Palo Alto Networks: Global incident report 2026 analysis

Palo Alto Networks held its Ignite on Tour London 2026 event recently and an element of the organisation’s presentations mentioned the now-released Global Incident Report 2026.

It’s an annual study carried out to assess the state of cyber resilience drawn from analysis of incident response cases involving customers of Unit 42, the incident response and threat intelligence arm of Palo Alto Networks. The report outlines four major trends that will shape the threat landscape for 2026.

AI, a force multiplier

Perhaps no surprise, AI is first on the list; the company calls it a “force multiplier for threat actors” and says that AI-based automation accelerators have “compressed the attack lifecycle”, meaning the time between initial access and impact. There are new attack vectors to consider in this new universe, and cyber-focused software developers will need to reckon with the fact that in 2025, exfiltration speeds for the fastest attacks quadrupled.

Taking a particularly pertinent example in this area, we can look at so-called parallelised targeting. Here, AI-assisted workflows allow malicious actors to run reconnaissance and initial access attempts across hundreds of targets in parallel and then concentrate effort wherever they find a weak signal.

“We see actors using AI to reduce manual work during deployment (script generation, templating) and extortion (messaging consistency). The shift is not that ransomware is new, it is that the operator time required to run it at scale is dropping,” notes Palo Alto Networks.

Fragmented identity estates

Identity ranks second, with identity weaknesses playing “a material role” in almost 90% of Unit 42 cases. The report notes that attackers increasingly log in with stolen credentials and tokens, exploiting fragmented identity estates rather than breaking in.

Logically, then, we can remind ourselves that Palo Alto Networks this year completed the acquisition of Chronosphere, an observability platform company that aims to offer deep visibility into an entire digital estate.

The planned integration of Palo Alto Networks Cortex AgentiX with Chronosphere’s cloud-native observability platform is designed to allow teams to apply AI agents capable of finding and fixing security and IT issues automatically, because, as the Palo Alto Networks tagline goes, “AI security without deep observability is blind” these days.

The acquisition has been crafted to deliver essential context across models, prompts, users and performance to move from manual guessing to autonomous remediation, notes the company.

Supply chain drain pains

Next it’s supply chain, i.e. the connections that exist between (for example) a small business (let’s say it’s a refuse and cleaning supplies company) and a larger business (let’s imagine a bank, a large insurance conglomerate or a petrochemicals company, just for the sake of argument). The fact that there are electronic connection points between the two (for administration, invoicing or whatever) is enough to create a software supply chain risk, one that now extends beyond vulnerable code to the misuse of trusted connectivity.

“Attackers have exploited Software-as-a-Service (SaaS) integrations, vendor tools and application dependencies to bypass perimeters at scale. This shifts the impact from isolated compromise to widespread operational disruption,” explains Palo Alto Networks, in its report.

The fourth area of major cyber vulnerability for firms to consider in light of this report is nation-state actors, who are adapting stealth and persistence tactics to modern enterprise operating environments.

These actors have (in recent times) been seen to rely increasingly on persona-driven infiltration (such as fake employment records or synthetic identities) in order to compromise core infrastructure and virtualisation platforms, with early signs of “AI-enabled tradecraft” used to reinforce these footholds.

What is AI-enabled tradecraft?

To pause and clarify this term, AI-enabled tradecraft can be explained as the integration of advanced machine learning and automation techniques (primarily, here, autonomous and adaptive algorithms) into the methods used by malicious attackers and by the companies trying to defend against them.

While these four trends each present a challenge, attacker success is rarely determined by a single attack vector. Across more than 750 incident response (IR) engagements, 87% of intrusions unfolded on multiple fronts. The company says that this means defenders must protect endpoints, networks, cloud infrastructure, SaaS applications and identity together. Nearly half (48%) involved browser-based activity, reflecting how often attacks intersect with routine workflows like email, web access and day-to-day SaaS usage.

Securing the application ecosystem

A slightly unnerving truth also comes out of this report as its analysis suggests that most breaches were enabled by exposure, not attacker sophistication. In over 90% of breaches, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls or excessive identity trust.

“Security leaders must close the gaps attackers rely on. First, reduce exposure by securing the application ecosystem, including third-party dependencies and integrations and hardening the browser, where many intrusions now begin. In parallel, reduce area of impact by advancing zero trust and tightening identity and access management (IAM) to remove excessive trust and limit lateral movement,” clarified Palo Alto Networks.

In 2025, Unit 42 says it responded to more than 750 major cyber incidents. Its teams worked with large organisations facing extortion, network intrusions, data theft and advanced persistent threats. Targets spanned every major industry and more than 50 countries. In each case, the situation had escalated to the point where the security operations centre (SOC) called for backup.

I wanna tell you an intrusion story

“Each intrusion tells a story: what the attacker targeted, how they gained access, how the activity escalated and what could have stopped it sooner. In the aggregate, these stories become trends and provide insight into the global threat landscape. They show what’s changing in adversary tradecraft, the repeated mistakes organizations make, and most importantly, what defenders can do to keep their organizations safe. This report distills those lessons,” notes the company.

Over the past year, attack speeds continued to accelerate. Attackers are still early in their adoption of AI-enabled tradecraft, but its impact is already visible. The company says that AI reduces friction across reconnaissance, social engineering, scripting, troubleshooting and extortion operations. It enables greater scale and the ability to launch multiple attacks simultaneously.

The result is a shrinking window for detection and containment, where what happens in the first minutes after initial access can determine whether an incident becomes a breach.

According to the report, “At the same time, most breaches still follow familiar paths. And that is why our most important conclusion remains unchanged: security is solvable. In more than 90% of incidents, misconfigurations or lapses in security coverage materially enabled the intrusion.”

It seems clear that attackers are adapting, but they most often succeed by exploiting preventable gaps – inconsistent control deployment, incomplete telemetry, over-permissive identity trust and unmanaged third-party connectivity across SaaS and cloud.

… and finally

Finally, as the last line of defence, Palo Alto Networks urges organisations to ensure the security operations centre (SOC) can detect and contain threats at machine speed by consolidating telemetry and automating response.

This report offers an “inside the intrusion” section, where the company provides an aggregate view of observed tactics, techniques and procedures across Unit 42 investigations – what attackers target, how they get in, how fast they move and the impacts they drive.

The report is organised as a practical guide to the current threat landscape:

Emerging threats and trends. How attacker tradecraft is evolving: AI as a force multiplier, identity as the most reliable path to success, expanding software supply chain risk through trusted connectivity and evolving nation-state tactics.