First, AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access to impact, while introducing new vectors. This speed shift is measurable: in 2025, exfiltration speeds for the fastest attacks quadrupled.
Second, identity has become the most reliable path to attacker success. Identity weaknesses played a material role in almost 90% of Unit 42 investigations. Attackers increasingly “log in” with stolen credentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally.
Third, software supply chain risk has expanded beyond vulnerable code to the misuse of trusted connectivity. Attackers exploit software-as-a-service (SaaS) integrations, vendor tools and application dependencies to bypass perimeters at scale. This shifts the impact from isolated compromise to widespread operational disruption.
Fourth, nation-state actors are adapting stealth and persistence tactics to modern enterprise operating environments. These actors increasingly rely on persona-driven infiltration (fake employment, synthetic identities) and deeper compromise of core infrastructure and virtualization platforms, with early signs of AI-enabled tradecraft used to reinforce these footholds.
- Advertisement -
While these four trends each present a challenge, attacker success is rarely determined by a single attack vector. In more than 750 incident response (IR) engagements, 87% of intrusions involved activity across multiple attack surfaces. This means defenders must protect endpoints, networks, cloud infrastructure, SaaS applications and identity together. Further, nearly half (48%) involved browser-based activity, reflecting how often attacks intersect with routine workflows like email, web access and day-to-day SaaS usage.
Most breaches were enabled by exposure, not attacker sophistication. In fact, in over 90% of breaches, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive identity trust. These conditions delayed detection, created paths for lateral movement, and increased impact once attackers obtained access.