Executive Summary
In 2025, Unit 42 responded to more than 750 major cyber incidents. Our teams worked with large organizations facing extortion, network intrusions, data theft and advanced persistent threats. Targets spanned every major industry and more than 50 countries. In each case, the situation had escalated to the point where the SOC called for backup.
Each intrusion tells a story: what the attacker targeted, how they gained access, how the activity escalated and what could have stopped it sooner. In the aggregate, these stories become trends and provide insight into the global threat landscape. They show what’s changing in adversary tradecraft, the repeated mistakes organizations make, and most importantly, what defenders can do to keep their organizations safe. This report distills those lessons.
Deep Dive
We see four major trends that will shape the threat landscape for 2026.
First, AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access to impact, while introducing new vectors. This speed shift is measurable: in 2025, exfiltration speeds for the fastest attacks quadrupled.
Second, identity has become the most reliable path to attacker success. Identity weaknesses played a material role in almost 90% of Unit 42 investigations. Attackers increasingly “log in” with stolen credentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally.
Third, software supply chain risk has expanded beyond vulnerable code to the misuse of trusted connectivity. Attackers exploit software-as-a-service (SaaS) integrations, vendor tools and application dependencies to bypass perimeters at scale. This shifts the impact from isolated compromise to widespread operational disruption.
Fourth, nation-state actors are adapting stealth and persistence tactics to modern enterprise operating environments. These actors increasingly rely on persona-driven infiltration (fake employment, synthetic identities) and deeper compromise of core infrastructure and virtualization platforms, with early signs of AI-enabled tradecraft used to reinforce these footholds.
While these four trends each present a challenge, attacker success is rarely determined by a single attack vector. In more than 750 incident response (IR) engagements, 87% of intrusions involved activity across multiple attack surfaces. This means defenders must protect endpoints, networks, cloud infrastructure, SaaS applications and identity together. Further, nearly half (48%) involved browser-based activity, reflecting how often attacks intersect with routine workflows like email, web access and day-to-day SaaS usage.
Most breaches were enabled by exposure, not attacker sophistication. In fact, in over 90% of breaches, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive identity trust. These conditions delayed detection, created paths for lateral movement, and increased impact once attackers obtained access.
Retail and Hospitality Perspective
The image below depicts the breakdown of Unit 42's 2025 investigations within the Retail and Wholesale sector by attack type (percentage of investigations).
In 2025, Retail and Wholesale accounted for roughly one-fifth of the industries both targeted by (18%) and impacted by (19%) extortion-related security incidents, on par with the Manufacturing sector. The DragonForce ransomware attacks by Muddled Libra (aka Scattered Spider) on U.S. and U.K. retailers in Q2 2025 were a notable example of this type of extortion incident. By comparison, Hospitality was near the bottom of both categories, being targeted by (1%) and impacted by (1%) extortion-related security incidents.
From mid-2025 through the beginning of 2026, financially motivated threat actors such as Bling Libra (aka ShinyHunters) and Chubby Scorpius (aka FIN11) adopted data theft and extortion without encryption as a monetization tactic. This represented a notable shift in the cybercrime threat landscape, and one that retail and hospitality organizations must learn to defend against going forward.
Security leaders must close the gaps attackers rely on. First, reduce exposure by securing the application ecosystem, including third-party dependencies and integrations, and by hardening the browser, where many intrusions now begin. In parallel, reduce the area of impact by advancing zero trust and tightening identity and access management (IAM) to remove excessive trust and limit lateral movement. Finally, as the last line of defense, ensure the security operations center (SOC) can detect and contain threats at machine speed by consolidating telemetry and automating response.
Read the full report: https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report