Cyberattacks are moving faster, shrinking the gap between initial compromise and bad consequences, and the advent of AI is accelerating their timelines in a way that human defenders can no longer keep up with.

That’s the broad and perhaps unsurprising finding of Palo Alto Networks’ 2026 Global Incident Response Report, which analyzed 750 incidents in 50 countries that were investigated by the company’s Unit 42 global threat intelligence and incident response team.

In the fastest attacks analyzed, threat actors moved from initial access to data exfiltration in 72 minutes, down from nearly five hours in 2024. Increasingly, this is explained by AI’s ability to compress timelines for reconnaissance, phishing, scripting, and operational execution, the company said.

However, a closer look offers CISOs a crumb of comfort: what is really killing organizations isn’t so much fast-moving attackers or the wolf of AI, but basic failings such as weak authentication, a lack of real-time visibility, and misconfigurations caused by a complex sprawl of security systems.

In theory, these are all fixable. As the authors observe: “Despite the speed and automation we’re seeing, most of the incidents we respond to don’t start with something radically new. They start with gaps that show up again and again. In many cases, attackers didn’t rely on a sophisticated exploit, but on an overlooked exposure.”

Identity struggle

A recurring theme is the struggle many organizations have with identity and trust, which Unit 42 found played a role in 90% of the incidents it investigated. Attacker tactics included social engineering in 33% of incidents, identity-based phishing in 22%, credential abuse and brute force in 21%, and insider threats in 8%.

Too many accounts have excessive permissions; this was the case for 99% of the 680,000 cloud users, roles, and services analyzed by Unit 42, including some that had been unused for 60 days or more. It’s an identity attack surface that keeps expanding faster than the underlying issues can be addressed, as organizations add ever more cloud, SaaS, and AI applications.

Increasingly, these identities relate to machine identities (service accounts, automation roles, API keys, AI agents), shadow identities (unsanctioned accounts, developer environments, and third parties), and identity “silos” (on-premises AD plus multiple cloud identity providers).

“Rarely does an attack stay in one environment. Instead, we see coordinated activity across endpoints, networks, cloud, SaaS, and identity, forcing defenders to monitor across all of them at once,” said Unit 42.

Supply chains are another vulnerable area. In 23% of incidents, attackers were able to exploit third-party SaaS applications, bypassing traditional security controls. “When an upstream provider reported a compromise or outage, customers were often left to stop and answer a basic question: are we affected? In many cases, they had limited visibility into their own exposure,” Unit 42 said.

Changing the paradigm

Unit 42’s answer to this endless cycle of attackers always being one step ahead of defenders is to change the paradigm: cybersecurity has become so specialized, it says, that the answer is to use a managed service built from the ground up to counter real rather than abstract threats.

With that in mind, Palo Alto Networks this week launched a new SOC service, Unit 42 Managed Extended Security Intelligence and Automation Management (XSIAM) 2.0. This, the company claims, has expanded its XSIAM 1.0 to include complete onboarding, threat hunting and response, and the modelling of attack patterns faster than a traditional SOC.

Is this persuasive? CISOs will have heard this message before: the old stuff no longer works, so invest in something new. And there is always an old system or service that needs ripping out to be replaced by a shinier, new one.

To complicate matters, the idea of ever more advanced SOCs might not be a panacea. Some have even argued that SOCs themselves can end up constrained by the same skills shortages and budget constraints as traditional IT departments.

As Palo Alto Networks puts it: “The window for defense has collapsed, and most SOCs weren’t built for the speed of today’s attacks.” So, out with old tools such as traditional SIEMs and SOAR, which merely generate alerts; the modern AI-powered SOC should act on them “at machine speed.”
