STOCK TITAN

Unit 42 Report: AI and Attack Surface Complexity Fuel Majority of Breaches

Rhea-AI Impact: Neutral
Rhea-AI Sentiment: Negative
Tags: AI

The Palo Alto Networks (NASDAQ: PANW) Unit 42 2026 Global Incident Response Report finds that AI and sprawling attack surfaces are driving faster, more complex breaches. Based on 750+ incidents, Unit 42 reports that attack speed rose 4x year-over-year, identity was exploited in 89% of investigations, and 87% of attacks spanned multiple surfaces.

Key metrics: fastest exfiltration in 72 minutes, 65% of initial access via identity techniques, browser involved in 48% of attacks, and SaaS supply-chain incidents rose 3.8x since 2022.


Positive

  • Attack speed increased by 4x year-over-year
  • Identity exploitation in 89% of investigations
  • Attacks span multiple surfaces in 87% of cases
  • SaaS supply-chain attacks rose 3.8x since 2022
  • Unit 42 analyzed over 750 high-stakes incidents

Negative

  • Fastest attacks achieved data exfiltration in 72 minutes
  • 65% of initial access is identity-driven
  • Browsers involved in 48% of attacks
  • Unit 42 links 90% of breaches to misconfigurations or security gaps

Key Figures

  • Incidents analyzed: over 750 incidents (Unit 42 2026 Global Incident Response Report dataset)
  • Attack speed increase: 4x faster (acceleration in attack speeds over the past year)
  • Identity weaknesses: 89% of investigations (share of cases where identity weaknesses were exploited)
  • Multi-surface attacks: 87% of attacks (attacks involving two or more attack surfaces)
  • Fastest exfiltration time: 72 minutes (time from initial access to data exfiltration in fastest attacks)
  • Identity-based initial access: 65% of attacks (share of initial access via identity-based techniques)
  • Browser involvement: 48% of attacks (attacks involving the browser as a primary battleground)
  • SaaS supply chain share: 23% of attacks (incidents involving third-party SaaS applications)

Market Reality Check

Last close: $166.95
Volume: 12,577,729, close to the 20-day average of 12,209,557, indicating no major volume dislocation (normal).
Technical: Shares at $166.95 trade below the $193.26 200-day MA and sit 25.34% under the 52-week high, 15.82% above the 52-week low.

Peers on Argus


PANW is up 2.54% while key software/security peers show mixed moves: CRWD +3.05%, FTNT +1.19%, NET +4.95%, SNPS +3.25%, ZS +1.94%. Only SNPS appears in the momentum scanner, moving down 2.54%, reinforcing a stock-specific reaction to this AI/incident-response report.

Previous AI Reports

5 past events · Latest: Feb 05 (Positive)
Date | Event | Sentiment | Move | Catalyst
Feb 05 | AI partner program | Positive | -7.2% | Upgraded NextWave partner program focused on AI-driven security outcomes.
Dec 19 | AI cloud partnership | Positive | +0.5% | Expanded Google Cloud partnership to secure AI and cloud workloads.
Dec 16 | Cloud security report | Positive | +0.7% | State of Cloud Security Report highlighting AI-driven attack surface growth.
Nov 18 | AI agent protections | Positive | -0.9% | New Prisma AIRS integrations to secure AI agent platforms in real time.
Nov 18 | AI security outlook | Positive | -0.9% | Publication of six AI-era cybersecurity predictions for 2026.

Pattern Detected

AI-tagged announcements have often seen muted or negative follow-through, with 3 of the last 5 AI news events followed by declines despite generally positive strategic messages.

Recent Company History

Over the past few months, Palo Alto Networks has repeatedly highlighted AI-focused initiatives. AI-tagged news on Nov 18, 2025 (Prisma AIRS integrations) and Dec 16, 2025 (cloud security report) emphasized securing expanding AI attack surfaces. A landmark AI and cloud partnership with Google Cloud on Dec 19, 2025 underscored platform depth. Most recently, the Feb 5, 2026 AI-driven NextWave partner program revamp drew a negative price reaction. Today’s Unit 42 incident-response report continues this AI-and-security narrative.

Historical Comparison


In the last 5 AI-tagged releases, PANW’s average move was -1.57%. Today’s +2.54% reaction to another AI-focused Unit 42 report stands out versus that generally softer historical pattern.

AI-tagged news has progressed from projections and integrations to concrete reports on AI-driven threats, reinforcing a consistent narrative around securing expanding AI and cloud attack surfaces.

Market Pulse Summary


This announcement highlights Unit 42’s findings that AI, identity weaknesses, and multi-surface complexity drive most breaches, with attacks accelerating and often involving browsers and third-party SaaS. For Palo Alto Networks, it extends a series of AI-focused reports and partnerships that position its platform around unified, identity-aware defense. Investors may watch how these insights feed product adoption, incident-response demand, and upcoming AI-security offerings, especially alongside recent AI and cloud-security initiatives.

Key Terms

attack surface (technical)
"AI, sprawling attack surfaces, and identity fuel the majority of breaches."
The attack surface is the collection of points where a company's digital systems, devices, or networks can be accessed, misused, or breached — think of it as the number of doors and windows a thief could try. A larger or more complex attack surface raises the chance of a costly security breach, which can lead to direct losses, regulatory fines, and damage to customer trust and the company's stock value, so investors watch it as a measure of operational and cybersecurity risk.
social engineering (technical)
"65% of initial access is driven by identity-based techniques, like social engineering and credential misuse"
Social engineering is the practice of manipulating people into revealing confidential information, granting access, or taking actions that compromise security, often by posing as a trusted person or using urgent, persuasive stories. For investors it matters because these scams can lead to direct financial loss, theft of sensitive corporate data, disrupted operations, or damage to a company’s reputation — similar to a con artist who tricks a business into handing over its keys.
OAuth tokens (technical)
"as threat actors abuse OAuth tokens and API keys for lateral movement."
OAuth tokens are digital keys issued by an authentication system that let an app or service access specific data or actions on behalf of a user without revealing the user’s password. For investors, they matter because tokens control who can read or move sensitive data and can expire or be revoked like a temporary key; mishandled or stolen tokens can cause breaches, operational outages, regulatory fines, or reputational damage that affect a company’s value.
SaaS (technical)
"Attacks involving third-party SaaS applications have surged 3.8x since 2022"
SaaS, or Software as a Service, is a way of delivering computer programs over the internet, allowing users to access and use them through a web browser without needing to install or maintain the software themselves. For investors, it highlights a business model where companies generate recurring revenue by providing ongoing access to their software, often leading to predictable income and growth potential.
zero trust (technical)
"Adopt zero trust to continuously verify every interaction"
Zero trust is a security approach that assumes no one, whether inside or outside an organization, should be automatically trusted. Instead, every access request is carefully verified before being granted, much like checking ID at every door rather than trusting someone just because they are known. For investors, it emphasizes the importance of protecting digital assets and data from potential breaches, reducing overall risk.

AI-generated analysis. Not financial advice.

Adversaries leverage AI to accelerate attacks, exploiting identity weakness and enterprise complexity

SANTA CLARA, Calif., Feb. 17, 2026 /PRNewswire/ -- The Unit 42 2026 Global Incident Response Report, released today by Palo Alto Networks (NASDAQ: PANW), reveals an era of accelerated attacks where AI, sprawling attack surfaces, and identity fuel the majority of breaches. Based on Unit 42® analysis of over 750 high-stakes incidents, adversaries are leveraging AI throughout the attack lifecycle, accelerating attack speeds by 4x over the past year. Enterprise complexity is working in the attackers' favor — identity weaknesses were exploited in 89% of investigations, while 87% of attacks involved multiple attack surfaces.

Sam Rubin, SVP of Unit 42 Consulting & Threat Intelligence, Palo Alto Networks
"Enterprise complexity has become the adversary's greatest advantage. This risk is compounded as attackers increasingly target credentials, utilizing autonomous AI agents to bridge human and machine identities for independent action. To mitigate these threats, organizations must reduce complexity and move to a unified platform approach that relentlessly eliminates implicit trust."

2026 Global Incident Response Report Highlights

  • AI bolsters attack speeds: As threat actors increasingly leverage AI and advanced automation, the time from initial access to data exfiltration has plummeted to just 72 minutes in the fastest attacks — a 4x increase in speed over the past year.
  • Attack complexity is growing: 87% of attacks span two or more attack surfaces, blending activity across endpoints, cloud, SaaS platforms and identity systems. Unit 42 tracked activity across as many as 10 different fronts simultaneously.
  • Identity drives initial access: 65% of initial access is driven by identity-based techniques, like social engineering and credential misuse, while vulnerabilities account for initial access in 22% of all attacks.
  • The browser is a primary battleground: 48% of attacks involve the browser, reflecting how routine web sessions are weaponized to harvest credentials and bypass local controls.
  • SaaS supply chain attacks increase: Attacks involving third-party SaaS applications have surged 3.8x since 2022, accounting for 23% of all attacks as threat actors abuse OAuth tokens and API keys for lateral movement.

Bridging the Critical Gaps in Defense
Unit 42 links 90% of data breaches to misconfigurations or security gaps, with complexity, poor visibility and excessive trust acting as systemic attack enablers.

To counter the collapse of the attack lifecycle, the report recommends that defenders move beyond traditional perimeter security and adopt a unified platform approach that:

  • Moves at machine speed: Empower SOCs with AI and automation to detect and contain high-velocity attacks in minutes rather than hours.
  • Secures the build pipeline: Embed security directly into the software and AI development lifecycle to block vulnerabilities before they reach the cloud.
  • Modernizes identity defense: Centralize management of human, machine and agentic identities to close governance gaps and stop credential-based exploits.
  • Protects the human interface: Use secure browser technology and active exposure management to defend the modern workspace and unmanaged devices.
  • Eliminates implicit trust: Adopt zero trust to continuously verify every interaction, neutralizing an attacker's ability to move laterally.

To download the full 2026 Unit 42 Global Incident Response Report and Executive Resource Kit, visit https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report.

About Unit 42
Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders and expert security consultants to create an intelligence-driven, response-ready organization that's passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster. Visit paloaltonetworks.com/unit42.

About Palo Alto Networks
Palo Alto Networks (NASDAQ: PANW), the global AI cybersecurity leader, protects our digital way of life with a comprehensive portfolio of cybersecurity solutions and platforms across Network, Cloud, Security Operations, AI and Identity. Trusted by over 70,000 customers and powered by Unit 42 threat intelligence, our AI-driven platforms eliminate complexity, empowering enterprises to modernize with confidence and securing the speed of innovation. Explore the future of security at www.paloaltonetworks.com.

Palo Alto Networks, Unit 42, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners.

View original content to download multimedia: https://www.prnewswire.com/news-releases/unit-42-report-ai-and-attack-surface-complexity-fuel-majority-of-breaches-302689259.html

SOURCE Palo Alto Networks, Inc.

FAQ

How did Unit 42 quantify the attack speed increase in the 2026 report for PANW?

Unit 42 reports attack speeds accelerated 4x year-over-year. According to the company, the fastest incidents reached data exfiltration in 72 minutes, illustrating the impact of AI and automation on attack velocity.

What role did identity play in breaches according to Unit 42's 2026 report (PANW)?

Identity weaknesses were exploited in 89% of investigations, driving 65% of initial access. According to the company, credential misuse and social engineering remain the dominant initial-access vectors.

How common are multi-surface attacks in the Unit 42 2026 report for PANW?

Unit 42 found 87% of attacks spanned two or more attack surfaces. According to the company, adversaries blended endpoints, cloud, SaaS platforms and identity systems across as many as 10 fronts.

What does the report say about SaaS supply-chain attack trends in 2026 for PANW?

SaaS supply-chain attacks increased 3.8x since 2022, accounting for 23% of attacks. According to the company, threat actors abused OAuth tokens and API keys to move laterally via third-party SaaS.

How significant are browser-based attacks in the Unit 42 2026 findings (PANW)?

Browsers were involved in 48% of attacks, making them a primary battleground. According to the company, routine web sessions are being weaponized to harvest credentials and bypass local controls.