AI-driven cyber attacks now breach systems in 72 minutes, study finds

The window to stop a cyberattack has shrunk to just over an hour as attackers use artificial intelligence (AI), according to the 2026 Unit 42 Global Incident Response Report, which notes that organizations must quickly align their operations with the speed of the attacker.

The findings are based on a review of more than 750 incidents in 2025, which revealed that the time required for attackers to extract information has dropped to 72 minutes, down from 285 minutes the previous year.

This acceleration is driven by AI acting as a “force multiplier,” allowing threat actors to identify and exploit vulnerabilities within minutes of public exposure.

By improving the efficiency of phishing and malware distribution, AI has effectively compressed the attack lifecycle and widened the gap between rapid-fire intervention and self-defense.

Identity vulnerabilities played a key role in 90% of the incidents Unit 42 investigated, as attackers increasingly skip software exploits and instead “sign in” with stolen credentials or hijacked sessions.

This is mainly accomplished through phishing and software vulnerability exploitation, which remain the most common entry points, each accounting for 22% of observed incidents, the report said.

Once inside, threat actors use these active credentials to move quickly and blend in with normal business operations, often using an organization’s internal AI resources to map systems and increase their reach.

This trend is fueled by a widespread governance gap in which 99% of cloud identities, including human users and machine accounts, hold redundant permissions, providing a silent, high-level means of lateral movement.

The report also found that software supply chain risk has shifted to the misuse of trusted communications, with Software as a Service (SaaS) data penetration jumping to 23% by 2025.

Attackers also use interconnected Application Programming Interfaces (APIs) and poorly managed dynamic libraries to achieve a “one-to-many” effect.

Meanwhile, state actors from China, North Korea, and Iran have changed their strategy to long-term concealment by compromising deep levels of infrastructure, such as virtualization and administrative layers, in order to maintain a permanent presence.

This sophisticated commercial operation involves the use of highly insidious “employment fraud”, where cybercriminals create fake job sites and fake interviews to trick unsuspecting workers into installing malware.

By prioritizing persistence over immediate disruption, these actors can remain hidden within the network for long periods of time, turning formal corporate recruitment and information technology (IT) processes into direct intelligence-gathering methods.

To counter these threats, the report recommends that companies shift to Active Exposure Management by using integrated containment, automation, and identity management as their primary security perimeter.

Organizations are also advised to go beyond static scanning to fully manage third-party integration and device ownership before they are deployed.

Unit 42 is the global threat intelligence and incident response arm of Palo Alto Networks, a leading cybersecurity company that provides specialized technology and tools to help organizations manage complex digital threats. – Edg Adrian A. Eva
