Unit 42: Watch Out! Attacks Growing More Aggressive
Unit 42's 2026 Global Incident Response Report, released by Palo Alto Networks, underscores a new phase in the escalation of cyber attacks. Unit 42's analysis of more than 750 high-risk incidents shows that artificial intelligence (AI), attack surface complexity, and identity exploitation were the dominant factors in security breaches over the past year. Attackers now harness AI at every stage of an intrusion, from reconnaissance to data exfiltration, and operate at up to four times the tempo seen the previous year. In the fastest case, the time from initial access to data theft was just 72 minutes. 89 percent of incidents involved abuse of identity weaknesses, and 87 percent of attacks spanned two or more surfaces at once, including endpoints, cloud, SaaS, and identity systems; Unit 42 observed activity across as many as 10 different surfaces within a single attack chain.

Sam Rubin, Senior Vice-President of Unit 42 Consulting and Threat Intelligence at Palo Alto Networks, warned that organisational complexity has become the main vulnerability. Credentials are increasingly sought after, and autonomous AI agents are being used to bridge human and machine identities and carry out actions independently.

Key findings from the 2026 report include:

- AI accelerates attacks: automation and AI shorten the time from initial access to exfiltration, with 72 minutes the fastest recorded interval.
- Attacks are growing more complex: 87 percent of cases involve multi-surface exposure, and lateral movement is increasingly widespread.
- Identity is the main entry point: 65 percent of initial access stems from identity-based techniques (social engineering and credential abuse); 22 percent relates to vulnerability exploitation.
- Browsers are battlegrounds: 48 percent of attacks involve the browser, used to steal credentials and bypass local controls.
- Surge in SaaS supply-chain attacks: incidents involving third-party SaaS applications have risen 3.8-fold since 2022 and now account for 23 percent of all attacks, including abuse of OAuth tokens and APIs.

The report also finds that 90 percent of data leaks relate to misconfiguration or other security gaps, with system complexity, limited visibility, and overreliance on trust as the primary drivers. It recommends a platform-based, zero-trust approach: strengthening the SOC with AI and automation, integrating security from the development stage, modernising identity management for both humans and machines, securing browsers and unmanaged devices, and removing implicit trust through continual verification.