Palo Alto Networks Unit 42 Releases Global Incident Response Report 2026
AI-Driven Attacks, Identity Abuse and Supply Chain Exploitation Reshape the Cyber Threat Landscape
Posted: Wednesday, Feb 18

As organisations accelerate digital transformation and AI adoption, cyber adversaries are evolving even faster. Today, Palo Alto Networks® released the Unit 42® Global Incident Response Report 2026, revealing that attackers are leveraging artificial intelligence, identity misuse and trusted software supply chains to breach organisations with unprecedented speed.

Based on more than 750 major incident response engagements across over 50 countries between October 2024 and September 2025, the report highlights a decisive shift in attacker behaviour: speed, automation and authenticated access now define modern intrusions.

AI is rapidly compressing the attack lifecycle. In 2025, the fastest 25% of intrusions reached data exfiltration in just 72 minutes – down from 285 minutes the previous year. Meanwhile, identity weaknesses played a material role in nearly 90% of investigations, reinforcing that identity is now the primary attack surface in cloud-first environments.

Philippa Cogswell, Vice President, Unit 42 – Asia Pacific & Japan, Palo Alto Networks

“Attackers are combining AI acceleration with identity-based access to move faster and blend in better than ever before. But what stands out is that more than 90% of breaches were enabled by preventable gaps – misconfigurations, inconsistent controls and excessive identity trust. Security is solvable. Organisations that consolidate visibility, enforce least privilege and automate response can dramatically reduce both the likelihood and impact of a breach.”

Unlike traditional attacks confined to a single system, modern intrusions span the enterprise. In 87% of cases, attackers operated across multiple attack surfaces, including endpoints, networks, cloud, SaaS and identity layers. Nearly half (48%) involved browser-based activity, underscoring the browser as a critical frontline in today’s threat landscape.

The report also reveals a significant evolution in extortion tactics. While ransomware remains prevalent, encryption is no longer guaranteed. In 2025, encryption appeared in 78% of extortion cases, down sharply from above 90% in previous years. Attackers are increasingly relying on data theft and exposure as primary leverage. Median ransom demands rose from US$1.25 million in 2024 to US$1.5 million in 2025.

Key findings from the Unit 42 Global Incident Response Report 2026 include:

  • AI as a Force Multiplier: Threat actors are automating reconnaissance, phishing, scripting and extortion operations, enabling parallelised attacks at scale and reducing time-to-impact.
  • Identity as the Primary Entry Point: 65% of initial access is identity-driven, with stolen credentials, MFA bypass and IAM misconfigurations enabling rapid privilege escalation and lateral movement.
  • Software Supply Chain Risk Expansion: SaaS integrations, vendor management planes and transitive open-source dependencies are creating inherited trust pathways attackers exploit for downstream impact.
  • Nation-State Adaptation: State-aligned actors are shifting toward deeper infrastructure compromise, virtualization layer exploitation and persona-driven infiltration, with early signs of AI-enabled tradecraft.

To counter these trends, Unit 42 recommends organisations:

  • Deploy phishing-resistant MFA and eliminate standing administrative privileges
  • Continuously monitor and govern human and machine identities
  • Consolidate telemetry across endpoint, cloud, SaaS and network environments
  • Automate containment actions to reduce response time from hours to minutes
  • Inventory and govern third-party SaaS integrations and AI workflows

The Unit 42 Global Incident Response Report 2026 is available now. To download the full report, visit: 2026 Unit 42 Global Incident Response Report – Palo Alto Networks
