The Unit 42 Incident Response Report highlights a rapidly evolving cybersecurity landscape where artificial intelligence, identity vulnerabilities, and complex enterprise environments are fueling the majority of modern breaches. Released by Palo Alto Networks, the report analyzed more than 750 major security incidents and found that attackers are dramatically accelerating their operations using AI and automation.
According to the Unit 42 Incident Response Report, the time between initial compromise and data exfiltration has dropped sharply. In the fastest incidents studied, attackers were able to steal data within just 72 minutes, demonstrating how automation is reshaping the pace of cybercrime.
AI and Automation Are Transforming the Attack Lifecycle
Threat actors are increasingly deploying artificial intelligence across every stage of the attack lifecycle. From reconnaissance and phishing to credential harvesting and lateral movement, automation enables attackers to scale their operations faster than ever before.
Sam Rubin, Senior Vice President of Unit 42 Consulting and Threat Intelligence at Palo Alto Networks, noted that enterprise environments have unintentionally become a major advantage for adversaries.

“Enterprise complexity has become the adversary’s greatest advantage,” Rubin said. “Attackers are targeting credentials and increasingly using autonomous AI agents that can bridge human and machine identities.”
This growing reliance on automation means attackers can coordinate activities across multiple systems simultaneously while maintaining persistence inside networks.
Identity Vulnerabilities Drive Initial Access
One of the most significant insights from the Unit 42 Incident Response Report is the growing role of identity-related weaknesses in cyber attacks.
Investigators found that 89% of incidents involved compromised identity systems, highlighting how credentials have become a primary entry point for attackers. In addition, 65% of initial access attempts relied on identity-based techniques, including social engineering and credential misuse.
Traditional vulnerabilities still play a role, but they account for only 22% of initial access cases, suggesting attackers increasingly prefer exploiting human behavior over technical flaws.
Modern Attacks Span Multiple Attack Surfaces
Cyber attacks today rarely occur through a single entry point. Instead, threat actors combine multiple attack vectors across different environments.
The Unit 42 Incident Response Report found that 87% of attacks involve multiple attack surfaces, including endpoints, cloud services, SaaS platforms, and identity systems. In some incidents analyzed by Unit 42 researchers, attackers operated across as many as ten attack surfaces simultaneously.
This layered approach allows attackers to maintain access even if one entry point is detected and blocked.
Browsers and SaaS Platforms Are Emerging Threat Targets
Another major trend identified in the Unit 42 Incident Response Report is the growing role of everyday workplace tools in cyber attacks.
Nearly 48% of incidents involved browsers, where normal web sessions can be exploited to capture credentials or bypass local security controls. Meanwhile, attacks targeting third-party SaaS applications have surged significantly.
Since 2022, SaaS supply chain attacks have increased 3.8 times, now representing 23% of all incidents. Threat actors frequently exploit OAuth tokens and API keys to move laterally across systems and expand their access.
Strengthening Security in an AI-Driven Threat Landscape
Unit 42 researchers found that 90% of data breaches are linked to misconfigurations or security gaps. Complex infrastructures, limited visibility, and excessive trust between systems continue to create opportunities for attackers.
To counter these threats, the Unit 42 Incident Response Report recommends that organizations shift toward unified security platforms capable of responding at machine speed. This includes embedding security directly into development pipelines, strengthening identity management across human and machine accounts, and deploying secure browser technologies to protect the modern workspace.
Organizations are also encouraged to adopt zero-trust security frameworks, ensuring that every access request is continuously verified before privileges are granted.
As cyber threats evolve and AI-driven attacks accelerate, the report emphasizes that organizations must modernize their defenses to keep pace with the speed and complexity of modern adversaries.
To download the full report and executive resource kit, visit: https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
