How are cyberattacks changing in speed and scale?
According to the Unit 42 Incident Response Report 2026: Executive Edition, attacks are getting significantly faster and more efficient, largely due to the use of AI by threat actors.
Key changes highlighted in the report:
- Unit 42 investigated more than **750 incidents in 2025**.
- The **fastest attacks now complete data exfiltration in about 72 minutes**, down from **285 minutes the year before**.
- While attackers operate in minutes, **most security teams still respond in days**, creating a widening gap between attacker speed and defender response.
AI is a major driver of this shift:
- Threat actors use AI to **accelerate reconnaissance, vulnerability scanning, and exploitation**.
- Scanning for newly disclosed vulnerabilities now begins **within minutes of public disclosure**, shrinking the window for patching and mitigation.
- AI is making existing techniques more effective rather than inventing new ones: phishing is more convincing, malware development is faster, and extortion operations are easier to run at scale.
What this means for our organization:
- We need to **align security operations to attacker speed**, moving away from manual, siloed processes.
- The report recommends **integrated detection and automated containment** across identity, endpoint, cloud, SaaS, and network environments.
- Our focus should be on reducing the time from detection to containment, so that a 72‑minute attack window does not turn into a multi-day incident.
In short, the threat landscape is reshaping how we need to think about incident response: it’s less about rare, novel attacks and more about consistently closing well-known gaps quickly and in a coordinated way.
Why is identity now the primary attack path?
The report makes it clear that **identity has become the main way attackers get in and move around**, especially as organizations rely more on cloud and SaaS and less on traditional network perimeters.
Key data points from Unit 42:
- In nearly **90% of investigations**, identity weaknesses played a **material role** in the incident.
- **65% of initial access** is now **identity-driven** (for example, stolen credentials, hijacked sessions, or mis-scoped privileges).
- **99% of cloud identities analyzed** had **more privileges than they actually used**, creating unnecessary exposure.
Why identity is so attractive to attackers:
- Instead of exploiting software flaws, attackers often **just log in** using:
  - Stolen or phished credentials
  - Hijacked sessions
  - Over-privileged accounts
- Once they have valid access, they can:
  - **Blend into normal user or service activity**
  - **Move faster** with fewer obvious signals
  - **Expand reach** using excessive permissions
The identity attack surface is expanding:
- **Machine accounts, service roles, third-party integrations, and AI-related identities** now often outnumber human users.
- These non-human identities tend to be:
  - Over-permissioned
  - Long-lived
  - Inconsistently monitored
- As identity estates fragment across multiple platforms, **defenders lose end-to-end visibility**, while attackers gain reliable paths for persistence and lateral movement.
What we should focus on:
- **Treat identity as the primary control plane**, not just an IT admin concern.
- Establish **centralized visibility and continuous lifecycle governance** for:
  - Human users
  - Machine and service accounts
  - Third-party and SaaS integrations
  - Emerging AI-related identities
- Systematically **right-size permissions** and reduce excessive trust before attackers can turn access into impact.
In practice, this means reimagining identity as a core security domain: if we get identity wrong, even strong network and endpoint controls will struggle to contain modern attacks.
What practical steps should we prioritize to reduce cyber risk?
The report emphasizes that in **more than 90% of incidents**, attacker success was driven less by novel techniques and more by **preventable gaps**: limited visibility, inconsistent controls, and excessive trust in identities and integrations.
It recommends three executive-level priorities:
1. **Align security operations to attacker speed**
   - Move from fragmented tools and manual workflows to **integrated detection and automated containment**.
   - Correlate activity across **identity, endpoint, cloud, SaaS, and network** rather than treating them as separate silos.
   - Aim to shrink the time from detection to containment so that fast attacks (sometimes under 72 minutes) can be contained before they escalate.
2. **Treat identity as the primary control plane**
   - Assume that **identity is the main path in**: 65% of initial access is identity-driven, and identity weaknesses played a role in nearly 90% of cases.
   - Implement **centralized visibility and continuous governance** for:
     - Human users
     - Machine and service accounts
     - Third-party and SaaS integrations
     - AI-related identities
   - Systematically reduce **excessive permissions**, especially in cloud, where 99% of identities reviewed had more privileges than they used.
3. **Actively govern exposure and dependencies**
   - Look beyond code vulnerabilities to **what is connected, what is trusted, and what is exploitable** across:
     - SaaS integrations (OAuth apps, APIs, automation workflows)
     - Vendor tools (remote monitoring, device management, etc.)
     - Open-source and transitive dependencies in the software supply chain
   - Recognize that supply chain and vendor tools can create **one-to-many impact** and that 39% of observed command-and-control techniques leveraged remote access tools.
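As an added example (not from the report), the permission right-sizing check recommended under "What we should focus on" and again in priority 2: a Python script that compares each identity's granted actions with the actions actually seen in an audit log during a review window, and lists what could be removed. Identity names, actions, dates and the log layout are constructed for illustration; real inventories would come from the cloud provider's IAM and audit APIs.

```python
from datetime import date, timedelta

# Constructed inventory: IAM-style actions granted to each identity.
# Names and actions are hypothetical, chosen to mix human, service and vendor identities.
GRANTED = {
    "svc-build-runner": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                         "iam:PassRole", "ec2:TerminateInstances"},
    "alice": {"s3:GetObject", "s3:ListBucket"},
    "vendor-rmm": {"ec2:DescribeInstances", "ec2:RunInstances", "iam:CreateAccessKey"},
}

# Constructed audit-log extract: (identity, action, date last seen).
LAST_USED = [
    ("svc-build-runner", "s3:GetObject", date(2026, 1, 10)),
    ("svc-build-runner", "s3:PutObject", date(2026, 1, 12)),
    ("alice", "s3:GetObject", date(2026, 1, 2)),
    ("alice", "s3:ListBucket", date(2026, 1, 9)),
    ("vendor-rmm", "ec2:DescribeInstances", date(2026, 1, 11)),
    ("vendor-rmm", "ec2:RunInstances", date(2025, 9, 30)),  # older than the window: counts as unused
]

REVIEW_DATE = date(2026, 1, 15)  # constructed "today" for the review

def used_actions(last_used, today, window_days=90):
    """Actions per identity observed on or after today - window_days."""
    cutoff = today - timedelta(days=window_days)
    used = {}
    for identity, action, seen in last_used:
        if seen >= cutoff:
            used.setdefault(identity, set()).add(action)
    return used

def right_size(granted, last_used, today, window_days=90):
    """Return {identity: (keep, remove)}: keep = granted and used; remove = granted but unused."""
    used = used_actions(last_used, today, window_days)
    report = {}
    for identity, perms in granted.items():
        keep = perms & used.get(identity, set())
        report[identity] = (keep, perms - keep)
    return report

def over_privileged(report):
    """Identities holding at least one permission they did not exercise in the window."""
    return sorted(identity for identity, (_, remove) in report.items() if remove)

if __name__ == "__main__":
    rep = right_size(GRANTED, LAST_USED, REVIEW_DATE)
    for identity, (keep, remove) in rep.items():
        print(f"{identity}: keep {sorted(keep)}; remove {sorted(remove)}")
    print("over-privileged:", over_privileged(rep))
```

Running it against a real inventory is the starting point for the continuous governance the report describes: the "remove" sets are candidate policy changes, and identities that are never exercised in any window are candidates for retirement.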
These priorities are less about buying more point solutions and more about **tightening integration, automation, and governance** across the environments attackers already know how to exploit. By focusing on speed, identity, and connected dependencies, we can materially reduce both the likelihood and the impact of modern attacks.