Unit 42 Global Incident Response Report 2026: What It Means for Houston Businesses
How Attackers Are Using Stolen Credentials and Why It’s Harder to Catch Them – The Breach Window Shrank 75% Last Year; Your Response Plan Didn’t
TL;DR: The Unit 42 Global Incident Response Report 2026 analyzed 750+ cyber incidents and found that 90%+ of breaches were caused by preventable gaps – not sophisticated attacks. AI, stolen credentials, and weak identity controls are the biggest risks facing small and mid-sized businesses right now.
The Numbers Don’t Lie – And They Should Make You Uncomfortable
Palo Alto Networks’ Unit 42 team spent a year responding to more than 750 major cyber incidents across every major industry and more than 50 countries. The results are documented in the Unit 42 Global Incident Response Report 2026 – and what they found wasn’t a story about exotic zero-day exploits or nation-state wizardry. It was something far more practical – and more fixable.
In more than 90% of those breaches, preventable gaps made the intrusion possible. Limited visibility. Controls that weren’t applied consistently. Too much trust baked into identity and access systems that nobody had cleaned up in years. The attackers didn’t need to be brilliant. They just needed your business to have a soft spot they could find before you did.
For Houston and Katy area businesses operating with lean IT teams or no dedicated IT staff at all, that should land hard. The managed IT support gap isn’t just an inconvenience – according to this data, it’s a direct liability.
Trend 1: AI Has Become a Weapon – On Their Side
The report is blunt about this. AI is not making attackers smarter. It’s making them faster and more scalable. That’s the part that matters to your business.
- In 2024, the fastest 25% of attacks reached data exfiltration in 285 minutes. In 2025, that number dropped to 72 minutes – a 75% reduction in the window you have to detect and respond
- Attackers are using AI to write more convincing phishing emails, generate malware scripts, automate reconnaissance, and even run ransom negotiations without a human operator in the loop
- The report documented one case where an unsophisticated actor used an AI chatbot to script a professional extortion demand – complete with deadlines and pressure tactics – while clearly having no technical depth themselves
- Scanning for newly disclosed vulnerabilities now begins within 15 minutes of a CVE announcement, often before security teams have finished reading the advisory
- Nation-state operators from North Korea used AI-generated deepfakes to pass remote hiring processes at U.S. companies, gaining direct insider access
The window between “something happened” and “they have your data” is getting shorter every quarter. If your current managed IT support approach is reactive – meaning you call someone after things break – you’re operating on the wrong side of that timeline.
(Attack Surfaces Involved in Intrusions – Source: Unit 42 Global Incident Response Report 2026)
Trend 2: Your Logins Are the Front Door
Identity-based attacks showed up in nearly 90% of Unit 42 investigations in 2025. Not as a side detail – as a primary factor. The report put it plainly: attackers don’t need to break in when they can log in.
- 65% of all initial access was identity-driven – through phishing, stolen credentials, brute force, or misconfigured access policies
- Identity-based phishing alone accounted for 22% of initial access – tied with software vulnerabilities for the top spot
- Unit 42 analyzed more than 680,000 cloud identities across client accounts and found 99% had excessive permissions – many unused for 60 days or more
- Previously compromised credentials (passwords from old breaches sold on dark web markets) accounted for 13% of initial access
- Once inside, attackers routinely used those valid credentials to move laterally across systems while looking like normal users
The problem isn’t just weak passwords. It’s identity sprawl – service accounts that were never cleaned up, former employee logins that were never deactivated, third-party app integrations that still have admin access from a project that wrapped up two years ago. We see this constantly with Houston businesses that have grown quickly or changed vendors without doing a proper access audit.
Enforcing multi-factor authentication is the floor, not the ceiling. Searches for “small business cybersecurity near me” often lead people to MFA as the magic answer. It helps. But MFA can be bypassed through session token theft and adversary-in-the-middle attacks – both of which showed up frequently in this report. The whole identity system needs governance, not just a second login step.
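As an added illustration (not code from the Unit 42 report or from CinchOps), the following Python audit applies the report’s 60-day “unused” threshold to a constructed identity inventory: it flags identities that have not signed in within the window and permissions that were granted but never exercised, which covers the dormant accounts, stale service accounts and forgotten OAuth app grants described above. The identity names, permission labels and timestamps are all made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real tenant data). Each record holds the
# permissions granted to an identity and when each one was last exercised
# (None = never used). A real audit would pull this from the IdP/cloud logs.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=60)  # the report's threshold for "unused"

IDENTITIES = [
    {"name": "svc-reporting", "kind": "service", "enabled": True,
     "last_login": NOW - timedelta(days=3),
     "permissions": {"storage.read": NOW - timedelta(days=1),
                     "iam.admin": NOW - timedelta(days=400)}},
    {"name": "jdoe@example.com", "kind": "user", "enabled": True,
     "last_login": NOW - timedelta(days=190),
     "permissions": {"mail.read": NOW - timedelta(days=190)}},
    {"name": "crm-connector", "kind": "oauth_app", "enabled": True,
     "last_login": NOW - timedelta(days=700),
     "permissions": {"contacts.readwrite": None, "directory.admin": None}},
    {"name": "cfo@example.com", "kind": "user", "enabled": True,
     "last_login": NOW - timedelta(days=1),
     "permissions": {"finance.readwrite": NOW - timedelta(days=1)}},
    {"name": "former-intern", "kind": "user", "enabled": False,
     "last_login": None, "permissions": {"mail.read": None}},
]


def audit(identities, now=NOW, threshold=DORMANT_AFTER):
    """Return (identity, finding_type, detail) tuples for enabled identities.

    'dormant_identity': no sign-in within the threshold (or never).
    'unused_permission': a granted permission not exercised within the
    threshold (or never), i.e. an excessive permission to remove.
    Disabled identities are skipped because they cannot be logged into.
    """
    findings = []
    for ident in identities:
        if not ident["enabled"]:
            continue
        last = ident["last_login"]
        if last is None or now - last > threshold:
            findings.append((ident["name"], "dormant_identity", ident["kind"]))
        for perm, used in ident["permissions"].items():
            if used is None or now - used > threshold:
                findings.append((ident["name"], "unused_permission", perm))
    return findings


def excess_ratio(identities, now=NOW, threshold=DORMANT_AFTER):
    """Share of enabled identities carrying at least one unused permission
    (the metric behind the report's 99% excessive-permissions figure)."""
    enabled = [i for i in identities if i["enabled"]]
    flagged = {f[0] for f in audit(enabled, now, threshold)
               if f[1] == "unused_permission"}
    return len(flagged) / len(enabled) if enabled else 0.0
```

Running `audit(IDENTITIES)` flags the long-idle `iam.admin` grant on the active service account, the dormant user, and the OAuth connector whose admin-level grant was never used at all, while the active finance user produces no finding.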
(Nation State Cyber Activity – Source: Unit 42 Global Incident Response Report 2026)
Trend 3: Your Vendors Are an Attack Vector Now
Supply chain risk got a major spotlight in the 2026 report. SaaS integrations, vendor tools, and third-party application connections were implicated in a growing share of incidents – 23% of cases involved SaaS data in 2025, up from just 6% in 2022.
- When you connect a third-party app to your business systems via OAuth (the “log in with Google” style of permission grant), that app receives whatever access you originally approved – often more than it needs, and often forgotten
- Remote monitoring and management tools – the same type used by managed IT providers – were implicated in 39% of command-and-control techniques observed in investigations
- One case involved attackers who compromised a sales tool integration and used valid OAuth tokens to reach downstream customer data systems, with activity that looked like normal automation traffic
- Open-source code dependencies were flagged as a significant risk: more than 60% of vulnerabilities in cloud applications live in “transitive libraries” – software packages pulled in automatically by other packages your team never chose directly
For Houston SMBs using cloud-based tools like Microsoft 365, Salesforce, QuickBooks Online, or any SaaS platform with third-party add-ons, this is relevant. Dormant integrations and over-permissioned connectors are sitting in your environment right now. Most businesses have no idea how many.
(Extortion Tactic – Source: Unit 42 Global Incident Response Report 2026)
Trend 4: Ransomware Changed – But Not in Your Favor
The traditional ransomware model – encrypt everything and demand payment to get it back – declined in 2025. Only 78% of extortion cases involved encryption, down from consistently above 90% in prior years.
That sounds like good news. It’s not.
- Attackers have learned that they don’t need to lock you out of your own systems to extort you. Just stealing the data and threatening to publish it is enough.
- Data theft appeared in more than half of extortion cases year over year, and that number has held steady regardless of whether encryption happened
- Median initial ransom demands rose from $1.25 million in 2024 to $1.5 million in 2025
- Median actual payments also increased – from $267,500 to $500,000
- In 26% of extortion cases, attackers targeted and impaired backups as part of their attack, specifically to eliminate the victim’s ability to recover without paying
- Browser activity was involved in 48% of all investigations – up from 44% the prior year – reflecting how frequently attacks begin inside routine web sessions
The business disruption goes beyond the ransom payment. Manufacturing, distribution, shipping, and order processing have been shut down for extended periods across multiple cases profiled in this report. That operational impact hits revenue, customer relationships, and employee productivity in ways that are hard to fully quantify.
(Ransomware Demands – Source: Unit 42 Global Incident Response Report 2026)
How CinchOps Can Help
Most of what the Unit 42 report describes is fixable. Not easy – but fixable, especially with the right managed IT support partner who’s actually paying attention.
CinchOps works with small and mid-sized businesses across Houston, Katy, Sugar Land, and the surrounding area to close exactly the kinds of gaps this report documents. Here’s what that looks like in practice:
- Identity and access audits – We identify and clean up excessive permissions, dormant accounts, stale integrations, and legacy service accounts that create lateral movement paths for attackers
- Multi-factor authentication deployment and hardening – We go beyond basic MFA setup to implement phishing-resistant authentication methods and enforce conditional access policies that evaluate session risk continuously
- Patch management and vulnerability response – With attackers scanning for new vulnerabilities within 15 minutes of disclosure, automated patching on internet-facing systems is not optional. We handle this as a core managed IT function
- Network security monitoring – We maintain visibility across endpoints, cloud environments, and identity systems so that early-stage attacker behavior gets flagged before data leaves your building
- SaaS and third-party integration review – We help you inventory what’s connected to what, remove dormant OAuth connections, and apply least-privilege principles to vendor access
- Security awareness training – Phishing and social engineering tied for the top initial access vector. Your team is part of your security posture. We build that awareness systematically
- Business continuity and data backup – In 26% of cases, attackers targeted backups. We implement backup strategies that are isolated, tested, and resilient to ransomware attacks that try to eliminate your recovery options
- Incident response planning – We help you build and test a response plan so that if something does happen, your team knows exactly what to do in the first 72 minutes – not the first 72 hours
The Unit 42 data makes one thing clear: the gap between a detected threat and a contained breach now measures in minutes, not days. Businesses that have proactive managed IT support with real visibility are in a fundamentally different position than those operating without it.
If you’re not sure where your business stands, that’s exactly the conversation to have. CinchOps offers a network security assessment for Houston and Katy area businesses that gives you a clear, honest picture of where your exposures are – before an attacker finds them first.
❓Frequently Asked Questions
Q: How fast do cyberattacks move in 2026?
The fastest 25% of attacks reached full data exfiltration in just 72 minutes – down from 285 minutes the year before. For Houston SMBs without active network monitoring, that window is effectively zero.
Q: What is the most common way attackers get into a small business network?
Identity-based attacks were a factor in nearly 90% of Unit 42 investigations. Phishing and software vulnerabilities each accounted for 22% of initial access. In most cases, attackers didn’t break in – they logged in with credentials that weren’t properly protected.
Q: Does multi-factor authentication prevent these attacks?
MFA is necessary but not a complete solution. The report documented session token theft and adversary-in-the-middle techniques that bypass standard MFA. Phishing-resistant authentication and regular identity access audits are both required to close the gap.
Q: Why are backups targeted during ransomware attacks?
A business with working backups has less reason to pay. Unit 42 found attackers impaired backup systems in 26% of extortion cases – specifically to eliminate recovery options before the victim realized an attack was underway.
Q: How does managed IT support reduce the risk the Unit 42 report describes?
More than 90% of breaches came from preventable gaps – excessive permissions, missed patches, and limited visibility. Managed IT support addresses these proactively through access audits, automated patching, and continuous monitoring. For most Houston and Katy SMBs, it’s the only practical way to maintain that coverage.