Cybersecurity has reached a critical inflection point where the traditional measures of defensive success—prevention and detection—are being outpaced by a new metric: machine speed. The recently released Palo Alto Networks / Unit 42 Global Incident Response Report 2026 provides a clear-eyed look at this shift, revealing that what happens in the first minutes of an intrusion now determines whether an incident remains a localized event or escalates into a catastrophic breach.
In 2025, Unit 42 responded to more than 750 major cyber incidents across 50 countries, and the aggregate data from these engagements highlights a threat economy increasingly optimized for scale and efficiency. For cybersecurity leaders and their teams, the report's conclusion is both a warning and a source of hope: while adversary tradecraft is evolving rapidly, the vast majority of breaches are still enabled by preventable gaps, meaning that security remains a solvable challenge for those willing to close them.
The most measurable trend in the 2026 report is the compression of the attack lifecycle, driven by the routine operational use of artificial intelligence. AI has become a massive friction reducer for threat actors, allowing them to automate reconnaissance, social engineering, and the "monitor-diff-test-weaponize" loop for newly-discovered vulnerabilities.
The result is a staggering acceleration in attack speed. Real-world incident response data show that the fastest 25% of intrusions in 2025 reached the exfiltration stage in just 72 minutes—a dramatic decrease from 285 minutes only a year prior. In some simulated AI-assisted attacks, this window shrank even further to a mere 25 minutes. This speed shift means that defenders can no longer rely on human-speed decision-making; the window for detection and containment has effectively moved from days or hours to minutes.
Identity, the new practical perimeter
Perhaps the most critical takeaway for executive leaders is the complete dominance of identity as the primary entry point for modern attacks. In nearly 90% of all Unit 42 investigations, identity weaknesses—such as stolen credentials, hijacked sessions, or misconfigured privileges—played a material role in the intrusion's success.
Attackers are increasingly bypassing software exploits entirely, choosing instead to "log in" using valid credentials and tokens. This approach allows them to blend into normal network activity, making detection far more difficult. Social engineering remains the leading driver of these breaches, accounting for 33% of initial access cases. However, these are no longer simple phishing attempts; they have evolved into hyper-personalized lures and the use of synthetic identities, such as deepfakes, to pass remote hiring workflows and steal sensitive tokens.
While traditional perimeters are dissolving, the attack surface is expanding through the misuse of trusted connectivity. Attackers are exploiting the software supply chain by targeting SaaS integrations, vendor tools, and application dependencies to bypass security controls at scale. This trend shifts the impact of a cyberattack from an isolated compromise to widespread operational disruption across entire business ecosystems.
A significant portion of this risk resides in indirect "transitive" libraries within cloud-native applications, which often go unmonitored. Furthermore, as organizations adopt AI-enabled workflows, they are introducing a new class of "shadow identities"—non-human service accounts and AI agents that frequently outnumber human users and operate with over-privileged access.
Key takeaways for cybersecurity leaders and executives
For CISOs and security leaders, the priority must be reducing exposure through the consolidation of telemetry and the automation of response. Because 87% of intrusions now span multiple attack surfaces—including endpoints, cloud, and SaaS applications—defenders can no longer afford to monitor these environments in silos. Transitioning to behavioral-based security engines and consolidating signals into a unified view is essential to identifying the coordinated movements of an adversary.
Security teams must shift their focus toward identity hygiene and the hardening of development tools. This includes the deployment of phishing-resistant MFA, continuous discovery of non-human identities, and the elimination of standing admin rights in favor of a just-in-time access model. As the attack lifecycle continues to shrink, teams must also authorize autonomous, agentic AI systems to execute surgical containment actions without waiting for manual human intervention.
For business executives, the report underscores that cybersecurity is a business-wide resilience issue, not just a technical one. Nation-state actors are increasingly using "persona-driven" infiltration, such as fake employment, to establish footholds in core infrastructure. Leaders must foster a security culture that treats AI systems with the same discipline as critical infrastructure, ensuring that the human judgment at the heart of daily workflows reinforces, rather than bypasses, governance controls.
We asked experts from cybersecurity vendors for their takes on the report's findings.
Ronald Lewis, Senior Manager, Security Compliance and Auditing, at Black Duck, said:
- "Many organizations are rushing toward Zero Trust by taking the fastest possible path, and that shortcut is becoming a security risk on its own. Most companies check a few boxes—turn on MFA, adopt SSO, add conditional access—and call it 'Zero Trust.' The problem is that partial implementations don't deliver the actual benefits of Zero Trust. They create something that looks like progress but leaves big gaps in identity governance, SaaS sprawl, API trust chains, and machine-to-machine access. That false sense of safety is often more dangerous than having no Zero Trust at all."
- "Attackers have figured this out, and AI is helping them do it faster. Instead of spending days or weeks mapping out an environment, adversaries use AI to scan identity systems, identify configuration drift, assess token handling practices, and identify access patterns in minutes. Anything that's inconsistent, misaligned, or overly permissive stands out like a beacon. These aren't weaknesses you see on a dashboard—they're the cracks created when organizations settle for the 'good enough' version of Zero Trust. This is super dangerous, as proven by Unit 42's research."
- "The success that attackers are seeing and the repercussions speak for themselves. AI is making privilege escalation, lateral movement, and account compromise easier and faster than ever. Stolen tokens bypass the very controls organizations think will save them. SaaS integrations become silent backdoors (remember Salesforce/Drift?). Machine identities multiply without governance. In other words, attackers aren't breaking down the door—they're simply walking through the side entrance left wide open by incomplete Zero Trust rollouts."
Sean Malone, CISO at BeyondTrust, said:
- "Unit 42's report is a stark warning for anyone still defending a company like it's 2015: attackers aren't picking a single lane anymore; they're driving across all of them. When 87% of incidents span multiple attack surfaces and 90% abuse identity weaknesses, we're long past thinking of this as 'an endpoint problem' or 'an identity problem' in isolation. Speed is the gut punch. When the fastest intrusions are hitting exfiltration in about an hour, you don't have time for handoffs, ticket queues, or 'we'll look at it after standup.' You either have orchestrated controls that can stop and contain fast, or you're doing incident response later."
- "Security teams need to nail the unglamorous-but-effective foundation: treat identity like production infrastructure, not a convenience layer. Deploy phishing-resistant MFA, leverage conditional access and Just-in-Time auth, kill excessive privilege, and get serious about token/session hygiene. Then assume compromise and shrink the blast radius: segment what matters, lock down egress, and make data paths explicit so exfiltration isn't the default outcome. Finally, move protection to where work actually happens: endpoint, browser, and SaaS. Harden workstation privilege, deploy managed browser policies and SSE/CASB controls. Rehearse and automate a 'first 30 minutes' playbook that's ruthless: revoke sessions, rotate secrets, isolate high-value systems, and cut off outbound channels before access turns into impact."
Mark McClain, CEO at SailPoint, said:
- "Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape have rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security. This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just 'who,' or in the case of AI agents, 'what,' has access to the enterprise, but what data they can access and what they are able to do once inside."
- "The modern enterprise needs a new control plane, driven by unifying identity, data, and security. The combined power of these contexts enables real-time decisions to reduce risk without impacting the business. These decisions can be driven by the nature of the identity, the context of the apps and data it can access, the behavior around how it is using these apps and data, and the security signals and risk warnings that may surround it. To combat this new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity."
Shane Barney, CISO at Keeper Security, said:
- "Identity has become the attacker's skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens, and abused permissions, then moving laterally under the cover of legitimacy. Unit 42's findings confirm what many security leaders already suspect: when identity controls are fragmented or overly permissive, attackers do not need novel exploits. They just need access that looks routine."
- "What is making this more dangerous is the rapid proliferation of machine identities. Service accounts, API keys, automation roles, and AI agents now outnumber human users in many environments. They are created instantly to support cloud workloads, DevOps pipelines, and SaaS integrations, yet they rarely receive the same lifecycle governance as employees. Credentials persist longer than intended. Permissions expand over time. Ownership becomes unclear. These gaps create durable, low-noise pathways for attackers. Compromising one over-privileged service account can provide broader and quieter access than compromising a senior executive."