Global Incident Response Report 2025

We see five major emerging trends reshaping the threat landscape.

• First, threat actors are augmenting traditional ransomware and extortion with attacks designed to intentionally disrupt operations. In 2024, 86% of incidents that Unit 42 responded to involved business disruption — spanning operational downtime, reputational damage or both.
• Second, software supply chain and cloud attacks are growing in both frequency and sophistication. In the cloud, threat actors often embed within misconfigured environments to scan vast networks for valuable data. In one campaign, attackers scanned more than 230 million unique targets for sensitive information.
• Third, the increasing speed of intrusions — amplified by automation and streamlined hacker toolkits — gives defenders minimal time to detect and respond. In nearly one in five cases, data exfiltration took place within the first hour of compromise.
• Fourth, organizations face an elevated risk of insider threats, as nation-states like North Korea target organizations to steal information and fund national initiatives. Insider threat cases tied to North Korea tripled in 2024.
• Fifth, early observations of AI-assisted attacks show how AI can amplify the scale and speed of intrusions.

Amid these trends, we're also seeing a multi-pronged approach in attacks, as threat actors target multiple areas of the attack surface. In fact, 70% of the incidents Unit 42 responded to happened on three or more fronts, underscoring the need to protect endpoints, networks, cloud environments and the human factor in tandem. And on the human element — nearly half of the security incidents (44%) we investigated involved a web browser, including phishing attacks, malicious redirects and malware downloads.

Drawing from thousands of incident responses over years of experience, we've identified three core enablers that allow adversaries to succeed: complexity, gaps in visibility and excessive trust. Fragmented security architectures, unmanaged assets and overly permissive accounts all give attackers the space they need to succeed.

To confront these challenges, security leaders must accelerate their journey to Zero Trust, reducing implicit trust across the ecosystem. Equally crucial is securing applications and cloud environments from development to runtime, ensuring that misconfigurations and vulnerabilities are swiftly addressed. Finally, it's essential to empower security operations to see more and respond faster — with consolidated visibility across on-premises, cloud and endpoint logs, as well as automation-driven threat detection and remediation.