More than 90% of breaches investigated in 2025 involved preventable security gaps, according to the latest Unit 42 Global Incident Response Report from Palo Alto Networks.
The new data underscore a persistent problem for security leaders: while attackers are moving faster, many organizations still struggle with basic visibility and access control.
Drawing on over 750 incident response engagements worldwide, Unit 42 found that 87% of intrusions spanned several attack surfaces. Threat actors routinely pivoted between endpoints, networks, cloud environments, and software-as-a-service (SaaS) platforms once inside.
Nearly half of all incidents involved a web browser in the attack chain, reflecting how everyday business tools are increasingly being used as initial access vectors.
“Most breaches were enabled by exposure, not attacker sophistication,” Sam Rubin, Senior Vice President of Consulting and Threat Intelligence at Palo Alto Networks Unit 42, wrote in the report. “In over 90% of incidents, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive identity trust.”
AI Acceleration, Identity Abuse, and Multi-Front Campaigns
The report also highlighted how automation tactics are compressing attack timelines. In some observed cases, attackers exfiltrated data in under two hours. Vulnerability scanning often began within minutes of public disclosure, shrinking defenders’ response windows to near real time.

Identity systems were identified as a primary target. Approximately 65% of investigated incidents involved identity-based techniques, including credential theft and session hijacking. Rather than relying on malware alone, adversaries were increasingly observed using valid accounts to evade detection and escalate privileges.
Unit 42 identified three main initial access routes:
- Identity-based social engineering (33%): Phishing and related tactics, including MFA bypass and user session hijacking.
- Credential misuse and brute force (21%): Stolen credentials and password attacks enabled direct VPN and cloud access.
- Identity misconfigurations and insider abuse (11%): Overly permissive identity and access management (IAM) practices and legitimate credential misuse allowed privilege escalation.
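As an added illustration of the first two access routes above, the detector below runs over a handful of constructed authentication events and flags the three signals a SOC would hunt for: a single account hammered from one address (brute force), one address failing against many accounts with one or two tries each (password spraying, which slips under per-account lockouts), and a session identifier reused from a second source address (the trace a stolen session token leaves after an MFA bypass). This is example code written for this page, not code from Unit 42 or the report; the log format and field names (`svc`, `user`, `src`, `result`, `session`), the sample addresses, and the thresholds are all assumptions made for the example and do not correspond to any particular product.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events (not from the report or any real environment):
# a VPN brute-force burst against alice, a spray from 198.51.100.9 against a
# SaaS tenant, SaaS session s-7f3a reused from a second address, and benign noise.
SAMPLE_LOGS = """\
2025-03-04T09:00:01Z svc=vpn user=alice src=203.0.113.7 result=FAIL
2025-03-04T09:00:03Z svc=vpn user=alice src=203.0.113.7 result=FAIL
2025-03-04T09:00:05Z svc=vpn user=alice src=203.0.113.7 result=FAIL
2025-03-04T09:00:08Z svc=vpn user=alice src=203.0.113.7 result=FAIL
2025-03-04T09:00:11Z svc=vpn user=alice src=203.0.113.7 result=FAIL
2025-03-04T09:00:14Z svc=vpn user=alice src=203.0.113.7 result=SUCCESS
2025-03-04T09:05:00Z svc=vpn user=dave src=192.0.2.20 result=FAIL
2025-03-04T09:05:20Z svc=vpn user=dave src=192.0.2.20 result=SUCCESS
2025-03-04T09:10:00Z svc=saas user=bob src=198.51.100.9 result=FAIL
2025-03-04T09:10:02Z svc=saas user=carol src=198.51.100.9 result=FAIL
2025-03-04T09:10:04Z svc=saas user=dave src=198.51.100.9 result=FAIL
2025-03-04T09:10:06Z svc=saas user=erin src=198.51.100.9 result=FAIL
2025-03-04T09:10:08Z svc=saas user=frank src=198.51.100.9 result=FAIL
2025-03-04T09:10:10Z svc=saas user=grace src=198.51.100.9 result=FAIL
2025-03-04T09:30:00Z svc=saas user=carol src=192.0.2.10 result=SUCCESS session=s-7f3a
2025-03-04T09:31:15Z svc=saas user=carol src=192.0.2.10 result=SUCCESS session=s-7f3a
2025-03-04T09:42:40Z svc=saas user=carol src=203.0.113.50 result=SUCCESS session=s-7f3a
2025-03-04T10:00:00Z svc=saas user=erin src=192.0.2.30 result=SUCCESS session=s-1c9e
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, TS_FMT)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return (user, src) pairs with at least `threshold` failures inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e.get("result") == "FAIL":
            failures[(e["user"], e["src"])].append(e["ts"])
    flagged = set()
    for key, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures and check its span.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(key)
                break
    return flagged


def detect_password_spray(events, min_users=5, window=timedelta(minutes=30)):
    """Return source addresses that fail against >= `min_users` distinct accounts
    inside any `window`. Per-account counts stay low, so lockouts never fire;
    the signal is the breadth of accounts touched from one source."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("result") == "FAIL":
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = set()
    for src, attempts in by_src.items():
        attempts.sort()
        in_window = Counter()  # user -> failures currently inside the window
        left = 0
        for ts, user in attempts:
            in_window[user] += 1
            while ts - attempts[left][0] > window:  # drop attempts that aged out
                old_user = attempts[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_users:
                flagged.add(src)
                break
    return flagged


def detect_session_reuse(events):
    """Return session IDs seen from more than one source address: the usual
    footprint of a stolen session token replayed after an MFA bypass."""
    sources = defaultdict(set)
    for e in events:
        if "session" in e:
            sources[e["session"]].add(e["src"])
    return {sid for sid, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("brute force:", detect_brute_force(events))
    print("password spray:", detect_password_spray(events))
    print("session reuse:", detect_session_reuse(events))
```

The thresholds are deliberately loose so the constructed sample trips each detector; in production they would be tuned per service, and the session-reuse check is usually extended to compare device fingerprint or user agent as well as source address, since a legitimate user changing networks also produces a second address.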
Cloud and SaaS environments featured prominently across investigations, particularly where application programming interfaces (APIs) enabled lateral movement and data theft.
The full findings are available in the 2026 Unit 42 Global Incident Response Report from Palo Alto Networks.