Until recently, Next Generation Firewalls were the hallmark of our cyber defences. Not so since March 18, 2026, when Cisco joined other firewall vendors in announcing, "There are no workarounds that address this vulnerability," referring to CVE-2026-20131, a vulnerability rated CVSS 10.0 in its Secure Firewall Management Center (FMC).
Earlier, on January 31, 2026, Google Threat Intelligence Group (GTIG) had already reported that it was tracking multiple threat clusters (UNC6661, UNC6671, and UNC6240) separately, to build a more granular understanding of evolving partnerships and to account for potential impersonation, and that it had observed a significant increase in activity using tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations.
According to the report, after gaining initial access the attackers moved laterally through the victims' environments, targeting cloud-based software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands.
The most important observation is that these compromises did not stem from security vulnerabilities in the vendors' products or infrastructure. The damage came from what the attackers could reach once a single account had been compromised: the lateral movement.
Prevention-first cybersecurity has failed as a primary strategy. The IBM Cost of a Data Breach Report 2024 put the global average breach cost at $4.88 million, a record high, with healthcare breaches averaging $9.77 million. Lateral movement now features in over 70% of successful breaches, and CrowdStrike's 2026 Global Threat Report shows AI accelerating attacks, with average breakout time (the interval between initial access and the first lateral move) down to 29 minutes and the fastest observed case at 27 seconds. Attackers are moving faster, and artificial intelligence is helping them do it. The question for boards and CISOs is no longer "will we be breached?" but "how do we stay operational when we are?"
The answers lie in engineering microsegmentation for breach readiness: integrating it with next-generation firewalls, best-in-class EDR, and world-class OT security tools, under an architectural philosophy built on three principles. Anticipate attacks before they form; withstand them by containing the blast radius; and recover swiftly, without halting the business, while an unprecedented attack is still unfolding.
In at least one incident in which the threat actor gained access to an Okta customer account, UNC6661 enabled the ToggleBox Recall add-on for the victim's Google Workspace account, a tool designed to search for and permanently delete emails. The actor then deleted a "Security method enrolled" email from Okta, almost certainly to prevent the employee from noticing that a new MFA device had been associated with their account. A
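The cover-up described above still leaves two traces: Okta writes the factor activation to its System Log, and the mailbox platform records the deletion of the notification. The following Python is an added example, not code from the article or from GTIG, that correlates the two and raises severity when the enrolling IP address was never seen in the user's earlier logins. The Okta records use the System Log field names (eventType, published, actor.alternateId, client.ipAddress, outcome.result); the mailbox-audit records use a simplified shape that is an assumption made for this example rather than a vendor schema, and all log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). The Okta entries use the
# System Log field names (eventType, published, actor.alternateId,
# client.ipAddress, outcome.result). The mailbox-audit entries use a
# simplified shape that is an assumption for this example, not a vendor schema.
OKTA_LOG = [
    # jdoe's normal logins from the office address over the preceding days
    {"eventType": "user.session.start", "published": "2026-01-20T09:02:11.000Z",
     "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2026-01-21T08:58:40.000Z",
     "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}},
    # attacker session and factor enrollment from an address never seen for jdoe
    {"eventType": "user.session.start", "published": "2026-01-22T13:15:02.000Z",
     "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.77"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2026-01-22T13:17:45.000Z",
     "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.77"}, "outcome": {"result": "SUCCESS"}},
    # asmith enrolls a new factor legitimately from the usual address
    {"eventType": "user.session.start", "published": "2026-01-15T10:00:00.000Z",
     "actor": {"alternateId": "asmith@example.com"},
     "client": {"ipAddress": "203.0.113.55"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2026-01-22T10:03:12.000Z",
     "actor": {"alternateId": "asmith@example.com"},
     "client": {"ipAddress": "203.0.113.55"}, "outcome": {"result": "SUCCESS"}},
]

MAILBOX_LOG = [
    # the notification for jdoe is purged four minutes after enrollment
    {"mailbox": "jdoe@example.com", "action": "permanent_delete", "via": "ToggleBox Recall",
     "subject": "Security method enrolled", "time": "2026-01-22T13:21:09Z"},
    # asmith simply reads the notification
    {"mailbox": "asmith@example.com", "action": "read", "via": "gmail",
     "subject": "Security method enrolled", "time": "2026-01-22T10:05:00Z"},
]

NOTIFICATION_SUBJECT = "security method enrolled"


def ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def baseline_ips(okta_log, user, before):
    """Source IPs of the user's successful logins strictly before `before`."""
    return {
        e["client"]["ipAddress"]
        for e in okta_log
        if e["eventType"] == "user.session.start"
        and e["outcome"]["result"] == "SUCCESS"
        and e["actor"]["alternateId"] == user
        and ts(e["published"]) < before
    }


def find_mfa_coverups(okta_log, mailbox_log,
                      window=timedelta(minutes=60), baseline=timedelta(hours=24)):
    """Return one alert per successful factor activation whose notification
    email was permanently deleted within `window`. Severity is raised when the
    enrolling IP does not appear in logins older than `baseline`, so the
    attacker's own fresh session cannot vouch for itself."""
    alerts = []
    for e in okta_log:
        if e["eventType"] != "user.mfa.factor.activate" or e["outcome"]["result"] != "SUCCESS":
            continue
        user, enrolled_at = e["actor"]["alternateId"], ts(e["published"])
        ip = e["client"]["ipAddress"]
        deletions = [
            m for m in mailbox_log
            if m["mailbox"] == user
            and m["action"] == "permanent_delete"
            and NOTIFICATION_SUBJECT in m["subject"].lower()
            and enrolled_at <= ts(m["time"]) <= enrolled_at + window
        ]
        if not deletions:
            continue
        new_ip = ip not in baseline_ips(okta_log, user, enrolled_at - baseline)
        alerts.append({
            "user": user,
            "enrolled_at": e["published"],
            "enrolled_from": ip,
            "unseen_ip": new_ip,
            "deleted_at": deletions[0]["time"],
            "deleted_via": deletions[0]["via"],
            "severity": "high" if new_ip else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_coverups(OKTA_LOG, MAILBOX_LOG):
        print(alert)
```

On the constructed data this yields a single high-severity alert for jdoe@example.com; asmith's enrollment produces nothing because the notification was read, not purged. The baseline cutoff matters: without it, the attacker's own login minutes earlier would make the enrolling IP look familiar.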