Skyhawk Links AI Cloud Attacks to Real-World Hacker Tradecraft


SAN FRANCISCO, CA – March 24, 2026 – As cybersecurity professionals gather for the annual RSA Conference, Skyhawk Security today unveiled a significant enhancement to its cloud security platform, aiming to give beleaguered security teams a powerful new weapon: context. The company has launched “Threat Actor Context,” a feature that enriches its AI-driven attack simulations by mapping them directly to the tradecraft of known, active cyber-adversary groups.

The new capability connects the dots between a potential vulnerability in a company's cloud environment and the specific methods used by groups like Scattered Spider, the cybercriminals behind the high-profile attacks on MGM Resorts and Caesars Entertainment, and state-sponsored actors like APT29, also known as NOBELIUM.

“Security teams have plenty of data, telemetry and alerts. What they’re usually lacking is the context to transform that data into security insights and pinpoint why simulated attack scenarios matter to their business based on activity seen in the wild,” said Chen Burshan, CEO of Skyhawk Security, in the announcement. “We’re helping them view scenarios through the lens of known attacker behavior to better assess exposure and improve prioritization.”

Beyond the Noise: A Cure for Alert Fatigue

The launch addresses one of the most persistent and debilitating problems in modern cybersecurity: alert fatigue. Security Operations Centers (SOCs) are inundated with thousands of alerts daily, many of which are false positives or low-priority findings. The sheer volume makes it nearly impossible for human analysts to distinguish the critical threats from the background noise, leading to burnout and, critically, missed attacks.

Skyhawk's Threat Actor Context aims to cut through this noise by answering the crucial question of “so what?” for every identified vulnerability. Instead of presenting a generic CVE score, the platform now shows that a specific attack path in a company’s cloud infrastructure mirrors the techniques used by APT41 in its “Operation CuckooBees” campaign or the identity-driven intrusion patterns of Scattered Spider. This allows organizations to prioritize not just based on a vulnerability's technical severity, but on the likelihood of its exploitation by a relevant, real-world threat.

This shift from abstract risk scores to concrete adversary behavior is a game-changer for prioritization. The company claims its approach has helped customers achieve a dramatic reduction in noise. In one instance, a Fortune 100 client was able to filter over 500,000 vulnerability findings down to fewer than 300 truly weaponizable and actionable exposures—a 99% improvement in the signal-to-noise ratio. By focusing on the handful of vulnerabilities that known adversaries are actively exploiting, organizations can direct their limited resources far more effectively.
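To make the prioritization idea concrete, here is an added Python sketch (not Skyhawk's code; the actor profiles, findings and CVE placeholders are constructed, not real intelligence). It keeps only findings whose attack-path techniques overlap a tracked adversary's known TTPs, so a high-CVSS finding that no tracked actor uses drops out while a lower-scored identity finding on a path to crown jewels rises:

```python
"""Toy finding prioritizer: rank by overlap with tracked adversary tradecraft,
not by CVSS alone.  Constructed example; actor-to-technique mappings are
placeholders and must not be read as real threat intelligence."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str            # placeholder identifier, not a real CVE
    cvss: float         # generic technical severity
    techniques: frozenset   # MITRE ATT&CK technique IDs on the attack path
    reaches_crown_jewel: bool


# Constructed actor profiles (assumed, not an actual mapping to any named group).
ACTOR_TTPS = {
    "actor-A": frozenset({"T1078", "T1621", "T1098"}),  # identity-driven pattern
    "actor-B": frozenset({"T1190", "T1505"}),           # edge-exploitation pattern
}


def matched_actors(finding, profiles=ACTOR_TTPS):
    """Actors whose known techniques appear on this finding's attack path."""
    return {a for a, ttps in profiles.items() if finding.techniques & ttps}


def prioritize(findings, profiles=ACTOR_TTPS):
    """Drop findings no tracked actor would use; rank the rest by
    technique overlap, crown-jewel reachability, then CVSS as a tiebreaker."""
    ranked = []
    for f in findings:
        actors = matched_actors(f, profiles)
        if not actors:
            continue                     # noise: no adversary context
        overlap = max(len(f.techniques & profiles[a]) for a in actors)
        score = overlap * 10 + (5 if f.reaches_crown_jewel else 0) + f.cvss
        ranked.append((f, sorted(actors), score))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


# Constructed sample findings.
SAMPLE = [
    Finding("iam-role-ci", "CVE-PLACEHOLDER-1", 6.5, frozenset({"T1078", "T1098"}), True),
    Finding("web-lb", "CVE-PLACEHOLDER-2", 9.8, frozenset({"T1190"}), False),
    Finding("legacy-vm", "CVE-PLACEHOLDER-3", 9.9, frozenset({"T1059"}), False),
    Finding("mfa-portal", "CVE-PLACEHOLDER-4", 4.0, frozenset({"T1621"}), True),
]

if __name__ == "__main__":
    for f, actors, score in prioritize(SAMPLE):
        print(f"{score:5.1f}  {f.asset:12}  cvss={f.cvss}  actors={actors}")
```

Note that `legacy-vm`, the highest-CVSS finding, is dropped entirely because its path matches no tracked actor, which is the "so what?" filter the article describes.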

The Autonomous Purple Team: Proactive Defense in the Cloud

This new feature is built upon Skyhawk Security's core technology, which it calls an “Autonomous Purple Team.” In cybersecurity, a “Red Team” simulates attacks to find weaknesses, while a “Blue Team” works to defend the systems. A “Purple Team” is a collaborative effort between the two to continuously improve security. Skyhawk has sought to automate this process with AI.

The platform first creates an AI-generated “Digital Twin,” an exact replica of a customer’s live cloud environment. Against this safe, mirrored environment, an AI-powered Red Team runs continuous attack simulations, probing for exploitable pathways to an organization’s most critical assets, or “crown jewels.” Simultaneously, an AI-powered Blue Team function validates whether existing security controls are effective against these simulated attacks.

This creates a continuous feedback loop that proactively hardens the cloud environment before a real breach can occur. It represents a fundamental shift from the traditional reactive security model—waiting for an alert and then responding—to a proactive one. With the addition of Threat Actor Context, these simulations are no longer generic; they are bespoke scenarios modeled after the most dangerous cyber-adversaries operating today. The platform can now simulate how TraderTraitor, the group linked to the JumpCloud compromise, might try to infiltrate a customer’s environment, allowing defenses to be tested and fortified against that specific threat.

An Escalating AI Arms Race in Cybersecurity

Skyhawk’s announcement lands in the middle of a rapidly evolving and competitive cloud security market, one that is increasingly defined by an AI arms race. Both attackers and defenders are leveraging artificial intelligence to increase the speed, scale, and sophistication of their operations. The market is burgeoning with tools categorized as Cloud Native Application Protection Platforms (CNAPP) and Breach and Attack Simulation (BAS) from major players like CrowdStrike and Palo Alto Networks, all aiming to provide a more unified and intelligent approach to security.

Within this landscape, the emphasis is shifting toward proactive validation and contextual intelligence. The industry recognizes that simply identifying misconfigurations is no longer sufficient. Solutions that can simulate attacks, test controls, and provide actionable intelligence are gaining traction as organizations struggle to keep pace with the evolving threat landscape.

However, the adoption of such advanced tools is not without challenges. The well-documented cybersecurity skills shortage means many organizations lack the in-house expertise to fully operate and manage sophisticated AI-driven platforms. Integrating new, complex systems into an already crowded security stack can be a significant hurdle, and building trust in automated decision-making and prioritization is a crucial step for any security team.

Despite these obstacles, the move toward AI-powered, proactive defense appears inevitable. As cloud environments grow in complexity and attackers become more advanced, the ability to automatically and continuously simulate threats—and to understand those threats in the context of the adversaries who pose them—is becoming less of a luxury and more of a core requirement for survival in the digital age.
