AI-driven cyberattacks now breach systems in 72 minutes, study finds
The window to stop a cyberattack has shrunk to just over an hour as attackers leverage artificial intelligence (AI), according to the 2026 Unit 42 Global Incident Response Report, which says organizations must immediately align their operations with attacker speed.
The findings are based on a review of more than 750 incidents in 2025, which revealed that the time required for attackers to exfiltrate data dropped to 72 minutes, down from 285 minutes the year before.
This acceleration is driven by AI acting as a “force multiplier,” allowing threat actors to automate reconnaissance and exploit vulnerabilities within minutes of public disclosure.
By enhancing the efficiency of phishing and malware deployment, AI has effectively compressed the attack lifecycle and widened the gap between rapid-fire intrusions and manual defenses.
Identity weaknesses played a material role in 90% of the incidents Unit 42 investigated, as attackers increasingly skip software exploits and simply “log in” with stolen credentials or hijacked sessions.
Phishing and the exploitation of software vulnerabilities remain the most common initial entry points, each accounting for 22% of observed incidents, the report said.
Once inside, threat actors leverage these valid credentials to move faster and blend into normal business activity, often utilizing an organization’s own internal AI services to map systems and escalate their access.
This trend is fueled by a widespread governance gap where 99% of cloud identities, including human users and machine accounts, hold excessive permissions, providing quiet, high-leverage paths for lateral movement.
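The governance gap described above (cloud identities holding far more permissions than they use) is something a defender can check mechanically rather than by reading policies by hand. What follows is an added example, not code from Unit 42 or the report: a small Python checker that flags over-privileged statements in an AWS-style IAM policy document, flagging wildcard actions, service-wide actions, negated Action/Resource blocks, and escalation-capable actions granted on every resource. The policy format, the list of escalation-capable actions, and the two sample policies are assumptions constructed for illustration, and the action list is deliberately a short illustrative subset.

```python
# Added example (not Unit 42's code): flag over-privileged IAM policy statements.
# Assumes AWS-style IAM policy JSON; everything below is constructed for illustration.
import fnmatch
import json

# Actions that, when allowed on Resource "*", let an identity grow its own access
# (attach policies, mint keys, assume roles, push code into Lambda, launch instances).
# Assumption: an illustrative subset, not an exhaustive list.
ESCALATION_ACTIONS = [
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode", "ec2:RunInstances",
]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action_pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), action_pattern.lower())


def find_excessive_permissions(policy):
    """Return a list of (statement_index, reason) for risky Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect", "Deny") != "Allow":
            continue
        # NotAction/NotResource grant everything except the listed items: almost
        # always broader than the author intended.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "negated Action/Resource allows everything not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        star_resource = "*" in resources
        # A Condition block narrows the grant; note it rather than silently accept it.
        conditioned = " (narrowed by Condition)" if stmt.get("Condition") else ""
        for act in actions:
            if act == "*":
                findings.append((idx, "Action '*'" + conditioned))
                continue
            if act.endswith(":*"):
                findings.append((idx, f"service-wide action {act!r}" + conditioned))
            if star_resource:
                hits = [e for e in ESCALATION_ACTIONS if _matches(act, e)]
                if hits:
                    findings.append(
                        (idx, f"{act!r} on Resource '*' enables {hits[0]}" + conditioned))
    return findings


# Constructed sample policies (no real account, bucket or role behind them).
OVERPERMISSIVE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Effect": "Allow", "Action": ["iam:*", "lambda:UpdateFunctionCode"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports",
                  "arn:aws:s3:::example-reports/*"]},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/reports-reader",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}
  ]
}
""")

if __name__ == "__main__":
    for name, pol in (("over-permissive", OVERPERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name)
        for idx, reason in find_excessive_permissions(pol) or [(None, "no findings")]:
            print(f"  statement {idx}: {reason}")
```

The first statement of the over-permissive policy (read access to one bucket) produces nothing; the second is flagged three times (service-wide `iam:*`, the `iam:PassRole` it implies on every resource, and `lambda:UpdateFunctionCode` on every resource) and the third once for `Action: "*"`. The least-privilege policy is clean because its role assumption is pinned to one role ARN and further narrowed by a Condition. The same checker runs unchanged over policies pulled from an account inventory, which is the "govern machine identities" step the report asks for.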
The report also found that software supply chain risk has shifted toward the misuse of trusted connectivity, with the relevance of Software as a Service (SaaS) data rising to 23% of incidents in 2025.
Attackers also exploit interconnected Application Programming Interfaces (APIs) and poorly governed transitive libraries to achieve a “one-to-many” impact.
Meanwhile, nation-state actors from China, North Korea, and Iran have shifted their strategy toward long-term stealth by compromising deep infrastructure levels, such as virtualization and management layers, to maintain a permanent presence.
This refined tradecraft includes the use of highly deceptive “employment fraud,” where hackers create fake job portals and conduct fictitious interviews to trick unsuspecting employees into installing malware.
By prioritizing persistence over immediate disruption, these actors can remain hidden within a network for extended periods, turning legitimate corporate recruitment and information technology (IT) processes into direct paths for intelligence gathering.
To counter these threats, the report recommends that companies shift to Active Exposure Management by adopting integrated, automated containment and treating identity as their primary security boundary.
Organizations are also advised to move beyond static scanning to actively govern third-party integrations and machine identities before they can be weaponized.
Unit 42 is the global threat intelligence and incident response arm of Palo Alto Networks, a leading cybersecurity firm that provides specialized expertise and tools to help organizations handle complex digital threats. — Edg Adrian A. Eva