2026 Unit 42 Global Incident Response Report: Attacks Now 4x Faster with AI-Accelerated Intrusions

Palo Alto Networks’ Unit 42 has released its 2026 Global Incident Response Report, analyzing over 750 major cyber incidents across 50+ countries. The findings paint a stark picture of an evolving threat landscape where attacks are faster, broader, and harder to contain than ever before.

Key Finding: 72-Minute Attack Chains

In the fastest cases Unit 42 investigated, attackers needed just 72 minutes to move from initial access to data exfiltration—four times faster than observed last year. This dramatic compression of attack timelines is driven by AI being used in reconnaissance, phishing, scripting, and operational execution, enabling machine-like speed at scale.

Identity: The Primary Attack Vector

Identity weaknesses played a material role in nearly 90% of investigations. Attackers are increasingly “logging in, not breaking in”—leveraging stolen credentials and tokens to exploit fragmented identity estates, escalate privileges, and move laterally without triggering traditional defenses.

Supply Chain Risk Drives Operational Disruption

In 23% of incidents, attackers leveraged third-party SaaS applications. By abusing trusted integrations, vendor tools, and application dependencies, threat actors bypassed traditional perimeters and expanded impact well beyond single systems.

Additional Critical Findings

  • Multi-Surface Attacks: 87% of intrusions involved activity across multiple attack surfaces (endpoints, networks, cloud, SaaS, and identity).
  • Browser Battleground: Nearly 48% of incidents included browser-based activity, reflecting how modern attacks intersect with routine workflows.
  • Extortion Evolution: Encryption-based extortion declined 15%, as more attackers skip encryption and move straight to data theft and disruption—a faster, quieter approach that creates immediate pressure.

Why Attacks Still Succeed

Despite increasing sophistication, most incidents Unit 42 responds to don’t start with something radically new—they start with preventable gaps:

  • Environmental Complexity: Over 90% of incidents were materially enabled by misconfigurations or gaps in security coverage. Many organizations run 50+ security products, making consistent control deployment extremely difficult.
  • Visibility Gaps: During attacks, teams often had to stitch together data from multiple disconnected sources, slowing detection during critical early minutes.
  • Excessive Trust: Overly permissive access and unmanaged tokens frequently allowed attackers to move farther than they should after gaining initial footholds.

Recommendations for Defenders

Unit 42’s recommendations for security leaders focus on three priorities:

  1. Reduce Exposure: Secure the full application ecosystem and treat trusted connections with the same scrutiny as core infrastructure.
  2. Reduce Area of Impact: Tighten identity and access management while removing unnecessary trust to limit attacker lateral movement.
  3. Increase Response Speed: Ensure visibility across environments and leverage AI to detect, identify, and prioritize threats—enabling containment at machine speed, faster than adversaries can move.

Why This Matters

This report underscores a fundamental shift in cybersecurity: the window between initial access and business impact is shrinking dramatically. Organizations must adapt their defenses to match the speed of modern AI-assisted attacks while addressing the persistent foundational gaps—complexity, limited visibility, and excessive trust—that attackers continue to exploit.

Source: Palo Alto Networks Blog