Unit 42: identity gaps drive 90%

- Palo Alto Networks’ Unit 42 said on Feb. 17 that identity weaknesses played a material role in 89% of investigations in its 2026 report.
- The report’s sharpest number was 72 minutes: the fastest attacks moved from initial access to data exfiltration four times faster than a year earlier.
- Unit 42’s report and related research point defenders to SaaS integrations, OIDC trust settings and token controls as immediate review points.

Palo Alto Networks’ Unit 42 said in its 2026 Global Incident Response Report that identity weaknesses played a material role in 89% of the investigations it handled, making identity the most consistent path to attacker success. The report, released on Feb. 17, was based on more than 750 incident response engagements and said 87% of intrusions involved activity across multiple attack surfaces. Unit 42 said attackers were increasingly “logging in” with stolen credentials and tokens rather than breaking in through a single technical flaw.

### Where does the 90% figure come from?

The Feb. 17 report puts the number at 89% of investigations, which Unit 42 and outside coverage rounded to “nearly 90%.” Palo Alto Networks said those identity weaknesses included fragmented identity estates, excessive trust and poor visibility, while CyberScoop reported the same findings as identity-related elements playing a critical role in nearly 90% of incidents. (paloaltonetworks.com)

Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42, said enterprise complexity had become “the adversary’s greatest advantage.” In the press release, Rubin said attackers were increasingly targeting credentials and using autonomous AI agents to bridge human and machine identities. (paloaltonetworks.com)

### Why are SaaS integrations showing up in a cloud incident report?

Unit 42 said attacks involving third-party SaaS applications had risen 3.8 times since 2022 and accounted for 23% of all attacks in the 2026 report. Palo Alto Networks said threat actors were abusing OAuth tokens and API keys for lateral movement, shifting software supply chain risk beyond vulnerable code and into trusted connectivity between applications and vendors. (paloaltonetworks.com)

CyberScoop reported that Unit 42 tied part of the problem to poor security controls and misconfigurations across interconnected tools and systems. Rubin told the publication that API access and SaaS integrations had become another weak link when control keys were not properly controlled. (paloaltonetworks.com)

### How does OIDC fit into that attack path?

Unit 42’s prior research on CI/CD environments said OpenID Connect plays a central role in cloud authentication for build and deployment workflows, and that misconfigurations can let threat actors gain unauthorized access to sensitive resources. The company’s third-party token-management research said dormant integrations, insecure storage and poor token rotation can turn trusted connections into supply-chain risk. (cyberscoop.com)

OWASP’s 2025 non-human identities guidance said CI/CD integrations commonly authenticate to cloud services with either static credentials or OIDC, and described static credentials as insecure. MITRE ATT&CK separately documents “Cloud Application Integration” as a persistence technique in which attackers leverage OAuth application integrations inside SaaS environments. (unit42.paloaltonetworks.com)

### What does the report say about speed?

Palo Alto Networks said the fastest attacks in 2025 took 72 minutes from initial access to data exfiltration, four times faster than the year before. That figure is separate from the user’s “under 72 hours” framing, but it supports the same point: Unit 42 says cloud and identity attacks are compressing fast enough that defenders cannot assume they have days to respond. (owasp.org)

The report also said 48% of attacks involved the browser, reflecting how often routine web sessions and SaaS use intersect with credential theft and session abuse. In practice, that places identity telemetry, browser activity and cloud logs in the same investigation path. That last sentence is an inference from Unit 42’s findings on browser-based activity and identity-driven intrusions. (paloaltonetworks.com)

### What should defenders check first?

Unit 42 said security leaders should reduce exposure by securing third-party dependencies and integrations, harden identity and access management to remove excessive trust, and give security operations teams consolidated telemetry with automated response. The company also said more than 90% of breaches were materially enabled by preventable gaps such as limited visibility, inconsistently applied controls and excessive identity trust. (paloaltonetworks.com)

A practical reading of the report is that identity review can no longer stop at workforce accounts. The sources point to machine identities, SaaS app connections, OIDC trust policies, OAuth token handling, API keys, privilege scope and token lifetime as the places where cloud control can be lost first and recovered last. That synthesis is drawn from Unit 42’s report, its OIDC and token-management research, and MITRE’s SaaS integration technique description. (paloaltonetworks.com)
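The OIDC trust policies in that checklist, as an added example that is not Unit 42’s or the report’s own code: an audit of a cloud role trust policy that flags the excessive-trust shapes the report warns about, with a weak policy beside its corrected form. It assumes AWS IAM roles federated to the GitHub Actions OIDC provider, a pairing the page does not specify, and the account id and repository names are constructed.

```python
# Added example (not Unit 42's or Palo Alto Networks' code): flags the OIDC
# trust-policy weaknesses the report points at. Assumes AWS IAM role trust
# policies federated to the GitHub Actions OIDC provider; the page names no
# platform, so that pairing, the account id and the repo names are constructed.
PROVIDER = "token.actions.githubusercontent.com"
FEDERATED = f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"  # constructed

def _conditions(stmt: dict) -> dict:
    """Flatten {operator: {key: value(s)}} into {key: [(operator, value), ...]}."""
    flat: dict = {}
    for op, pairs in stmt.get("Condition", {}).items():
        for key, val in pairs.items():
            for v in (val if isinstance(val, list) else [val]):
                flat.setdefault(key, []).append((op, v))
    return flat

def audit_trust_policy(policy: dict, provider: str = PROVIDER) -> list[str]:
    """Return one finding per excessive-trust weakness in OIDC Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        fed = stmt.get("Principal", {}).get("Federated", "")
        if stmt.get("Effect") != "Allow" or not fed.endswith("/" + provider):
            continue  # not an OIDC federation statement for this provider
        cond = _conditions(stmt)
        aud = cond.get(f"{provider}:aud", [])
        sub = cond.get(f"{provider}:sub", [])
        if not aud:  # any token the provider issues, for any audience, is accepted
            findings.append(f"stmt {i}: no aud condition")
        if not sub:  # every repository and workflow at the provider can assume the role
            findings.append(f"stmt {i}: no sub condition")
        for _, v in sub:
            if "*" in v or "?" in v:  # trust is not pinned to one repo and ref
                findings.append(f"stmt {i}: wildcard sub pattern {v!r}")
    return findings

# Constructed sample: the weak shape (no audience pinning, org-wide wildcard).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": FEDERATED},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{PROVIDER}:sub": "repo:example-org/*"}}}]}

# Constructed sample: the corrected shape, pinned to one audience, repo and branch.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": FEDERATED},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{PROVIDER}:aud": "sts.amazonaws.com",
        f"{PROVIDER}:sub": "repo:example-org/payments:ref:refs/heads/main"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_trust_policy(pol) or ["no findings"])
```

Real policies can be fed in from `aws iam get-role`, whose `Role.AssumeRolePolicyDocument` field is this same JSON structure.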

Shared from Scout - Be the smartest in the room.