Report Shows Identity Remains Primary Entry Point for Attacks

The rise of machine-based identities and AI agents is expanding the attack surface for cybercriminals.


Identity is still the primary entry point for cyberattacks, according to Palo Alto Networks’ threat intelligence firm Unit 42. In its annual incident response report, Unit 42 found that identity-based techniques accounted for nearly two-thirds of all initial network intrusions last year. 

Social engineering was the leading attack method, accounting for one-third of the incidents Unit 42 responded to in the one-year period ending in September 2025. Attackers also bypassed security controls with compromised credentials, brute-force attacks, overly permissive identity policies and insider threats.

Unit 42’s report highlights the explosive impact of identity abuse, and pins much of the problem on poor security controls and misconfigurations across interconnected tools and systems. The rise of machine-based identities and AI agents, which require an identity to take action, is expanding the attack surface for cybercriminals. 

Identity challenges are manifesting in the software supply chain as well: API access and SaaS integrations become another weak link, and a way in for attackers, when the access keys behind them aren’t properly managed. Additional findings from the report include:

  • AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access to impact, while introducing new vectors. This speed shift is measurable: in 2025, exfiltration speeds for the fastest attacks quadrupled.
  • Identity has become the most reliable path to attacker success. Identity weaknesses played a material role in almost 90 percent of Unit 42 investigations. Attackers increasingly “log in” with stolen credentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally.
  • Software supply chain risk has expanded beyond vulnerable code to the misuse of trusted connectivity. Attackers exploit software-as-a-service (SaaS) integrations, vendor tools and application dependencies to bypass perimeters at scale.
  • Nation-state actors are adapting stealth and persistence tactics to modern enterprise operating environments. These actors increasingly rely on persona-driven infiltration (fake employment, synthetic identities) and deeper compromise of core infrastructure and virtualization platforms.

Several industry stakeholders also shared their thoughts on the report.

Ronald Lewis, Security Compliance and Auditing at Black Duck

"Many organizations are rushing toward Zero Trust by taking the fastest possible path, and that shortcut is becoming a security risk on its own. Most companies check a few boxes—turn on MFA, adopt SSO, add conditional access—and call it Zero Trust. 

"The problem is that partial implementations don’t deliver the actual benefits of Zero Trust. They create something that looks like progress but leaves big gaps in identity governance, SaaS sprawl, API trust chains, and machine-to-machine access. That false sense of safety is often more dangerous than having no Zero Trust at all.

"Attackers have figured this out, and AI is helping them do it faster. Instead of spending days or weeks mapping out an environment, adversaries use AI to scan identity systems, identify configuration drift, assess token handling practices, and identifying access patterns in minutes. 

"Anything that’s inconsistent, misaligned, or overly permissive stands out like a beacon. These aren’t weaknesses you see on a dashboard—they’re the cracks created when organizations settle for the “good enough” version of Zero Trust. This is super dangerous, as proven by Unit 42's research. 

"The success that attackers are seeing and the repercussions speak for themselves. AI is making privilege escalation, lateral movement, and account compromise easier and faster than ever. Stolen tokens bypass the very controls organizations think will save them. SaaS integrations become silent backdoors (remember Salesforce/Drift?). Machine identities multiply without governance. In other words, attackers aren’t breaking down the door—they’re simply walking through the side entrance left wide open by incomplete Zero Trust rollouts.

"What should organizations be doing differently? First, they need to recognize that Zero Trust isn’t a product—you can’t buy it, install it, and declare victory. It’s a posture, a set of behaviors, and a continuous validation model. The work begins after the initial deployment, not before. 

"That means tightening identity governance, validating trust on every connection, and treating machine identities with the same rigor as human ones. It also means closing the gaps between cloud, SaaS, and internal systems instead of assuming the tools will magically integrate cleanly.

"There is no substitute for the basics--cyber security basics, that is--such as supply chain management. Organizations need to widen their lens and treat supply chain risk—both software and AI—as part of the core Zero Trust strategy.

"The trust relationships inside SaaS, APIs, CI/CD, and AI models are increasingly where attackers gain access. Teams that focus only on user access miss the bigger picture. The path forward is a more mature, holistic approach: continuous verification across identities, applications, integrations, and AI systems. 

"Companies that embrace that shift will be far better positioned than those hoping a fast-path Zero Trust deployment will hold up under AI-powered pressure."

Sean Malone, CISO at BeyondTrust

"Unit 42’s report is a stark warning for anyone still defending a company like it's 2015: attackers aren’t picking a single lane anymore; they’re driving across all of them. When 87 percent of incidents span multiple attack surfaces and 90 percent abuse identity weaknesses, we're long past thinking of this as 'an endpoint problem' or 'an identity problem' in isolation. 

"Speed is the gut punch. When the fastest intrusions are hitting exfiltration in about an hour, you don’t have time for handoffs, ticket queues, or 'we’ll look at it after standup.' You either have orchestrated controls that can stop and contain fast, or you’re doing incident response later.

"Security teams need to nail the unglamorous-but-effective foundation: treat identity like production infrastructure, not a convenience layer. Deploy phishing-resistant MFA, leverage conditional access and Just-in-Time auth, kill excessive privilege, and get serious about token/session hygiene. Then assume compromise and shrink the blast radius: segment what matters, lock down egress, and make data paths explicit so exfiltration isn’t the default outcome. 

"Finally, move protection to where work actually happens: endpoint, browser, and SaaS. Harden workstation privilege, deploy managed browser policies and SSE/CASB controls. Rehearse and automate a 'first 30 minutes' playbook that’s ruthless: revoke sessions, rotate secrets, isolate high-value systems, and cut off outbound channels before access turns into impact."

Mark McClain, CEO at SailPoint

"Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security. 

"This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just who, or in the case of AI agents, what, has access to the enterprise, but what data they can access and what they are able to do once inside.

"The modern enterprise needs a new control plane, driven by unifying identity, data, and security. The combined power of these contexts enables real-time decisions to reduce risk without impacting the business. These decisions can be driven by the nature of the identity, the context of the apps and data it can access, the behavior around how it is using these apps and data, and the security signals and risk warnings that may surround it."

Shane Barney, CISO at Keeper Security

"Identity has become the attacker’s skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy. 

"Unit 42’s findings confirm what many security leaders already suspect: when identity controls are fragmented or overly permissive, attackers do not need novel exploits. They just need access that looks routine.

"What is making this more dangerous is the rapid proliferation of machine identities. Service accounts, API keys, automation roles and AI agents now outnumber human users in many environments. They are created instantly to support cloud workloads, DevOps pipelines and SaaS integrations, yet they rarely receive the same lifecycle governance as employees. 

"Credentials persist longer than intended. Permissions expand over time. Ownership becomes unclear. These gaps create durable, low-noise pathways for attackers. Compromising one over-privileged service account can provide broader and quieter access than compromising a senior executive.

"The response has to center on reducing implicit trust across both human and non-human identities. Phishing-resistant authentication should protect high-risk users. Standing administrative rights should give way to time-bound, just-in-time privilege with full session visibility. 

"Machine identities must be continuously discovered, tightly scoped to function, rotated regularly and assigned accountable owners. SaaS integrations and OAuth grants should be treated as privileged access channels, not background plumbing.

"Identity now defines the enterprise perimeter. When every identity is governed with least privilege and continuously validated, a stolen credential becomes a contained event instead of an enterprise-wide incident."

Collin Hogue-Spears, Sr. Director of Solution Management at Black Duck

"Identity is the primary attack vector because adversaries authenticate with harvested credentials faster than security teams detect the compromise. Credential theft is not a preliminary step; it is the attack. Unit 42 identified weaknesses in nearly 90 percent of their caseload, and the fastest adversaries completed full exfiltration in 72 minutes. No exploit chain. No zero-day. A valid login and a countdown.

"Security teams must deploy continuous access evaluation that revokes sessions and OAuth tokens in response to anomalous behavior in real time, not at scheduled expiry. If your tokens outlive the adversary's entire kill chain, you hand them a signed pass through every downstream system. Adversaries already know how long your SOC takes to notice. They built the entire kill chain to finish exfiltration before your first alert escalates."
