- 87% of cyber intrusions in 2025 involved activity across multiple attack surfaces, making siloed defenses structurally inadequate.
- 90%+ of breaches were enabled by preventable gaps — misconfigurations, inconsistent controls, or excessive identity trust.
- 65% of initial access was identity-driven, as attackers increasingly log in rather than break in.
- 72 minutes — that’s how fast the quickest quartile of attackers moved from initial access to data exfiltration in 2025, down from 285 minutes the year prior.
- AI has become a force multiplier for attackers — compressing attack timelines, improving social engineering quality, and enabling scale at lower cost.
- Extortion is decoupling from encryption: ransomware actors increasingly skip file-locking and rely on data theft and direct pressure alone.
- Nation-state actors, particularly from China, North Korea, and Iran, are deepening infrastructure-level compromise and experimenting with AI-generated synthetic identities.
The Threat Landscape in 2026: A Reckoning with Speed and Scale
If there is one overarching message from Palo Alto Networks’ Unit 42 Global Incident Response Report 2026, it is this: the window for effective defense is closing, and closing fast. Based on intelligence drawn from more than 750 major incident response engagements conducted between October 2024 and September 2025, this report is one of the most comprehensive real-world snapshots of the enterprise threat landscape available today. And the picture it paints demands immediate attention from security and technology leaders alike.
Unit 42 teams engaged with organizations across every major industry and more than 50 countries, responding to extortion, network intrusions, data theft, and advanced persistent threats. What they found was not a story of exotic zero-day attacks or nation-state sorcery alone. The dominant narrative is far more sobering: most breaches succeeded because of preventable gaps. In more than 90% of incidents, misconfigurations or lapses in security coverage materially enabled the intrusion.
Security is solvable; or at least that’s the Unit 42 team’s conclusion. But solving it is where things get tricky, because it requires change, and that’s something we humans are collectively not great at. This will require a fundamental shift in how organizations think about identity, AI, software supply chains and, equally important, the speed at which defenders must operate.
Four Major Trends Reshaping the Threat Landscape
The report identifies four overarching trends that are redefining the enterprise security challenge in 2026. Each individually would be concerning. Together, they represent a compounding set of risks that are straining the capacity of even well-resourced security teams.
Trend 1: AI Has Become a Force Multiplier for Threat Actors
The AI conversation in cybersecurity is no longer theoretical. In 2025, threat actors moved from experimentation to routine operational use of AI, and the evidence is measurable. The fastest quartile of attacks reached data exfiltration in just 72 minutes, down from 285 minutes the year prior. Unit 42 simulated an AI-assisted attack that compressed time-to-exfiltration to just 25 minutes.
The implications are stark: we’ve talked a lot about how AI is making attackers smarter, but that’s not what worries me the most. In addition to making attackers smarter, it’s making them faster, more scalable, and harder to outpace. Specifically, the report documents three ways AI is reshaping attacker economics.
Speed and scale: Attackers are automating the vulnerability-scanning-to-exploitation loop. Unit 42 research found that threat actors begin scanning for newly disclosed vulnerabilities within 15 minutes of a CVE announcement — and yes, you guessed it, that’s often before many security teams have finished reading the advisory.
Improved tradecraft: Phishing has evolved well beyond ‘better grammar.’ AI now enables hyper-personalized lures built from OSINT collection, and synthetic identities, created via deepfake techniques, are being used to pass remote hiring workflows and steal credentials.
New attack vectors (LOTAIL): A new threat category has emerged: Living off the AI Land (LOTAIL). Just as attackers misuse legitimate Windows tools, they are now weaponizing enterprise AI platforms. With valid credentials, an attacker can use an internal AI assistant to query network maps, admin runbooks, or integration guides, dramatically accelerating lateral movement.
One particularly illustrative case in the report describes what the Unit 42 team termed ‘Vibe Extortion’: an unsophisticated actor who used an LLM to generate a professional-sounding extortion strategy, complete with deadlines and escalation tactics — reading the AI-generated script word-for-word in a threat video. AI didn’t make the attacker more skilled; it made them look credible enough to be dangerous. That distinction matters enormously for how we think about the threat.
Trend 2: Identity Is the Most Reliable Path to Attacker Success
Identity is the new perimeter, and the reality is that it’s being left wide open. Identity weaknesses played a material role in nearly 90% of Unit 42 investigations in 2025. That number alone should reshape where security investments are prioritized.
The data is particularly striking: 65% of initial access was identity-driven, with identity-based phishing (22%), credential misuse (21%), and IAM misconfigurations (3%) among the leading vectors. Attackers are not breaking in; they’re logging in, using stolen credentials or hijacked session tokens, or exploiting over-permissive roles that organizations have simply failed to clean up.
The post-access picture is equally concerning. Unit 42 analysis of more than 680,000 cloud identities found that 99% had excessive permissions, with some unused for 60 days or more. That is not a misconfiguration edge case; it is a systemic governance failure that creates a nearly frictionless path for lateral movement once an attacker establishes a foothold.
Machine identities and AI agents are compounding this problem. Non-human identities — things like service accounts, API keys, and automation roles — frequently outnumber human users, rely on long-lived static credentials, and are inconsistently monitored. For an attacker, compromising a service account can yield higher leverage with far less noise than compromising a person.
Trend 3: Software Supply Chain Risk Has Expanded Beyond Vulnerable Code
Software supply chain risk is no longer just about insecure code in third-party libraries. In 2025, the attack surface expanded to include SaaS integrations, vendor management platforms, and the trusted connectivity that modern enterprise workflows depend on. The defining pattern is that when an upstream provider is compromised, downstream organizations are left scrambling to answer a basic question: are we affected? Most had limited visibility to answer it quickly.
The numbers tell a clear story: SaaS application data was relevant to 23% of Unit 42 cases in 2025, up from 18% in 2024, 12% in 2023, and just 6% in 2022. The trajectory reflects how attackers are methodically repositioning their focus toward cloud-based tools where modern business now lives.
Vendor tools, particularly remote monitoring and management (RMM) and mobile device management (MDM) platforms, are being weaponized through legitimate management channels. The report found that 39% of command-and-control techniques involved remote access tools. When attackers gain access to vendor management infrastructure, they can push malware or change configurations in ways that blend seamlessly into routine administrative traffic.
Open-source dependency sprawl is another expanding frontier. Over 60% of vulnerabilities in cloud-native applications reside in transitive libraries (dependencies your code relies on indirectly, often without your knowledge). As GenAI-assisted coding accelerates the ingestion of packages, provenance and integrity scrutiny often does not keep pace.
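The transitive-dependency problem above is easiest to see on a concrete graph. The following is an added example written for this commentary, not tooling from the Unit 42 report or from Palo Alto Networks: it walks a constructed lock-file-style dependency graph (hypothetical package names, no real packages), separates direct from transitive dependencies, and, given a constructed advisory list with placeholder ids, answers which advisories reach the application and through which path. The breadth-first walk records the shortest path for each package and terminates on cycles.

```python
"""Transitive dependency closure and advisory reach (added example).

The graph and advisory ids below are constructed for illustration; they are
not real packages or real advisories."""
from collections import deque

# Constructed lock-file-style graph: package -> direct dependencies (hypothetical names).
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "json-parser"],
    "http-client": ["json-parser", "tls-shim"],
    "template-engine": ["string-utils"],
    "json-parser": [],
    "tls-shim": ["string-utils"],
    "string-utils": [],
}

# Constructed advisory feed: affected package -> placeholder advisory id.
ADVISORIES = {
    "string-utils": "ADVISORY-PLACEHOLDER-1",
    "tls-shim": "ADVISORY-PLACEHOLDER-2",
}


def resolve(graph, root):
    """Breadth-first walk from root; returns {package: (depth, shortest_path)}.

    Depth 1 is a direct dependency, depth >= 2 is transitive. BFS visits each
    package once, so the recorded path is a shortest one and cycles terminate."""
    reached = {}
    queue = deque([(root, 0, (root,))])
    while queue:
        pkg, depth, path = queue.popleft()
        if pkg in reached:
            continue
        reached[pkg] = (depth, path)
        for dep in graph.get(pkg, []):  # packages absent from the graph are leaves
            if dep not in reached:
                queue.append((dep, depth + 1, path + (dep,)))
    reached.pop(root, None)
    return reached


def classify(graph, root):
    """Split the closure into (direct, transitive) package lists."""
    reached = resolve(graph, root)
    direct = sorted(p for p, (d, _) in reached.items() if d == 1)
    transitive = sorted(p for p, (d, _) in reached.items() if d >= 2)
    return direct, transitive


def transitive_share(graph, root):
    """Fraction of the closure that the application never named directly."""
    direct, transitive = classify(graph, root)
    total = len(direct) + len(transitive)
    return len(transitive) / total if total else 0.0


def affected(graph, root, advisories):
    """Advisories that reach root, each with the shortest path that pulls the package in."""
    return {
        advisories[pkg]: {"package": pkg, "direct": depth == 1, "path": " -> ".join(path)}
        for pkg, (depth, path) in resolve(graph, root).items()
        if pkg in advisories
    }


if __name__ == "__main__":
    direct, transitive = classify(DEPENDENCY_GRAPH, "app")
    print(f"direct={direct} transitive={transitive} "
          f"transitive_share={transitive_share(DEPENDENCY_GRAPH, 'app'):.0%}")
    for advisory, hit in affected(DEPENDENCY_GRAPH, "app", ADVISORIES).items():
        print(f"{advisory}: {hit['path']} (direct={hit['direct']})")
```

In this constructed graph four of the six resolved packages are transitive, and both placeholder advisories land on packages the application never declared. The path string is the part worth keeping in an SCA report: it names the direct dependency whose upgrade or replacement actually removes the exposure.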
Trend 4: Nation-State Actors Are Adapting for Stealth and Persistence
Nation-state cyber activity continued to evolve in sophistication and scope in 2025. Three country-aligned clusters — China, North Korea, and Iran — each demonstrated a meaningful shift toward harder-to-detect access methods.
China-aligned groups moved deeper into infrastructure and virtualization platforms, targeting databases and web servers for exfiltration rather than focusing on email collection. The BRICKSTORM malware campaign, attributed by CISA to China state-sponsored actors, concealed command-and-control traffic inside ordinary encrypted web sessions, a technique that makes network-level detection substantially more difficult.
North Korean operators continued two persistent campaigns: Wagemole (in which operatives infiltrate organizations through fraudulent remote employment) and Contagious Interview (malware delivered via fake job interview coding challenges). Both remained active in 2025 despite extensive public reporting. Equally concerning, there are now early signs of AI integration, including AI-generated deepfake personas used to fabricate entire company profiles across social networks to increase recruitment lure credibility.
Iranian groups similarly deployed employment-themed lures, targeting aerospace and satellite-communications providers. Both Screening Serpens and Curious Serpens used signed binaries and advanced evasion to install backdoors capable of long-term intelligence collection.
Inside the Intrusion: What the Data Reveals
Multi-Surface Attacks Are Now the Norm
The idea that security teams can protect one domain in isolation is no longer viable. In 87% of Unit 42 investigations, attackers operated across two or more attack surfaces simultaneously. Forty-three percent involved four or more surfaces, with some cases spanning eight. And you guessed it: identity was the most commonly involved surface, appearing in nearly 90% of incidents. Browser-based activity was implicated in 48% of cases, up from 44% the prior year.
This multi-surface reality has significant implications for security architecture and investment. Endpoint-only or network-only visibility is structurally insufficient when attackers are simultaneously traversing SaaS, cloud, identity, and browser layers.
Phishing and Vulnerability Exploitation Are Deadlocked at the Top
In 2025, phishing and software vulnerability exploitation tied for first, with each accounting for 22% of initial access. Both vectors work because they exploit either human error or unpatched systems at scale. AI-enhanced phishing is achieving higher conversion rates through more sophisticated, personalized lures. And vulnerability exploitation is accelerating as automation compresses the window between disclosure and weaponization.
For larger enterprises, the balance shifts: vulnerability exploitation represented 26% of initial access versus 17% for phishing. This suggests that organizational size creates complexity and patching inconsistency that attackers recognize and actively target.
Attack Speed Is the Defining Operational Challenge
The velocity data in this report should fundamentally reshape how organizations think about detection and response targets. Today, speed is everything. The fastest quartile of attacks reached exfiltration in 72 minutes in 2025, compared to 285 minutes the prior year — a fourfold acceleration. The percentage of incidents reaching exfiltration in under an hour rose from 19% to 22%.
Median time to exfiltration was two days, which is not reassuring, but it illustrates that defenders must be prepared for both lightning-fast smash-and-grab attacks and slow, methodical operations designed to establish durable access. The SOC cannot be calibrated for only one of these scenarios.
Extortion Is Decoupling from Encryption
One of the most significant trend shifts documented in the report is the decoupling of extortion from ransomware encryption. In 2025, encryption appeared in only 78% of extortion cases, down sharply from 89–96% in the prior four years. Attackers increasingly view encryption as optional; data theft and direct pressure alone are sufficient to generate leverage.
The economics remain compelling for attackers: median initial ransom demands rose from $1.25 million in 2024 to $1.5 million in 2025, while median payments rose from $267,500 to $500,000. Experienced negotiators reduced payments by a median of 61%, underscoring the value of structured negotiation capability. However, with 26% of victims having backups impacted by attackers (yikes!), restoration is neither guaranteed nor clean.
What Security Leaders Must Do: Closing the Gaps
The recommendations in this report are not abstract but flow directly from the forensic patterns that Unit 42 observed across 750+ investigations. Four strategic imperatives stand out to me.
First, security leaders must empower the SOC to operate at machine speed. The fastest attacks are faster than human-speed response. That requires consolidating telemetry across endpoints, identity, cloud, and SaaS into a unified view. Siloed tools are not the answer here. Additionally, deploying AI-driven behavioral analytics to surface anomalies that rule-based detection misses is, without question, table stakes. Autonomous containment capabilities (revoking tokens, isolating workloads) must be pre-authorized, not improvised.
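What "behavioral analytics plus pre-authorized containment" looks like in the small is shown by the following added example, written for this commentary rather than taken from the report or any vendor product. It scores a constructed stream of authentication and data-access events (hypothetical users, countries and token ids) against a constructed per-user baseline of familiar countries. The scoring weights, the sensitive-action list and the 60-minute correlation window are assumptions; the point is that no single signal reaches the alert threshold, while an unfamiliar-country login followed within the window by a sensitive action does, and that the containment step (revoking the session token involved) is decided by the same function rather than improvised later.

```python
"""Behavioral anomaly detection with pre-authorized containment (added example).

Baseline, events, users, countries and token ids are all constructed; scoring
weights and the 60-minute window are assumptions."""
from datetime import datetime, timedelta

# Constructed baseline: countries each user has authenticated from in the past.
BASELINE = {"alice": {"US"}, "bob": {"DE", "FR"}}

# Actions that carry extra weight on their own (assumption).
SENSITIVE = {"bulk_export", "role_change"}

# Constructed event stream, already in time order.
EVENTS = [
    {"ts": "2025-09-30T09:00:00", "user": "alice", "country": "US", "action": "login", "token": "t-1"},
    {"ts": "2025-09-30T09:20:00", "user": "alice", "country": "US", "action": "file_read", "token": "t-1"},
    {"ts": "2025-09-30T10:05:00", "user": "bob", "country": "FR", "action": "login", "token": "t-2"},
    {"ts": "2025-09-30T11:00:00", "user": "alice", "country": "BR", "action": "login", "token": "t-3"},
    {"ts": "2025-09-30T11:40:00", "user": "alice", "country": "BR", "action": "bulk_export", "token": "t-3"},
    {"ts": "2025-09-30T12:30:00", "user": "bob", "country": "FR", "action": "bulk_export", "token": "t-2"},
]

# Assumed weights: no single signal reaches the threshold of 3, combinations do.
WEIGHTS = {
    "unfamiliar_country": 2,
    "sensitive_action": 1,
    "sensitive_soon_after_unfamiliar_login": 2,
}


def score_events(events, baseline, window=timedelta(minutes=60), threshold=3):
    """Return (alerts, containment_actions).

    Each alert lists the reasons that pushed it over the threshold; each action
    is a pre-authorized containment step (here: revoke the session token)."""
    alerts, actions = [], []
    unfamiliar_login_at = {}  # user -> time of latest login from an unfamiliar country
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append("unfamiliar_country")
            if e["action"] == "login":
                unfamiliar_login_at[e["user"]] = ts
        if e["action"] in SENSITIVE:
            reasons.append("sensitive_action")
            prior = unfamiliar_login_at.get(e["user"])
            if prior is not None and ts - prior <= window:
                reasons.append("sensitive_soon_after_unfamiliar_login")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= threshold:
            alerts.append({"ts": e["ts"], "user": e["user"], "token": e["token"],
                           "score": score, "reasons": reasons})
            action = ("revoke_token", e["token"])
            if action not in actions:  # one containment step per token
                actions.append(action)
    return alerts, actions


if __name__ == "__main__":
    alerts, actions = score_events(EVENTS, BASELINE)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['user']} score={a['score']} reasons={a['reasons']}")
    for kind, token in actions:
        print(f"CONTAIN {kind} {token}")
```

On the constructed stream only the 11:40 bulk export fires: the unfamiliar-country login at 11:00 alone scores 2 and is merely recorded, and bob's export from a familiar country scores 1. The revoke decision is returned alongside the alert so it can be executed by the pipeline without a human in the loop at 72-minute attack speeds.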
Second, organizations must advance zero trust with intention. Identity has become the practical perimeter, yet in most organizations it is governed inconsistently and over-permissively. Zero trust is the strategic corrective, but we know that achieving it can be complex. That aside, even incremental gains matter: reducing standing admin rights, enforcing least privilege for machine identities, shortening session lifetimes, and requiring just-in-time privilege elevation all meaningfully constrain attacker mobility.
Third, identity must be treated as a dynamic operational system. The governance drift problem is real: permissions accumulate, legacy roles persist, service accounts are messy and/or never cleaned up, and AI agents are deployed with broad default access. Identity must be managed as a living asset with continuous lifecycle review, not as a static credential directory. FIDO2/passkey authentication for high-value roles, continuous rotation of machine credentials, and conditional access that evaluates risk during sessions (not just at login) are baseline requirements.
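The governance drift described in this paragraph, and the 680,000-identity finding earlier (99% over-permissioned, some unused for 60 days or more), are both checks a team can run on its own inventory. The following is an added example written for this commentary, not the report's methodology or any product's code: it reviews a constructed inventory of human, service and AI-agent identities (hypothetical names, permission strings and dates) for permissions granted but never exercised, wildcard grants, identities idle for 60 days or more, and non-human credentials older than a rotation threshold, then ranks the results. The 60-day and 90-day thresholds and the ranking weights are parameters and assumptions, not figures from the report.

```python
"""Identity lifecycle review (added example, not the report's tooling).

Inventory records are constructed; names, permission strings and dates are
hypothetical. Thresholds and weights are assumptions exposed as parameters."""
from datetime import date

AS_OF = date(2025, 9, 30)  # constructed review date

# Constructed inventory. "used" = permissions actually exercised in the review window.
IDENTITIES = [
    {"name": "alice", "kind": "human",
     "granted": {"storage:read", "storage:write", "iam:admin"}, "used": {"storage:read"},
     "last_activity": date(2025, 9, 20), "credential_created": date(2025, 9, 1)},
    {"name": "ci-deployer", "kind": "service",
     "granted": {"deploy:write", "storage:read"}, "used": {"deploy:write", "storage:read"},
     "last_activity": date(2025, 9, 29), "credential_created": date(2024, 11, 15)},
    {"name": "legacy-batch", "kind": "service",
     "granted": {"db:read", "db:write", "storage:*"}, "used": set(),
     "last_activity": date(2025, 6, 2), "credential_created": date(2024, 1, 10)},
    {"name": "support-assistant", "kind": "ai-agent",
     "granted": {"*"}, "used": {"tickets:read"},
     "last_activity": date(2025, 9, 30), "credential_created": date(2025, 9, 25)},
]

# Assumed ranking weights; tune to the organization's own risk model.
WEIGHTS = {"wildcard_access": 3, "stale_identity": 2,
           "credential_overdue_rotation": 2, "excess_permissions": 1}

# Suggested remediation per finding (assumption, for the printed report).
ACTIONS = {
    "excess_permissions": "remove unexercised permissions (least privilege)",
    "wildcard_access": "replace wildcard grant with an explicit, scoped policy",
    "stale_identity": "disable pending owner confirmation",
    "credential_overdue_rotation": "rotate static credential and shorten its lifetime",
}


def review_identity(ident, as_of=AS_OF, stale_days=60, rotation_days=90):
    """Return a list of (finding, detail) for one identity."""
    findings = []
    wildcards = sorted(p for p in ident["granted"] if "*" in p)
    # Wildcards are reported separately; they cannot be compared with used permissions.
    excess = sorted(p for p in ident["granted"] if "*" not in p and p not in ident["used"])
    if excess:
        findings.append(("excess_permissions", excess))
    if wildcards:
        findings.append(("wildcard_access", wildcards))
    idle_days = (as_of - ident["last_activity"]).days
    if idle_days >= stale_days:
        findings.append(("stale_identity", idle_days))
    credential_age = (as_of - ident["credential_created"]).days
    if ident["kind"] != "human" and credential_age > rotation_days:
        findings.append(("credential_overdue_rotation", credential_age))
    return findings


def review_all(identities=IDENTITIES, **kwargs):
    """Rank identities by weighted findings, highest risk first; ties broken by name."""
    ranked = []
    for ident in identities:
        findings = review_identity(ident, **kwargs)
        score = sum(WEIGHTS[kind] for kind, _ in findings)
        ranked.append((ident["name"], score, findings))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, score, findings in review_all():
        print(f"{name} (score {score})")
        for kind, detail in findings:
            print(f"  {kind}: {detail} -> {ACTIONS[kind]}")
```

Run against the constructed inventory, the idle service account with a wildcard grant and a credential that has never been rotated lands at the top, and the AI agent deployed with `*` ranks above a human who merely holds two unused permissions. The same review on a real inventory is the "continuous lifecycle review" the paragraph asks for; the useful part is scheduling it, not writing it.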
Fourth, secure the software supply chain with urgency. Organizations need a real-time inventory of SaaS integrations, OAuth grants, and third-party tooling. They also need pre-defined ‘break-glass’ plans to revoke access rapidly when an upstream provider is compromised. Software composition analysis (SCA), build-time provenance controls, and strict review processes for new dependencies are no longer optional for mature security programs.
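The "are we affected?" question from the supply-chain section, and the break-glass plan this paragraph calls for, both start from the same artifact: an inventory of which upstream provider each SaaS or OAuth grant trusts, with what scopes. The following is an added example written for this commentary, not the report's or any vendor's tooling, and its grants, providers, scope names and owners are constructed. It answers whether a named provider's compromise touches the organization at all, lists the affected grants with the most privileged scopes first, and turns that into an ordered revocation plan with the owners who need to be told. The scope-to-risk tiers are an assumption keyed on a `<resource>.<action>` naming convention.

```python
"""SaaS / OAuth grant inventory and break-glass revocation plan (added example).

Grants, providers, scopes and owners are constructed; a real inventory would be
exported from the identity provider's application registry."""

# Constructed grant inventory (hypothetical apps, providers, scopes, owners).
GRANTS = [
    {"app": "crm-sync", "provider": "vendor-a", "scopes": ["contacts.read", "contacts.write"], "owner": "sales-ops"},
    {"app": "ticket-bot", "provider": "vendor-b", "scopes": ["tickets.read"], "owner": "support"},
    {"app": "mdm-agent", "provider": "vendor-a", "scopes": ["devices.admin", "users.read"], "owner": "it"},
    {"app": "analytics-export", "provider": "vendor-c", "scopes": ["events.read"], "owner": "data"},
    {"app": "hr-connector", "provider": "vendor-a", "scopes": ["employees.read"], "owner": "people"},
]

# Assumed risk tiers keyed on the scope's action suffix (<resource>.<action>).
RISK_BY_ACTION = {"read": 1, "write": 2, "admin": 3}
UNKNOWN_ACTION_RISK = 3  # assumption: unrecognized scopes count as high risk until reviewed


def scope_risk(scope):
    return RISK_BY_ACTION.get(scope.rsplit(".", 1)[-1], UNKNOWN_ACTION_RISK)


def grant_risk(grant):
    """A grant is as risky as its most privileged scope."""
    return max(scope_risk(s) for s in grant["scopes"])


def is_affected(grants, provider):
    """The fast answer to "are we affected?" for a compromised upstream provider."""
    return any(g["provider"] == provider for g in grants)


def blast_radius(grants, provider):
    """Grants that trust the named provider, highest-risk scope first."""
    return sorted((g for g in grants if g["provider"] == provider),
                  key=lambda g: (-grant_risk(g), g["app"]))


def revocation_plan(grants, provider):
    """Ordered break-glass steps: revoke the most privileged grants first, notify owners."""
    return [
        {"step": i, "action": "revoke", "app": g["app"], "risk": grant_risk(g),
         "scopes": list(g["scopes"]), "notify": g["owner"]}
        for i, g in enumerate(blast_radius(grants, provider), start=1)
    ]


def owners_to_notify(grants, provider):
    return sorted({g["owner"] for g in blast_radius(grants, provider)})


if __name__ == "__main__":
    compromised = "vendor-a"  # constructed scenario
    print(f"affected by {compromised}: {is_affected(GRANTS, compromised)}")
    for step in revocation_plan(GRANTS, compromised):
        print(f"{step['step']}. revoke {step['app']} (risk {step['risk']}, notify {step['notify']})")
    print("notify:", owners_to_notify(GRANTS, compromised))
```

The value is in having the inventory before the incident: with it, the plan for a compromised provider is a function call, and the device-management grant with an admin scope is revoked before the read-only HR connector. Without it, the question "are we affected?" is answered the way the report says most organizations answered it, slowly.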
Analyst Perspective
In closing, what strikes me most about this report is not any single data point; it is the consistency of the failure mode. Year after year, the overwhelming majority of breaches succeed not because attackers are extraordinarily sophisticated, but because organizations have left predictable gaps unaddressed. Excessive permissions. Inconsistent controls. Fragmented telemetry. Ungoverned SaaS integrations.
AI is absolutely intensifying the threat, compressing timelines, scaling operations, and lowering the barrier to credible tradecraft. But AI is not the reason most organizations get breached. The reason is that the foundational work of security hygiene, identity governance, and visibility consolidation has not kept pace with the complexity of modern IT environments.
The encouraging message, if there is one, is that the defensive levers are known. The Unit 42 recommendations are not speculative; they are derived from what actually stops attacks in the real world. The question for security and technology leaders is no longer what to do. It is whether the organizational will, budget, and execution discipline exist to do it before the next incident.
The Bottom Line
The Palo Alto Networks Unit 42 Global Incident Response Report 2026 is essential reading for every enterprise security, technology, and risk leader. It is grounded in forensic reality from more than 750 active investigations — not survey sentiment or hypothetical modeling. The trends it documents (AI-accelerated attack speed, identity as the dominant attack surface, expanding software supply chain risk, and evolving nation-state tradecraft) are already shaping incident patterns today.
Security is solvable. That is the Unit 42 team’s closing assertion, and it is one I share. But it requires operating at the speed and scale of the adversary, which means machine-assisted detection, proactive identity governance, and a willingness to invest in closing the foundational gaps that make most breaches possible in the first place. The organizations that act on this data now will be meaningfully better positioned than those that wait for the breach to prompt the conversation.
This article was originally published on LinkedIn.
