
Cybersecurity's 72-Minute Challenge

"In the fastest cases, attackers moved from initial access to confirmed data exfiltration in just over an hour (72 minutes), representing a 4X year-over-year acceleration." That single line, lifted from Unit 42's findings, is both a statistic and a clock ticking on modern security operations centers (SOCs).

72-minute attacks and the speed gap

Unit 42 draws a clear line between capability and cadence: attackers are moving far faster, compressing timelines that once took days into hours or minutes. The 2026 Unit 42 Global Incident Response Report documents a dramatic acceleration: in the fastest incidents, adversaries went from initial access to confirmed exfiltration in 72 minutes. The consequence is what Unit 42 calls the "speed gap": when SOCs rely on manual triage and fragmented workflows, defenders react on a timeline attackers have already outpaced. "This is not a personnel problem; it's a process problem," the report states.

How attackers now enter: identity-driven initial access (65%)

Unit 42's investigations show a consistent pattern at the front door: identity-based techniques. According to the 2026 Unit 42 Global Incident Response Report, 65% of initial access is driven by compromised credentials, MFA manipulation, help-desk impersonation or other identity-focused tactics. Named adversaries such as Muddled Libra (aka Scattered Spider) and Spoiled Scorpius — the latter a distributor of RansomHub ransomware — exemplify how threat actors prefer "logging in" over "breaking in." In several cases, Spoiled Scorpius exfiltrated hundreds of gigabytes within hours after exploiting improperly secured remote access infrastructure.

From disconnected alerts to unified incidents: tooling that matters

The warning signs are often present across identity and endpoint controls, Unit 42 finds, but when multiple alerts appear in isolation each can look low priority. Investigators reviewed evidence from multiple sources in nearly every incident: "Per the Unit 42 Global Incident Response Report, in 87% of incidents investigators reviewed evidence from two or more distinct sources to establish what occurred," and complex cases used as many as ten sources. Without automated correlation, connecting those signals takes time that modern attackers do not allow.

To accelerate investigations, Unit 42 analysts use the Cortex SecOps platform to link unusual privileged account activity, PowerShell execution, abnormal authentication patterns, privilege escalation attempts and lateral movement indicators in context. For organizations pursuing broader SOC modernization, Managed XSIAM extends this model: AI-driven correlation, integrated response workflows, continuous SOC engineering and 24/7 expert-led operations. Unit 42 also offers Managed Detection and Response (MDR) that combines AI-driven automation with human threat hunters, and a breach response guarantee that includes 250 hours of Unit 42 Incident Response support.

Four operational shifts SOCs must make now

  • Move Beyond Sequential Workflows: Shift from linear "Triage → Investigate" models to workflows where enrichment happens automatically in parallel so analysts need not manually search multiple tools.
  • Correlate by Default: Related signals across identity, endpoint, cloud and network should automatically group into unified incidents to reduce investigation time and analyst fatigue.
  • Operationalize Response: Predefine containment actions for common scenarios — compromised accounts, suspicious PowerShell execution, malware activity or unauthorized remote access — because response decisions cannot begin from scratch when attackers move in minutes.
  • Prioritize Behavior Over Indicators: Focus on attacker behaviors such as rapid privilege escalation, impossible-travel logins, unusual access patterns or abnormal process execution chains, which often reveal malicious intent earlier than static indicators alone.
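The four shifts above describe one pipeline: group related signals per entity, judge them by behaviour rather than by single indicators, enrich in parallel, and attach a predefined containment action. The following is an added illustration of that pipeline in Python; it is not Unit 42, Cortex or XSIAM code, and the event schema, time window, speed threshold, lookup tables and action names are constructed assumptions. The sample telemetry is also constructed: one user whose identity alerts (a login from London and one from New York twenty minutes apart, an MFA reset, an addition to Domain Admins) and endpoint alert (an encoded PowerShell command) each look minor on their own, plus one benign user.

```python
"""Correlate isolated identity and endpoint signals into one incident per user,
flag attacker behaviours, enrich in parallel, and map behaviours to predefined
containment actions. Added illustration; not Unit 42, Cortex or XSIAM code.
Event schema, thresholds, lookups and action names are constructed assumptions."""
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed telemetry (not real logs). "ZQBjAGgAbwA=" is UTF-16LE "echo".
EVENTS = [
    {"ts": "2026-03-01T09:00:00", "source": "idp", "user": "jdoe", "type": "login",
     "geo": (51.5, -0.12)},   # London
    {"ts": "2026-03-01T09:20:00", "source": "idp", "user": "jdoe", "type": "login",
     "geo": (40.7, -74.0)},   # New York, 20 minutes later
    {"ts": "2026-03-01T09:25:00", "source": "idp", "user": "jdoe", "type": "mfa_reset"},
    {"ts": "2026-03-01T09:31:00", "source": "edr", "user": "jdoe", "host": "ws-17",
     "type": "process", "cmd": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="},
    {"ts": "2026-03-01T09:33:00", "source": "idp", "user": "jdoe", "type": "group_add",
     "group": "Domain Admins"},
    {"ts": "2026-03-01T10:05:00", "source": "edr", "user": "asmith", "host": "ws-02",
     "type": "process", "cmd": "notepad.exe"},
]

WINDOW = timedelta(minutes=60)   # assumption: events this close belong to one incident
MAX_KMH = 900                    # assumption: faster than airline travel is "impossible"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Predefined containment per behaviour, so response does not start from scratch.
CONTAINMENT = {
    "impossible_travel": "revoke_sessions_and_force_reauth",
    "mfa_manipulation": "lock_account_and_alert_helpdesk",
    "encoded_powershell": "isolate_host",
    "privilege_escalation": "remove_group_membership_and_page_oncall",
}
# Constructed enrichment sources, stand-ins for CMDB and HR directory lookups.
ASSET_CRITICALITY = {"ws-17": "high", "ws-02": "low"}
USER_ROLE = {"jdoe": "finance", "asmith": "engineering"}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def correlate(events, window=WINDOW):
    """Group events per user into incidents; a gap longer than `window` starts a new one."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    incidents = []
    for user, evs in by_user.items():
        group = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - group[-1]["ts"] > window:
                incidents.append({"user": user, "events": group})
                group = []
            group.append(e)
        incidents.append({"user": user, "events": group})
    return incidents


def detect_behaviours(events):
    """Behavioural checks over the grouped events rather than single static indicators."""
    found = set()
    logins = [e for e in events if e["type"] == "login" and "geo" in e]
    for a, b in zip(logins, logins[1:]):          # consecutive logins, time-ordered
        km = haversine_km(a["geo"], b["geo"])
        hours = (b["ts"] - a["ts"]).total_seconds() / 3600
        if km > 0 and (hours == 0 or km / hours > MAX_KMH):
            found.add("impossible_travel")
    for e in events:
        cmd = e.get("cmd", "").lower()
        if e["type"] == "mfa_reset":
            found.add("mfa_manipulation")
        if e["type"] == "process" and "powershell" in cmd and "-enc" in cmd:
            found.add("encoded_powershell")
        if e["type"] == "group_add" and e.get("group") in PRIVILEGED_GROUPS:
            found.add("privilege_escalation")
    return found


def enrich(incident):
    """Run independent lookups concurrently instead of one after another."""
    hosts = sorted({e["host"] for e in incident["events"] if e.get("host")})
    with ThreadPoolExecutor() as pool:
        role = pool.submit(USER_ROLE.get, incident["user"], "unknown")
        crit = pool.submit(lambda: {h: ASSET_CRITICALITY.get(h, "unknown") for h in hosts})
        return {"user_role": role.result(), "asset_criticality": crit.result()}


def triage(events):
    """Correlate, detect, enrich and attach predefined actions to each incident."""
    out = []
    for inc in correlate(events):
        behaviours = detect_behaviours(inc["events"])
        sources = {e["source"] for e in inc["events"]}
        if len(behaviours) >= 2 or (behaviours and len(sources) >= 2):
            severity = "high"          # several weak signals, or one seen from two sources
        elif behaviours:
            severity = "medium"
        else:
            severity = "low"
        out.append({**inc, "behaviours": behaviours, "sources": sources, "severity": severity,
                    "actions": sorted(CONTAINMENT[b] for b in behaviours), "context": enrich(inc)})
    return out


if __name__ == "__main__":
    for inc in triage(EVENTS):
        print(inc["user"], inc["severity"], sorted(inc["behaviours"]), inc["actions"])
```

Run stand-alone, the script produces one high-severity incident for jdoe carrying all four behaviours, both telemetry sources and four queued containment actions, and one low-severity incident for asmith with nothing to do. The point of the grouping step is visible in the scoring: none of jdoe's events would rate "high" on its own, and the severity only emerges once identity and endpoint signals are read together within the window.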

What this means for technologists, procurement leaders, and incident responders

  • Technologists and security teams should prioritize platforms and processes that provide real-time correlation across identity, endpoint, cloud and SaaS signals so alerts that look low‑priority in isolation become high‑confidence incidents when seen together.
  • Procurement leaders and C-suite decision-makers should evaluate options that combine AI-driven correlation with expert-led operations; Unit 42 points to Managed XSIAM and MDR as models that pair automation with human threat hunting and response guarantees.
  • Incident responders must codify and predefine containment playbooks for identity-driven scenarios and common lateral-movement patterns so that containment actions can execute immediately rather than being debated in the minutes that matter.

Unit 42's account is stark in its simplicity: attackers are exploiting identity vectors and automating speed, while defenders too often remain bound to sequential, manual workflows. The remedy the report prescribes is equally straightforward — automate correlation, enrich alerts in parallel, and bake response into the operating model — but doing so will test the technical and organizational will of security teams. The next entry in the Unit 42 series promises to drill deeper into this shift, noting it will "examine how identity-based attacks are rapidly replacing malware as the preferred path to compromise" and what organizations can do to defend against them.

Read the original Unit 42 article