Cyberattacks are moving faster, shrinking the gap between initial compromise and harmful consequences, and the arrival of AI is accelerating their timelines in a way that human defenders cannot keep up with.
That's the broad and perhaps unsurprising finding of Palo Alto Networks' 2026 Global Incident Response Report, which analyzed 750 incidents in 50 countries that were investigated by the company's Unit 42 global threat intelligence and incident response team.
In the fastest attacks analyzed, threat actors moved from initial access to data exfiltration in 72 minutes, down from nearly five hours in 2024. Increasingly, this is explained by AI's ability to compress timelines for reconnaissance, phishing, scripting, and operational execution, the company said.
However, a closer look offers CISOs a crumb of comfort: what is really hurting organizations isn't so much fast-moving attackers or the specter of AI, but basic failings such as weak authentication, a lack of real-time visibility, and misconfigurations caused by a complex sprawl of security systems.
In principle, these are all fixable. As the authors note: "Despite the speed and automation we're seeing, most of the incidents we respond to don't start with something radically new. They start with gaps that show up again and again. In many cases, attackers didn't rely on a sophisticated exploit, but on an overlooked exposure."
Identity struggle
A recurring theme is the struggle many organizations have with identity and trust, which Unit 42 found played a role in 90% of the incidents it investigated. Attacker tactics included social engineering in 33% of incidents, identity-based phishing in 22%, credential abuse and brute force in 21%, and insider threats in 8%.
Too many accounts have excessive permissions; this was the case for 99% of the 680,000 cloud users, roles, and services analyzed by Unit 42, including some that had been unused for 60 days or more. It's an identity attack surface that keeps expanding faster than the underlying issues can be addressed, as organizations add ever more cloud, SaaS, and AI applications.
Increasingly, these identities are machine identities (service accounts, automation roles, API keys, AI agents), shadow identities (unsanctioned accounts, developer environments, and third parties), and identity "silos" (on-premises AD plus multiple cloud identity providers).
"Rarely does an attack stay in a single environment. Instead, we see coordinated activity across endpoints, networks, cloud, SaaS, and identity, forcing defenders to monitor across all of them at once," said Unit 42.
Supply chains are another weak area. In 23% of incidents, attackers were able to exploit third-party SaaS applications, bypassing traditional security controls. "When an upstream provider reported a compromise or outage, customers were often left to stop and answer a basic question: are we affected? In many cases, they had limited visibility into their own exposure," Unit 42 said.
Changing the paradigm
Unit 42's answer to this endless cycle of attackers always being one step ahead of defenders is to change the paradigm: cybersecurity has become so specialized, it says, that the answer is to use a managed service built from the ground up to counter real rather than abstract threats.
With that in mind, Palo Alto Networks this week launched a new SOC service, Unit 42 Managed Extended Security Intelligence and Automation Management (XSIAM) 2.0. This, the company claims, expands its XSIAM 1.0 to include full onboarding, threat hunting and response, and the modelling of attack patterns faster than a traditional SOC.
Is this persuasive? CISOs will have heard this message before: the old stuff no longer works, so invest in something new. And there's always an old system or service that needs ripping out to be replaced by a shinier, new one.
To complicate matters, the idea of ever more advanced SOCs might not be a panacea. Some have even argued that SOCs themselves can end up constrained by the same skills shortages and budget constraints as traditional IT departments.
As Palo Alto Networks puts it: "The window for defense has collapsed, and most SOCs weren't built for the speed of today's attacks." So, out with old tools such as traditional SIEMs and SOAR, which merely generate alerts; the modern AI-powered SOC should act on them "at machine speed."