
Cyberattacks are enabled by fundamental failures, Palo Alto analysis finds

Cyberattacks are moving faster, narrowing the gap between initial compromise and damaging impact, and the advent of AI is compressing attacker timelines in a way that human defenders can no longer keep up with.

That’s the broad and perhaps unsurprising finding of Palo Alto Networks’ 2026 Global Incident Response Report, which analyzed 750 incidents in 50 countries that were investigated by the company’s Unit 42 global intelligence and incident response team.

In the fastest attacks analyzed, threat actors went from first access to data exfiltration in 72 minutes, down from about five hours in 2024. Increasingly, this is explained by AI's ability to compress reconnaissance, phishing, encryption, and execution, the company said.

However, a closer look offers CISOs a measure of comfort: what really hurts organizations is not fast-moving attackers or AI itself, but fundamental failures such as weak authentication, lack of real-time visibility, and slow remediation caused by sprawling, fragmented security tooling.

In theory, all of this is fixable. As the authors note: “Despite the speed and spontaneity we see, many of the events we respond to do not start with something completely new, they start with gaps that appear over and over again.”

The struggle for self-awareness

A recurring theme is the struggle many organizations have with identity and trust, which Unit 42 found to be involved in 90% of the incidents it investigated. Attacker tactics included social engineering in 33% of incidents, phishing in 22%, credential abuse and brute force in 21%, and insider threats in 8%.

Too many accounts have excessive permissions; this was the case for 99% of the 680,000 cloud users, roles, and services analyzed by Unit 42, including some that had been inactive for 60 days or more. The identity attack surface continues to grow faster than the problems can be fixed, as organizations add more cloud, SaaS, and AI applications.

Increasingly, these identities are not human at all: machine identities (service accounts, default roles, API keys, AI agents), shadow identities (unauthorized accounts, developer environments, and third parties), and scattered identity "repositories" (on-premises AD and multiple cloud identity providers).
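The two findings above (99% of identities over-permissioned, some inactive for 60 days or more, and a growing share of them machine or shadow identities) translate directly into a hygiene check. The following is an added example, not code from the report or the article: it audits a constructed set of identity records for (a) inactivity of 60 days or more, counting never-used identities as inactive, and (b) Allow statements that grant a wildcard action on a wildcard resource. The record format, the `Identity` class, and the sample data are assumptions; in practice the records would be built from an IAM credential report, access-advisor data, or an IdP export.

```python
"""Stale and over-privileged identity check.

Added example (not from the Unit 42 report or the article). Input records are
constructed below; the IAM-style statement shape is an assumption about what an
identity export would contain.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

INACTIVE_DAYS = 60  # inactivity threshold cited by the report


@dataclass
class Identity:
    name: str
    kind: str                        # "user", "role", or "service"
    last_used: Optional[datetime]    # None means never used
    statements: List[dict] = field(default_factory=list)  # IAM-style policy statements


def is_wildcard(value: Union[str, List[str]]) -> bool:
    """True if an Action/Resource field (str or list) contains '*' or a 'service:*' entry."""
    values = [value] if isinstance(value, str) else list(value)
    return any(v == "*" or v.endswith(":*") for v in values)


def excessive_permissions(identity: Identity) -> List[str]:
    """Return SIDs (or positional names) of Allow statements with wildcard action AND resource."""
    hits = []
    for i, stmt in enumerate(identity.statements):
        if stmt.get("Effect", "Allow") != "Allow":
            continue  # Deny statements do not grant anything
        if is_wildcard(stmt.get("Action", [])) and is_wildcard(stmt.get("Resource", [])):
            hits.append(stmt.get("Sid", f"stmt{i}"))
    return hits


def is_inactive(identity: Identity, now: datetime, days: int = INACTIVE_DAYS) -> bool:
    """Never-used identities count as inactive; otherwise compare against the threshold."""
    if identity.last_used is None:
        return True
    return now - identity.last_used >= timedelta(days=days)


def audit(identities: List[Identity], now: datetime) -> Dict[str, List[str]]:
    """Map identity name -> findings ('inactive', 'excessive:<sid>'); clean identities are omitted."""
    findings: Dict[str, List[str]] = {}
    for ident in identities:
        issues = []
        if is_inactive(ident, now):
            issues.append("inactive")
        issues.extend(f"excessive:{sid}" for sid in excessive_permissions(ident))
        if issues:
            findings[ident.name] = issues
    return findings


NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed reference time

SAMPLE_IDENTITIES = [  # constructed sample records
    Identity("alice", "user", NOW - timedelta(days=3),
             [{"Sid": "ReadOnly", "Effect": "Allow",
               "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports/*"}]),
    Identity("legacy-deploy", "role", NOW - timedelta(days=95),
             [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]),
    Identity("ci-bot", "service", None,
             [{"Sid": "EC2All", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]),
    Identity("bob", "user", NOW - timedelta(days=61),
             [{"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}]),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_IDENTITIES, NOW).items():
        print(f"{name}: {', '.join(issues)}")
```

Running it flags `legacy-deploy` (stale and admin), `ci-bot` (never used, `ec2:*` on everything) and `bob` (stale, but his only statement is a Deny so no permission finding), while `alice` is clean. The check deliberately treats `service:*` the same as a bare `*` because service-wide wildcards are the usual shape of "excessive" in practice; tighten or loosen that rule to match your own policy baseline.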

“It’s rare for attacks to stay in one place. Instead, we’re seeing coordinated activity across environments, networks, cloud, SaaS, and ownership, forcing defenders to monitor all of them simultaneously,” Unit 42 said.

Supply chains are another vulnerable area. In 23% of cases, attackers were able to exploit third-party SaaS applications, bypassing traditional security controls. “When an upstream provider reported a compromise or termination, customers were often left to stop and answer the basic question: are we affected? In many cases, they had limited visibility into their exposure,” Unit 42 said.

Changing the paradigm

Unit 42's answer to this endless cycle of attackers staying one step ahead of defenders is to change perspective: cybersecurity has become more specialized, so the answer is a managed service built from the ground up around the threats actually seen in incident response rather than hypothetical ones.

With that in mind, Palo Alto Networks this week introduced a new SOC service, Unit 42 Managed Extended Security Intelligence and Automation Management (XSIAM) 2.0. This, the company says, expands on XSIAM 1.0 with comprehensive onboarding, threat hunting and response, and faster modeling of attack patterns than a standard SOC can manage.

Is this convincing? CISOs will have heard this message before: old things don’t work anymore, so invest in something new. And there’s always an old system or service that needs to be torn down to be replaced with a shiny, new one.

To complicate matters, the concept of more advanced SOCs may not be a panacea. Some have even argued that SOCs themselves could end up suffering from the same skills shortages and budget constraints as traditional IT departments.

As Palo Alto Networks puts it: "The defense window has collapsed, and most SOCs are not built for the speed of today's attacks." The pitch, then, is to ditch old tools like traditional SIEMs and SOAR, which only generate alerts, in favor of a modern AI-powered SOC that operates at "machine speed."
