US cybersecurity firm Palo Alto Networks has released alarming data on cyberattack speeds. Its Unit 42 threat intelligence division analyzed over 750 major cyber incidents across 50 countries, documenting acceleration driven by artificial intelligence. In the fastest attacks, threat actors moved from initial access to complete data exfiltration in just 72 minutes, i.e., 4x faster than 2024’s nearly five-hour average. Unit 42 simulated an AI-assisted attack reaching exfiltration in 25 minutes.
AI is the primary accelerant. Threat actors use large language models for reconnaissance, phishing, scripting, and operational execution. Attackers now automate hyper-personalized social engineering, scraping professional profiles and organizational data to craft targeted lures. Synthetic identities powered by deepfakes, deployed by groups like Muddled Libra and North Korean IT workers, pass remote hiring workflows. The Shai-Hulud campaign showed attackers using LLMs to generate malicious scripts at scale.
The 2026 Unit 42 report identified four critical trends. First, identity is the primary vector: 89% of investigations involved identity weaknesses. Attackers log in with stolen credentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally. A prior Unit 42 study found 99% of identities had excessive permissions. Identity-based phishing (22%) and vulnerability exploitation (22%) tied as leading initial access vectors.
Second, attack complexity is growing. 87% of attacks span multiple surfaces, with 67% crossing three or more attack surfaces simultaneously. Third, the browser is a primary battleground, featuring in 48% of attacks to harvest credentials. Fourth, SaaS supply chain attacks surged 3.8x since 2022, with 23% of incidents exploiting third-party applications.
Extortion tactics evolved. Encryption now appears in 78% of extortion cases, down from 90% previously, as attackers prioritize data theft and exposure. Median ransom demands rose from US$1.25 million to US$1.5 million.
Unit 42 recommends deploying phishing-resistant FIDO2 hardware keys for high-value roles. Google’s 2018 deployment to 85,000+ employees resulted in zero successful phishing attacks. Cloudflare eliminated SMS-based MFA entirely, rolling out FIDO2-only authentication with YubiKeys, preventing campaigns that compromised competitors.
Organizations should establish strict 90-day rotation schedules for machine identities, adopt Just-in-Time privilege elevation, and implement video-verified helpdesk recovery workflows. Zero Trust principles combined with consolidated telemetry enable response faster than the 72-minute attack window.
