Identity Loopholes Drive Nearly 90% of Unit 42’s Global Incident Response Report 2026 Investigations

Attackers don't need to pick locks when the doors are already open. That's the uncomfortable reality laid bare by Palo Alto Networks' Unit 42 Global Incident Response Report 2026, released February 19, 2026. Drawing on more than 750 major incident response engagements across 50+ countries, the report delivers a verdict that should keep every CISO up tonight: identity weaknesses played a material role in nearly 90% of all investigations. Not vulnerability exploits. Not zero-day wizardry. Identity.

The data confirms what frontline responders have been saying for years: the most reliable path into an enterprise is through the front door, using stolen credentials, hijacked sessions, and permissions that should have been revoked months or years ago. And the speed at which attackers are exploiting these gaps has reached a new threshold. The fastest intrusions in 2025 went from initial compromise to confirmed data exfiltration in just 72 minutes — four times faster than the same metric the year before.

For data security, data compliance, and data privacy leaders, this report is a wake-up call wrapped in hard numbers.

And it is precisely this gap — between perimeter defense and operational enforcement of identity and data controls — that data governance platforms like Kiteworks are designed to close.

5 Key Takeaways

  1. Identity Is the Attacker's Front Door — and It's Wide Open. Identity weaknesses played a material role in nearly 90% of the more than 750 incident response investigations Unit 42 handled in 2025. Sixty-five percent of initial access was driven by identity-based techniques — phishing, credential misuse, brute force, and IAM misconfigurations. Attackers don't need sophisticated exploit chains when they can log in with stolen credentials, hijacked sessions, or mis-scoped privileges. An analysis of more than 680,000 cloud identities found that 99% had excessive permissions. Kiteworks addresses this directly through least-privilege access enforcement, continuous verification for every data request, and comprehensive audit trails that track every identity interaction with sensitive data — giving security teams the visibility to detect credential misuse before it becomes a breach.
  2. The Fastest Attacks Now Exfiltrate Data in 72 Minutes. The fastest quartile of intrusions reached confirmed data exfiltration in just 72 minutes in 2025 — down from 285 minutes the prior year, a 4x acceleration. The median time to exfiltration was two days. For organizations operating under breach notification requirements like GDPR's 72-hour window or state privacy laws, a two-day median means the regulatory clock starts before many organizations have confirmed an incident. Kiteworks' real-time monitoring and automated alerting detect anomalous data movement as it happens — not after forensic reconstruction — enabling security teams to contain data exposure within the shrinking window attackers now operate in.
  3. Over 90% of Breaches Were Enabled by Preventable Gaps — Not Sophisticated Exploits. In more than 90% of breaches, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive identity trust. These are not advanced persistent threats breaking through cutting-edge defenses. These are misconfigurations, incomplete telemetry, and over-permissive access creating the path of least resistance. In 87% of investigations, responders reviewed evidence from two or more distinct sources to reconstruct what happened. Kiteworks eliminates these visibility gaps by consolidating all sensitive content communications — email, file sharing, SFTP, APIs, managed file transfer — into a unified platform with centralized audit logging, automated policy enforcement, and consistent data classification across every channel.
  4. Software Supply Chain Risk Has Expanded to Trusted Connectivity. Supply chain risk is no longer limited to vulnerable code. Attackers exploit SaaS integrations, vendor management tools, and application dependencies to bypass perimeters at scale. Data from SaaS applications was relevant to 23% of Unit 42 cases in 2025, up from 6% in 2022. In one investigation, attackers leveraged valid OAuth tokens from a compromised platform to access downstream environments — and post-incident review revealed nearly 100 additional unmonitored third-party integrations. Kiteworks addresses vendor and supply chain risk through continuous monitoring of vendor data access patterns across every channel, flagging behavioral deviations that signal new or changed capabilities, and maintaining audit trails that document exactly what data vendors access and when.
  5. Extortion Has Decoupled From Encryption — Data Theft Is the New Leverage. Encryption appeared in only 78% of extortion cases in 2025, the sharpest decline in the dataset's five-year history. Attackers increasingly view encryption as optional — data theft and the threat of public exposure provide sufficient leverage on their own. Median ransom demands rose to $1.5 million and median payments nearly doubled to $500,000. Even organizations with robust backup capabilities face extortion based on stolen data. Under GDPR, state privacy laws, and sector-specific regulations, unauthorized data exfiltration triggers notification requirements regardless of encryption. Kiteworks' data-centric security model — enforcing access controls, data classification, and encryption at the content layer — ensures that even when attackers gain network access, sensitive data remains protected and auditable.

The Identity Problem Is Worse Than You Think

Unit 42's data paints a detailed picture of how identity has become the dominant attack surface. Sixty-five percent of initial access in 2025 was driven by identity-based techniques. That breaks down into identity-related social engineering at 33% (with phishing alone at 22%), credential misuse and brute force at 21%, and identity policy failures and insider risk at 11%.

But initial access is only the start. After getting in, attackers weaponize identity gaps to escalate privileges, move laterally, and reach sensitive data. Unit 42's analysis of more than 680,000 cloud identities found that 99% of cloud users, roles, and services had excessive permissions — some unused for 60 days or more. That is not a typo. Ninety-nine percent.

Over-scoped roles, inherited permissions, and unretired legacy grants create repeatable escalation paths. Attackers don't need sophisticated tooling when they can simply write to IAM and escalate privileges using the organization's own access architecture. Token theft and illicit OAuth grants let them bypass multi-factor authentication, persist without repeated logins, and operate quietly.

The implications for data privacy are severe. When a single compromised identity can cascade into broad access across cloud environments, SaaS applications, and on-premises systems, the scope of potential data exposure expands dramatically. Every unmonitored service account and every dormant OAuth integration becomes a potential conduit for regulated data to leave the organization.

Kiteworks addresses this risk at the data layer. Its attribute-based access controls enforce least-privilege principles for every user, service account, and system that touches sensitive content. Continuous verification evaluates every data request against current policies, rather than authenticating once and granting access forever. And comprehensive audit trails track every identity interaction with protected data, giving security teams the evidence they need to detect credential misuse before it escalates into a reportable breach.

Attacks Now Span Everything, Everywhere

One of the most striking findings in the report is the sheer breadth of modern intrusions. Eighty-seven percent of the incidents Unit 42 investigated involved activity across multiple attack surfaces — endpoints, networks, cloud infrastructure, SaaS applications, and identity systems simultaneously. Sixty-seven percent touched three or more surfaces. Some incidents spanned as many as eight.

This multi-surface reality has direct implications for compliance frameworks that were designed around perimeter-based security models. When attackers chain together cloud identities, SaaS tokens, and on-premises Active Directory in a single intrusion, the regulatory exposure is not confined to one system or one data classification. It sprawls across jurisdictions, data types, and business units.

Nearly half of all incidents (48%) involved browser-based activity, reflecting how often attacks intersect with the everyday workflows where employees access email, cloud applications, and corporate data. The browser has become the new corporate desktop — and one of the most underprotected surfaces in the enterprise.

The cloud attack surface continues to expand as well. About 35% of investigations involved cloud or SaaS assets, and data from SaaS applications was relevant to 23% of cases in 2025, up from just 6% in 2022. That four-year trajectory tells a clear story: as organizations move sensitive data and business processes into cloud-based tools, attackers follow.

This is why Kiteworks consolidates all sensitive content communications — email, file sharing, SFTP, APIs, web forms, and managed file transfer — into a single platform with unified security policies and centralized audit logging. When every channel through which data moves is governed by the same access controls and monitored through the same audit infrastructure, attackers cannot exploit the gaps between siloed tools. The unified telemetry gives SOC teams the cross-surface visibility that Unit 42 identifies as the most critical missing capability in the organizations it investigates.

The Speed Problem: 72 Minutes to Data Theft

The velocity findings in this report fundamentally change the math on incident response.

The fastest quartile of intrusions reached confirmed data exfiltration in 72 minutes during calendar year 2025. The same metric was 285 minutes in 2024. That is a 4x acceleration in a single year. The share of incidents reaching exfiltration in under one hour also grew, from 19% to 22%.

Even the median time to exfiltration was just two days. For organizations operating under data breach notification requirements — whether GDPR's 72-hour window, state-level privacy laws, or sector-specific regulations — a two-day median means the clock starts ticking before many organizations have even confirmed an incident is underway.

This acceleration is directly connected to the identity problem. When attackers authenticate with valid credentials, they skip the noisy exploitation phase that traditional security tools are designed to catch. They land inside the perimeter with trusted access and begin collecting data immediately. There is no malware signature to trigger an alert. There is no vulnerability exploit to log. There is just a legitimate-looking login followed by legitimate-looking data access — until the data leaves the building.

Unit 42 attributes much of this acceleration to the operational use of artificial intelligence by threat actors. In 2025, attackers moved from experimentation to routine use of AI across reconnaissance, social engineering, script generation, and troubleshooting. AI reduces the friction at every stage of the attack lifecycle, enabling actors to run multiple operations in parallel and compress the time between initial access and impact.

Kiteworks' real-time monitoring and automated alerting capabilities are designed for exactly this scenario. When data access patterns deviate from established baselines — sudden spikes in volume, unusual access times, queries to data classifications outside a user's normal scope — Kiteworks flags the anomaly immediately and triggers automated containment actions. In a world where exfiltration happens in 72 minutes, the difference between a contained incident and a reportable breach is whether your detection operates in real time or relies on after-the-fact log review.
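The three deviation signals named above (volume spikes, unusual access times, and access to data classifications outside a user's normal scope) can be checked against a per-identity baseline built from audit history. The following is an added example written for this page; it is not Kiteworks code, and the audit-line format, the threshold values, and the sample log lines are all constructed assumptions for illustration.

```python
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed audit-line format (constructed for this example):
#   <ISO-8601 UTC> user=<id> channel=<email|sftp|api> class=<label> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) channel=(?P<channel>\S+) "
    r"class=(?P<cls>\S+) bytes=(?P<bytes>\d+)$"
)
VOLUME_MULTIPLIER = 3  # assumed threshold: flag a day above 3x the baseline daily median


@dataclass
class Event:
    ts: datetime
    user: str
    channel: str
    cls: str
    nbytes: int


@dataclass
class Baseline:
    daily_median: float   # median bytes moved per active day
    hours: set[int]       # UTC hours in which the identity was active
    classes: set[str]     # data classifications the identity normally touches


@dataclass
class Alert:
    user: str
    kind: str    # "volume_spike", "off_hours", "new_classification", "no_baseline"
    detail: str


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["channel"], m["cls"], int(m["bytes"]))


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def build_baselines(events: list[Event]) -> dict[str, Baseline]:
    """Summarise each identity's historical volume, active hours and classifications."""
    per_day: dict[str, dict] = defaultdict(lambda: defaultdict(int))
    hours: dict[str, set[int]] = defaultdict(set)
    classes: dict[str, set[str]] = defaultdict(set)
    for e in events:
        per_day[e.user][e.ts.date()] += e.nbytes
        hours[e.user].add(e.ts.hour)
        classes[e.user].add(e.cls)
    return {u: Baseline(statistics.median(d.values()), hours[u], classes[u])
            for u, d in per_day.items()}


def evaluate_day(events: list[Event], baselines: dict[str, Baseline]) -> list[Alert]:
    """Compare one day's events with the baselines; one alert per (user, kind, detail)."""
    alerts: list[Alert] = []
    seen: set[tuple] = set()

    def add(user: str, kind: str, detail: str) -> None:
        if (user, kind, detail) not in seen:
            seen.add((user, kind, detail))
            alerts.append(Alert(user, kind, detail))

    day_total: dict[str, int] = defaultdict(int)
    for e in events:
        b = baselines.get(e.user)
        if b is None:  # an identity with no history is itself worth a look
            add(e.user, "no_baseline", f"first activity seen, via {e.channel}")
            continue
        day_total[e.user] += e.nbytes
        if e.cls not in b.classes:
            add(e.user, "new_classification", e.cls)
        lo, hi = min(b.hours) - 1, max(b.hours) + 1  # one hour of slack either side
        if not lo <= e.ts.hour <= hi:
            add(e.user, "off_hours", f"{e.ts.hour:02d}:00 UTC outside {lo:02d}-{hi:02d}")
    for user, total in day_total.items():
        med = baselines[user].daily_median
        if med > 0 and total > VOLUME_MULTIPLIER * med:
            add(user, "volume_spike", f"{total} bytes vs daily median {int(med)}")
    return alerts


# Constructed history: alice moves ~100 KB of internal data in office hours, bob
# pulls ~500 KB of confidential data via API late morning.
BASELINE_LOG = """
2026-02-09T09:12:00Z user=alice channel=sftp class=internal bytes=110000
2026-02-09T14:40:00Z user=alice channel=email class=internal bytes=40000
2026-02-10T09:05:00Z user=alice channel=sftp class=internal bytes=95000
2026-02-11T10:20:00Z user=alice channel=sftp class=internal bytes=130000
2026-02-12T09:50:00Z user=alice channel=sftp class=internal bytes=100000
2026-02-12T15:10:00Z user=alice channel=email class=internal bytes=30000
2026-02-13T09:30:00Z user=alice channel=sftp class=internal bytes=120000
2026-02-09T11:00:00Z user=bob channel=api class=confidential bytes=500000
2026-02-10T11:30:00Z user=bob channel=api class=confidential bytes=450000
2026-02-11T11:15:00Z user=bob channel=api class=confidential bytes=520000
2026-02-12T11:45:00Z user=bob channel=api class=confidential bytes=480000
2026-02-13T11:05:00Z user=bob channel=api class=confidential bytes=510000
"""

# Constructed day under review: alice's account pulls megabytes of confidential
# data at 03:00 via a channel she never used; bob looks normal; a new identity appears.
TARGET_LOG = """
2026-02-19T03:05:00Z user=alice channel=api class=confidential bytes=2500000
2026-02-19T03:20:00Z user=alice channel=api class=confidential bytes=2100000
2026-02-19T11:20:00Z user=bob channel=api class=confidential bytes=490000
2026-02-19T08:00:00Z user=svc-new channel=sftp class=internal bytes=10000
"""

if __name__ == "__main__":
    for a in evaluate_day(parse_log(TARGET_LOG), build_baselines(parse_log(BASELINE_LOG))):
        print(f"{a.user:8} {a.kind:18} {a.detail}")
```

The median is used rather than the mean so that one earlier large transfer does not inflate the baseline; in practice the baseline window would be rolling and the thresholds tuned per role, but the structure (history per identity, then per-event and per-day comparisons) is what turns raw audit lines into the real-time signal the paragraph describes.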

Over 90% of Breaches Were Preventable — and That Should Sting

Here is the finding that should sting the most: in more than 90% of breaches, preventable gaps materially enabled the intrusion. Not advanced persistent threats. Not nation-state exploits. Preventable gaps — limited visibility, inconsistently applied controls, and excessive identity trust.

Unit 42 identified three systemic conditions that appeared repeatedly across investigations.

First, visibility gaps. Critical telemetry often existed but was trapped in siloed tools, preventing defenders from correlating signals across identity, endpoint, cloud, and SaaS layers. In 87% of investigations, responders had to review evidence from two or more distinct sources to reconstruct what happened, with complex cases drawing on as many as ten.

Second, environmental complexity. Security baselines were rarely applied universally. Endpoint protection might be fully deployed in one business unit but missing or degraded in another. This inconsistency creates a path of least resistance that attackers reliably find and exploit.

Third, identity drift. Permissions accumulate over time as roles change, exceptions persist, and legacy grants go unretired. The result is an identity estate where nearly every account carries more access than it needs, and where a compromised credential provides far more reach than it should.

For compliance and privacy teams, this finding reframes the conversation. The risk is not that adversaries are too sophisticated to stop. The risk is that fundamental hygiene — consistent control deployment, timely permission reviews, unified telemetry — is not being maintained across the enterprise. These are the gaps that lead to reportable breaches, regulatory penalties, and customer notification obligations.

Kiteworks directly addresses all three systemic conditions. Its unified platform eliminates visibility gaps by consolidating sensitive content communications into a single audit infrastructure. Automated policy enforcement ensures controls are applied consistently across every channel and business unit — not just the ones that were prioritized during the last security review. And its attribute-based access controls combat identity drift by enforcing data-level permissions that don't rely on inherited roles or accumulated privileges — access is evaluated against current policy for every request, every time.

Supply Chain Risk Expands to Trusted Connectivity

The report documents a meaningful expansion of software supply chain risk beyond vulnerable code to include SaaS integrations, vendor management tools, and application dependencies.

Data from SaaS applications was relevant to 23% of Unit 42 cases in 2025. In one investigation, attackers leveraged valid OAuth tokens from a compromised sales engagement platform to access downstream Salesforce environments. The activity looked like routine CRM automation. Post-incident review revealed nearly 100 additional third-party integrations connected to Salesforce — many dormant, unmonitored, or owned by former employees.

Vendor tools, particularly remote monitoring and management platforms, also emerged as a significant risk vector. Unit 42 identified that 39% of command-and-control techniques were related to remote access tools, which blend into routine administrative traffic and are difficult to distinguish from legitimate vendor activity.

For organizations managing data privacy obligations, these findings highlight a critical blind spot. Third-party integrations often inherit the same permissions granted during initial setup, sometimes including the ability to read sensitive data, manage users, or modify records. When an upstream provider is compromised, those inherited permissions become the attack vector — and the affected organization may have limited visibility into what data was accessed or exfiltrated.

Open-source dependency risk compounds the problem. Unit 42 research indicates that over 60% of vulnerabilities in cloud-native applications reside in transitive libraries — the indirect dependencies pulled in through the packages your code relies on directly. Threat actors are also injecting into upstream packages malicious code that executes during build and install steps, compromising pipelines before deployment.

Kiteworks addresses vendor and supply chain risk through continuous monitoring of all channels through which vendors interact with organizational data. When vendor accounts exhibit unusual behavior — changes in data volume, access frequency, or query patterns — Kiteworks flags the deviation immediately and documents the evidence. This gives security teams the visibility to identify when a vendor product has changed in ways that affect how sensitive data is being processed, and the audit trail to demonstrate compliance or reveal exposure.

Extortion Is Decoupling From Encryption — Data Theft Is the New Leverage

The economics of cybercrime are shifting in ways that directly affect data protection strategies. Encryption appeared in only 78% of extortion cases in 2025, a sharp decline from the near-or-above-90% levels maintained from 2021 through 2024.

Attackers increasingly view encryption as optional. Data theft and the threat of public exposure are sufficient leverage on their own. Median initial ransom demands rose from $1.25 million to $1.5 million, while median payments nearly doubled from $267,500 to $500,000.

This shift has significant implications for data privacy. Even organizations with robust backup and recovery capabilities — the traditional defense against ransomware — now face extortion based on the threat of data exposure. About 41% of victims could restore from backup without paying, but that did not eliminate the pressure created by stolen data. And in 26% of extortion cases, attackers specifically targeted backup systems.

The threat of data exposure creates regulatory and legal obligations regardless of whether systems were encrypted. Under GDPR, state privacy laws, and sector-specific regulations, the unauthorized exfiltration of personal data triggers notification requirements, regulatory scrutiny, and potential penalties — whether or not the attacker ever deployed ransomware.

Kiteworks' data-centric security model is built for this reality. By enforcing encryption, access controls, and data classification at the content layer, Kiteworks ensures that even when attackers gain network access, the data itself remains protected. If data is exfiltrated, comprehensive audit trails document exactly what was taken, when, and through which channel — providing the forensic evidence that regulators require and reducing the scope of breach notification obligations.

From Exposure to Execution: What Security Leaders Should Do Now

The Unit 42 report outlines specific recommendations organized around three priorities: reducing exposure, constraining the area of impact, and building response capability that can operate at machine speed. For data security and compliance leaders, the following actions are most urgent.

Deploy phishing-resistant MFA and enforce least-privilege access. Prioritize FIDO2/WebAuthn for privileged roles. Eliminate standing admin rights in favor of just-in-time privileged access. Kiteworks enforces least-privilege access at the data layer, ensuring that every request is evaluated against current policy regardless of the user's network-level permissions.

Inventory and rotate machine identities. Establish continuous discovery for service accounts, automation roles, and API keys. Rotate static credentials for any privileged service account unchanged in 90 days. Kiteworks' comprehensive audit trails provide the foundation for this inventory by logging every data interaction across every channel.

Implement continuous monitoring for vendor and third-party access. Move beyond point-in-time assessments. Kiteworks monitors vendor data access patterns continuously across email, file sharing, APIs, SFTP, and managed file transfer. When vendor behavior changes, Kiteworks flags the deviation and documents the evidence.

Consolidate telemetry into a unified view. Fragmented visibility was a primary driver of attacker success in 2025. Kiteworks' unified platform consolidates audit logging across all sensitive content channels, eliminating the siloed tools that force responders to manually reconstruct attacks from disparate sources.

Invest in prevention, not just response. Rebalance spending toward governance maturity, asset management, data classification, and supply chain oversight. Kiteworks delivers the preventive infrastructure — automated policy enforcement, data classification, access controls, and vendor monitoring — that stops breaches from happening rather than documenting them after the fact.

Prepare for sub-hour exfiltration timelines. With the fastest attacks now exfiltrating data in 72 minutes, detection and containment must operate in real time. Kiteworks' automated alerting and containment capabilities detect anomalous data movement as it happens, not after forensic review.

The Exposure Gap Will Not Close Itself

The Unit 42 Global Incident Response Report 2026 makes one thing inescapably clear: identity is the battlefield, and most organizations are losing. Not because the attackers are brilliant, but because the basics are not being done consistently. Permissions accumulate. Integrations go unmonitored. Visibility stays siloed. And when the attacker logs in with a valid credential, the window between access and data theft is now measured in minutes, not days.

For every leader responsible for data security, compliance, or privacy, the message is the same: the gap between your identity governance program on paper and the reality of your identity estate in production is where your next breach lives. Close it before someone else finds it first.

Kiteworks provides the operational infrastructure that closes this gap. Comprehensive audit trails that prove controls are enforced. Continuous monitoring that detects behavioral changes before they become compliance violations. Least-privilege access controls that prevent compromised identities from reaching data beyond their authorized purpose. And the scalable, automated infrastructure that makes enterprise-grade data governance accessible to organizations of every size.

The organizations that avoid the next breach will be the ones that moved beyond policy documents to operational enforcement. That built the infrastructure to match their governance ambitions. That treated data security not as a compliance checkbox but as a business imperative — and deployed the platforms to back it up.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

OAuth token abuse and illicit grant attacks are among the most effective identity-based techniques because they target the authorization layer rather than the authentication layer — meaning MFA doesn’t stop them. In a typical attack, a threat actor tricks a user into authorizing a malicious application through a legitimate OAuth consent flow, or compromises a vendor platform that already holds valid OAuth tokens to downstream SaaS environments. Once the attacker holds a valid access token, they can query APIs, read sensitive data, and move laterally without triggering authentication alerts — because from the system’s perspective, every request is legitimately authorized. Unit 42’s investigation found nearly 100 dormant, unmonitored third-party integrations attached to a single Salesforce instance. Stopping this requires three controls that operate independently of MFA: continuous inventory and review of all OAuth grants and third-party integrations with revocation of dormant grants; behavioral monitoring that establishes baselines for each integration and flags deviations in volume, query patterns, or data classification accessed; and audit trails that document every API call and data access event made through each integration, making unauthorized access visible the moment it occurs rather than weeks later during forensic reconstruction.

Unit 42’s finding that 99% of cloud users, roles, and services carry excessive permissions — some unused for 60 days or more — reflects a structural problem that point-in-time access reviews cannot solve. Permissions accumulate through role inheritance, exception approvals that never expire, and legacy grants from departed employees or decommissioned systems. Effective remediation at scale requires three things. First, continuous discovery rather than periodic audits: automated tooling that identifies every IAM identity — human users, service accounts, API keys, automation roles — and maps what each one actually accessed in the previous 30, 60, and 90 days versus what its permissions allow. Second, data-layer enforcement as a compensating control: even where IAM cleanup is incomplete, attribute-based access controls at the data layer enforce what an identity can actually reach within a system, decoupling data access from infrastructure-level permissions. Third, just-in-time privilege: eliminating standing admin rights in favor of time-limited elevated access that expires automatically. This removes the accumulated privilege that makes compromised credentials so valuable to attackers — a stolen credential for an account with JIT access provides no persistent elevation.
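The continuous-discovery step described in this answer, the 90-day credential rotation rule in the recommendations above, and the review of dormant OAuth grants in the previous answer all reduce to the same comparison: what an identity is allowed to do versus what it has actually done recently. The following review script is an added example for this page, not Unit 42's or Kiteworks' tooling; the identity record layout, the inventory entries and the permission names are constructed assumptions, and the 60-day and 90-day thresholds are the figures quoted in the text.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds from the text: permissions unused for 60+ days, static credentials
# unchanged for 90 days.
UNUSED_PERMISSION_DAYS = 60
CREDENTIAL_ROTATION_DAYS = 90


@dataclass
class Identity:
    name: str
    kind: str                        # "user", "service_account" or "oauth_app"
    granted: set[str]                # permissions the identity currently holds
    last_used: dict[str, datetime]   # permission -> most recent recorded use
    credential_rotated: datetime | None = None  # None: no static secret to rotate
    owner_active: bool = True        # False once the grant's human owner has left


@dataclass
class Finding:
    identity: str
    category: str   # "unused_permission", "stale_credential" or "dormant_grant"
    detail: str


def review_identity(ident: Identity, now: datetime) -> list[Finding]:
    """Compare what an identity may do with what it has actually done."""
    findings: list[Finding] = []
    unused_cutoff = now - timedelta(days=UNUSED_PERMISSION_DAYS)

    # Granted but not exercised inside the window: candidate for removal.
    for perm in sorted(ident.granted):
        seen = ident.last_used.get(perm)
        if seen is None or seen < unused_cutoff:
            age = "never used" if seen is None else f"last used {(now - seen).days}d ago"
            findings.append(Finding(ident.name, "unused_permission", f"{perm} ({age})"))

    # Static secrets older than the rotation interval.
    if ident.credential_rotated is not None:
        age_days = (now - ident.credential_rotated).days
        if age_days > CREDENTIAL_ROTATION_DAYS:
            findings.append(Finding(ident.name, "stale_credential",
                                    f"credential unchanged for {age_days}d"))

    # Third-party integrations with no recent activity or no active owner.
    if ident.kind == "oauth_app":
        newest = max(ident.last_used.values(), default=None)
        dormant = newest is None or newest < unused_cutoff
        if dormant or not ident.owner_active:
            why = "no activity in window" if dormant else "owner no longer active"
            findings.append(Finding(ident.name, "dormant_grant", why))
    return findings


def review_estate(identities: list[Identity], now: datetime) -> dict[str, list[Finding]]:
    return {i.name: review_identity(i, now) for i in identities}


def excess_share(report: dict[str, list[Finding]]) -> float:
    """Fraction of identities carrying at least one unused permission."""
    flagged = sum(1 for f in report.values()
                  if any(x.category == "unused_permission" for x in f))
    return flagged / len(report)


NOW = datetime(2026, 2, 19, tzinfo=timezone.utc)  # constructed reference date


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed inventory; every name and permission string here is invented.
SAMPLE_IDENTITIES = [
    Identity("alice", "user",
             {"s3:GetObject", "s3:ListBucket", "iam:PutRolePolicy"},
             {"s3:GetObject": days_ago(3), "s3:ListBucket": days_ago(10),
              "iam:PutRolePolicy": days_ago(200)}),
    Identity("ci-deploy", "service_account",
             {"ecr:PutImage", "ecs:UpdateService", "iam:CreateUser"},
             {"ecr:PutImage": days_ago(1), "ecs:UpdateService": days_ago(1)},
             credential_rotated=days_ago(400)),
    Identity("sales-sync", "oauth_app",
             {"crm:read", "crm:write", "users:manage"},
             {"crm:read": days_ago(2), "crm:write": days_ago(2)}),
    Identity("legacy-reporting", "oauth_app",
             {"crm:read"}, {"crm:read": days_ago(120)}, owner_active=False),
    Identity("bob", "user", {"s3:GetObject"}, {"s3:GetObject": days_ago(5)}),
]

if __name__ == "__main__":
    report = review_estate(SAMPLE_IDENTITIES, NOW)
    for name, findings in report.items():
        for f in findings:
            print(f"{name:16} {f.category:18} {f.detail}")
    print(f"identities with unused permissions: {excess_share(report):.0%}")
```

The `last_used` map is the piece that needs real investment: it has to be fed from the same unified audit trail across every channel, otherwise a permission that is exercised only through an unmonitored integration looks unused and gets revoked, or an integration that is active looks dormant. The review itself is cheap once that data exists.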

A two-day median time to confirmed exfiltration creates acute breach notification exposure because most regulatory frameworks start the notification clock at the point of becoming aware of a personal data breach — not at the point of confirmed forensic certainty. Under GDPR, organizations must notify their supervisory authority within 72 hours of becoming aware of a breach involving personal data. If exfiltration occurs on day one and detection happens on day two, the 72-hour window may already be running. US state privacy laws — including those modeled on California’s CCPA framework — impose notification requirements within 30 to 72 hours for certain categories of sensitive data. The compliance problem is compounded by the telemetry gap: in 87% of Unit 42 investigations, responders had to reconstruct events from two or more siloed sources. Without unified audit trails that capture every data access event across email, SFTP, APIs, and managed file transfer channels, organizations cannot determine what data was accessed or exfiltrated quickly enough to meet notification deadlines — creating a secondary regulatory violation on top of the underlying breach.

Fragmented telemetry enables attackers because it forces defenders to operate with incomplete pictures while attackers operate with full visibility of the environment they’ve compromised. In 87% of Unit 42 investigations, reconstructing what happened required evidence from two or more distinct sources; complex cases drew on as many as ten. Each source boundary represents a gap where attacker activity went unrecorded, unalerted, or unconnected to adjacent signals. Unified audit infrastructure that closes this gap requires five capabilities: comprehensive coverage across every channel through which sensitive data moves — email, file sharing, SFTP, APIs, MFT, and web forms — so no exfiltration path exists outside the forensic record; real-time searchability rather than batch processing, so forensic timelines are available in minutes, not hours, when an incident is suspected; consistent data classification that tags records by sensitivity across every channel, making it possible to immediately scope what categories of data were accessed; identity correlation that links service accounts, API tokens, and human users to a common identity record; and DLP integration that flags policy violations as they occur rather than discovering them in retrospect. Without all five, investigators will always be reconstructing the attack from fragments — after it has already succeeded.
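Two of the five capabilities listed above, identity correlation and consistent classification across channels, are concrete enough to show in code, and together they answer the notification-scoping question raised in the previous answer (what categories of data did a given identity reach, and how much). The example below is added for this page and is not Kiteworks' or Unit 42's code: it normalises three constructed log formats (an email gateway, an SFTP server and a JSON API gateway) into one timeline, resolves each raw principal through an assumed identity record, and keeps unresolved principals visible rather than dropping them. All formats, identifiers and sample lines are invented.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed identity record: every principal that can touch data (human user,
# service account, API token) maps to one canonical identity.
IDENTITY_MAP = {
    "user:alice": "alice@example.com",
    "svc:crm-sync": "alice@example.com",   # service account owned by alice
    "token:tok_8f2a": "alice@example.com",
    "user:bob": "bob@example.com",
    "token:tok_11c0": "bob@example.com",
}


@dataclass
class UnifiedEvent:
    ts: datetime
    identity: str        # canonical identity, or "unresolved:<principal>"
    principal: str       # principal exactly as the channel logged it
    channel: str
    action: str
    classification: str
    nbytes: int


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve(principal: str) -> str:
    """Map a raw principal to its identity; an unknown one is a visibility gap, not noise."""
    return IDENTITY_MAP.get(principal, f"unresolved:{principal}")


def _match(regex: re.Pattern, line: str) -> tuple:
    m = regex.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groups()


# Assumed email-gateway format: key=value fields.
EMAIL_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) file=\S+ class=(\S+) bytes=(\d+)$")
# Assumed SFTP-server format: positional fields.
SFTP_RE = re.compile(r"^(\S+) (\S+) (GET|PUT) (\S+) (\S+) (\d+)$")


def parse_email(line: str) -> UnifiedEvent:
    ts, user, action, cls, nbytes = _match(EMAIL_RE, line)
    p = f"user:{user}"
    return UnifiedEvent(_ts(ts), resolve(p), p, "email", action, cls, int(nbytes))


def parse_sftp(line: str) -> UnifiedEvent:
    ts, principal, verb, _path, cls, nbytes = _match(SFTP_RE, line)
    return UnifiedEvent(_ts(ts), resolve(principal), principal, "sftp",
                        verb.lower(), cls, int(nbytes))


def parse_api(line: str) -> UnifiedEvent:
    rec = json.loads(line)  # assumed API-gateway format: one JSON object per line
    p = f"token:{rec['token']}"
    return UnifiedEvent(_ts(rec["time"]), resolve(p), p, "api",
                        rec["method"].lower(), rec["class"], int(rec["bytes"]))


def build_timeline(email_log: str, sftp_log: str, api_log: str) -> list[UnifiedEvent]:
    events: list[UnifiedEvent] = []
    for text, parser in ((email_log, parse_email), (sftp_log, parse_sftp), (api_log, parse_api)):
        events.extend(parser(l) for l in text.strip().splitlines() if l.strip())
    return sorted(events, key=lambda e: e.ts)


def scope_exposure(events: list[UnifiedEvent], identity: str) -> dict[str, int]:
    """Bytes moved per data classification by one identity across every channel."""
    totals: dict[str, int] = defaultdict(int)
    for e in events:
        if e.identity == identity:
            totals[e.classification] += e.nbytes
    return dict(totals)


def unresolved_principals(events: list[UnifiedEvent]) -> list[str]:
    return sorted({e.principal for e in events if e.identity.startswith("unresolved:")})


# Constructed sample logs for one morning.
EMAIL_LOG = """
2026-02-19T10:01:00Z user=alice action=send file=q4_forecast.xlsx class=confidential bytes=240000
"""
SFTP_LOG = """
2026-02-19T10:05:00Z svc:crm-sync GET /exports/customers.csv confidential 1500000
"""
API_LOG = """
{"time": "2026-02-19T09:30:00Z", "token": "tok_11c0", "method": "GET", "path": "/v1/reports", "class": "internal", "bytes": 5000}
{"time": "2026-02-19T10:09:00Z", "token": "tok_8f2a", "method": "GET", "path": "/v1/contacts", "class": "pii", "bytes": 820000}
{"time": "2026-02-19T10:12:00Z", "token": "tok_zz99", "method": "GET", "path": "/v1/contacts", "class": "pii", "bytes": 410000}
"""

if __name__ == "__main__":
    timeline = build_timeline(EMAIL_LOG, SFTP_LOG, API_LOG)
    for e in timeline:
        print(f"{e.ts:%H:%M} {e.channel:5} {e.identity:28} {e.classification:12} {e.nbytes}")
    print("alice exposure:", scope_exposure(timeline, "alice@example.com"))
    print("unresolved:", unresolved_principals(timeline))
```

Seen channel by channel, alice's activity is three unrelated records from three tools; correlated through the identity record it is one identity moving confidential and PII data through email, SFTP and an API token within eleven minutes. The unresolved token is the kind of unmonitored integration the report describes, and surfacing it is the point of keeping unknown principals in the timeline.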

The shift to encryption-optional extortion — present in only 78% of 2025 cases, down sharply from 90%+ in prior years — invalidates the assumption that backup-and-recovery capabilities constitute a complete ransomware defense. When 41% of victims can restore from backup without paying but still face extortion based on stolen data, the attack has already succeeded at its primary objective before the ransom demand arrives. For data privacy and compliance, the implication is direct: unauthorized exfiltration of personal data triggers GDPR, HIPAA, state privacy law, and sector-specific notification obligations regardless of whether ransomware was deployed or systems were encrypted. Organizations that treat ransomware response as primarily a recovery problem are missing the notification, regulatory, and reputational exposure that data theft creates independently of encryption. The required shift is from backup-centric defense to data-centric prevention: enforcing access controls and DLP at the content layer so that even if an attacker gains network access, they cannot reach data beyond the scope of the compromised identity, and comprehensive audit trails that immediately scope what was accessed if exfiltration does occur — enabling defensible breach notification rather than worst-case-assumption disclosures.
