Artificial intelligence (AI), identity weaknesses, and growing enterprise complexity are driving most cybersecurity breaches, according to Palo Alto Networks' 2026 Global Incident Response Report.
The company’s threat research team, Unit 42, analyzed more than 750 high-stakes incidents and found that attackers are using AI across the entire attack lifecycle. In some cases, the time from initial access to data theft dropped to just 72 minutes. That is four times faster than attacks recorded last year.
The report shows that complexity inside organizations is working in attackers’ favor. Identity weaknesses were exploited in 89% of investigations, while 87% of attacks involved two or more attack surfaces, such as endpoints, cloud systems, software-as-a-service (SaaS) platforms, and identity systems. In some incidents, Unit 42 tracked malicious activity across as many as 10 different fronts at the same time.
“Enterprise complexity has become the adversary’s greatest advantage,” said Sam Rubin, SVP of Unit 42 Consulting & Threat Intelligence at Palo Alto Networks. “This risk is compounded as attackers increasingly target credentials, utilizing autonomous AI agents to bridge human and machine identities for independent action. To mitigate these threats, organizations must reduce complexity and move to a unified platform approach that relentlessly eliminates implicit trust.”
The findings show that 65% of initial access now comes from identity-based techniques, including social engineering and credential misuse. By comparison, software vulnerabilities account for 22% of initial access.
The browser has also become a key battleground. The report found that 48% of attacks involve browsers, where routine web sessions are used to steal credentials and bypass local security controls.
Attacks linked to third-party SaaS applications have increased 3.8 times since 2022 and now account for 23% of cases. Threat actors often abuse OAuth tokens and API keys to move laterally within systems.
Unit 42 linked 90% of data breaches to misconfigurations or security gaps. The report recommends that organizations adopt a unified security platform, strengthen identity controls, secure development pipelines, protect browsers and unmanaged devices, and implement zero trust models to continuously verify every interaction.