Palo Alto Networks' elite incident response team handled more than 750 major cyber incidents throughout 2025, providing unprecedented insight into the evolving threat landscape as cybercriminals increasingly target organizational identities and exploit artificial intelligence.
According to the newly released Unit 42 Global Incident Response Report, identity weaknesses played a material role in almost 90% of investigations conducted by the cybersecurity firm's response teams.
The incidents spanned every major industry across more than 50 countries, with each case escalating to the point where internal security operations centers required external assistance. Unit 42's teams worked with large organizations facing extortion, network intrusions, data theft, and advanced persistent threats.
Four Critical Trends Emerge
The report identifies four major trends that will shape the cybersecurity landscape in 2026, with artificial intelligence serving as a significant force multiplier for threat actors.
"AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access to impact, while introducing new vectors," the report states. "This speed shift is measurable: in 2025, exfiltration speeds for the fastest attacks quadrupled."
The acceleration represents a fundamental shift in how quickly cybercriminals can execute attacks, from initial compromise to data extraction.
Identity-Based Attacks Dominate
The second trend reveals that attackers increasingly "log in" with stolen credentials and tokens rather than relying on traditional exploitation methods. These threat actors exploit fragmented identity estates to escalate privileges and move laterally through compromised networks.
Supply chain risks have also evolved beyond vulnerable code to encompass the misuse of trusted connectivity. Attackers now exploit software-as-a-service integrations, vendor tools, and application dependencies to bypass security perimeters at scale.
"This shifts the impact from isolated compromise to widespread operational disruption," according to the report.
Nation-State Evolution
The fourth trend shows nation-state actors adapting stealth and persistence tactics to modern enterprise environments. These sophisticated adversaries increasingly rely on persona-driven infiltration, including fake employment and synthetic identities, while achieving deeper compromise of core infrastructure and virtualization platforms.
The report notes early signs of AI-enabled tradecraft being used to reinforce these footholds, suggesting state-sponsored groups are also leveraging artificial intelligence capabilities.
Multi-Vector Attack Reality
Complex attack patterns emerged as the norm rather than the exception. In Unit 42's 750-plus incident response engagements, 87% of intrusions involved activity across multiple attack surfaces, requiring defenders to protect endpoints, networks, cloud infrastructure, SaaS applications, and identity systems simultaneously.
Nearly half of all incidents (48%) involved browser-based activity, reflecting how frequently attacks intersect with routine workflows including email, web access, and daily SaaS usage.
Preventable Gaps Enable Success
The analysis revealed that most breaches resulted from exposure rather than sophisticated attack techniques. In over 90% of breaches, preventable gaps materially enabled the intrusion, including limited visibility, inconsistently applied controls, or excessive identity trust.
These conditions delayed detection, created pathways for lateral movement, and amplified impact once attackers obtained initial access.
Retail and Hospitality Impact
The retail and wholesale sector accounted for roughly one-fifth of extortion-related security incidents in 2025, both among industries targeted (18%) and among industries impacted (19%), matching the manufacturing sector's exposure levels.
The DragonForce ransomware attacks by Muddled Libra, also known as Scattered Spider, on U.S. and U.K. retailers during the second quarter of 2025 represented a notable example of these extortion incidents.
By comparison, the hospitality industry remained near the bottom of both categories, being targeted by only 1% and impacted by 1% of extortion-related security incidents.
A significant shift in the cybercrime landscape emerged from mid-2025 through early 2026, as financially motivated threat actors like Bling Libra (ShinyHunters) and Chubby Scorpius (FIN11) adopted data theft and extortion tactics without using encryption as their monetization strategy.
Looking ahead, security leaders must focus on closing the gaps that attackers consistently exploit. The report emphasizes reducing exposure by securing application ecosystems, including third-party dependencies and integrations, while hardening browsers where many intrusions now begin. Organizations should also advance zero trust initiatives and tighten identity and access management to remove excessive trust and limit potential impact.

