- What: Guardz introduces AI-driven cybersecurity approach
- Impact: Combines AI with human expertise for better threat detection
One of the core philosophies we implement at Guardz is the deep integration of our security and intelligence teams with our proprietary AI capabilities. This synergy lets us parse massive amounts of data and extract high-fidelity insights at a speed that neither humans nor standalone bots can match. In the MSP world, "AI" is often dismissed as a buzzword for a noisy alert engine. We are doing it differently. We treat AI as a force multiplier rather than a black box. While the machine handles the heavy lifting, such as data crunching, high-frequency pattern recognition, and initial mitigation, the human factor steers the ship. Our security researchers provide the battle scars, context, and intuition necessary for success. They define the hunt by instructing the AI exactly where to dig and what separates a genuine threat from background noise. When defending a client's critical assets, the goal is not to gather more data but to provide better answers. By merging human expertise with machine speed, we deliver:

This approach was put to the ultimate test during a recent security incident in which SentinelOne blocked a new and aggressive variant of INC Ransomware. The incident is a reminder that cybersecurity is a team sport, where response time, communication, and coordination between MDR, Security Research, and Account Management make the difference between a minor alert and a catastrophic outage.

Note: Some telemetry data and screenshots in this report were captured from different consoles at varying times, in both UTC and IST. They have been synchronized for this timeline.

On the morning of February 19, 2026, a threat actor detonated INC Ransomware across a customer's entire network. Within minutes, nearly every Windows endpoint in the organization was under active encryption. Under normal circumstances, an attack of this speed and scale would be a catastrophic, business-ending event.
However, the crisis was averted not because a human operator intervened in time, but because the security infrastructure was designed to outpace the adversary. SentinelOne's endpoint agent, operating autonomously and without human direction, detected, terminated, quarantined, remediated, and rolled back every threat across the environment. The final statistics of the encounter illustrate the magnitude of the attempted breach:

INC Ransom is a sophisticated ransomware operation that first emerged in July 2023. The group employs a double-extortion model: it encrypts an organization's mission-critical data while simultaneously exfiltrating sensitive information. That data is then used as leverage on the group's dedicated leak site, where it publishes the files of victims who refuse to meet its financial demands. The group has historically targeted a diverse range of sectors, with a particular focus on healthcare, education, government, and Managed Service Providers (MSPs). Its technical approach is characterized by precision, favoring hands-on-keyboard tactics over automated scripts. The group is known for using legitimate IT administration tools for reconnaissance and for deploying payloads from staged internal infrastructure to bypass perimeter defenses. The following signatures were identified during the forensic analysis of the intrusion, providing a blueprint of the group's operational methodology:

What makes this incident remarkable is the visibility maintained throughout the intrusion. The defense detected and responded to every phase of the kill chain that touched a managed endpoint. From the initial port scan to the final ransomware execution, every such action was identified, flagged, and neutralized in real time. The threat actor operated from unmanaged internal infrastructure, specifically two staging hosts that lacked the SentinelOne agent.
However, their period of invisibility ended the moment they reached out to a managed endpoint. When the actor used a workstation's Chrome browser to download a port-scanning tool for network mapping, the system intervened immediately. The reconnaissance tool was terminated 59 milliseconds after launch, denying the attacker the scan results needed to proceed. When they attempted to push the ransomware payload from those same unmanaged hosts 68 minutes later, every managed endpoint acted autonomously to block and roll back the assault.

The initial phase of the attack was a reconnaissance attempt performed under a specific hijacked account. The actor opened a browser, downloaded a fresh copy of Advanced Port Scanner, and attempted to execute the binary to map the environment's topology. The security platform captured the entire sequence, identifying the following artifacts:

Within 20 seconds of these events, the SentinelOne Cloud synchronized the telemetry across the environment and upgraded the confidence level from "Suspicious" to "Malicious." An MDR Analyst immediately reviewed ...
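The sequence above (a browser-downloaded scanner killed within milliseconds, a payload pushed an hour later from hosts with no agent, telemetry captured in both UTC and IST) is the kind of timeline an MDR analyst reconstructs from raw events. The following Python is an added example, not Guardz's or SentinelOne's code. It normalizes console timestamps recorded in UTC and IST to UTC, flags execution of a known scanner that a browser downloaded minutes earlier on the same host, lists network peers that are absent from the agent inventory (the unmanaged staging hosts), and measures time-to-kill per process. The event schema, host names, file names, user name and inventory are constructed for the example; the scanner list generalizes beyond Advanced Port Scanner to a few common scanner image names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Offsets of the consoles the page mentions; IST is UTC+05:30.
TZ_OFFSETS = {"UTC": timedelta(0), "IST": timedelta(hours=5, minutes=30)}


def to_utc(stamp: str, zone: str) -> datetime:
    """Normalize a console timestamp recorded in `zone` to an aware UTC datetime."""
    naive = datetime.fromisoformat(stamp)
    return (naive - TZ_OFFSETS[zone]).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    """Simplified, hypothetical EDR event record (not SentinelOne's schema)."""
    ts: datetime          # always UTC after normalization
    host: str
    kind: str             # file_download | process_start | process_kill | network_conn
    image: str = ""       # file or process image name
    parent: str = ""      # parent process image
    user: str = ""
    remote_host: str = "" # peer for network_conn events


def ev(stamp: str, zone: str, host: str, kind: str, **kw) -> Event:
    return Event(to_utc(stamp, zone), host, kind, **kw)


# Constructed inventory and watchlists; replace with the EDR console's agent list.
MANAGED_HOSTS = {"WS-01", "WS-02", "SRV-FILE"}
SCANNER_IMAGES = {"advanced_port_scanner.exe", "advanced_ip_scanner.exe", "nmap.exe", "masscan.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry mirroring the narrative: a download via Chrome, a launch
# killed 59 ms later (kill recorded by an IST console), then connections from two hosts
# that are not in the inventory followed by a dropped binary that is killed on launch.
EVENTS = [
    ev("2026-02-19T09:12:00.000", "UTC", "WS-01", "file_download",
       image="advanced_port_scanner.exe", parent="chrome.exe", user="j.doe"),
    ev("2026-02-19T09:12:04.000", "UTC", "WS-01", "process_start",
       image="advanced_port_scanner.exe", parent="explorer.exe", user="j.doe"),
    ev("2026-02-19T14:42:04.059", "IST", "WS-01", "process_kill", image="advanced_port_scanner.exe"),
    ev("2026-02-19T10:20:01.000", "UTC", "SRV-FILE", "network_conn", remote_host="STAGE-01"),
    ev("2026-02-19T10:20:02.000", "UTC", "WS-02", "network_conn", remote_host="STAGE-02"),
    ev("2026-02-19T10:20:03.000", "UTC", "WS-02", "network_conn", remote_host="WS-01"),
    ev("2026-02-19T10:20:04.000", "UTC", "SRV-FILE", "process_start", image="dropped.exe", parent="services.exe"),
    ev("2026-02-19T15:50:04.120", "IST", "SRV-FILE", "process_kill", image="dropped.exe"),
]


def timeline(events):
    """Events ordered by normalized UTC time, regardless of which console recorded them."""
    return sorted(events, key=lambda e: e.ts)


def browser_downloaded_scanners(events, window=timedelta(minutes=10)):
    """Scanner launches preceded (within `window`) by a browser download of the same image on that host."""
    downloads = [e for e in events if e.kind == "file_download" and e.parent in BROWSERS]
    hits = []
    for start in events:
        if start.kind != "process_start" or start.image not in SCANNER_IMAGES:
            continue
        for d in downloads:
            if d.host == start.host and d.image == start.image and timedelta(0) <= start.ts - d.ts <= window:
                hits.append((start.host, start.user, start.image, d.ts, start.ts))
    return hits


def unmanaged_peers(events, managed=MANAGED_HOSTS):
    """Internal peers seen in connection telemetry that have no agent in the inventory."""
    return {e.remote_host for e in events
            if e.kind == "network_conn" and e.remote_host and e.remote_host not in managed}


def time_to_kill_ms(events):
    """Milliseconds from process start to kill, keyed by (host, image)."""
    starts, result = {}, {}
    for e in timeline(events):
        key = (e.host, e.image)
        if e.kind == "process_start":
            starts[key] = e.ts
        elif e.kind == "process_kill" and key in starts:
            result[key] = round((e.ts - starts[key]).total_seconds() * 1000)
    return result


if __name__ == "__main__":
    for e in timeline(EVENTS):
        print(e.ts.isoformat(), e.host, e.kind, e.image or e.remote_host)
    print("scanner hits:", browser_downloaded_scanners(EVENTS))
    print("unmanaged peers:", sorted(unmanaged_peers(EVENTS)))
    print("time to kill (ms):", time_to_kill_ms(EVENTS))
```

The unmanaged-peer check is the cheap version of the coverage gap the narrative describes: any internal host that talks to a managed endpoint but is missing from the agent inventory is a place where an adversary can stage tooling unobserved, and it is worth reviewing before the next incident rather than during it.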