How Mitiga detects multi-cloud attack chains that no individual platform can see
Modern cloud environments don't live in a single vendor. Your employees authenticate through Okta, manage identities in Azure AD, store files in SharePoint, collaborate in Slack, and run infrastructure in AWS. That's a typical Tuesday morning.
Attackers know this. A sophisticated breach doesn't happen inside one platform — it flows across them. An attacker compromises credentials in Okta, pivots to Azure AD to escalate privileges, then moves to AWS to access sensitive data. Each step, viewed in isolation by each vendor's native security tools, looks like a low-severity event. A login. A group change. A policy update. Nothing alarming.
But stitched together into a single behavioral session? It's a kill chain.
This is the blind spot that most cloud security tools share: they detect events, not journeys. Mitiga built something different.
The Problem: Many Platforms, Many Silos, Zero Correlation
Consider a real scenario. An identity — let's call her Alice — generates these security events across a single morning:
Your cloud vendors each see their own slice. Okta flags the login anomaly as Low — it's a common false positive. Azure AD notes the group change as Medium — admins do this regularly. SharePoint logs the access as routine.
No single vendor raises an alarm. But the sequence tells a completely different story: initial access from an unusual location, immediate privilege escalation through group manipulation, lateral movement to sensitive data, and then — hours later — an attempt to maintain persistence by resetting credentials and removing MFA. This is a textbook account takeover followed by persistence installation.
The challenge isn't data collection. Organizations have the logs. The challenge is reading the story that unfolds across those logs, across vendors, across time.

How Mitiga Sees the Full Picture
Mitiga's detection engine processes security events across dozens of cloud and SaaS platforms — from major cloud providers like AWS, Azure, and GCP, through identity providers like Okta and Entra ID, to SaaS applications like Microsoft 365, Salesforce, GitHub, Slack, and many more. But collecting events from multiple vendors is table stakes. The real innovation is in what happens next.
Behavioral Session Construction
Rather than analyzing events in isolation, Mitiga reconstructs each identity's behavioral sessions — coherent sequences of actions grouped by natural activity patterns. When Alice logs into Okta at 9:01 AM and then creates an Azure AD group at 9:03 AM, those events belong to the same session, even though they happened on different platforms.
This cross-vendor session stitching is what makes the approach powerful. An attacker who pivots from Okta to Azure AD to AWS within a 30-minute window generates a single behavioral session that spans all three platforms. The identity is the thread that connects the dots, regardless of which platform the action touches.
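To make the session-stitching idea concrete, here is a small added example (written for this article, not Mitiga's code or schema) that groups one identity's events from several platforms into sessions. It assumes a fixed inactivity gap of 30 minutes closes a session and uses a handful of constructed events for Alice and Bob; it also counts how many times a session hops between vendors, which the article later treats as a risk indicator in its own right.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed event shape for this example; field names are assumptions, not a vendor schema.
@dataclass
class Event:
    identity: str
    vendor: str
    action: str
    ts: datetime

SESSION_GAP = timedelta(minutes=30)  # assumed: this much inactivity closes a session

def stitch_sessions(events: List[Event], gap: timedelta = SESSION_GAP) -> Dict[str, List[List[Event]]]:
    """Group each identity's events, across every vendor, into time-ordered sessions.
    A new session starts when more than `gap` elapses since the identity's previous event."""
    by_identity: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_identity.setdefault(ev.identity, []).append(ev)
    sessions: Dict[str, List[List[Event]]] = {}
    for identity, evs in by_identity.items():
        current: List[Event] = []
        for ev in evs:
            if current and ev.ts - current[-1].ts > gap:
                sessions.setdefault(identity, []).append(current)
                current = []
            current.append(ev)
        if current:
            sessions.setdefault(identity, []).append(current)
    return sessions

def vendor_transitions(session: List[Event]) -> int:
    """Count consecutive event pairs where the platform changes (the cross-vendor pivots)."""
    return sum(1 for a, b in zip(session, session[1:]) if a.vendor != b.vendor)

def at(hh: int, mm: int) -> datetime:
    return datetime(2026, 2, 23, hh, mm)

# Constructed sample: Alice's morning pivot and her afternoon persistence attempt, plus Bob's AWS work.
SAMPLE_EVENTS = [
    Event("alice", "okta", "user.session.start", at(9, 1)),
    Event("alice", "azuread", "Add group", at(9, 3)),
    Event("alice", "azuread", "Add member to group", at(9, 4)),
    Event("alice", "sharepoint", "FileAccessed", at(9, 12)),
    Event("alice", "okta", "user.account.reset_password", at(14, 30)),
    Event("alice", "azuread", "Disable Strong Authentication", at(14, 33)),
    Event("bob", "aws", "AssumeRole", at(9, 5)),
    Event("bob", "aws", "ListBuckets", at(9, 6)),
]

def summarize(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, List[Tuple[List[str], int]]]:
    """Per identity: the vendor path of each session and its number of cross-vendor transitions."""
    return {
        identity: [([e.vendor for e in s], vendor_transitions(s)) for s in sess]
        for identity, sess in stitch_sessions(events).items()
    }

if __name__ == "__main__":
    for identity, sess in summarize().items():
        for path, hops in sess:
            print(f"{identity}: {' -> '.join(path)} ({hops} cross-vendor transitions)")
```

With these inputs Alice's 9:01 Okta login, 9:03 Azure AD group creation and 9:12 SharePoint access fall into one session with two vendor transitions, while her 14:30 password reset and 14:33 MFA change form a second session; Bob's two AWS calls never leave one platform.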
Three Independent Detection Signals
Once sessions are constructed, Mitiga applies three independent detection signals. When multiple signals converge on the same identity, confidence is high.
Signal 1: Peer-Group Deviation.
Not every unusual action is malicious, and not every “normal” action is safe. The key is context: unusual for whom?
Mitiga automatically clusters identities into behavioral peer groups based on their historical activity patterns. Store managers behave like other store managers. DevOps engineers behave like other DevOps engineers. No manual role tagging required — the clusters emerge naturally from observed behavior.
When a store manager suddenly starts creating Azure AD security groups — something zero of their 47 peers have ever done — that's a statistically significant deviation. Conversely, when a DevOps engineer creates a security group, that's routine for their peer group. Same event, completely different risk signal depending on who does it.
Signal 2: Attack Chain Pattern Matching.
Individual events map to stages in the MITRE ATT&CK framework: initial access, credential access, privilege escalation, persistence, lateral movement, data exfiltration. Mitiga scans sessions for temporally ordered multi-step patterns that match known attack playbooks.
A session that contains credential access, followed by MFA manipulation, followed by cross-vendor movement matches the “Account Takeover + Lateral Movement” chain. The temporal ordering matters — these stages must occur in sequence, not just coexist in the same time window. And each step must meet a minimum severity threshold, eliminating noise from routine low-importance events.
Signal 3: Composite Risk Scoring.
A composite score across multiple behavioral dimensions — including behavioral rarity, peer deviation, cross-vendor movement patterns, and more — produces a single risk number per session. This score is normalized across the entire organization, ensuring that it's meaningful regardless of the customer's size or vendor mix.
The power is in convergence. When all three signals independently flag the same session — the peer group says “this is abnormal,” the pattern matcher says “this follows a known attack playbook,” and the risk score says “this is in the top percentile” — that's a high-confidence finding that analysts can act on immediately.
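The following added example (again written for this article, not Mitiga's implementation) runs the three signals over a few constructed sessions. Peer groups, per-identity history, the action-to-stage map, severities, score weights and the convergence thresholds are all assumptions chosen to mirror the article's Alice scenario; the first playbook follows the "credential access, then MFA manipulation, then cross-vendor movement" chain described above.

```python
from typing import Dict, List, Sequence, Set, Tuple

Event = Tuple[str, str]                  # (vendor, action)
Session = Tuple[str, str, List[Event]]   # (session_id, identity, events in time order)

# action key -> (ATT&CK-style stage, severity 1..5); mapping and severities are assumptions
STAGE_OF: Dict[str, Tuple[str, int]] = {
    "okta:login": ("initial-access", 1),
    "okta:login_unusual_geo": ("initial-access", 3),
    "azuread:add_group": ("privilege-escalation", 3),
    "azuread:add_group_member": ("privilege-escalation", 3),
    "sharepoint:file_accessed": ("collection", 2),
    "okta:reset_password": ("credential-access", 3),
    "azuread:disable_mfa": ("persistence", 4),
    "aws:assume_role": ("lateral-movement", 3),
    "aws:list_buckets": ("discovery", 1),
}
MIN_SEVERITY = 2  # events below this threshold never count toward a chain

# Playbooks as ordered stage sequences (names and second chain are constructed)
CHAINS: Dict[str, List[str]] = {
    "Account Takeover + Lateral Movement": ["credential-access", "persistence", "lateral-movement"],
    "Unusual Access + Privilege Escalation + Data Access": ["initial-access", "privilege-escalation", "collection"],
}

# Constructed peer clusters and the actions each identity has performed historically
PEER_GROUP = {"alice": "store-managers", "bob": "store-managers", "carol": "store-managers",
              "dana": "devops", "erin": "devops"}
HISTORY: Dict[str, Set[str]] = {
    "alice": {"okta:login", "sharepoint:file_accessed"},
    "bob": {"okta:login", "sharepoint:file_accessed"},
    "carol": {"okta:login", "sharepoint:file_accessed"},
    "dana": {"okta:login", "azuread:add_group", "aws:assume_role", "aws:list_buckets"},
    "erin": {"okta:login", "azuread:add_group", "aws:assume_role"},
}
SESSIONS: List[Session] = [
    ("s1", "alice", [("okta", "login_unusual_geo"), ("azuread", "add_group"),
                     ("azuread", "add_group_member"), ("sharepoint", "file_accessed")]),
    ("s2", "alice", [("okta", "reset_password"), ("azuread", "disable_mfa"), ("aws", "assume_role")]),
    ("s3", "dana", [("azuread", "add_group"), ("aws", "assume_role")]),
    ("s4", "bob", [("okta", "login"), ("sharepoint", "file_accessed")]),
    ("s5", "carol", [("okta", "login"), ("sharepoint", "file_accessed")]),
]

def key(ev: Event) -> str:
    return f"{ev[0]}:{ev[1]}"

# Signal 1: share of the session's distinct actions that none of the identity's peers has ever done
def peer_deviation(identity: str, events: List[Event]) -> float:
    peers = [p for p, g in PEER_GROUP.items() if g == PEER_GROUP[identity] and p != identity]
    actions = {key(e) for e in events}
    if not actions or not peers:
        return 0.0
    unseen = [a for a in actions if not any(a in HISTORY.get(p, set()) for p in peers)]
    return len(unseen) / len(actions)

# Signal 2: ordered-subsequence match; stages must occur in sequence, not merely coexist
def matched_chains(events: List[Event]) -> List[str]:
    hits = []
    for name, chain in CHAINS.items():
        idx = 0
        for e in events:
            stage, sev = STAGE_OF.get(key(e), ("unknown", 0))
            if sev >= MIN_SEVERITY and stage == chain[idx]:
                idx += 1
                if idx == len(chain):
                    hits.append(name)
                    break
    return hits

# Signal 3: org-wide rarity + peer deviation + cross-vendor movement, normalised to a percentile
def rarity(events: List[Event]) -> float:
    """Mean over distinct actions of (1 - share of identities that have ever performed it)."""
    distinct = {key(e) for e in events}
    n = len(HISTORY)
    return sum(1 - sum(a in h for h in HISTORY.values()) / n for a in distinct) / len(distinct)

def cross_vendor_ratio(events: List[Event]) -> float:
    if len(events) < 2:
        return 0.0
    return sum(a[0] != b[0] for a, b in zip(events, events[1:])) / (len(events) - 1)

def analyze(sessions: Sequence[Session] = SESSIONS) -> Dict[str, dict]:
    raw = {sid: 0.4 * rarity(ev) + 0.4 * peer_deviation(who, ev) + 0.2 * cross_vendor_ratio(ev)
           for sid, who, ev in sessions}
    result = {}
    for sid, who, ev in sessions:
        pct = sum(r <= raw[sid] for r in raw.values()) / len(raw)  # rank across the whole org
        dev, chains = peer_deviation(who, ev), matched_chains(ev)
        result[sid] = {"identity": who, "peer_deviation": dev, "chains": chains, "percentile": pct,
                       # convergence: all three signals agree (thresholds are assumptions)
                       "flagged": dev >= 0.5 and bool(chains) and pct >= 0.8}
    return result

if __name__ == "__main__":
    for sid, r in analyze().items():
        print(sid, r)
```

Run as written, only Alice's two sessions are flagged: her group creation is unseen among her store-manager peers and completes the access-escalate-collect chain, and her afternoon password reset, MFA removal and AWS role assumption complete the account-takeover chain at the top percentile. Dana performs the very same group creation in s3 but it is routine for the DevOps cluster, so she is not flagged, which is the "same event, different risk" point made above.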
The Cross-Vendor Advantage
This is where Mitiga's multi-platform coverage becomes a genuine detection advantage, not just a broader data collection story.
Our research across organizations of varying sizes — from 86 identities to 45,000 — revealed a consistent finding: cross-vendor transitions account for over 40% of behavioral patterns, and they correlate with higher-risk sessions. When an identity moves from Okta authentication to Azure AD group manipulation to AWS resource access within a single session, that cross-platform pivot is itself a risk indicator.
More importantly, certain attack patterns are only visible when you stitch vendors together:
- Cross-platform privilege escalation: Azure AD PIM activation followed by AWS IAM role assumption — invisible if you're monitoring each platform separately.
- Multi-stage data exfiltration: Salesforce report export followed by O365 email forwarding rule creation — two medium-severity events on different platforms that, together, describe a data theft in progress.
- Identity lifecycle attacks: Okta credential reset followed by Azure AD MFA deactivation — a classic account takeover that spans identity providers.
An organization monitoring only Azure AD would see a group change. An organization monitoring only Okta would see a password reset. Only by connecting the two can you see the attacker's full path from initial compromise to persistent access.
From Noise to Signal: Real-World Validation
Building a detection system that fires on everything is easy. Building one that fires on the right things is the hard part.
In production validation across multiple customer environments, Mitiga's behavioral session infrastructure processes hundreds of thousands of security events per organization. The noise reduction pipeline — which dynamically identifies high-volume, low-signal events and collapses repetitive patterns — reduces raw event volume by approximately 90% while preserving security-relevant signals.
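As an added illustration of the two noise-reduction steps named above (this is example code written for the article, not Mitiga's pipeline), the block below first identifies action types that are both high-volume and performed by most identities, then collapses consecutive repeats of the same event into one entry with a count. The thresholds, the allowlist of actions that are never dropped, and the 197-event sample stream are all constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Event(NamedTuple):
    identity: str
    vendor: str
    action: str
    ts: int  # seconds since start of day (constructed)

# Security-relevant actions are never treated as noise, however frequent (assumed allowlist).
ALWAYS_KEEP = {"azuread:disable_mfa", "okta:reset_password", "azuread:add_group",
               "aws:assume_role", "okta:login_unusual_geo"}

def noisy_action_types(events: List[Event], volume_share: float = 0.10,
                       identity_share: float = 0.5) -> Set[str]:
    """High-volume, low-signal action types: a large share of the stream AND performed by
    most identities (so they describe the environment, not one actor)."""
    total = len(events)
    identities = {e.identity for e in events}
    counts = Counter(f"{e.vendor}:{e.action}" for e in events)
    actors: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        actors[f"{e.vendor}:{e.action}"].add(e.identity)
    return {
        k for k, n in counts.items()
        if k not in ALWAYS_KEEP
        and n / total >= volume_share
        and len(actors[k]) / len(identities) >= identity_share
    }

def collapse_runs(events: List[Event]) -> List[Tuple[Event, int]]:
    """Merge consecutive identical (identity, vendor, action) events into one entry with a count."""
    out: List[Tuple[Event, int]] = []
    for e in sorted(events, key=lambda e: (e.identity, e.ts)):
        if out and (out[-1][0].identity, out[-1][0].vendor, out[-1][0].action) == (e.identity, e.vendor, e.action):
            out[-1] = (out[-1][0], out[-1][1] + 1)
        else:
            out.append((e, 1))
    return out

def reduce_noise(events: List[Event]) -> List[Tuple[Event, int]]:
    noisy = noisy_action_types(events)
    kept = [e for e in events if f"{e.vendor}:{e.action}" not in noisy]
    return collapse_runs(kept)

def reduction_ratio(events: List[Event]) -> float:
    return 1 - len(reduce_noise(events)) / len(events)

def build_sample() -> List[Event]:
    """Constructed stream: routine token refreshes for everyone, a chatty backup service
    account, and Alice's handful of security-relevant events."""
    ev: List[Event] = []
    for i, who in enumerate(["alice", "bob", "carol", "dana", "erin"]):
        ev += [Event(who, "okta", "token_refresh", 3600 * i + 60 * k) for k in range(30)]
    ev += [Event("svc-backup", "aws", "describe_instances", 20000 + 15 * k) for k in range(40)]
    ev += [Event("alice", "okta", "login_unusual_geo", 32460),
           Event("alice", "azuread", "add_group", 32580),
           Event("alice", "sharepoint", "file_accessed", 33120),
           Event("alice", "sharepoint", "file_accessed", 33125),
           Event("alice", "sharepoint", "file_accessed", 33130),
           Event("alice", "okta", "reset_password", 52200),
           Event("alice", "azuread", "disable_mfa", 52380)]
    return ev

if __name__ == "__main__":
    sample = build_sample()
    for e, n in reduce_noise(sample):
        print(f"{e.identity:10s} {e.vendor}:{e.action} x{n}")
    print(f"reduced {len(sample)} events to {len(reduce_noise(sample))} "
          f"({reduction_ratio(sample):.0%} reduction)")
```

On this sample the 150 token refreshes are dropped as an environment-wide noisy type, the service account's 40 identical describe calls collapse to a single counted entry, and Alice's three file reads become one, leaving six entries from 197 events while every security-relevant event (unusual login, group creation, password reset, MFA removal) survives intact.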
After noise reduction, session construction produces stable, interpretable activity windows averaging 5–7 events per session across organizations of all sizes. This consistency held from our smallest test environment to our largest, with tens of thousands of identities — the behavioral model is scale-invariant.
The three-signal approach reduces alert volume to a manageable set of high-confidence findings. Instead of presenting analysts with thousands of individual alerts, Mitiga surfaces the sessions and identities where multiple independent signals agree something is wrong. An analyst reviewing a flagged session sees the complete cross-vendor journey: every step the identity took, which steps are rare for their peer group, which steps match known attack patterns, and which cross-vendor transitions occurred — all in a single, temporal view.
Why This Matters Now
Cloud environments are getting more complex, not less. But two emerging trends are about to make cross-vendor detection dramatically harder — and more essential.
AI-generated attacks move faster across platforms. When an attacker uses AI to automate reconnaissance, craft phishing, and generate privilege escalation scripts, the time between initial access and lateral movement compresses from hours to minutes. A human SOC analyst reviewing single-vendor alerts cannot keep pace with an attack that pivots from Okta to Azure AD to AWS in under ten minutes. Detection that operates at the session level — stitching the full journey in real time — is the only way to match the speed of AI-assisted attackers.
SaaS-to-SaaS integrations are creating lateral movement paths that didn't exist a year ago. Every OAuth connection between Salesforce and Slack, every service principal linking Azure AD to GitHub Actions, every API integration between your HRIS and your identity provider creates a new edge in the attack graph. Attackers no longer need to compromise a human to move between platforms — they can ride the integrations. Our research already uncovered this: integration accounts registered as human users, automated traffic attributed to real employees, service-to-service connections that cross vendor boundaries invisibly. These integrations are the new lateral movement, and they're proliferating faster than security teams can inventory them.
Mitiga's approach is different because the foundational unit of analysis is different. It's not the event. It's not the alert. It's the session — a complete, cross-vendor behavioral journey for a single identity. And the detection logic doesn't ask "is this event bad?" It asks "is this journey abnormal for this identity, compared to their peers, and does it follow a known attack pattern?"
When an attacker crosses from Okta into Azure AD into AWS, they're counting on the boundaries between those platforms to hide their tracks. Mitiga erases those boundaries.
Last updated: February 23, 2026