AI Compressing Breach Timelines as Identity Weaknesses Drive 90% of Incidents


Key Takeaways

The fastest quartile of breaches reached data exfiltration in just 72 minutes, down from roughly 285 minutes a year earlier.

Nearly 90% of investigated incidents involved identity weaknesses, with 65% of initial access driven by credential abuse or misconfiguration.

The report found that eighty-seven percent of intrusions spanned multiple attack surfaces, underscoring the convergence of cloud, SaaS, and identity risk.

Attackers have dramatically accelerated intrusion speed, according to a newly released global incident response study. The study found that the fastest quartile of cases reached data exfiltration in just over an hour, down from roughly 5 hours the prior year.

Unit 42, Palo Alto Networks’ threat intelligence unit, links this acceleration to AI-enabled automation compressing the attack lifecycle. The finding appears in its 2026 Global Incident Response Report, which is based on analysis of over 750 incident response engagements across 50 countries between October 2024 and September 2025.

The report also concludes that identity has become the primary attack surface. Nearly 90% of investigations involved identity weaknesses, and about 65% of initial access stemmed from credential theft, MFA bypass or misconfigured access controls. Most intrusions spanned multiple environments, while more than 90% of breaches were tied to preventable gaps, such as unpatched systems, excessive permissions and weak governance.

Intrusion Speed, Identity Exposure, and Multi-Surface Risk

The report documents a sharp acceleration in intrusion speed. The fastest quartile of incidents reached data exfiltration in roughly 72 minutes, compared with about 285 minutes a year earlier, a fourfold reduction in time to impact.

Unit 42 links that compression to AI-enabled automation used across reconnaissance, phishing content generation, scripting and extortion workflows, allowing attackers to run parallelized campaigns with fewer manual constraints.

Nearly 90% of investigations involved identity weaknesses, and about 65% of initial access was identity-driven, including stolen credentials, MFA bypass techniques, IAM misconfigurations, and other identity control failures.

This finding dovetails with a previous Unit 42 cloud IAM study analyzing more than 680,000 identities, which found 99% had excessive permissions, highlighting over-permissioning that runs counter to best identity governance and least-privilege practices.

The latest report also found that intrusions routinely span multiple environments: 87% of cases crossed more than one attack surface, and 67% traversed three or more, moving between endpoints, cloud infrastructure, SaaS applications and third-party systems.

That blended pattern reflects how modern enterprises operate, with supplier access, SaaS extensions and cloud workloads interconnected through shared identity and API layers.

Initial access techniques remain familiar. Phishing and vulnerability exploitation each accounted for roughly 22% of initial access cases. The report concludes that more than 90% of incidents were linked to preventable exposure gaps such as unpatched systems, weak segmentation, excessive privileges and inconsistent governance.

Governance Implications for a Compressed Threat Environment

The report frames a new reality: AI-enabled attackers are collapsing the time between breach and business impact, rendering traditional risk oversight cycles too slow.

When exfiltration can occur in little more than an hour, quarterly access reviews and audit-driven controls fail to match operational tempo.

The executive recommendations center on tightening identity discipline. Least-privilege enforcement, continuous access review, and stronger detection for identity misuse are positioned as foundational controls. In ERP environments, where role sprawl, integration accounts, and supplier access converge, those measures become structural safeguards.
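To make "continuous access review" concrete, here is an added example (not code from the report or from Unit 42) of the core check such a review performs: compare what each identity is permitted to do against what it actually exercised inside a rolling review window, flag identities whose unused share of grants crosses a threshold, and emit a least-privilege revocation plan. The identities, permission names and usage records are constructed sample data; a real deployment would pull grants from the IAM or ERP role store and usage from authorization telemetry.

```python
"""Continuous access review: flag granted-but-unused permissions per identity.

Added illustration; the grants, permission strings and usage log below are
constructed sample data, not figures or identifiers from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: effective permissions currently granted to each identity.
GRANTS = {
    "svc-erp-integration": {"erp:read_orders", "erp:write_orders",
                            "erp:admin", "s3:read_exports"},
    "alice": {"erp:read_orders", "erp:approve_invoices"},
    "vendor-logistics": {"erp:read_orders", "erp:write_orders", "erp:admin"},
}

# Constructed authorization telemetry: (identity, permission, ISO-8601 timestamp).
USAGE_LOG = [
    ("svc-erp-integration", "erp:read_orders", "2025-09-01T08:00:00"),
    ("svc-erp-integration", "erp:write_orders", "2025-09-02T08:05:00"),
    ("alice", "erp:read_orders", "2025-09-10T09:00:00"),
    ("alice", "erp:approve_invoices", "2025-09-11T09:30:00"),
    ("vendor-logistics", "erp:read_orders", "2025-09-12T10:00:00"),
    ("vendor-logistics", "erp:admin", "2025-06-01T10:00:00"),  # stale: outside the window
]


def review_access(grants, usage_log, as_of, window_days=30):
    """Return {identity: {"used": set, "unused": set, "ratio": float}}.

    A grant counts as used only if it was exercised within the review window
    ending at `as_of`; use outside the window is treated as stale.
    """
    cutoff = as_of - timedelta(days=window_days)
    used = defaultdict(set)
    for identity, perm, ts in usage_log:
        # Ignore usage of permissions the identity no longer holds: it cannot
        # justify keeping a grant that is not currently in the grant set.
        if datetime.fromisoformat(ts) >= cutoff and perm in grants.get(identity, ()):
            used[identity].add(perm)

    report = {}
    for identity, granted in grants.items():
        exercised = used.get(identity, set())
        unused = granted - exercised
        ratio = len(unused) / len(granted) if granted else 0.0
        report[identity] = {"used": exercised, "unused": unused, "ratio": ratio}
    return report


def excessive_identities(report, threshold=0.5):
    """Identities whose unused share of grants meets or exceeds the threshold."""
    return sorted(i for i, r in report.items() if r["ratio"] >= threshold)


def revocation_plan(report):
    """Least-privilege recommendation: the grants to remove, per identity."""
    return {i: sorted(r["unused"]) for i, r in report.items() if r["unused"]}


if __name__ == "__main__":
    rep = review_access(GRANTS, USAGE_LOG, as_of=datetime(2025, 9, 30))
    for identity in excessive_identities(rep):
        print(f"{identity}: {rep[identity]['ratio']:.0%} of grants unused "
              f"-> revoke {sorted(rep[identity]['unused'])}")
```

Run on a schedule (daily or per deployment rather than quarterly), the output feeds a ticket or an automated revocation step; the window length and threshold are policy choices, and integration accounts and supplier identities usually deserve a tighter threshold than interactive users because their permission sets rarely shrink on their own.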

Supply chain governance receives similar emphasis. Vendor risk management, software integrity controls, and third-party monitoring become necessary extensions of ERP security because core systems now sit inside interconnected partner ecosystems.

The report further calls for telemetry-driven detection and response with integrated visibility across endpoints, cloud, SaaS, and identity. ERP security now extends beyond the application boundary into the surrounding identity, cloud, and endpoint environment.

What This Means for ERP Insiders

Time compression changes breach economics. A fourfold reduction in time to exfiltration shifts advantage to attackers once initial access succeeds. Containment cost, business interruption risk, and regulatory exposure now concentrate inside a much shorter operational window.

Over-permissioning is a systemic liability. The finding that 99% of sampled cloud identities carried excessive permissions points to structural access sprawl, not isolated configuration error. In large enterprises, identity scale itself becomes a risk multiplier unless privilege discipline keeps pace.

Multi-surface operations erase application boundaries. When most intrusions traverse endpoints, cloud, SaaS and third-party systems, exposure cannot be isolated inside a single platform. Core systems inherit the weaknesses of the broader identity and integration mesh that surrounds them.