EP268 Weaponizing the Administrative Fabric: Cloud Identity and SaaS Compromise in M Trends 2026

Guests:

• Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant, Google Cloud
• Scott Runnels, Mandiant Incident Response, Google Cloud

Topics:

• Do we need to rethink "Mean Time to Respond" entirely, or are we just in deep trouble?
• Why are threat groups collaborating so well, and are there actual lessons for defenders in their "business" model?
• What is the scalable advice for teams worried about voice phishing and GenAI cloning?
• What does "weaponizing the administrative fabric" actually mean in a world where identity is the perimeter?
• Why is identity/SaaS compromise "news" in 2026 when cloud security folks have been shouting about it for years? What actually changed?
• What's the latest in supply chain compromise, particularly regarding malicious open-source packages?
• How do we defend against malware that is "lazy" enough to use the victim's own AI tools for reconnaissance?
• What is the specific advice for Detection and Response (D&R) teams to handle "living off the land" (or "living off the cloud")?
• How do you fix the situation when IT and Security departments genuinely hate each other?
• Besides reading the report, what is the one book or piece of advice for a CISO to survive this year?

Resources:

• Video version
• M-Trends 2026 Report
• EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends
• EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation
• EP205 Cybersecurity Forecast 2025: Beyond the Hype and into the Reality
• EP147 Special: 2024 Security Forecast Report
• "The Evolution of Cooperation" book