Executive Summary

WE SEE FOUR MAJOR TRENDS THAT WILL SHAPE THE THREAT LANDSCAPE FOR 2026.

First, AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access to impact, while introducing new vectors. This speed shift is measurable: in 2025, exfiltration speeds for the fastest attacks quadrupled.

Second, identity has become the most reliable path to attacker success. Identity weaknesses played a material role in almost 90% of Unit 42 investigations. Attackers increasingly log in with stolen credentials and tokens, exploiting fragmented identity

Third, software supply chain risk has expanded beyond vulnerable code to the misuse of trusted connectivity. Attackers exploit software-as-a-service (SaaS) integrations, vendor tools and application dependencies to bypass perimeters at scale.

Fourth, nation-state actors are adapting stealth and persistence tactics to modern enterprise operating environments. These actors increasingly relied on persona-driven infiltration (fake employment, synthetic identities) and deeper compromise

While these four trends each present a challenge, attacker success is rarely determined by a single attack vector. In more than 750 incident response (IR) engagements, 87% of intrusions involved activity across multiple attack surfaces. This means defenders must protect endpoints, networks, cloud infrastructure, SaaS applications and identity together.

Most breaches were enabled by exposure, not attacker sophistication. In fact, in over 90% of breaches, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive identity trust. These conditions delayed detection, created paths for lateral movement, and increased impact once attackers

Security leaders must close the gaps attackers rely on. First, reduce exposure by securing the application ecosystem, including third-party dependencies and integrations, and hardening the browser, where many intrusions now begin.
In parallel, reduce area of impact by advancing zero trust and tightening identity and access management (IAM) to remove excessive trust and limit lateral movement. Finally, as the last line of defense,

SECTION 1: Introduction

In 2025, Unit 42 responded to more than 750 major cyber incidents. Our teams worked with large organizations facing extortion, network intrusions, data theft and advanced persistent threats. Targets spanned every major industry and more

When that call comes, our incident responders move quickly to investigate, contain and eradicate the threat. We help organizations establish what happened, restore operations, and reduce the risk of recurrence by strengthening controls,

Each intrusion tells a story: what the attacker targeted, how they gained access, how the activity escalated and what could have stopped it sooner. In the aggregate, these stories become trends and provide insight into the global threat landscape. They show what’s changing in adversary tradecraft, the repeated mistakes organizations make, and most

Over the past year, attack speeds continued to accelerate. Attackers are still early in their adoption of AI-enabled tradecraft, but its impact is already visible. AI reduces friction across reconnaissance, social engineering, scripting, troubleshooting and extortion operations. It enables greater scale and the ability to launch multiple attacks

At the same time, most breaches still follow familiar paths. And that is why our most important conclusion remains unchanged: security is solvable. In more than 90% of incidents, misconfigurations or lapses in security coverage materially enabled the intrusion.
Attackers are adapting, but they most often succeed by exploiting preventable gaps—

This report is organized as a practical guide to the current threat landscape:

Emerging Threats and Trends: How attacker tradecraft is evolving—AI as a force multiplier, identity as the most reliable path to success, expanding software supply chain risk through trusted connectivity and

Inside the Intrusion: An aggregate view of observed tactics, techniques and procedures across Unit 42 investigations—what attackers target, how they get in, how fast they move and the

Recommendations for Defenders: Concrete steps to close the gaps that enable compromise, constrain area of impact, and build response capability fast enough to stop incidents before they escalate.

Unit 42 operates 24/7 to protect the digital world from cyberthreats. The goal of this report is straightforward: to turn what we learn on the front lines into decisions that stop incidents before they become breaches.

Sam Rubin
SVP of Consulting and Threat Intelligence
Unit 42

SECTION 2: Emerging

TREND 1: AI Has Become a Force Multiplier for Attackers

AI is changing the economics of intrusions. It increases attacker speed, scale and effectiveness while opening entirely new attack vectors. While much of this activity occurs on adversary