Fuel Virtual Briefing: 2026 Incident Response Report

February 25, 2026 | Not specified | Past event

Cyber attacks that once unfolded over hours now reach data exfiltration in as little as 72 minutes, a shift the report attributes to attackers' use of AI, according to Unit 42's analysis of more than 750 real incidents, released February 17.

Key takeaways

  • Unit 42's 2026 Global Incident Response Report, drawn from over 750 engagements across 50 countries in 2025, shows the fastest quartile of attacks quadrupled in speed, and 87 percent of intrusions spanned more than one attack surface.
  • Identity weaknesses played a role in nearly 90 percent of breaches, and over 90 percent of incidents overall stemmed from preventable gaps such as misconfigurations and excessive permissions rather than novel exploits.
  • SaaS supply-chain attacks abusing trusted OAuth tokens and API keys rose 3.8-fold since 2022 to reach 23 percent of incidents, with intrusions increasingly causing operational disruption; median ransom payments rose 87 percent to $500,000.

Accelerated Cyber Risks

The Unit 42 2026 Global Incident Response Report, published February 17 by Palo Alto Networks' threat intelligence and response team, captures a decisive shift in the threat landscape. Analysts reviewed more than 750 high-stakes cases handled between October 2024 and September 2025, spanning every major industry and more than 50 countries. The data reveal AI moving from experimental tool to operational force multiplier for attackers.

Attack timelines have collapsed. In the fastest quartile of intrusions, adversaries progressed from initial access to exfiltration in 72 minutes, four times quicker than the previous year's 4.8 hours. Browser-based activity featured in 48 percent of cases, typically used to harvest credentials and sidestep endpoint controls, while 87 percent of intrusions touched at least two attack surfaces and 43 percent touched four or more.

Identity has become the dominant vector. Weaknesses in credential management, privilege escalation, or session tokens contributed to nearly 90 percent of investigations. Sixty-five percent of initial access relied on identity-based techniques such as social engineering or stolen credentials; 99 percent of cloud identities carried excessive permissions. These gaps persist amid governance drift, where rapid digital expansion outpaces controls.

Supply-chain risks have broadened beyond code repositories. Attacks abusing third-party SaaS integrations rose sharply, accounting for 23 percent of incidents and enabling lateral movement through inherited permissions. Median initial ransom demands climbed to $1.5 million from $1.25 million, with actual payments averaging $500,000. Forty-one percent of victims restored from backups without paying, but attackers encrypted or destroyed backups in 26 percent of cases.
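The two findings above, excessive permissions on cloud identities and lateral movement through permissions inherited by third-party SaaS integrations, both come down to standing OAuth grants and API keys that nobody reviews. The following is an added example of the kind of grant audit a practitioner would run; it is not code from the Unit 42 report or from Palo Alto Networks. The record format (app, grantor, scopes, grant and last-use timestamps, whether the granting user is still active), the list of scope markers treated as broad, and the 90-day staleness threshold are all assumptions chosen for illustration, and the grant list is constructed.

```python
"""Audit third-party OAuth grants and API keys for broad, stale or orphaned access.

Added example; not from the Unit 42 report. Record format, scope markers and
thresholds are assumptions; the sample grants below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumption: substrings that mark a scope as broad. Write/admin scopes let a
# compromised integration move laterally; mailbox and all-files read scopes
# are prime credential-harvesting targets. Adjust to the provider's scope names.
BROAD_SCOPE_MARKERS = ("admin", "write", "full_access", "mail.read", "files.read.all")
# Assumption: a grant unused for this long is treated as stale.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    app: str                      # third-party application the token was issued to
    grantor: str                  # user (or service account) who approved the grant
    scopes: Tuple[str, ...]       # scopes attached to the token
    granted_at: datetime
    last_used: Optional[datetime] # None if the token has never been presented
    grantor_active: bool          # False once the granting user is offboarded


@dataclass
class Finding:
    app: str
    grantor: str
    reasons: List[str]


def is_broad(scope: str) -> bool:
    """True if the scope matches any marker in BROAD_SCOPE_MARKERS (case-insensitive)."""
    s = scope.lower()
    return any(marker in s for marker in BROAD_SCOPE_MARKERS)


def audit_grants(grants: List[Grant], now: datetime) -> List[Finding]:
    """Return one Finding per grant that is broad, stale or outlives its grantor.

    Reasons are appended in a fixed order (broad, stale/never used, orphaned)
    so output is deterministic and easy to diff between audit runs.
    """
    findings: List[Finding] = []
    for g in grants:
        reasons: List[str] = []
        broad = [s for s in g.scopes if is_broad(s)]
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if g.last_used is None:
            reasons.append("never used since grant")
        elif now - g.last_used > STALE_AFTER:
            reasons.append(f"unused for {(now - g.last_used).days} days")
        if not g.grantor_active:
            reasons.append("grantor account deactivated; token outlives the user")
        if reasons:
            findings.append(Finding(g.app, g.grantor, reasons))
    return findings


# Constructed sample data (not real grants).
NOW = datetime(2026, 2, 20, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    # Narrow, recently used, grantor active: should produce no finding.
    Grant("calendar-sync", "alice", ("calendar.readonly",),
          NOW - timedelta(days=30), NOW - timedelta(days=1), True),
    # Broad scopes, stale, and the grantor has left: the classic inherited-permission path.
    Grant("ci-bot", "bob", ("repo.admin", "workflow.write"),
          NOW - timedelta(days=400), NOW - timedelta(days=200), False),
    # Mailbox read scope that has never been exercised since it was granted.
    Grant("mail-summarizer", "carol", ("mail.read",),
          NOW - timedelta(days=10), None, True),
]


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, NOW):
        print(f"{f.app} (granted by {f.grantor}):")
        for r in f.reasons:
            print(f"  - {r}")
```

The audit deliberately reports every reason rather than stopping at the first, because the remediation differs: a broad scope is narrowed, a stale token is revoked, and an orphaned grant points at an offboarding process that does not revoke delegated access. Feeding it real data means exporting the identity provider's or SaaS platform's OAuth consent and API-key inventory into the Grant shape above.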

Nation-state actors add stealth. Groups now deploy persona-driven infiltration using fake employment offers, synthetic identities, and AI-generated deepfakes, blending into routine hiring processes. The non-obvious tension is that most damage stems not from unattainable attacker sophistication but from complexity that defenders themselves created through sprawling cloud estates, SaaS sprawl, and unmonitored machine identities. Organizations racing to adopt AI and connected services simultaneously widen the very surfaces attackers exploit at machine speed.
