Hybrid cloud threat detection: a defender's guide to the on-prem to cloud bridge

Key insights

  • Hybrid cloud threat detection focuses on attacker activity that crosses the on-prem to cloud bridge — where identity, network, and workload signals meet.
  • Most cloud intrusions exploit identity controls and hybrid integration, not zero-days. Defenders should prioritize the identity bridge over patch panic.
  • Storm-0501 and ShinyHunters demonstrate two hybrid attack archetypes: identity-sync compromise (Entra Connect Sync) and identity-token theft (OAuth from a SaaS integrator).
  • Hybrid coverage typically requires multiple detection categories — NDR for east-west and the on-prem to cloud bridge, ITDR for the identity layer, and CDR for cloud workloads — not a single product.
  • A small SOC team can ship hybrid detection in seven steps: inventory the bridge, add east-west sensors, tune identity correlations, map to MITRE ATT&CK, write three high-fidelity rules, build a unified timeline, and validate with purple-team exercises.

Most cloud intrusions in 2025 did not start with an exotic exploit. They started where on-premises identity meets cloud identity. Industry threat-intelligence research published in early 2026 found that the majority of cloud compromises stemmed from weaknesses in identity controls, workload configuration, and hybrid-cloud integration — not zero-days (Dark Reading). That single finding rewrites the hybrid defender's priorities. The work is not patching faster than attackers can weaponize CVEs. The work is watching the bridge between your on-prem Active Directory and your cloud tenant, because that is the surface attackers actually pivot through.

This guide explains what hybrid cloud threat detection is, how it works at the level of east-west traffic, identity events, and workload telemetry, and which specific MITRE ATT&CK techniques small SOC teams should be ready to detect today. It maps the canonical hybrid attack patterns — Storm-0501's evolution to cloud-based ransomware, ShinyHunters' OAuth-token identity bridges into Snowflake — to telemetry sources you can actually collect. It compares NDR, CDR, CNAPP, ITDR, and XDR for hybrid coverage so you can rationalize five overlapping acronyms into a defensible buying decision. And it crosswalks the result to NIS2, DORA, and NIST CSF 2.0.

What is hybrid cloud threat detection?

Hybrid cloud threat detection is the practice of identifying and investigating attacker activity that spans on-premises infrastructure and one or more public cloud environments, with particular focus on the identity, network, and workload signals that cross the on-prem to cloud bridge. It treats the bridge — not the perimeter — as the primary attack surface.

The reframing matters because the data has shifted. According to Ponemon Institute's Cost of a Data Breach study (2025), breaches involving multiple environments — the hybrid configuration — averaged $5.05M, the highest of any environment category and roughly 25% above on-premises-only breaches (coverage on Dark Reading). And in a 2025 hybrid cloud security survey of 1,021 security and IT leaders, 55% of respondents said their organizations had experienced a breach in the past year, up significantly year-over-year. Attackers are not finding hybrid environments hard. Defenders are.

Why hybrid is uniquely hard comes down to signal silos. On-prem teams run a SIEM that ingests Active Directory and firewall logs. Cloud teams collect cloud-native audit logs in a separate console. Identity teams watch Entra ID sign-ins. Network teams watch east-west traffic — when they can see it. None of those tools, on their own, sees the full timeline of a hybrid attack. Hybrid cloud threat detection is the discipline of stitching them together.

This is distinct from cloud-only detection (CDR), which scopes itself to cloud workloads and the cloud control plane, and from traditional on-prem-only detection, which stops at the perimeter. It complements the broader hybrid cloud security and cloud security disciplines, but its specific job is the detect function across the bridge.

How hybrid cloud threat detection works

At a process level, hybrid cloud threat detection follows eight repeatable steps:

  1. Collect telemetry from on-prem network, cloud flow logs, and identity systems.
  2. Establish behavioral baselines per device, identity, and workload.
  3. Correlate east-west traffic with identity events across environments.
  4. Detect anomalies that bridge on-prem and cloud (e.g., Entra Connect Sync compromise).
  5. Map detections to MITRE ATT&CK Cloud Matrix techniques.
  6. Investigate using a stitched timeline across on-prem and cloud.
  7. Respond by containing identity, network, or workload simultaneously.
  8. Continuously refine baselines from analyst feedback.

Three signal sources do most of the work: east-west network traffic, identity events that cross the Entra ID and on-prem AD bridge, and workload telemetry across both sides. The technical mechanics live underneath each one.

East-west traffic visibility across on-prem and cloud

North-south traffic crosses a network perimeter. East-west traffic moves laterally between systems — server to server, VM to VM, container to container. Perimeter tools see north-south. They are blind to east-west by design. That blindness is where attackers hide lateral movement.

Closing the gap means placing sensors where east-west actually flows. On-prem, that is TAPs and SPAN ports at network aggregation points. In cloud, that is VPC traffic mirroring on AWS, virtual TAPs on Azure, and packet mirroring on GCP. The output is network metadata — connection records, protocol headers, JA3/JA4 fingerprints — not full packet captures. Metadata is cheap to retain and rich enough for behavioral analysis.

Encryption is the next obstacle. Industry-cited figures put encrypted enterprise traffic at over 80%, and the trend is one-way. Decrypting east-west at scale is a non-starter for most teams — too expensive, too risky, often too noisy. The modern approach treats encrypted traffic as a feature set rather than an obstacle. JA3 and the newer JA4 family fingerprint TLS clients from handshake parameters. Encrypted Traffic Analytics (ETA) layers behavioral metadata — packet sizes, timing, sequence patterns — on top. Together, they let defenders identify, for example, Cobalt Strike beaconing by its consistent TLS fingerprint and beacon cadence, without ever terminating the TLS session. In the same 2025 hybrid cloud security survey of 1,021 security and IT leaders, 89% of respondents called deep observability — combining logs, metrics, and packet metadata — fundamental to their security strategy.

Identity-aware detection across the Entra ID and on-prem AD bridge

Hybrid identity is a sliding glass door. From the inside, it looks like one room — users sign in once, claims flow through, resources unlock on either side. From the attacker's side, that single door is the most valuable surface in the environment. Compromise the door, and you control both rooms.

The architectural variants matter because each one creates different detection signals. Password Hash Sync (PHS) replicates password hashes from on-prem AD into Entra ID. Pass-Through Authentication (PTA) keeps verification on-prem and uses a lightweight agent in the cloud. AD FS federation hands authentication to an on-prem Federation Service. The common thread across all three is a server — Entra Connect (formerly Azure AD Connect) — that holds the keys.

That server is the canonical hybrid attack target. The high-fidelity detection signals defenders should build around it include Global Admin sign-ins originating from a hybrid-joined server, Directory Synchronization Account (DSA) credential extraction events outside scheduled sync windows, and the insertion of a malicious federated domain into the tenant. Behavioral analytics on identity logs surfaces these patterns reliably; raw log review rarely does.

Workload telemetry correlation

The third signal source is workload. On-prem, that means hypervisor and process telemetry from EDR. In cloud, it means runtime sensors and audit logs from the cloud provider. The point of collecting both is correlation — a weak signal in identity logs becomes a high-fidelity incident when paired with a matching network signal and a matching workload event in the same time window.

Hybrid cloud threats and MITRE ATT&CK mapping

Two named threat actors anchor the modern hybrid threat narrative — Storm-0501 and ShinyHunters. Both pivoted through the identity bridge. Both are now patterns, not one-offs.

Storm-0501 is the canonical hybrid kill chain. As documented by MSTIC and reported in BleepingComputer and Dark Reading, the actor traverses Active Directory, moves laterally with Evil-WinRM (PowerShell-over-WinRM post-exploitation), compromises an Entra Connect Sync server, extracts the Directory Synchronization Account credentials, signs into the cloud as Global Admin from a hybrid-joined server, then pivots to cloud-native ransomware. The 2025 evolution added cloud-native data exfiltration from Azure Storage, deletion of Recovery Services vaults, and re-encryption of cloud data with attacker-controlled Key Vault keys — ransomware without traditional malware. Additional reporting on the underlying credential hygiene problem appears in Dark Reading's coverage of sloppy Entra ID credentials in hybrid cloud ransomware.

ShinyHunters — collaborating with Scattered Spider / The Com on social engineering — used a different bridge. Rather than compromise an identity sync server, the actor compromised SaaS integrators (Anodot in April 2026; Vercel and Context AI in April 2026) to harvest long-lived OAuth tokens, then used those tokens as identity bridges into downstream tenants (The Hacker News — ShinyHunters tag; Vercel / Context AI breach coverage; ShinyHunters / Scattered Spider collaboration). MFA on the downstream tenant did not help, because the attacker authenticated with a valid OAuth grant the user had already approved.

A third pattern showed up at the protocol level. CVE-2025-53786 (CVSS 8.0) allowed post-authentication privilege escalation from on-prem Exchange admin to Exchange Online via shared service principal abuse. CISA published an alert and issued Emergency Directive 25-02 mandating mitigation by 2025-08-11. The hybrid integration layer itself is now an active vulnerability target.

Mandiant M-Trends 2026 puts numbers on the trend: 32% of 2025 intrusions began with exploits, the median dwell time is 14 days, and the mean time to exploit is now -7 days — meaning exploitation often precedes patch release. That shifts the burden onto detection.

MITRE ATT&CK Cloud Matrix techniques to monitor

The table below maps the techniques most relevant to hybrid detection — from technique ID to the telemetry source where the signal actually lives, and to a sample detection rule a small team can write this quarter. Mapping detections to ATT&CK is the throughline that makes the rest of the program defensible across audits and reviews; the cyber kill chain gives you the narrative arc, ATT&CK gives you the identifiers.

| Technique ID | Technique | Hybrid trigger | Telemetry source | Sample detection logic |
|---|---|---|---|---|
| T1556.007 | Modify Authentication Process: Hybrid Identity | Entra Connect / AAD Connect server compromise | Entra ID sign-in logs, on-prem AD security events | Alert on DSA credential read events outside scheduled sync windows |
| T1078.004 | Valid Accounts: Cloud Accounts | Stolen OAuth token used from new geography or non-customer IP | Entra ID sign-in logs; cloud audit logs | Impossible-travel + new-IP combination on cloud-app access |
| T1021.006 | Remote Services: WinRM (Storm-0501 lateral movement) | Evil-WinRM use across AD-joined hosts | EDR + on-prem network metadata | WinRM session from non-admin workstation to multiple hosts |
| T1550 | Use Alternate Authentication Material | Token replay across on-prem and cloud | Identity logs (both sides) | Same token observed from disjoint network segments |
| T1098.005 | Account Manipulation: Device Registration | Attacker registers new device in Entra ID | Entra ID audit logs | Device registration immediately followed by sensitive resource access |

The full MITRE ATT&CK Cloud Matrix is the canonical source — start here, expand as coverage matures.

Detection categories: NDR vs CDR vs CNAPP vs ITDR vs XDR

Five overlapping acronyms cover hybrid detection from different angles. A CIO/CISO with under five security FTEs cannot rationalize all five into a procurement plan without a single decision matrix. The matrix below is that.

| Category | Detection layer | Primary signal source | Hybrid coverage gap addressed | Best fit for |
|---|---|---|---|---|
| NDR (network detection and response) | Network | East-west and north-south traffic metadata | Lateral movement, encrypted east-west, on-prem to cloud bridge traffic | Hybrid environments with strong network depth |
| CDR (cloud detection and response) | Cloud workloads + control plane | Cloud audit logs, runtime sensors | Cloud-native attacks, control-plane abuse | Cloud-heavy estates |
| CNAPP (cloud-native application protection platform) | Posture + workload | Cloud configuration + workload scanners | Misconfiguration, vulnerable workloads | Pre-runtime posture |
| ITDR (identity threat detection and response) | Identity | Entra ID, on-prem AD, federation events | Identity-bridge attacks, token theft | Identity-led threat models |
| XDR (extended detection and response) | Aggregation across signals | Endpoint + network + cloud + identity feeds | Cross-domain correlation | Teams unifying multiple feeds |

The unsettled debate is between CNAPP and CDR. CNAPP-platform vendors argue their platform now includes runtime CDR. Standalone CDR vendors argue CNAPP is fundamentally preventative — posture and configuration — and that runtime detection is a different muscle. The practical answer is that most enterprises need both functions; whether they buy them as one product or two is a buying-cycle question, not a capability question.

For a hybrid environment specifically, the minimum viable coverage is usually two of the five: NDR (for the bridge and east-west) plus ITDR (for identity-led attacks). CDR enters when cloud workloads dominate the estate. XDR enters when the team is already running multiple feeds and needs aggregation. The classic SOC triad — network, endpoint, log — is a useful baseline; for hybrid, identity needs to be the fourth leg. In the same 2025 hybrid cloud security survey, 70% of respondents named public cloud as the greatest risk in their environment, which is consistent with that prioritization.

This is also why the broader category of hybrid threat detection is rarely solved by a single product — it is solved by a small set of well-integrated ones.

Hybrid cloud threat detection in practice

Two real-world incidents teach the pattern more clearly than any abstract framework.

What the Snowflake / Anodot identity-bridge campaigns taught defenders

In 2024, ShinyHunters-affiliated actors used credentials harvested from historical infostealer infections — some dating back to 2020 — to access roughly 165 organizations including AT&T, Ticketmaster/Live Nation, Santander, LendingTree, Advance Auto Parts, and Neiman Marcus. The Cloud Security Alliance's retrospective put the diagnostic numbers on the table: more than 80% of compromised accounts had prior credential exposure, and impacted accounts lacked multi-factor authentication. The credential theft was old. The detection gap was that nobody was watching for old-credential reuse against new geographies and new devices.

The 2026 evolution sharpened the pattern. Attackers compromised the SaaS integrator Anodot, harvested OAuth tokens, and used those tokens as long-lived identity bridges into downstream tenants — including Snowflake — without exploiting Snowflake itself. The Vercel/Context AI breach in April 2026 followed the same template. This is a supply chain attack executed at the identity layer, and the defender takeaway is concrete: hybrid detection must include OAuth grants to integrator service principals, followed by anomalous source-IP usage, followed by non-interactive authentication from new devices. Without those three signals stitched together, account takeover via OAuth bridge is invisible.

What Storm-0501 taught defenders

Storm-0501's kill chain reads, end to end: initial AD foothold, Evil-WinRM lateral movement, DSA credential extraction from Entra Connect Sync, Global Admin sign-in from a hybrid-joined Windows server, Recovery Services vault deletion, and cloud-side re-encryption via an attacker-controlled Key Vault. Each stage is a detection opportunity. The single highest-fidelity signal most defenders missed: a Global Admin sign-in originating from a hybrid-joined Windows server is unusual and should fire a high-severity alert. Microsoft has since restricted Directory Synchronization Account permissions in Entra Connect Sync and Cloud Sync — a defensive change defenders can rely on, but not the only one they should make.

Implementing hybrid cloud threat detection

For a small SOC team — under five FTEs, hybrid environment, regulated industry — a workable rollout is seven steps:

  1. Inventory the bridge. Document hybrid identity architecture (PHS, PTA, AD FS), Entra Connect / Entra Connect Sync servers, federated domains, hybrid Exchange tenancy, and SaaS integrators with long-lived OAuth grants. You cannot detect what you have not mapped.
  2. Close the east-west visibility gap. Add NDR sensors at on-prem aggregation points and cloud VPC mirrors. Capture metadata, not full packets, to keep storage and processing costs manageable.
  3. Stand up identity-aware detections. Tune correlations between Entra ID and on-prem AD signals. Enable phishing-resistant MFA per CISA SCuBA Hybrid Identity Solutions Guidance. Treat the identity layer as its own monitoring domain, not a SIEM afterthought.
  4. Align detections to the MITRE ATT&CK Cloud Matrix. Start with the five techniques in the table above (T1556.007, T1078.004, T1021.006, T1550, T1098.005). Expand outward as coverage matures.
  5. Write three high-fidelity detection rules first. Global Admin sign-in from a hybrid-joined server. DSA credential read outside scheduled sync windows. OAuth grant to an integrator service principal followed by unfamiliar source-IP activity. These three alone cover the dominant 2024-2026 hybrid attack patterns.
  6. Build a unified investigation timeline. Whether the stitching layer is a SIEM or an NDR platform, the analyst needs identity events, network metadata, and cloud audit logs in one view. Cross-domain correlation is the difference between an incident response workflow that resolves in hours and one that drags for days.
  7. Test and validate. Run purple-team exercises against the identity bridge. Measure mean time to detect and mean time to respond. Roll the lessons back into SOC operations and the threat hunting playbook.
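
The three rules from step 5, written out as runnable detection logic over a handful of constructed events. This is an added example, not Vectra AI code or any product's rule syntax; the flat event schema, the 30-minute sync cycle with a 3-minute tolerance, the integrator IP allow-list and the 24-hour correlation window are all assumptions a team would replace with its own SIEM fields and values.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The flat schema is an assumption
# standing in for Entra ID sign-in/audit records and on-prem AD security events.
EVENTS = [
    {"ts": "2026-04-01T09:02:00", "src": "entra_signin", "user": "admin@corp.example",
     "roles": ["Global Administrator"], "device_join": "HybridAzureADJoined",
     "device_os": "Windows Server 2022", "ip": "10.20.0.15"},
    {"ts": "2026-04-01T09:11:00", "src": "ad_security", "host": "ENTRACONNECT01",
     "action": "dsa_credential_read", "account": "jdoe"},
    {"ts": "2026-04-01T09:30:00", "src": "ad_security", "host": "ENTRACONNECT01",
     "action": "dsa_credential_read", "account": "NT SERVICE\\ADSync"},
    {"ts": "2026-04-01T10:00:00", "src": "entra_audit", "action": "oauth_consent",
     "sp": "integrator-analytics", "user": "alice@corp.example"},
    {"ts": "2026-04-01T13:45:00", "src": "entra_signin", "sp": "integrator-analytics",
     "ip": "203.0.113.77", "interactive": False},
]
KNOWN_INTEGRATOR_IPS = {"198.51.100.10"}     # assumed allow-list for the integrator
SYNC_PERIOD_MIN, SYNC_TOLERANCE_MIN = 30, 3   # assumed sync cycle and tolerance

def parse_ts(s):
    return datetime.fromisoformat(s)

def rule_global_admin_hybrid_server(events):
    """Rule 1: Global Admin sign-in from a hybrid-joined device running a server OS."""
    return [e for e in events if e["src"] == "entra_signin"
            and "Global Administrator" in e.get("roles", [])
            and e.get("device_join") == "HybridAzureADJoined"
            and "Server" in e.get("device_os", "")]

def in_sync_window(ts):
    """True if ts lies within the tolerance of a scheduled sync boundary."""
    offset = ts.minute % SYNC_PERIOD_MIN
    return min(offset, SYNC_PERIOD_MIN - offset) <= SYNC_TOLERANCE_MIN

def rule_dsa_read_outside_sync(events):
    """Rule 2: DSA credential read on the sync server outside scheduled windows."""
    return [e for e in events if e["src"] == "ad_security"
            and e.get("action") == "dsa_credential_read"
            and not in_sync_window(parse_ts(e["ts"]))]

def rule_oauth_grant_then_new_ip(events, window_hours=24):
    """Rule 3: OAuth consent to a service principal followed, within the window,
    by a sign-in of that principal from an IP not on its allow-list."""
    hits = []
    for c in (e for e in events if e.get("action") == "oauth_consent"):
        for e in events:
            if (e["src"] == "entra_signin" and e.get("sp") == c["sp"]
                    and e.get("ip") not in KNOWN_INTEGRATOR_IPS
                    and timedelta(0) < parse_ts(e["ts"]) - parse_ts(c["ts"])
                    <= timedelta(hours=window_hours)):
                hits.append({"consent": c, "use": e})
    return hits

def run_all(events):
    return {"global_admin_hybrid_server": rule_global_admin_hybrid_server(events),
            "dsa_read_outside_sync": rule_dsa_read_outside_sync(events),
            "oauth_grant_then_new_ip": rule_oauth_grant_then_new_ip(events)}

if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

On the sample, the legitimate ADSync read at 09:30 stays quiet while the off-cycle read, the server-originated Global Admin sign-in and the post-consent use from an unknown IP each produce one hit.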

The 55% breach rate from the same 2025 hybrid cloud security survey of 1,021 security and IT leaders is worth keeping in front of executive sponsors — the baseline likelihood of a breach is now high enough that detection investment is, by any honest reading, a controllable cost. Ponemon Institute's Cost of a Data Breach study (2025) puts the average multi-environment breach at $5.05M. Detection spend is small compared to that ledger.

Hybrid cloud threat detection and compliance

Detection capability maps cleanly onto regulatory obligation. The crosswalk below covers the four frameworks that regulated industries (financial services, healthcare, manufacturing) most often face. This is the mapping, not compliance advice.

| Framework | Requirement | Hybrid detection capability that maps |
|---|---|---|
| NIST CSF 2.0 | DE.AE Adverse Event Analysis; DE.CM Continuous Monitoring | Cross-domain telemetry correlation; east-west and identity continuous monitoring |
| EU NIS2 (Article 21) | Incident handling and detection capabilities for essential and important entities | Detection coverage across identity, network, workload; documented response runbooks |
| EU DORA (Article 10) | Detection of anomalous activities; 4-hour early-warning reporting under active enforcement since 2026-01-17 | Real-time hybrid detections with automated incident packaging |
| CISA SCuBA HISG | Phishing-resistant MFA, conditional access, modern federation | Detections that validate MFA enforcement and flag federation anomalies |

Geographic specifics matter. EU financial entities under DORA face a 4-hour incident-reporting clock from the moment an event qualifies as a major ICT-related incident. In Germany, the NIS2 BSI registration deadline of 2026-03-06 saw approximately 33% compliance, suggesting many essential and important entities are still building toward documented detection capabilities. The security frameworks themselves do not prescribe vendors — they prescribe outcomes a defensible detection program can demonstrate.

Modern approaches to hybrid cloud threat detection

The category is evolving on three fronts.

AI-driven cross-domain correlation is consolidating the analyst workflow. Rather than three handoffs between identity, network, and cloud teams, modern detection platforms stitch the three signal domains into a single attack graph and surface a prioritized incident with the on-prem and cloud halves already linked. The methodology is what matters more than the marketing label — AI threat detection is a means to faster, cleaner attacker behavior analysis, not an end in itself.

Encrypted east-west analysis without decryption is now table stakes. JA3/JA4 fingerprinting and Encrypted Traffic Analytics treat encrypted traffic as a feature set to model rather than an obstacle to remove. The defensive math is simpler than it sounds: malware beacons rarely vary their TLS fingerprint, and behavioral metadata (packet sizes, flow timing) is a stable signature even when payloads are unreadable.

Active resilience is the third front. Mandiant M-Trends 2026 highlights the "Recovery Denial" tactic — attackers explicitly target backup infrastructure to deny recovery and force ransom payment (Mandiant M-Trends 2026). Google Cloud's Threat Horizons reporting for H1 2026 notes 48-hour mass exploitation timelines on managed Kubernetes. The defensive consequence is that immutable backups, cloud-native key-vault hardening, and runbooks that assume attackers have already deleted recovery points are no longer optional.

How Vectra AI thinks about hybrid cloud threat detection

Vectra AI's Attack Signal Intelligence treats the modern network — on-prem, cloud, identity, SaaS, and IoT/OT — as one unified attack surface. The methodology is simple to state: assume compromise; prioritize signal over noise; surface the few behaviors that matter when an attacker bridges the on-prem to cloud gap. The work is in the math and the labels behind the scenes, but for the analyst it shows up as a clear, prioritized incident with the on-prem and cloud halves already stitched together — exactly the timeline a Storm-0501 or ShinyHunters investigation requires.

Conclusion

Hybrid cloud threat detection is no longer an optional sub-discipline of cloud security. The data points all run the same direction: hybrid breaches are now the most expensive category, the majority of cloud intrusions exploit identity controls rather than zero-days, and the canonical 2024-2026 attack patterns — Storm-0501's evolution to cloud-based ransomware, ShinyHunters' OAuth-token bridges into Snowflake — both pivot through the on-prem to cloud bridge.

The good news is that the defender's playbook is concrete. Inventory the bridge. Add east-west sensors at on-prem aggregation points and cloud VPC mirrors. Tune identity correlations across Entra ID and on-prem AD. Map detections to the MITRE ATT&CK Cloud Matrix techniques that adversaries actually use against hybrid environments. Write three high-fidelity rules — Global Admin sign-in from a hybrid-joined server, DSA credential read outside sync windows, OAuth grant followed by unfamiliar source-IP activity — and stitch the resulting incidents into a unified timeline. None of this requires a sprawling team or an unbounded budget. It requires the discipline to treat the bridge as the attack surface it has become.

For deeper architecture context, the hybrid cloud security cluster is the next read, and the network detection and response, identity threat detection and response, and MITRE ATT&CK topic pages provide the underpinning concepts each of the seven implementation steps draws on. The cyber resilience and zero trust frameworks tie these capabilities back to executive-level outcomes.

FAQs

What is hybrid cloud threat detection?

How is hybrid cloud threat detection different from cloud-only detection?

What is the average cost of a hybrid (multi-environment) cloud breach?

What is the role of SIEM in hybrid cloud detection?

How does deep observability help hybrid cloud security?