
Palo Alto Networks Unit 42 Warns of AI‑Accelerated Attacks in Global Incident Response Report 2026

Philippa Cogswell

Identity abuse, supply chain infiltration and AI‑driven automation redefine the global cyber threat landscape

Cyber adversaries are evolving at a pace that now outstrips enterprise digital transformation, according to the newly released Unit 42® Global Incident Response Report 2026 from Palo Alto Networks®. The report reveals a striking shift toward AI‑enabled attack automation, identity misuse, and supply chain exploitation, trends that are reshaping how modern intrusions unfold across global organisations.

Based on more than 750 major incident response engagements across over 50 countries between October 2024 and September 2025, Unit 42’s latest findings show that attackers are combining accelerated techniques with authenticated access to breach environments faster than ever before.

AI compresses attack timelines

One of the most alarming shifts is the rapid reduction in time-to-impact.
In 2025, the fastest 25% of intrusions reached data exfiltration within 72 minutes, a dramatic drop from 285 minutes in the previous year. Threat actors are increasingly using AI to automate reconnaissance, phishing, scripting, evasion and extortion, enabling parallelised attacks at unprecedented scale.

Identity vulnerabilities, meanwhile, have become the softest target. Nearly 90% of all investigations involved identity-related weaknesses, confirming that in cloud-first ecosystems, identity has emerged as the primary attack surface.

“Attackers are combining AI acceleration with identity-based access to move faster and blend in better than ever before. What’s most striking is that over 90% of breaches stem from preventable weaknesses: misconfigurations, inconsistent controls and excessive identity trust. Security is solvable. Organisations that consolidate visibility, enforce least privilege and automate response can dramatically reduce both the likelihood and impact of a breach.”

Philippa Cogswell, Vice President, Unit 42 – Asia Pacific & Japan, Palo Alto Networks

Attacks now span the entire enterprise surface

Modern intrusions are no longer isolated events.
According to the report:

  • 87% of attacks spanned multiple surfaces — including endpoints, cloud, networks, SaaS and identity layers.
  • 48% involved browser-based activity, cementing the browser as a major frontline in today’s threat landscape.

Extortion evolves beyond encryption

Ransomware remains widespread but is entering a new phase.
In 2025, encryption appeared in 78% of extortion incidents, a sharp decline from over 90% in previous years. Attackers are increasingly relying on:

  • pure data theft
  • exposure threats
  • multi-vector extortion techniques

Median ransom demands surged from US$1.25 million in 2024 to US$1.5 million in 2025.

Key Findings from the Unit 42 Global Incident Response Report 2026

  • AI as an attack force multiplier: Automates reconnaissance, phishing, scripting and extortion, massively reducing time-to-impact.
  • Identity is the main entry point: 65% of intrusions leverage compromised credentials, MFA bypass or IAM misconfigurations.
  • Software supply chain exposure widens: SaaS integrations, vendor management layers and open-source dependencies create inherited trust risks.
  • Nation-states evolve tactics: Greater focus on infrastructure compromise, virtualisation layer exploitation and persona-driven infiltration with early signs of AI‑enabled tradecraft.

Unit 42’s Recommendations for Organisations

To mitigate emerging threats, Unit 42 advises enterprises to:

  • Deploy phishing-resistant MFA and eliminate standing admin privileges
  • Continuously govern human and machine identities
  • Consolidate telemetry across endpoints, cloud, SaaS and networks
  • Automate containment to reduce response from hours to minutes
  • Govern all third-party SaaS integrations and AI workflows

The Unit 42 Global Incident Response Report 2026 is available for download at:
2026 Unit 42 Global Incident Response Report Palo Alto Networks
