AI-fuelled cyber attacks now steal data in 72 minutes
Palo Alto Networks' incident response unit, Unit 42, reports a sharp rise in the speed and complexity of cyber attacks, with the fastest intrusions moving from initial access to data theft in 72 minutes.
The findings come from the Unit 42 2026 Global Incident Response Report, based on analysis of more than 750 major incidents across more than 50 countries and multiple industries. It tracks attacker behaviour from initial access through escalation and data exfiltration, and outlines common drivers of successful breaches and areas where organisations remain exposed.
The quickest attacks now reach data exfiltration four times faster than a year ago, a shift the report links to wider use of automation and artificial intelligence by threat actors. That pace leaves defenders less time to detect and contain intrusions before systems and data are affected.
More attack surfaces
The report describes a continued expansion in the number of systems and services involved in a typical intrusion. In 87% of incidents, activity spanned two or more attack surfaces, including endpoints, cloud environments, SaaS applications and identity systems. In some cases, activity occurred across as many as 10 fronts at the same time.
This spread creates more entry points and more opportunities for attackers to move between systems. It also complicates incident response, as security teams must correlate signals across different tools and environments while the attack is still underway.
Identity remains central to both initial access and escalation. In 65% of cases, attacks began with identity-based techniques such as social engineering and credential misuse, while vulnerabilities accounted for initial access in 22%.
Stolen credentials and successful phishing attempts can provide access that appears legitimate to many systems. Once inside, attackers can use permissions and token-based access to move between services without exploiting additional software flaws.
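The correlation problem the previous paragraphs describe (one intrusion spread across endpoint, cloud, SaaS and identity tooling, with the account as the common thread) can be shown in code. The following is an added example, not code from the report or from Palo Alto Networks: it takes four constructed log shapes, normalises the differently written account names to one identity key, builds a per-identity timeline and reports how many surfaces each identity touched and how many minutes passed between the first event and the first exfiltration-style action. The log formats, the `EXFIL_ACTIONS` set and the sample events are assumptions made for illustration; the timings are constructed so that one chain takes 72 minutes.

```python
"""Correlate events from an identity provider, an EDR, a cloud audit trail
and a SaaS audit log into one timeline per identity.

Added example: the four log shapes and every event below are constructed
for illustration and do not come from any product or from the Unit 42 report."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one list per tool, each in that tool's own shape.
IDP_EVENTS = [
    {"ts": "2026-01-14T09:00:00Z", "user": "j.doe", "action": "login.success", "src": "203.0.113.7"},
]
ENDPOINT_EVENTS = [
    {"@timestamp": "2026-01-14T09:05:00Z", "host": "LT-0412", "account": "CORP\\j.doe", "process": "powershell.exe"},
    {"@timestamp": "2026-01-14T09:10:00Z", "host": "LT-0230", "account": "CORP\\a.smith", "process": "outlook.exe"},
]
CLOUD_EVENTS = [
    {"eventTime": "2026-01-14T09:30:00Z", "userIdentity": {"userName": "j.doe"}, "eventName": "AssumeRole"},
]
SAAS_EVENTS = [
    {"time": "2026-01-14T10:12:00Z", "actor": "j.doe@example.com", "type": "file.bulk_download", "count": 1840},
]

# Actions treated as data leaving the environment (assumed labels, not a vendor taxonomy).
EXFIL_ACTIONS = {"file.bulk_download", "s3.GetObject.bulk"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def canonical_identity(raw):
    """Reduce 'CORP\\j.doe', 'j.doe@example.com' and 'j.doe' to one key."""
    name = raw.split("\\")[-1]
    return name.split("@")[0].lower()


def normalise():
    """Yield (timestamp, identity, surface, action) from every source."""
    for e in IDP_EVENTS:
        yield parse_ts(e["ts"]), canonical_identity(e["user"]), "identity", e["action"]
    for e in ENDPOINT_EVENTS:
        yield parse_ts(e["@timestamp"]), canonical_identity(e["account"]), "endpoint", e["process"]
    for e in CLOUD_EVENTS:
        yield parse_ts(e["eventTime"]), canonical_identity(e["userIdentity"]["userName"]), "cloud", e["eventName"]
    for e in SAAS_EVENTS:
        yield parse_ts(e["time"]), canonical_identity(e["actor"]), "saas", e["type"]


def build_timelines():
    """Group normalised events by identity, oldest first."""
    timelines = defaultdict(list)
    for ts, ident, surface, action in normalise():
        timelines[ident].append((ts, surface, action))
    for ident in timelines:
        timelines[ident].sort()
    return dict(timelines)


def summarise(timeline):
    """Surfaces touched and minutes from the first event to the first exfil action."""
    first_ts = timeline[0][0]
    exfil = [ts for ts, _, action in timeline if action in EXFIL_ACTIONS]
    minutes = (exfil[0] - first_ts).total_seconds() / 60 if exfil else None
    return {
        "surfaces": sorted({surface for _, surface, _ in timeline}),
        "initial_access": first_ts,
        "minutes_to_exfil": minutes,
    }


def cross_surface_incidents(min_surfaces=2):
    """Identities whose activity spans min_surfaces or more tools."""
    flagged = {}
    for ident, timeline in build_timelines().items():
        summary = summarise(timeline)
        if len(summary["surfaces"]) >= min_surfaces:
            flagged[ident] = summary
    return flagged


if __name__ == "__main__":
    for ident, summary in cross_surface_incidents().items():
        print(ident, summary["surfaces"], summary["minutes_to_exfil"])
```

The point of `canonical_identity` is that each tool writes the same principal differently; until the names are reduced to one key, the four events look like four unrelated alerts rather than one 72-minute chain.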
Browser exposure
The report also highlights the browser as an increasingly common area of attacker activity: 48% of incidents involved the browser. Routine web sessions are being used to harvest credentials and bypass local controls.
This focus on browser activity aligns with the shift to web-delivered applications and hybrid work. Many organisations use browsers as the primary interface for email, collaboration, administration portals and line-of-business tools, making browser sessions an attractive target for credential theft and session hijacking.
SaaS supply chain
Attacks involving third-party SaaS applications are also increasing. Incidents tied to third-party SaaS apps have risen 3.8 times since 2022 and now account for 23% of cases in the dataset.
The report describes attackers abusing OAuth tokens and API keys to move laterally between systems. Because a refresh token or an API key is a credential in its own right, a password reset does not invalidate it unless the issuing service explicitly ties the token to the credential or revokes outstanding grants; whether that happens depends on how tokens are issued, stored and monitored, so this access can persist even after passwords change.
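The persistence described above can be reproduced in a few lines. The following is an added example, not code from the report or from any vendor: it models a token store in two modes, a weak one whose records hold only the user and an expiry, and a hardened one that records a per-account credential generation at issue time and rejects the token once a password change moves that generation on. The `Account` and `TokenStore` classes and the generation counter are assumptions made here for illustration; real providers differ in whether a password reset revokes refresh tokens, and third-party OAuth grants and API keys are the cases most often left untouched.

```python
"""A refresh token is a credential separate from the password: a reset does
nothing to it unless the issuer deliberately ties the two together.

Added example, not the report's or any vendor's code. The account model, the
TokenStore and the credential generation counter are assumptions for illustration."""
import hashlib
import os
import secrets
from datetime import datetime, timedelta, timezone


class Account:
    def __init__(self, username, password):
        self.username = username
        self.cred_generation = 0           # incremented on every password change
        self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.cred_generation += 1


class TokenStore:
    """Issues and validates long-lived refresh tokens (API keys behave the same way).

    bind_to_credential=False reproduces the weak pattern: the record knows only the
    user and an expiry, so a password reset leaves the token valid for its full
    lifetime. bind_to_credential=True stores the credential generation at issue
    time and rejects the token once that generation changes.
    """

    def __init__(self, bind_to_credential):
        self.bind_to_credential = bind_to_credential
        self._records = {}                 # token -> metadata

    def issue(self, account, lifetime_days=90):
        token = secrets.token_urlsafe(32)
        self._records[token] = {
            "user": account.username,
            "expires": datetime.now(timezone.utc) + timedelta(days=lifetime_days),
            "generation": account.cred_generation if self.bind_to_credential else None,
            "revoked": False,
        }
        return token

    def validate(self, token, account):
        rec = self._records.get(token)
        if rec is None or rec["revoked"] or rec["user"] != account.username:
            return False
        if rec["expires"] <= datetime.now(timezone.utc):
            return False
        if self.bind_to_credential and rec["generation"] != account.cred_generation:
            return False                   # issued under an old password: reject
        return True

    def revoke_all_for(self, username):
        """Explicit revocation, the only remedy the weak store has."""
        count = 0
        for rec in self._records.values():
            if rec["user"] == username and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


def token_survives_password_change(bind_to_credential):
    """Issue a token, change the password, report whether the token still validates."""
    account = Account("j.doe", "initial-password")
    store = TokenStore(bind_to_credential)
    token = store.issue(account)
    assert store.validate(token, account)
    account.set_password("new-password-after-phish")
    return store.validate(token, account)


if __name__ == "__main__":
    print("weak store, token valid after reset:", token_survives_password_change(False))
    print("bound store, token valid after reset:", token_survives_password_change(True))
```

In the weak mode the token remains valid for its remaining lifetime after the reset, which is the persistence the report describes; the only way to cut it off is `revoke_all_for`, and that step has to be part of the password-reset and incident-response runbook rather than assumed to happen.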
Misconfigurations and gaps
Across the incidents examined, 90% of data breaches were linked to misconfigurations or security gaps. Complexity, poor visibility and excessive trust also appeared as recurring factors that attackers exploited.
Misconfigurations range from exposed services and overly broad permissions to weak controls around cloud resources and third-party connections. Combined with fragmented monitoring, these weaknesses can prevent defenders from spotting abnormal activity quickly enough to break the attack chain.
Sam Rubin, SVP of Unit 42 Consulting & Threat Intelligence at Palo Alto Networks, described the problem as operational sprawl and over-trust in interconnected systems:
"Enterprise complexity has become the adversary's greatest advantage. This risk is compounded as attackers increasingly target credentials, utilizing autonomous AI agents to bridge human and machine identities for independent action. To mitigate these threats, organizations must reduce complexity and move to a unified platform approach that relentlessly eliminates implicit trust."
Defensive priorities
The report sets out several priorities for security leaders as attackers move faster and operate across more systems. It calls for security operations to respond at "machine speed" by using more AI and automation for detection and containment. It also points to the software build pipeline as a key control point, with security embedded into software and AI development lifecycles.
Identity governance features prominently in the recommendations, including centralised management of human, machine and agentic identities. The report also highlights secure browser technology and exposure management as controls for the modern workspace and unmanaged devices.
It further recommends reducing implicit trust through a zero trust approach with continuous verification. Lateral movement remains a key risk once attackers gain a foothold, particularly when credentials, tokens or broad permissions enable access across multiple systems.
The findings add to industry concern about the combination of faster attacks, wider adoption of SaaS and cloud services, and the central role of identity systems. The report suggests organisations plan for incidents that span multiple environments at once and assume credential theft and token abuse will remain common entry points.