Seven Sins, One Firewall: Turning the 2026 Cyber Protect Report into Policy

by Scott Jenkins

Turn our latest research into action items to keep your organization secure

The 2026 SonicWall Cyber Protect Report broke from tradition this year. Instead of cataloging what attackers did, it asked what actually keeps organizations protected, and named the seven operational gaps that consistently separate the resilient from the exposed. We call them the Seven Deadly Sins of Cybersecurity.

For architects, the report lands differently than a typical threat roundup. The sins aren't abstract. Each one maps to specific, auditable firewall behavior. What follows is a practitioner's translation: how each sin shows up in a SonicOS configuration, and the single most important lever to pull for each.

The Backdrop

Before we get to the sins, these are the numbers worth holding in your head: high and medium severity attacks surged 20.8% to 13.15 billion hits, automated bots generate more than 36,000 vulnerability scans per second, and Log4j still produced 824.9 million IPS hits in 2025, four years after disclosure. Attackers aren't getting louder. They're getting more accurate, and they're exploiting the same fundamentals year after year.

Let's walk through the settings that address each of the Seven Deadly Sins.

Sin 1: Ignoring the Fundamentals

According to SonicWall threat data, identity, cloud, and credential compromise account for 85% of actionable security alerts. The firewall is both a target and a control plane, so harden it first: bind admin access to your IdP via SAML with MFA enforced, scope management access to a dedicated zone or jump host, and kill the "Allow Management from WAN any/any" rule that shows up in more audits than anyone wants to admit. Review our Credential Auditor in SonicOS 7.3.1 and above.

The one lever: External authentication with MFA on every admin path, and no local bypass except a documented break-glass account that itself has 2FA enabled.

Sin 2: False Confidence

Ransomware was present in 88% of SMB breaches last year. 80% of IT leaders believe they can contain an incident in under eight hours; actual dwell time averages 181 days. SonicWall's stance is simple: controls you haven't tested aren't controls, they're assumptions.

Every Allow rule in your policy is a trust statement. If it doesn't have the full security profile set attached (GAV, IPS, Anti-Spyware, App Control, Capture ATP), you're trusting the traffic implicitly. And without DPI-SSL, most of that inspection is blind to encrypted flows, which today means most of the internet.

The one lever: Audit your rule base for Allow rules, and the zone pairs they cover, that are missing security services. Aged or obsolete access rules left in a configuration are exactly the chinks in the armor attackers are hoping for.

Sin 3: Overexposed Access

48% of breaches involved compromised VPN credentials as the initial access vector. Lateral movement begins, on average, within 48 minutes of initial compromise; the fastest observed cases took 18 minutes. That's less time than most change reviews.

Flat zones are the accelerant. Separate or segment users, servers, IoT, management, and guests into distinct zones, then default-deny between them. Apply IPS and GAV to east-west policies, not just north-south. Block SMB, RDP, and WinRM between user segments unless the traffic is sourced from named admin jump hosts. Bring identity into the access rules themselves: use SAML or SonicWall's Directory Connector for single sign-on (SSO) to the firewall so that rules can match on the users and devices on your network (NAS, hypervisors, copiers, and the like) rather than on bare addresses.

The one lever: Pick any user endpoint. Enumerate the server IPs and ports it can reach. If the list is long, segmentation is nominal.
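To make that lever concrete, here is a small reachability check, added as an illustration rather than taken from the report or from SonicOS itself. It reads a rule base the way an architect reads a policy export: zone pair, source, destination, port, evaluated top-down with first match winning. The rules, zone names, addresses and the listening-port inventory are all constructed for the example, and real address objects, service groups and application-layer matches are flattened to CIDRs and port specs, so treat it as the shape of the audit rather than a drop-in tool.

```python
"""Added example: enumerate what one user endpoint can reach through a first-match rule base.

The rule base below is constructed for illustration; it flattens address and service objects
into CIDRs and port specs and models only zone pair + source + destination + port with
top-down first-match evaluation, an approximation of how a real policy is evaluated.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    ports: str   # "any", "443", "445,3389,5985", or "1024-65535"
    action: str  # "allow" or "deny"


def _in_net(ip, cidr):
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


def _port_ranges(spec):
    if spec == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip, port):
    """Return the first rule matching the flow, or None for the implicit deny."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if not (_in_net(src_ip, r.src) and _in_net(dst_ip, r.dst)):
            continue
        if any(lo <= port <= hi for lo, hi in _port_ranges(r.ports)):
            return r
    return None


def reachable(rules, src_zone, src_ip, inventory):
    """Every (zone, host, port, rule name) the endpoint is allowed to reach.

    inventory maps zone -> {host: [listening ports]}; it stands in for a real asset list.
    """
    hits = []
    for zone, hosts in inventory.items():
        for host, ports in hosts.items():
            for port in ports:
                r = first_match(rules, src_zone, zone, src_ip, host, port)
                if r is not None and r.action == "allow":
                    hits.append((zone, host, port, r.name))
    return sorted(hits)


def reach_by_rule(hits):
    """Which rules grant the reach. One catch-all doing most of the work means segmentation is nominal."""
    return Counter(name for _, _, _, name in hits)


# Constructed rule base (hypothetical names and addresses), ordered top-down as the firewall evaluates it.
RULES = [
    Rule("Jump host admin protocols", "LAN", "SERVERS", "10.0.9.10/32", "any", "445,3389,5985", "allow"),
    Rule("Block lateral admin protocols", "LAN", "SERVERS", "any", "any", "445,3389,5985", "deny"),
    Rule("Users to web apps", "LAN", "SERVERS", "10.0.1.0/24", "10.0.20.0/24", "443", "allow"),
    Rule("Legacy LAN to servers any/any", "LAN", "SERVERS", "any", "any", "any", "allow"),
    # no LAN -> IOT rules at all: the implicit deny applies
]

# Constructed inventory of what is listening in each zone.
INVENTORY = {
    "SERVERS": {"10.0.20.5": [443, 445, 3389, 5985], "10.0.20.6": [22, 1433, 3306]},
    "IOT": {"10.0.30.7": [80, 1883]},
}

if __name__ == "__main__":
    for endpoint in ("10.0.1.50", "10.0.9.10"):
        hits = reachable(RULES, "LAN", endpoint, INVENTORY)
        print(f"{endpoint}: {len(hits)} reachable services; granted by {dict(reach_by_rule(hits))}")
        for zone, host, port, rule in hits:
            print(f"  {zone} {host}:{port}  via '{rule}'")
```

Run it for the user endpoint 10.0.1.50 and the jump host 10.0.9.10. The count alone is not the point: reach_by_rule shows that three of the user's four reachable services are granted by the legacy any/any rule, which is what nominal segmentation looks like inside a policy. The admin-protocol deny does its job (445, 3389 and 5985 are refused from the user subnet and permitted only from the jump host), and the missing LAN-to-IOT rules fall through to the implicit deny.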

Sin 4: Reactive Security Posture

The average breach goes undetected for 181 days. 44% of alerts go uninvestigated. The firewall generates signal; value is created only when that signal reaches a human who acts.

Forward logs over TLS to a SIEM or managed service; SonicSentry MXDR fits here, with 24/7 eyes-on-glass monitoring. Tune verbosity so connection and threat events aren't buried. Export NetFlow for behavioral baselining: logs tell you what was blocked, flow tells you what was allowed and shouldn't have been. MSPs commonly tune alerts down to minimize noise while watching for the severe ones. SonicSentry MXDR takes the opposite approach: it turns on all of the noise so that all of the traffic can be correlated, and our expertise filters that noise to find the needle in the haystack of alerts. The value is not only the valid alerts we identify, but the hundreds or thousands of suspicious alerts your staff didn't have to investigate.

The one lever: Pull the last 30 days of high-severity events and count how many have a documented disposition. The ones without are the 44%.
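One way to run that count, added here as an example and not taken from the report or from any SonicWall tool: parse a month of key=value syslog, keep only the high-severity events, and join them against whatever register holds your dispositions. The log lines, the disposition register, the field names (sn, time, pri, n, msg, src, dst) and the use of pri as a syslog severity are all constructed assumptions for this example; map them to your own SIEM export and ticketing fields before relying on the numbers.

```python
"""Added example: count last-30-day high-severity firewall events that have no recorded disposition."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a key=value syslog style. The field names (sn, time, pri, n, msg, src, dst)
# are assumptions for this example, not a documented schema; pri uses the syslog severity scale
# (0 = emergency ... 7 = debug) and n is treated as a per-device event counter.
SAMPLE_LOG = """\
sn=C0EAE4000001 time="2026-01-05 09:12:44 UTC" fw=203.0.113.10 pri=1 n=1001 msg="IPS Detection Alert" src=198.51.100.7:51823:X1 dst=10.0.20.5:445:X0
sn=C0EAE4000001 time="2026-02-20 22:03:10 UTC" fw=203.0.113.10 pri=1 n=1105 msg="IPS Detection Alert" src=198.51.100.23:44020:X1 dst=10.0.20.6:22:X0
sn=C0EAE4000001 time="2026-02-21 08:41:55 UTC" fw=203.0.113.10 pri=2 n=1110 msg="Gateway Anti-Virus Alert" src=10.0.1.50:52210:X0 dst=198.51.100.88:443:X1
sn=C0EAE4000001 time="2026-02-27 14:27:31 UTC" fw=203.0.113.10 pri=4 n=1188 msg="Connection Opened" src=10.0.1.51:50111:X0 dst=198.51.100.90:443:X1
sn=C0EAE4000001 time="2026-03-01 03:15:02 UTC" fw=203.0.113.10 pri=1 n=1204 msg="IPS Detection Alert" src=198.51.100.77:60011:X1 dst=10.0.20.5:3389:X0
"""

# Constructed disposition register keyed by (device serial, event counter): what a ticketing
# system or SOC notebook would hold. Anything recent and high-severity that is not in here is the gap.
DISPOSITIONS = {
    ("C0EAE4000001", "1105"): "Inbound scan blocked by IPS; source added to block list (INC-0041)",
    ("C0EAE4000001", "1110"): "Confirmed malicious download; host reimaged (INC-0042)",
}

NOW = datetime(2026, 3, 2, tzinfo=timezone.utc)  # fixed 'now' so the example is reproducible

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """key=value parser that keeps quoted values (with spaces) intact."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def disposition_audit(log_text, dispositions, now, days=30, max_pri=2):
    """Return counts of recent high-severity events and the list of those with no disposition."""
    cutoff = now - timedelta(days=days)
    high, missing = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or parse_time(ev["time"]) < cutoff or int(ev["pri"]) > max_pri:
            continue
        high.append(ev)
        if (ev["sn"], ev["n"]) not in dispositions:
            missing.append((ev["n"], ev["time"], ev["msg"], ev["src"], ev["dst"]))
    return {
        "high_severity": len(high),
        "dispositioned": len(high) - len(missing),
        "undispositioned": missing,
    }


if __name__ == "__main__":
    result = disposition_audit(SAMPLE_LOG, DISPOSITIONS, NOW)
    print(f"{result['dispositioned']}/{result['high_severity']} high-severity events have a disposition")
    for n, when, msg, src, dst in result["undispositioned"]:
        print(f"  OPEN  n={n} {when}  {msg}  {src} -> {dst}")
```

On the constructed data the January event falls outside the window, the pri=4 connection log is not high severity, and of the three remaining events one (the March 1 IPS alert against RDP on 10.0.20.5) has no disposition at all. That last list is the work queue; the ratio is the number to put in front of whoever believes the alerts are being handled.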

Sin 5: Cost-Driven Decisions

A single SMB breach can exceed $4.91 million. Organizations with incident response plans save an average of $1.23 million per breach. 

On the firewall, cost-driven decisions usually look like expired subscriptions, disabled services "for performance," HA pairs that were never failover-tested, and IR runbooks that read more like wishes than procedures. Pre-stage your isolation rules as disabled policies ready to enable — during an incident, rule syntax is the last thing you want to be composing from scratch.

The one lever: Time how long it would take to isolate a compromised subnet tonight. If the answer involves improvisation, the runbook is incomplete.

Sin 6: Legacy Access Models

VPN CVEs grew 82.5%, with 60% rated high or critical. The old model — authenticate once, trust the network — no longer fits how modern attackers operate.

Start the ZTNA migration. Gen 8 firewalls ship with embedded ZTNA licensing, and Cloud Secure Edge replaces those flat VPN tunnels with continuous identity verification and application-scoped access. For the legacy VPN that still must exist during the transition: MFA mandatory, Endpoint Control posture checks on (SMA only), per-user route lists instead of full-tunnel access to the LAN zone, and quarterly access recertification that actually disables dormant accounts.

The one lever: For each remote user, describe their access in terms of named applications. If you describe it in terms of "the network," you have legacy access in modern packaging.

Sin 7: Hype Over Execution

The average enterprise runs 45 security tools. Nearly half of security professionals spend more time maintaining them than defending against attacks. More tooling on top of poor hygiene doesn't produce better outcomes.

The boring work wins here: quarterly review of unused rules, shadowed rules, Any/Any permissive rules, and objects with expired owners. Prefer App Control signatures over port rules. Use SAMI in Unified Management to surface drift across the fleet — treat its findings as work items, not suggestions.

The one lever: Count the access rules on your largest firewall. If you can't name the business purpose of the first 20, the policy is maintaining you. Use the description field in each rule to state clearly what the rule does and for whom.
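The quarterly review described here and the Sin 2 audit for Allow rules missing security services are one pass over the same data. The linter below is an added example (it is not SAMI and not SonicOS code): it takes a flattened rule export and emits one work item per finding, covering Allow rules missing any of the five services, any/any Allows, rules without a description or owner, rules with zero hits, and rules shadowed by an earlier rule on the same zone pair. Rule names, owners, addresses, hit counts and the flattening of address and service objects into CIDRs and port specs are all constructed assumptions.

```python
"""Added example: lint a rule base for the hygiene findings the text lists.

Flags Allow rules missing security services (Sin 2), any/any permissive Allows, rules with
no description or owner, rules with zero hits, and rules shadowed by an earlier rule (Sin 7).
The rules are a constructed export: address and service objects are flattened into CIDRs and
port specs, and list order is the firewall's top-down evaluation order for each zone pair.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

# The full profile set the text says every Allow rule should carry.
REQUIRED_SERVICES = {"GAV", "IPS", "Anti-Spyware", "App Control", "Capture ATP"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    ports: str               # "any", "443", "445,3389,5985", "1024-65535"
    action: str              # "allow" or "deny"
    services: set = field(default_factory=set)
    description: str = ""
    hits: int = 0            # hit counter from the export; 0 over the review window = unused


def _covers_net(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _port_ranges(spec):
    if spec == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def _covers_ports(outer, inner):
    # Conservative: each inner range must fit inside a single outer range, so coverage by a
    # union of adjacent outer ranges is not detected (a miss, never a false positive).
    return all(any(olo <= ilo and ihi <= ohi for olo, ohi in _port_ranges(outer))
               for ilo, ihi in _port_ranges(inner))


def shadows(earlier, later):
    """`later` is shadowed when `earlier` matches everything it would match, whatever the actions."""
    return ((earlier.src_zone, earlier.dst_zone) == (later.src_zone, later.dst_zone)
            and _covers_net(earlier.src, later.src)
            and _covers_net(earlier.dst, later.dst)
            and _covers_ports(earlier.ports, later.ports))


def lint(rules):
    """Return (rule name, finding) pairs; each finding is one work item."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow":
            if rule.src == rule.dst == rule.ports == "any":
                findings.append((rule.name, "permissive any/any allow"))
            missing = REQUIRED_SERVICES - rule.services
            if missing:
                findings.append((rule.name, "allow without " + ", ".join(sorted(missing))))
        if not rule.description.strip():
            findings.append((rule.name, "no description or owner"))
        if rule.hits == 0:
            findings.append((rule.name, "zero hits; candidate for removal"))
        for earlier in rules[:i]:
            if shadows(earlier, rule):
                findings.append((rule.name, f"shadowed by '{earlier.name}'; never evaluated"))
                break
    return findings


# Constructed rule base (hypothetical names, owners and addresses) in evaluation order.
RULES = [
    Rule("Admin jump to servers", "LAN", "SERVERS", "10.0.9.10/32", "any", "445,3389,5985", "allow",
         REQUIRED_SERVICES, "Admin protocols from the jump host only (owner: infra)", hits=412),
    Rule("Users to web apps", "LAN", "SERVERS", "10.0.1.0/24", "10.0.20.0/24", "443", "allow",
         {"GAV", "IPS"}, "", hits=99123),
    Rule("Users to web apps (old)", "LAN", "SERVERS", "10.0.1.0/24", "10.0.20.5/32", "443", "allow",
         REQUIRED_SERVICES, "Temporary during migration", hits=0),
    Rule("Legacy LAN to servers", "LAN", "SERVERS", "any", "any", "any", "allow", set(), "", hits=5_000_000),
    Rule("Block IoT to LAN", "IOT", "LAN", "any", "any", "any", "deny", set(), "Default deny (owner: netops)", hits=31),
    Rule("Finance to ERP", "LAN", "SERVERS", "10.0.2.0/24", "10.0.20.9/32", "8443", "allow",
         REQUIRED_SERVICES, "ERP access for finance (owner: finance IT)", hits=1200),
]

if __name__ == "__main__":
    for name, finding in lint(RULES):
        print(f"{name:28} {finding}")
```

Two things stand out on the constructed data. The any/any legacy rule collects three findings of its own and also shadows every rule placed after it, so the carefully scoped "Finance to ERP" rule never fires; that is the difference between a policy that looks segmented and one that is. And the shadow check ignores actions deliberately: a rule hidden behind a broader earlier rule is dead whether the earlier one allows or denies, and dead rules are the ones nobody reviews.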

The Uncomfortable Pattern

Seven sins, one thread: the organizations most exposed aren't missing technology. They're missing follow-through. Lack of attention to basic cyber hygiene is where most organizations fail.

That's the useful thing about reading this report as an architect rather than an executive. Follow-through isn't a budget conversation or a procurement decision. It's a policy review on the calendar, an alert disposition audit, a failover test that actually happens, a rule base you can explain line by line. The firewall is one of the few places in the stack where follow-through can be codified, versioned, and audited. That's not a small thing: it’s most of the job.

An Article By

Scott Jenkins

Solutions Architect

Scott Jenkins is a Solutions Architect at SonicWall, focused on helping MSP and MSSP partners scale effectively with secure, streamlined solutions. He plays a key role in developing programs that reduce complexity, cut costs, and strengthen partner outcomes. With a sharp eye for operational efficiency and long-term success, Scott is a trusted guide in the managed services space.
