
How AI, identity weaknesses and supply chain risks define cyber incidents in 2026

A Unit 42 analysis of more than 750 incidents across 50+ countries highlights how AI, stolen credentials and third-party integrations are shortening detection windows and enlarging breach impact

Unit 42 distills lessons from more than 750 major incidents spanning every primary industry and over 50 countries. The report synthesizes global incident response engagements and identifies persistent failures in defensive posture. Investigations show a clear shift in attacker behaviour: intrusions execute faster than before, adversaries rely heavily on identity and trusted integrations, and compromises often span multiple parts of an environment.

Defenders repeatedly encounter the same root causes. Teams report limited visibility, overly permissive trust relationships, and growing environmental complexity. This article unpacks the principal trends, shows how a single high-severity vulnerability reflects wider patterns, and offers prioritized guidance security teams can implement.

Attack tempo and automation: AI compresses the timeline

The palate never lies, and in cyber incident response the first taste often signals a long meal. As a chef I learned that speed reveals technique; in security, speed exposes automation and orchestration.

Adversaries increasingly use automated tooling and AI-assisted workflows to shorten the time between initial access and objective achievement.

Accelerated attacks compress the defender window

Unit 42 recorded a sharp reduction in the time from initial access to impact. In the fastest intrusions, adversaries moved from entry to data exfiltration in as little as 72 minutes, approximately 4X faster than the prior year. This shift reflects widespread adoption of artificial intelligence for reconnaissance, phishing creation, scripting and operational execution.

The new tempo creates machine-like scale. Threat actors automate discovery, craft convincing lures and execute multi-stage workflows with minimal human supervision. As a result, the early minutes after compromise determine whether containment succeeds or fails.

Defenders face a compressed decision cycle. Without near-real-time detection and automated triage, containment efforts often lag behind adversary movement. Investment in automated alerting, playbooks and rapid isolation can restore parity between response and intrusion velocity.

The palate never lies—and the comparison holds in cyber operations. As a chef I learned that timing, precision and the right tools turn a risky moment into a controlled outcome. Applied to incident response, those principles favor rapid automation, tight telemetry and rehearsed procedures.

Behind every incident there is a chain of choices. Organizations that shorten detection-to-containment times reduce the likelihood that a limited compromise becomes a major breach. Expect operational playbooks and AI-enabled defenses to dominate priorities in the coming cycle.

Identity as a primary attack vector

Alongside operational playbooks and AI-enabled defenses, identity weaknesses remain the most exploited entry point. Attackers often bypass complex exploits by using legitimate sessions created with stolen credentials or tokens. The result is not a smash-and-grab intrusion but an apparently authorized access that carries malicious intent.

How fragmented identity increases risk

When organisations operate multiple identity stores and inconsistent authentication policies, attackers who obtain a single credential can move laterally with minimal friction. Excessive implicit trust between services, long-lived tokens and unmanaged service accounts multiply exposure. A single compromised profile frequently becomes a pivot to sensitive systems and data, expanding the operational blast radius.

Practical identity controls

The palate never lies, and in security the smallest misconfiguration reveals much. Start with rigorous authentication hygiene. Enforce multi-factor authentication across all user and service access. Shorten credential lifetimes and adopt token rotation for service accounts and APIs.

Move toward stronger federated and adaptive models. Implement identity federation with centralised policy control and apply contextual checks such as device posture, geolocation and risk scoring before granting high-risk access. Where feasible, adopt passwordless authentication to reduce reliance on reusable secrets.

Limit privilege by design. Enforce the principle of least privilege for users and services. Use just-in-time elevation for administrative tasks and continuously validate privileges with automated attestation. Segment identity domains to contain compromises and apply strict service-to-service authentication.

Instrument identity telemetry and make it actionable. Collect authentication logs, token use and entitlement changes centrally. Feed these signals into real-time analytics and response playbooks so anomalous sessions can be remediated before impact.
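The following is an added example, not code from the Unit 42 report or from Palo Alto Networks. It shows what "actionable identity telemetry" can look like in practice: centralised authentication events are scored against the controls listed above (device posture, geolocation, token lifetime, MFA, service-account hygiene) and an entitlement change shortly after a risky login raises the score further, so a response playbook can revoke the session before impact. The log format, field names, baseline, scoring weights and revoke threshold are all assumptions constructed for illustration.

```python
"""Risk-score identity events and pick the sessions a playbook should revoke.

Added example: the JSON log lines, per-user baseline, weights and threshold
below are constructed assumptions, not a vendor's format or policy.
"""
import json
from datetime import datetime, timedelta

MAX_TOKEN_AGE = timedelta(hours=8)   # assumed policy: tokens must rotate within 8h
REVOKE_THRESHOLD = 50                # assumed score at which the playbook revokes

# Constructed baseline of "normal" per principal (assumption).
BASELINE = {
    "alice":  {"countries": {"GB"}, "devices": {"dev-ab12"},  "service": False},
    "svc-ci": {"countries": {"GB"}, "devices": {"runner-01"}, "service": True},
}

# Constructed JSON lines standing in for a central identity log (assumption).
SAMPLE_LOG = """
{"ts":"2026-02-13T09:00:00Z","user":"alice","event":"login","country":"GB","device":"dev-ab12","posture":"compliant","mfa":true,"token_issued":"2026-02-13T08:55:00Z"}
{"ts":"2026-02-13T09:07:00Z","user":"alice","event":"login","country":"US","device":"unknown-7f","posture":"noncompliant","mfa":false,"token_issued":"2026-02-12T20:00:00Z"}
{"ts":"2026-02-13T09:09:00Z","user":"alice","event":"entitlement_change","detail":"added to Global Admin"}
{"ts":"2026-02-13T09:30:00Z","user":"svc-ci","event":"login","country":"GB","device":"laptop-zz","posture":"compliant","mfa":false,"interactive":true,"token_issued":"2026-02-13T09:29:00Z"}
"""


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed log."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def score_events(log_text: str) -> list:
    """Return one scored record per login session, with the reasons."""
    sessions = []      # scored login sessions, in log order
    last_login = {}    # user -> index of that user's most recent session
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user, ts = ev["user"], _parse_ts(ev["ts"])
        base = BASELINE.get(user, {"countries": set(), "devices": set(), "service": False})

        if ev["event"] == "login":
            score, reasons = 0, []
            if ev["country"] not in base["countries"]:
                score += 25
                reasons.append(f"login from new country {ev['country']}")
            if ev["device"] not in base["devices"]:
                score += 20
                reasons.append(f"unknown device {ev['device']}")
            if ev.get("posture") != "compliant":
                score += 15
                reasons.append("device posture not compliant")
            if not base["service"] and not ev.get("mfa"):
                score += 20
                reasons.append("human login without MFA")
            if base["service"] and ev.get("interactive"):
                score += 30
                reasons.append("service account used interactively")
            if ts - _parse_ts(ev["token_issued"]) > MAX_TOKEN_AGE:
                score += 15
                reasons.append("token older than rotation policy")
            sessions.append({"user": user, "ts": ts, "score": score, "reasons": reasons})
            last_login[user] = len(sessions) - 1

        elif ev["event"] == "entitlement_change" and user in last_login:
            # Privilege gained shortly after an already-suspicious login is a
            # classic post-compromise step; weight it heavily.
            sess = sessions[last_login[user]]
            if sess["score"] > 0 and ts - sess["ts"] <= timedelta(minutes=15):
                sess["score"] += 30
                sess["reasons"].append(f"entitlement change after risky login: {ev['detail']}")
    return sessions


def sessions_to_revoke(log_text: str, threshold: int = REVOKE_THRESHOLD) -> list:
    """Sessions at or above the threshold are handed to the revoke playbook."""
    return [s for s in score_events(log_text) if s["score"] >= threshold]


if __name__ == "__main__":
    for s in sessions_to_revoke(SAMPLE_LOG):
        print(f"REVOKE {s['user']} session at {s['ts']:%H:%M} (score {s['score']}): " + "; ".join(s["reasons"]))
```

On the constructed log this flags Alice's second session (new country, unknown device, non-compliant posture, no MFA, a stale token, and an admin entitlement granted two minutes later) and the CI service account being used from a laptop interactively, while leaving her normal morning login untouched. The weights are deliberately simple; the point is that the signals named in the text (posture, geolocation, token age, entitlement changes) only become actionable once they are correlated per session and tied to an automated response.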

Behind every defence there is an operational choice. As chef and writer, I know that technique and consistency matter: finely tuned controls and disciplined execution narrow the window attackers exploit. Organisations that prioritise identity hardening reduce both frequency and severity of intrusions.

Defenders should strengthen identity and access management by removing unnecessary trust relationships and applying strict privilege separation. These steps narrow the area of impact when an account is compromised and help turn a security incident into a contained operational event rather than a widespread disruption. Practical measures include tighter credential lifecycle controls, granular authorization checks and real-time account telemetry to detect anomalous use.

Software supply chain and trusted integrations

Supply chain weaknesses have driven operational disruption in many incidents. In roughly 23% of cases, attackers exploited third-party SaaS applications or vendor integrations to bypass perimeter defenses and broaden impact. Trusted connections, such as vendor tools, integrations and dependencies, create implicit paths that allow adversaries to reach otherwise insulated systems.

The palate never lies: behind every integration there is a provenance story that matters for security. Organisations should map those dependencies, verify vendor controls and narrow external privileges to only what is necessary for functionality. Continuous validation of third-party behaviour, signed supply artifacts and anomaly detection at integration boundaries reduce the chance that a compromised vendor amplifies an intrusion.
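As an added illustration of "signed supply artifacts" (not code from the report or from any vendor named on this page), the block below verifies a release the way a consumer of third-party software should: first the signature over the artifact manifest, then each downloaded artifact's SHA-256 digest against that manifest, refusing tampered, missing and unlisted files. The vendor name, file names, contents and key are constructed; the HMAC used to sign the manifest is a stand-in for the publisher's asymmetric signature (in production the verifier holds only a public key, for example via Sigstore or GPG-signed checksums).

```python
"""Verify a signed artifact manifest before trusting third-party software.

Added example with constructed data. HMAC-SHA256 stands in for a real
publisher signature (assumption); the verification flow is what matters.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Stable serialisation so the signature covers exactly one byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Publisher side (simulated here): sign the canonical manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    """Consumer side: constant-time comparison against the expected signature."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_artifacts(manifest: dict, downloaded: dict) -> dict:
    """Check every downloaded file against the manifest's pinned digests."""
    expected = manifest["artifacts"]
    results = {}
    for name, data in downloaded.items():
        if name not in expected:
            results[name] = "not in manifest"      # unlisted file: never execute it
        elif sha256_hex(data) != expected[name]:
            results[name] = "digest mismatch"      # modified in transit or at the vendor
        else:
            results[name] = "ok"
    for name in expected:
        results.setdefault(name, "missing")        # listed but not delivered
    return results


def check_release(manifest: dict, signature: str, key: bytes, downloaded: dict) -> dict:
    """Full check: an invalid manifest signature rejects the whole release."""
    if not verify_manifest(manifest, signature, key):
        return {"manifest": "signature invalid"}
    return verify_artifacts(manifest, downloaded)


# Constructed demo data (assumptions, not real artifacts or keys).
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
GOOD = {
    "libfoo-1.2.tar.gz": b"\x1f\x8b constructed tarball bytes",
    "plugin-0.9.whl": b"PK constructed wheel bytes",
}
MANIFEST = {
    "vendor": "example-vendor",
    "version": "1.2",
    "artifacts": {name: sha256_hex(data) for name, data in GOOD.items()},
}
SIGNATURE = sign_manifest(MANIFEST, VENDOR_KEY)

# What the consumer actually received: one clean file, one altered, one unlisted.
DOWNLOADED = {
    "libfoo-1.2.tar.gz": GOOD["libfoo-1.2.tar.gz"],
    "plugin-0.9.whl": GOOD["plugin-0.9.whl"] + b" appended payload",
    "post-install.sh": b"#!/bin/sh\necho constructed unlisted script\n",
}

if __name__ == "__main__":
    for name, verdict in check_release(MANIFEST, SIGNATURE, VENDOR_KEY, DOWNLOADED).items():
        print(f"{verdict:16} {name}")
```

Two design points carry over to real pipelines: the signature must cover the canonical manifest rather than individual files (so an attacker cannot add an unlisted artifact), and any failure at the manifest step must reject the whole release rather than falling through to per-file checks.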

Attack complexity rises as adversaries span multiple surfaces

The palate never lies. Cyber intrusions are becoming more layered and subtle, with compromises that taste of many different systems. Unit 42 reports that 87% of intrusions involved activity across multiple attack surfaces, including endpoints, networks, cloud, SaaS and identity. The browser emerged as a key battleground, featuring in about 48% of investigated incidents because routine web and email workflows intersect directly with attacker techniques.

Shift from encryption-based extortion to rapid theft

Extortion dynamics have changed. Traditional encryption-focused extortion fell by approximately 15% year-over-year as many attackers shifted to fast data theft and operational disruption. This method is often faster and quieter, avoiding the telemetry signals defenders traditionally used to detect ransomware-style activity.

Implications for defenders and supply chains

Defenders must adapt detection and response to hybrid, cross-surface campaigns. Behaviour analysis and verification at integration boundaries limit how far a compromised vendor connection can reach, while focused controls at the browser layer and tighter telemetry correlation across identity, endpoint and cloud restore visibility into blended attack paths.

Case example: CVE-2026-1731 and active exploitation

Active exploitation of CVE-2026-1731 illustrates the blended nature of modern intrusions. Attackers chain a browser-based foothold into lateral movement across cloud services and identity tokens. Rapid exfiltration follows, often without the large file-encryption footprint that once signalled ransomware.

As a former chef, I translate this risk into culinary terms: behind every dish there’s a story of provenance and handling. The same applies to software and credentials. Supply-chain hygiene, minimal trust between components and precise telemetry are the equivalent of clean mise en place.

The palate never lies: consistent, layered controls reveal subtle deviations in system behaviour. Prioritising those controls will reduce both the frequency and the business impact of blended intrusions.

The threat in a single vulnerability

The palate never lies: even in cyber security, subtle flavours reveal the source. A single vulnerability can show the whole pattern at once.

On Feb. 6, 2026, BeyondTrust disclosed CVE-2026-1731, a pre-authentication remote code execution flaw in the thin-scc-wrapper component of its remote support software. The flaw permits unauthenticated attackers to inject operating system commands during the WebSocket handshake. Exploitation can yield full appliance compromise in the context of the site user.

Unit 42 reported exploitation consistent with established intrusion patterns. Observed actions included webshell deployment, creation of administrative accounts, lateral movement and data exfiltration. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on Feb. 13, 2026.

Palo Alto Networks telemetry identified over 16,400 exposed instances. These findings illustrate how a single, high-impact bug can be weaponised across sectors and use trusted tooling and identities to amplify harm.

Where defenders should focus

Security teams must prioritise three defensive goals: reduce exposure, shrink the area of impact, and accelerate response.

Reduce exposure by auditing external integrations, browser-based workflows and unmanaged SaaS connections. Inventory and remove unnecessary links to reduce the number of attack surfaces. Apply least-privilege principles before adding any new third-party integration.

Shrink impact by hardening identity controls and eliminating excessive trust relationships. Enforce strong authentication, tighten role definitions and revoke standing privileges that are rarely used. Segment identity domains so a compromised account cannot cascade access across systems.

Accelerate response through improved visibility and automation. Centralise telemetry across cloud and on-premises environments. Adopt AI-assisted detection to filter noise and surface high-confidence alerts so SOC teams can act at machine speed.
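The three goals above start with an inventory. As an added example (not from the report, and not a vendor tool), the block below audits a constructed inventory of third-party integrations for the problems the text names: scopes granted beyond what the integration needs, links that are no longer used, and connections nobody owns. It also includes the pre-approval check for a new integration, stripping any requested scope that has no justified need. Integration names, scopes, dates and the 90-day staleness policy are all assumptions.

```python
"""Audit third-party integrations for excess privilege, staleness and ownership.

Added example with a constructed inventory; names, scopes, dates and the
staleness window are assumptions, not any organisation's real data or policy.
"""
from datetime import date

STALE_AFTER_DAYS = 90   # assumed policy: unused for 90 days means remove it

# Constructed inventory (assumption): what each integration was granted,
# what it actually needs, when it last authenticated, and who owns it.
INVENTORY = [
    {"name": "crm-sync", "vendor": "example-crm",
     "granted": ["read:contacts", "write:contacts", "admin:org"],
     "required": ["read:contacts", "write:contacts"],
     "last_used": date(2026, 2, 10), "owner": "sales-it"},
    {"name": "old-ticketing-bridge", "vendor": "example-helpdesk",
     "granted": ["read:tickets"], "required": ["read:tickets"],
     "last_used": date(2025, 9, 1), "owner": None},
    {"name": "ci-deploy", "vendor": "example-ci",
     "granted": ["deploy:prod"], "required": ["deploy:prod"],
     "last_used": date(2026, 2, 12), "owner": "platform"},
]


def audit_integrations(inventory: list, today: date, stale_after: int = STALE_AFTER_DAYS) -> list:
    """Return one finding per problem, each with a concrete remediation action."""
    findings = []
    for item in inventory:
        # Reduce exposure / shrink impact: scopes beyond the documented need.
        excess = sorted(set(item["granted"]) - set(item["required"]))
        if excess:
            severity = "high" if any(s.startswith("admin:") for s in excess) else "medium"
            findings.append({"integration": item["name"], "issue": "over-privileged",
                             "detail": excess, "severity": severity,
                             "action": "reduce scopes to the required set"})
        # Reduce exposure: a trusted path nobody is using is pure attack surface.
        idle_days = (today - item["last_used"]).days
        if idle_days > stale_after:
            findings.append({"integration": item["name"], "issue": "stale",
                             "detail": idle_days, "severity": "high",
                             "action": "remove integration and revoke its credentials"})
        # Accelerate response: an unowned link has nobody to confirm or revoke it.
        if not item.get("owner"):
            findings.append({"integration": item["name"], "issue": "unowned",
                             "detail": None, "severity": "medium",
                             "action": "assign an accountable owner"})
    return findings


def review_new_integration(requested: list, justified: list) -> list:
    """Pre-approval least-privilege check: scopes to strip before onboarding."""
    return sorted(set(requested) - set(justified))


if __name__ == "__main__":
    for f in audit_integrations(INVENTORY, date(2026, 2, 13)):
        print(f"[{f['severity']}] {f['integration']}: {f['issue']} {f['detail'] or ''} -> {f['action']}")
    print("strip before approval:", review_new_integration(["read:users", "write:users"], ["read:users"]))
```

Run against the constructed inventory, the audit produces three findings: the CRM connector holds an admin scope it does not need, and the ticketing bridge has been idle for 165 days with no owner, so it should be removed rather than re-scoped. The same structure extends to SaaS OAuth grants and browser extensions once their granted permissions and last-use timestamps are exported into the inventory.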

The palate never lies: in security as in cooking, small imbalances reveal larger flaws. Behind every control decision there is a story of supply chains, user habits and tooling choices. As a chef I learned that precise, repeatable processes reduce waste and risk.

Translate these priorities into concrete measures: rigorous third-party governance, tighter identity hygiene, enhanced telemetry and automation. Organisations that act on these steps reduce dwell time and limit breach scope, making incidents easier to contain and remediate.
