional SOAR playbook automation.
AI Agent Maturity Levels: A four-stage progression from treating AI as independent contractors (specific tasks) to interns (full projects with review) to senior contributors (trusted autonomous work) to genius-level team members (pattern analysis beyond human capability).
This week's issue is sponsored by Vanta.
Vanta’s Trust Maturity Report benchmarks security programs across 11,000+ companies using anonymized platform data. Grounded in the NIST Cybersecurity Framework, it maps organizations into four maturity tiers: Partial, Risk-Informed, Repeatable, and Adaptive.
The report highlights key trends:
Only 43% of Partial-tier orgs conduct risk assessments (vs. 100% at higher tiers)
92% of Repeatable orgs monitor threats continuously
71% of Adaptive orgs leverage AI in their security stack
💡Our Insights from this Practitioner 🔍
The concept of an "Agentic SOC," where human security engineers and analysts work side-by-side with AI agents, is rapidly gaining traction. Edward Wu, a pioneer in this space and founder of Dropzone AI, emphasizes that while a "fully autonomous SOC" that entirely replaces human teams is not yet practical, AI agents are proving to be powerful "foot soldiers" for security teams.
1 - The Reality Gap: What Actually Works vs. Marketing Hype
Edward's perspective on AI in security operations cuts through the industry marketing noise with practical insights from enterprise deployments. "From what we have seen in the field, it is still technically impossible to have a fully autonomous SOC," Edward explains, contrasting sharply with vendor claims of complete automation.
Edward doesn’t sugarcoat the complexity of real-world alert investigation: “It takes 100+ LLM calls to investigate one alert properly.”
This level of orchestration explains why enterprise teams attempting DIY AI implementations often struggle to achieve production-ready results.
SOC teams can’t shortcut this with simple workflows or prompt chaining. They start with humans in the loop; over time, with strong transparency and consistent accuracy, the AI earns trust and is allowed to close benign alerts automatically.
2 - Force Multiplication Over Replacement
Edward clarifies that the primary value of AI in the SOC is force multiplication. "If one thing we consistently ask every single security leader we've run into is, what would you do with 10 or 20 additional security engineers? And I think every single one of them has a lot of different projects in mind," he states. AI agents tackle the manual, repetitive tasks, freeing up human analysts for more complex, intellectually rewarding projects.
The conversation also revealed a crucial distinction between AI replacing humans versus augmenting their capabilities. Edward uses a military analogy: "Think of AI agents as your foot soldiers, and then your human engineers and analysts working as generals directing the foot soldiers, as well as special forces, tackling complex missions foot soldiers are not well equipped for."
This approach addresses a critical enterprise need. The cybersecurity skills shortage makes AI augmentation a win-win scenario rather than a replacement threat.
3 - Measurable Impact on Critical Metrics: Drastic Reduction in MTTR and Alert Fatigue
One of the most immediate and impactful benefits of agentic AI is the significant reduction in Mean Time to Resolution (MTTR). "With AI agents, what we have seen is that the MTTR time generally can be immediately reduced to within minutes," says Edward.
This is because software can investigate "all 10 alerts in parallel", unlike human teams constrained by lunch breaks or meetings.
This sub-10-minute MTTR is something human-only teams simply cannot achieve, and it's "huge for larger organizations where every minute of the attacker running free within the environment makes potential damages exponentially larger".
Enterprise implementations are delivering quantifiable results that matter to security leaders. Edward reports that "with AI agents, what we have seen is the MTTR time generally can be immediately reduced to within minutes, and that is something that a security team simply cannot achieve purely with humans."
The efficiency gains extend beyond speed to coverage. Organizations can now investigate alerts they previously ignored due to capacity constraints. "Security teams can really operate as if they have double, triple, 10x the capacity," enabling comprehensive alert review that increases the probability of catching attackers.
4 - Overcoming SOAR Limitations with Dynamic Planning
Traditional SOAR technologies, while helpful, often rely on rigid "if/else" decision trees or "playbooks". According to Edward, however, alert investigation "actually requires a lot of improvisation as well as dynamic planning". This is where AI agents, powered by large language models, excel: "They can look at an alert and tailor an investigation that's specific to the situations of that particular alert."
Edward's insights reveal why enterprise SOC AI implementations are more complex than vendor demos suggest. "Generating the correct SPL search queries is actually very difficult because you not only need to master the search query syntax, you also actually need to understand what are the schema of the data so you can know which fields to filter on when you are looking for logs associated with a specific user."
This complexity multiplies across enterprise tool stacks, where SOAR is not just one thing working well.
Organizations need AI agents that understand Splunk, CrowdStrike, AWS, Azure, and dozens of other security tools, each with specialized query languages and data schemas.
The integration challenge explains why sophisticated vendors like Dropzone AI invest heavily in pre-built integrations rather than expecting customers to DIY their implementations.
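The schema problem Edward describes, as an added example that is not code from Dropzone AI or from this newsletter: a pre-execution check that rejects a model-drafted search whose fields do not exist for the target data source, plus a builder that picks the correct user field per source. The sourcetype names, field names, `DRAFT` query and account ID are constructed for illustration.

```python
import re

# Constructed schemas (assumption): which field holds "the user" differs per
# data source, which is why a query drafted without schema knowledge fails.
SCHEMAS = {
    "okta:auth":      {"user": "actor_email",
                       "fields": {"actor_email", "src_ip", "outcome"}},
    "aws:cloudtrail": {"user": "userIdentity.arn",
                       "fields": {"userIdentity.arn", "eventName", "sourceIPAddress"}},
    "edr:process":    {"user": "user_name",
                       "fields": {"user_name", "host", "process_path"}},
}
META = {"index", "sourcetype", "earliest", "latest"}  # search keys, not event fields

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_COMPARE = re.compile(r'([A-Za-z_][\w.]*)\s*(?:!=|<=|>=|=|<|>)')
_BY = re.compile(r'\bby\s+([\w.,\s]+)', re.I)
_SAFE_VALUE = re.compile(r'[\w.@:/+-]+')


def sourcetype_of(spl):
    """Return the sourcetype the query targets, or fail closed."""
    m = re.search(r'\bsourcetype\s*=\s*"?([\w:.-]+)"?', spl)
    if not m or m.group(1) not in SCHEMAS:
        raise ValueError("query does not name a known sourcetype")
    return m.group(1)


def referenced_fields(spl):
    """Fields filtered on in the base search or grouped by in later stages."""
    stages = _QUOTED.sub('""', spl).split("|")  # blank out quoted values first
    used = {f for f in _COMPARE.findall(stages[0]) if f not in META}
    for stage in stages[1:]:
        for clause in _BY.findall(stage):
            used.update(f for f in re.split(r'[,\s]+', clause.strip()) if f)
    return used


def unknown_fields(spl):
    """Fields the query uses that do not exist for its sourcetype."""
    return sorted(referenced_fields(spl) - SCHEMAS[sourcetype_of(spl)]["fields"])


def user_search(sourcetype, user):
    """Build the per-user base search with the field this source really uses."""
    if not _SAFE_VALUE.fullmatch(user):
        # Allowlist instead of escaping: alert data is attacker-influenced.
        raise ValueError("user value contains characters outside the allowlist")
    return f'search sourcetype="{sourcetype}" {SCHEMAS[sourcetype]["user"]}="{user}"'


# Constructed draft, as a model unaware of the schema might write it.
DRAFT = ('sourcetype="aws:cloudtrail" user="alice" eventName=ConsoleLogin '
         '| stats count by src_ip')

if __name__ == "__main__":
    print("unknown fields in draft:", unknown_fields(DRAFT))
    print(user_search("aws:cloudtrail", "arn:aws:iam::111122223333:user/alice"))
```

A filter on a field that does not exist returns no events rather than an error, so without a check like this an agent can misread a malformed query as "no activity for this user".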
5 - Building Trust Through Transparency and Maturity with AI Agents
The path to AI adoption in security operations mirrors traditional team onboarding. Edward describes a maturity progression where "trust is not a binary thing, it's a spectrum." Organizations start with limited AI authorization (investigating alerts and generating reports), then gradually expand scope as confidence builds.
Transparency becomes table stakes for enterprise adoption. "At this stage, transparency is not a nice to have, it is a table stake in order for the technology to show its work and be trusted by the security teams." This includes providing full evidence chains and reasoning that led to specific determinations.
Edward outlines a four-level maturity model for adopting AI in the SOC, akin to integrating a new team member:
Independent Contractor: Using chatbots for specific, simple tasks like summarizing scripts or writing reports.
Intern: AI agents investigate alerts, but humans review every finding and conclusion. This is where security teams "start to build trust with the AI SOC analysts".
Senior Individual Contributor: As confidence grows, the AI agent's analytical output is trusted enough to require less human review, with humans coaching it on specific tasks.
Genius Level Intelligence: Leveraging AI for tasks "beyond a typical human intelligence or interest," such as finding patterns in thousands of noisy security alerts, which GenAI "doesn't mind and oftentimes they're tremendous at identifying patterns and connecting dots".
This progressive approach emphasizes that "trust is not a binary thing, it's a spectrum". As trust builds, the "scope of authorization will continue to expand", potentially allowing AI agents to perform automated containment actions like locking user accounts or quarantining endpoints.
6 - Addressing Data Privacy and Training Concerns
Enterprise security teams rightfully question how AI vendors handle sensitive data for model improvement. Edward's approach at Dropzone AI illustrates industry best practices: "We use a single tenant architecture. So our customer's sensitive data are all segmented in dedicated compute, network and storage components."
The federated learning approach he describes mirrors medical diagnosis improvement: "We are gathering de-identified telemetries of different types of alerts, different types of determinations our system has seen in the field and feeding those back into our product. But there is no PII involved."
7 - The Evolution of SOC Roles
Rather than eliminating positions, AI implementation transforms job functions.
Edward predicts that while the "level one SOC analyst" job role may eventually be substituted by software, the individuals currently in these roles will be "upleveled to level two or level three analysts, or they will be transitioned to other parts of security".
The comparison to historical technology transitions resonates: just as typewriter operators evolved to computer users, SOC analysts will focus on more strategic, intellectually rewarding work while AI handles repetitive investigations.
The demand for cybersecurity talent remains high, and AI augmentation will free up humans for "more exciting, more intellectually rewarding" projects beyond repetitive tasks like phishing email analysis.
🔗 Try it yourself: Take Dropzone AI’s Self-Guided Demo to see how agentic alert triage actually works.
CISA Scattered Spider Advisory - Detailed TTPs and mitigation strategies for evolving ransomware group tactics
Microsoft SharePoint Security Guidance - Official guidance for CVE-2025-53770 remediation
Dropzone AI Test Drive (Self Guided Demo) - Ungated product demonstration of AI agent SOC investigation capabilities
OWASP AI Security Guide - Framework for securing AI implementations in enterprise environments
Question for you? (Reply to this email)
Should companies build AI SOC capabilities internally or partner with specialized vendors?
Next week, we'll explore another critical aspect of cloud security. Stay tuned!
We would love to hear from you 📢 if you have a feature or topic request, or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members in this newsletter community 💙
Peace!