Global Incident Response Report 2026

Executive Summary

We see four major trends that will shape the threat landscape for 2026.

First, AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access to impact, while introducing new vectors. This speed shift is measurable: in 2025, exfiltration speeds for the fastest attacks quadrupled.
Second, identity has become the most reliable path to attacker success. Identity weaknesses played a material role in almost 90% of Unit 42 investigations. Attackers increasingly “log in” with stolen credentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally.
Third, software supply chain risk has expanded beyond vulnerable code to the misuse of trusted connectivity. Attackers exploit software-as-a-service (SaaS) integrations, vendor tools and application dependencies to bypass perimeters at scale. This shifts the impact from isolated compromise to widespread operational disruption.
Fourth, nation-state actors are adapting stealth and persistence tactics to modern enterprise operating environments. These actors increasingly rely on persona-driven infiltration (fake employment, synthetic identities) and deeper compromise of core infrastructure and virtualization platforms, with early signs of AI-enabled tradecraft used to reinforce these footholds.

While these four trends each present a challenge, attacker success is rarely determined by a single attack vector. In more than 750 incident response (IR) engagements, 87% of intrusions involved activity across multiple attack surfaces. This means defenders must protect endpoints, networks, cloud infrastructure, SaaS applications and identity together. Further, nearly half (48%) involved browser-based activity, reflecting how often attacks intersect with routine workflows like email, web access and day-to-day SaaS usage.

Most breaches were enabled by exposure, not attacker sophistication. In fact, in over 90% of breaches, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive identity trust. These conditions delayed detection, created paths for lateral movement, and increased impact once attackers obtained access.

Security leaders must close the gaps attackers rely on. First, reduce exposure by securing the application ecosystem, including third-party dependencies and integrations, and hardening the browser, where many intrusions now begin. In parallel, reduce area of impact by advancing zero trust and tightening identity and access management (IAM) to remove excessive trust and limit lateral movement. Finally, as the last line of defense, ensure the security operations center (SOC) can detect and contain threats at machine speed by consolidating telemetry and automating response.

Download Now

First Name*

Last Name*

Business Email Address*

Company Name*

Job Level*

Hidden

Job Function

Phone Number*

Country*

State*

Province*

Zip Code*

When are you planning to consolidate tools or implement new solutions to mature your Security Operations Center (SOC)?*

Other

What is the main objective or issue that your organization is looking to overcome with this initiative?*

consent

I would like to speak to a sales specialist.

consent

Sign me up to receive news, product updates, sales outreach, event information and special offers about Palo Alto Networks and its partners.

By submitting this form, I understand my personal data will be processed in accordance with Palo Alto Networks Privacy Policy and Terms of Use.

If you were referred to this form by a Palo Alto Networks partner or event sponsor or attend a partner/event sponsor session, your registration information may be shared with that company.