The 2026 Global Security Incident Response Report, issued today by Unit 42, the research arm of Palo Alto Networks, reveals an unprecedented rise in the speed and complexity of cyberattacks. The findings highlight the growing use of artificial intelligence, increasingly exposed digital environments, and the central role of digital identities in modern intrusion tactics.
Analyzing over 750 high-severity incidents, the report shows that attackers are integrating AI technologies throughout attack stages, quadrupling execution speed within a single year. Additionally, the complexity of organizational infrastructures has expanded exploitation opportunities, with identity-related vulnerabilities observed in 89% of security incidents and 87% of attacks targeting multiple systems or technical layers simultaneously.
Sam Rubin, Senior Vice President of Unit 42 at Palo Alto Networks, commented: “The increasing complexity of enterprise environments favors attackers. This risk is magnified as attackers focus on credential theft and deploy AI agents capable of linking human and machine identities to operate autonomously. Organizations must simplify their infrastructure and adopt a unified platform approach to strictly limit unnecessary trust.”
Five Key Trends Shaping the Cyber Threat Landscape
AI Accelerates Attack Execution
Attackers’ growing reliance on AI and advanced automation has shortened the interval between initial access and data exfiltration to just 72 minutes in the fastest attacks—four times faster than the previous year.
Increasing Complexity of Attacks
87% of attacks spanned two or more vulnerable surfaces, including endpoints, cloud environments, SaaS platforms, and identity systems. Unit 42 observed simultaneous activity across up to ten different vectors in some cases.
Identity as the Primary Attack Vector
65% of initial access points exploited identity-based techniques such as social engineering and credential misuse, while 22% leveraged technical vulnerabilities across all analyzed incidents.
Browsers as Frontline Attack Platforms
48% of attacks involved browser exploitation, reflecting the use of routine browsing sessions as entry points for credential theft and bypassing local security controls.
Rise in SaaS Supply Chain Attacks
Attacks targeting third-party SaaS applications increased 3.8 times since 2022, accounting for 23% of all incidents. Misused OAuth tokens and API keys were common methods for lateral movement within targeted environments.
Closing Critical Defense Gaps
The report links approximately 90% of data breaches to misconfigurations or security weaknesses within complex technical environments. These include poor operational visibility and excessive, unchecked trust—factors that create fertile ground for attackers.
Given the accelerating attack cycle and shrinking response windows, the report urges organizations to move beyond traditional network-bound defenses and adopt a unified, platform-centric approach focused on:
Operating at machine speed: Enable security operations centers to leverage AI and automation for rapid detection and containment of high-velocity attacks within minutes rather than hours.
Securing development pipelines: Integrate security controls into software and AI system development from the earliest stages to remediate vulnerabilities before deployment into cloud environments.
Strengthening identity protection: Centralize and enforce management of user, system, and machine identities to close governance gaps and mitigate credential-based attacks.
Protecting human interfaces: Apply secure browser technologies and proactive risk management to safeguard modern work environments and unmanaged devices.
Eliminating implicit trust: Adopt a Zero Trust model that continuously validates every connection or access request, limiting attackers’ lateral movement within networks.