# 2025 Unit 42 Incident Response Report --- Attacks Shift to Disruption

By [Sam Rubin](https://www.paloaltonetworks.com/blog/author/sam-rubin/?ts=markdown "Posts by Sam Rubin"), Feb 25, 2025

## Business Disruption, AI-Assisted Attacks, Insider Threats and Accelerated Intrusions on Multiple Fronts Define the New Cyberthreat Landscape

Palo Alto Networks Unit 42 today released its [2025 Global Incident Response Report](https://start.paloaltonetworks.com/unit-42-incident-response-report.html), revealing that 86% of major cyber incidents in 2024 resulted in operational downtime, reputational damage or financial loss.

The report (based on 500 major cyber incidents that Unit 42 responded to across 38 countries and every major industry) highlights a new trend: financially motivated attackers have shifted their focus to deliberate operational disruption, prioritizing sabotage -- destroying systems, locking customers out and causing prolonged downtime -- to maximize impact and pressure organizations into paying extortion demands.

The speed, sophistication and scale of attacks have reached unprecedented levels with AI-assisted threats and multipronged intrusions, underscoring that organizations faced an increasingly volatile threat landscape in 2024.

### Key Findings --- Cyberthreats Move Faster and Hit Harder

As attackers rewrite the rules of engagement, defenders scramble to keep up. The attacker's new playbook is multipronged, cloud-focused and AI-driven. The 2025 Global Incident Response Report highlights several trends:

* **Cyberattacks Are Moving Faster than Ever --** Attackers exfiltrated data in under 5 hours in 25% of incidents, which is three times faster than in 2021. What's even more alarming is that in one in five cases, data theft occurred in under 1 hour.
* **The Rise of [Insider Threats](https://paloaltonetworks.com/resources/datasheets/unit42-insider-threat-services) --** Insider-driven cyber [incidents tied to North Korea](https://unit42.paloaltonetworks.com/north-korean-it-workers/) tripled in 2024. North Korean state-sponsored actors have been observed infiltrating organizations by posing as IT professionals, securing employment and then methodically introducing backdoors, stealing data and even altering source code.
* **Multipronged Attacks Are the New Norm --** 70% of incidents involved attackers exploiting three or more attack surfaces, forcing security teams to defend endpoints, networks, cloud environments and the human factor in tandem.
* **Phishing Makes a Comeback --** After vulnerabilities took the top initial access vector spot last year, [phishing has resurged](https://unit42.paloaltonetworks.com/european-phishing-campaign/) as the most common entry point for cyberattacks, responsible for 23% of all initial access. Fueled by generative AI, phishing campaigns are now more sophisticated, convincing and scalable than ever.
* **Cloud Attacks Are Increasing --** Nearly 29% of [cyber incidents involved cloud environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/), with 21% causing operational damage to cloud environments or assets as threat actors embedded within misconfigured environments to scan vast networks for valuable data.
* **AI Is Accelerating the Attack Lifecycle --** Attackers use AI-driven methods to enable [more convincing phishing campaigns](https://unit42.paloaltonetworks.com/dynamics-of-deepfake-scams/), [automate malware development](https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/) and [accelerate progression through the attack chain](https://www.paloaltonetworks.com/blog/2023/11/palo-alto-networks-advises-u-s-government-on-ai-and-cybersecurity/?ts=markdown), making cyberattacks both harder to detect and faster to execute. In a controlled experiment, Unit 42 researchers found that AI-assisted attacks could reduce the time to exfiltration to just 25 minutes.

### Why Cyberattacks Succeed --- Attackers Exploit Complexity, Visibility Gaps and Excessive Trust

The report underscores three primary enablers that are allowing adversaries to succeed:

* **Complexity Is Killing Security Effectiveness --** 75% of incidents had evidence in logs, but [silos prevented detection](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown).
* **Gaps in Visibility Allow Attacks to Go Undetected --** 40% of cloud incidents stemmed from [unmonitored cloud assets](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) and shadow IT, making lateral movement easier for attackers.
* **Excessive Trust Makes Attacks More Devastating --** 41% of attacks [leveraged excessive privileges](https://www.paloaltonetworks.com/sase/ztna?ts=markdown), allowing lateral movement and privilege escalation.

Attackers have rewritten their playbooks, leveraging AI, automation and multipronged attack strategies to bypass traditional defenses. The time between initial compromise and full-scale impact is shrinking, making rapid detection, response and remediation critical.

The key to staying ahead in 2025 is to proactively secure networks, applications and cloud, as well as empower security operations with AI-driven detection and response for full visibility and faster threat mitigation.

Defenders need to adapt as the attacker playbook evolves. Stay informed and view the [2025 Unit 42 Global Incident Response Report](https://start.paloaltonetworks.com/unit-42-incident-response-report.html).