Identity remains the primary entry point for cyberattacks, according to Palo Alto Networks’ threat intelligence firm Unit 42. In its annual incident response report released Tuesday, Unit 42 found that identity-based techniques accounted for nearly two-thirds of all initial network intrusions last year, impacting businesses globally.
Social engineering led the attack methods, constituting one-third of the 750 incidents Unit 42 responded to over a one-year period ending in September 2025. Attackers also bypassed security controls through compromised credentials, brute-force attacks, overly permissive identity policies, and insider threats, researchers reported. These findings underscore a persistent vulnerability in how organizations manage and protect digital identities.
Persistent Identity Pitfalls in Cybersecurity
The pitfalls associated with identity extended beyond initial access, with an identity-related element playing a significant role in close to 90% of all incidents. Unit 42’s report highlights the substantial impact of identity abuse, attributing a large portion of this problem to weak security controls and misconfigurations across interconnected tools and systems.
“Across the attack lifecycle, the biggest thing is that once you have an identity, you’ve got everything, you’ve got the key and you’re in,” said Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42. He noted that from a defense perspective, many enterprises struggle to distinguish legitimate activity from malicious actions when identity-based tactics are employed, as they don’t always manifest as unauthorized access from a technical telemetry standpoint, making detection more challenging.
Beyond Compromised Credentials
While vulnerability exploits, an ever-evolving threat, still represented 22% of initial intrusions, humans continue to be the weakest link in the security chain, Rubin stated. The increasing prevalence of machine-based identities and AI agents, which require their own credentials to operate, is inadvertently expanding the attack surface for cybercriminals.
Identity challenges are also emerging within the software supply chain. API access and SaaS integrations, if not properly secured, create additional entry points for attackers. An incident affecting Salesloft Drift customers last summer illustrated how deeply integrated services can unravel, exposing victims multiple layers removed from the initial vendor. Over 700 organizations were directly impacted, but Salesloft Drift’s numerous third-party integrations opened many more potential compromise paths.
More broadly, attackers are leveraging broad account permissions and excessive privileges in cloud-based accounts without adequate segmentation. This allows them to pivot from branch offices into a victim’s headquarters or data centers, turning initial breaches into widespread attacks. Rubin emphasized that improved identity-based practices could have contained the extent of damage, even if they didn’t prevent the initial intrusion.
“It’s a problem of signal and noise,” Rubin added. “Think about a global enterprise and all of this authenticated, legitimate activity happening every day. How do you see and identify the one instance where a user is already authenticated but doing something that they shouldn’t do?”
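One way defenders approach the signal-and-noise problem Rubin describes is to score authenticated activity against a per-identity baseline rather than looking only for failed or unauthorized logins. The Python below is an added illustration, not code from Unit 42 or Palo Alto Networks: the identities, sites, zones, baselines and events are all constructed, and the scoring weights are arbitrary assumptions chosen to make a branch-office account that suddenly reaches a datacenter segment (the pivot described above) stand out, while routine in-profile activity scores zero. It also flags an identity with no baseline at all, the situation a newly minted service or integration account creates.

```python
"""
Baseline-deviation triage for authenticated activity (added example; all data
constructed). A valid login that then touches zones, sites or actions outside
the identity's learned profile is scored and ranked above in-profile noise.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # minutes since midnight (constructed)
    user: str        # identity that authenticated
    src_site: str    # network segment the session originated from
    dst_zone: str    # zone of the resource that was touched
    action: str      # what the identity did there


# Constructed per-identity baselines: what each account normally does.
# In practice these would be learned from weeks of historical telemetry.
BASELINE = {
    "branch.clerk": {"sites": {"branch-east"}, "zones": {"branch-east"},
                     "actions": {"file.read", "mail.send"}},
    "it.admin":     {"sites": {"hq"}, "zones": {"hq", "datacenter"},
                     "actions": {"file.read", "admin.login", "snapshot.create"}},
}

# Zones where an out-of-profile arrival is treated as lateral movement (assumed).
SENSITIVE_ZONES = {"datacenter"}

# Arbitrary weights (assumptions) for how far an event strays from profile.
W_UNKNOWN_IDENTITY = 4
W_UNFAMILIAR_SITE = 2
W_UNFAMILIAR_ZONE = 2
W_SENSITIVE_PIVOT = 3
W_UNFAMILIAR_ACTION = 1


def score_event(ev: Event, baseline: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; 0 means fully in-profile."""
    profile = baseline.get(ev.user)
    if profile is None:
        # Machine/service identities with no history are scored as unknowns.
        return W_UNKNOWN_IDENTITY, ["no baseline for identity"]
    score, reasons = 0, []
    if ev.src_site not in profile["sites"]:
        score += W_UNFAMILIAR_SITE
        reasons.append(f"session from unfamiliar site {ev.src_site}")
    if ev.dst_zone not in profile["zones"]:
        score += W_UNFAMILIAR_ZONE
        reasons.append(f"reached unfamiliar zone {ev.dst_zone}")
        if ev.dst_zone in SENSITIVE_ZONES:
            score += W_SENSITIVE_PIVOT
            reasons.append("out-of-profile move into sensitive zone")
    if ev.action not in profile["actions"]:
        score += W_UNFAMILIAR_ACTION
        reasons.append(f"unfamiliar action {ev.action}")
    return score, reasons


def triage(events: list[Event], baseline: dict, threshold: int = 3):
    """Score every event and return those at/above threshold, highest first."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            flagged.append((ev.ts, ev.user, score, reasons))
    flagged.sort(key=lambda f: -f[2])
    return flagged


# Constructed day of authenticated activity; every event is a *successful*
# session, which is exactly why login-failure alerts alone would miss it.
EVENTS = [
    Event(540, "branch.clerk", "branch-east", "branch-east", "file.read"),
    Event(545, "it.admin", "hq", "datacenter", "admin.login"),
    Event(602, "branch.clerk", "branch-east", "datacenter", "admin.login"),
    Event(605, "branch.clerk", "branch-east", "branch-east", "mail.send"),
    Event(610, "svc.sync-bot", "saas", "datacenter", "file.read"),
    Event(630, "it.admin", "branch-east", "datacenter", "snapshot.create"),
]


if __name__ == "__main__":
    for ts, user, score, reasons in triage(EVENTS, BASELINE):
        print(f"{ts:>4} {user:<14} score={score} :: {'; '.join(reasons)}")
```

Only two of the six sessions cross the threshold: the clerk account performing an admin login in the datacenter, and the service account with no history. The admin logging in from an unfamiliar branch site scores but stays below the threshold, which is the kind of tuning decision a real deployment would make against its own false-positive budget.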
Challenges for Large and Evolving Organizations
Larger, older organizations face particular disadvantages. Over time, their technology stacks often evolve to include legacy systems acquired through mergers and acquisitions. This results in IT teams managing a complex patchwork of disparate systems that are poorly integrated, creating significant security vulnerabilities and complicating the management of digital identities.
“We forgot as defenders to consider the entire attack chain, because too often we see the defense happens in silos,” Rubin said, noting that attacks pivoting between endpoints and cloud-based services are frequently missed. Each of these transitions presents an opportunity for defenders to halt an attack, yet nearly 90% of incidents investigated by Unit 42 last year involved malicious activity across multiple attack surfaces.
Financially motivated attacks made up the majority of the 750 incidents Unit 42 addressed. While the report did not specify the number of attacks resulting in ransomware payments, it stated that median payments increased by 87% year-over-year to $500,000. Attackers are also accelerating their operations, exfiltrating data from victim networks in a median duration of just two days. In 22% of the incidents, data was stolen in under an hour.
Unit 42’s annual report highlights critical areas of concern and prevalent attack trends. However, its scope is limited to incidents that escalated and prompted victims to seek assistance from Unit 42. “The hardest thing about incident response in cybersecurity,” Rubin concluded, “is there is no one global spot for how much is going on.”
Moving forward, organizations will likely focus on strengthening identity and access management protocols to mitigate the risks identified in the report. An important area to watch will be the development and adoption of advanced detection mechanisms that can better differentiate malicious identity-based activities amidst vast amounts of legitimate network traffic.