Business Disruption, AI-Assisted Attacks, Insider Threats and Accelerated Intrusions on Multiple Fronts Define the New Cyberthreat Landscape
Palo Alto Networks Unit 42 today released its 2025 Global Incident Response Report, revealing that 86% of major cyber incidents in 2024 resulted in operational downtime, reputational damage or financial loss. The report (based on 500 major cyber incidents that Unit 42 responded to across 38 countries and every major industry) highlights a new trend: financially motivated attackers have shifted their focus to deliberate operational disruption, prioritizing sabotage – destroying systems, locking customers out and causing prolonged downtime – to maximize impact and pressure organizations into paying extortion demands.
The speed, sophistication and scale of attacks have reached unprecedented levels with AI-assisted threats and multipronged intrusions, underscoring that organizations faced an increasingly volatile threat landscape in 2024.
Key Findings — Cyberthreats Move Faster and Hit Harder
As attackers rewrite the rules of engagement, defenders scramble to keep up. The attacker's new playbook is multipronged, cloud-focused and AI-driven. The 2025 Global Incident Response Report highlights several trends:
- Cyberattacks Are Moving Faster than Ever – Attackers exfiltrated data in under 5 hours in 25% of incidents, which is three times faster than in 2021. What’s even more alarming is that in one in five cases, data theft occurred in under 1 hour.
- The Rise of Insider Threats – Insider-driven cyber incidents tied to North Korea tripled in 2024. North Korean state-sponsored actors have been observed infiltrating organizations by posing as IT professionals, securing employment and then methodically introducing backdoors, stealing data and even altering source code.
- Multipronged Attacks Are the New Norm – 70% of incidents involved attackers exploiting three or more attack surfaces, forcing security teams to defend endpoints, networks, cloud environments and the human factor in tandem.
- Phishing Makes a Comeback – After vulnerabilities took the top initial access vector spot last year, phishing has resurged as the most common entry point for cyberattacks, responsible for 23% of all initial access. Fueled by generative AI, phishing campaigns are now more sophisticated, convincing and scalable than ever.
- Cloud Attacks Are Increasing – Nearly 29% of cyber incidents involved cloud environments, with 21% causing operational damage to cloud environments or assets as threat actors embedded within misconfigured environments to scan vast networks for valuable data.
- AI Is Accelerating the Attack Lifecycle – Attackers use AI-driven methods to enable more convincing phishing campaigns, automate malware development and accelerate progression through the attack chain, making cyberattacks both harder to detect and faster to execute. In a controlled experiment, Unit 42 researchers found that AI-assisted attacks could reduce the time to exfiltration to just 25 minutes.
Why Cyberattacks Succeed — Attackers Exploit Complexity, Visibility Gaps and Excessive Trust
The report underscores three primary enablers that are allowing adversaries to succeed:
- Complexity Is Killing Security Effectiveness – 75% of incidents had evidence in logs, but silos prevented detection.
- Gaps in Visibility Allow Attacks to Go Undetected – 40% of cloud incidents stemmed from unmonitored cloud assets and shadow IT, making lateral movement easier for attackers.
- Excessive Trust Makes Attacks More Devastating – 41% of attacks leveraged excessive privileges, allowing lateral movement and privilege escalation.
Attackers have rewritten their playbooks, leveraging AI, automation and multipronged attack strategies to bypass traditional defenses. The time between initial compromise and full-scale impact is shrinking, making rapid detection, response and remediation critical.
The key to staying ahead in 2025 is to proactively secure networks, applications and cloud, as well as empower security operations with AI-driven detection and response for full visibility and faster threat mitigation.
Defenders need to adapt as the attacker playbook evolves. To stay informed, view the 2025 Unit 42 Global Incident Response Report.