Attackers Aren’t Breaking In Anymore — They’re Logging In


Unit42, the threat intelligence and security consulting team at Palo Alto Networks, has published the Global Incident Response Report 2026, which examines the threat trends likely to shape the landscape for the rest of the year. The report, based on data gathered from cyber incidents in 2025, draws out several findings about modern security challenges. Nearly two-thirds (65%) of initial intrusions in the report were identity-based, and identity-related weaknesses were materially involved in 90% of investigations. The report documents attackers’ broad shift from exploit-driven breaches to credential-driven access.

Social Engineering Still Dominates

Of the more than 750 incidents covered in the report, social engineering was responsible for one-third—22% identity-based phishing and 11% other social engineering tactics. The most commonly used methods include phishing, impersonation, MFA fatigue, and credential harvesting. Threat actors leverage these techniques to take advantage of human psychology and user error, circumventing the need for advanced technical skill to launch attacks.

Identity-based attacks are attractive to threat actors because of their low cost and high success rate compared with tactics that demand more skill and resources. The pattern of obtaining a valid login, escalating privileges, and moving laterally is increasingly the norm. A single compromised account can grant threat actors access to extremely sensitive data and systems, particularly once they escalate privileges and move laterally.

AI as a Force Multiplier

The Unit42 report emphasizes the significance of AI both in compressing the attack lifecycle and in creating new attack vectors. In 2025, the speed of data exfiltration quadrupled as attackers continued to automate key stages such as reconnaissance and privilege escalation. This has serious implications for detection and response timelines, sharply reducing the time defenders have to identify and block threats.

Attackers are also using AI technology to enhance their attacks in a variety of ways beyond speed. Relying on AI for malware, phishing messages, and deepfake capabilities enables threat actors to craft more convincing attacks with higher payouts and success rates. Automating time-consuming steps in the process also frees up attackers’ time to develop their methods further.

Machine Identities and AI Agents Expand the Attack Surface

In addition to helping bad actors conduct larger, faster, and more effective attacks, the growing use of AI on the enterprise side also amplifies threats. Increasing use of service accounts, workload identities, API keys, and AI agents adds non-human identities that frequently outnumber human users, leading to a widening attack surface that is difficult to defend.

These identities are often granted excessive permissions and long-lived tokens, which increases the risk they pose. Monitoring and visibility are far weaker for non-human identities than for human ones, making threats harder to detect and prevent. Machine identities also behave very differently from human users, so traditional security measures designed around human behavior are largely ineffective against their misuse.

Software Supply Chain and SaaS Connectivity Risks

Another trend highlighted in the report is a significant shift from risks rooted in vulnerable code to risks through trusted integrations. Abuse of software-as-a-service (SaaS) connections, vendor tools, and federated trust is on the rise as attackers realize the benefits of exploiting third-party and supply chain relationships. API key exposure and SaaS sprawl are increasingly valuable entry vectors for attackers, enabling them to infiltrate through under-monitored channels and evade detection.

The risks of deeply interconnected supply chains and SaaS relationships only deepen as the blast radius of trusted connectivity abuse continues to expand. “Organizations need to widen their lens and treat supply chain risk—both software and AI—as part of the core Zero Trust strategy,” says Ronald Lewis, Senior Manager, Security Compliance and Auditing at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. “The trust relationships inside SaaS, APIs, CI/CD, and AI models are increasingly where attackers gain access.”

Nation-State Adaptation

Nation-state-affiliated actors present an area of particular concern with regard to ongoing threat trends. Infiltration driven by deepfake technology and other synthetic identities is increasingly common in state-sponsored attacks, leading to a deeper compromise of virtualization and infrastructure layers. The report notes early signs of AI-enabled tradecraft used by nation-state actors to support persistent footholds within target systems.

The use of AI tools and identity-based tactics in nation-state-linked attacks underscores the significance of multi-channel attacks and the need for robust, layered security. Organizations need to understand that “attackers aren’t picking a single lane anymore; they’re driving across all of them,” according to Sean Malone, Chief Information Security Officer at BeyondTrust, an Atlanta, Georgia-based privilege-centric identity security provider. “When 87% of incidents span multiple attack surfaces and 90% abuse identity weaknesses, we're long past thinking of this as 'an endpoint problem' or 'an identity problem' in isolation.”

What This Means for Defenders

Defenders should look to threat intelligence like this report to inform their priorities and decisions moving forward. Threat trends emphasize the continued significance of identity as a primary security control, not just a box to check for IAM hygiene. Continuous validation of privileges and trust relationships is essential in protecting against third-party and supply chain risks. Identity fragmentation must be treated as a risk multiplier and secured accordingly with effective protection and monitoring. Collapsing silos between IAM, security, and cloud teams is an urgent requirement to ensure widespread visibility and coordination of defenses.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.