Report by Palo Alto Unit 42
2026 Global Incident Response Report
8 Findings
Published Feb 17, 2026
Key Findings
Encryption-based extortion declined by 15% compared to the previous year.
Encryption, Extortion
Many organizations run 50 or more security products.
Security Operations, Tool Sprawl, Security Tools
Nearly 48% of incidents include browser-based activity.
Browser Security
In the fastest cases, attackers moved from initial access to data exfiltration in 72 minutes, four times faster than the previous year.
Initial Access, Data Exfiltration
Identity weaknesses play a material role in nearly 90% of investigated incidents.
Identity, Access Management
Attackers leverage third-party SaaS applications in 23% of incidents.
SaaS
Misconfigurations or gaps in security coverage materially enable attacks in over 90% of incidents.
Misconfiguration, Gaps In Security Coverage
87% of intrusions involve activity across multiple attack surfaces.
Attack Surface