Threats don’t succeed because attackers hold an inherent offensive advantage, or because they’re smarter, or have access to some super-powered technology that defenders don’t. Quite the opposite. Attackers take the path of least resistance, finding ways to breach their targets the same way water leaks through a worn-out roof, through tiny holes and cracks, into dark places we can’t see, where the problem festers and gets worse.
Attacks succeed because defenders don’t know where the holes are, they have insufficient resources to seal them, and they lack visibility into parts of their environments where attackers may be hiding. In a sense, successful attacks hold a mirror up to the organization’s security posture.
Our 2025 Incident Response Report paints a compelling picture of these challenges:
- Almost a third of the cases we investigated were cloud-related, with 21% of cases adversely impacting cloud environments or assets. This is no surprise. The cloud has long been a weak point in terms of security. As business operations come to rely on the cloud, securing it becomes urgent.
- Identity and access management (IAM) issues grew more prevalent than the previous year. At least 18% of incidents involved weak, default or no passwords, while 6% involved password reuse. Excessive policy access was granted in 7% of incidents, and at least 14% of accounts were granted excessive permissions. While more organizations are using multi-factor authentication (MFA), 25% of incidents we investigated involved impact to accounts without MFA. As such, these accounts aren’t hard to compromise, especially with AI-powered phishing techniques, and they grant threat actors huge capability to do damage.
- Attackers are getting better at defensive evasion and other covert methods through EDR-disabling tools and living-off-the-land techniques. These tactics allow them to hide within the “noise” of expected user activity. Defenders lack the correlation capabilities to detect subtle attack patterns.
We observed attackers moving within an hour of compromise in almost 20% of cases, causing both severe operational disruption and cascading impacts, from downtime and service outages to costs reaching billions of dollars.
Though every organization is unique, we found that attackers succeeded this past year for three primary reasons:
- Complexity within the security ecosystem.
- Gaps in visibility.
- Excessive trust.
Now let’s talk about what you can do about them.
Complex Security Is Slow Security
There’s a tool for every security problem you could imagine, and by that logic, more tools should equal more coverage and better security. We’ve seen organizations with over 50 security tools in use, but without sharing telemetry or integrating with each other, these tools create more silos than comprehensive coverage.
In 75% of incidents we investigated, critical evidence of the initial intrusion was present in the logs. However, due to complex, disjointed systems, that information wasn’t readily accessible or effectively operationalized. In one ransomware case, endpoint logs revealed lateral movement, but initial access signals were buried in unmonitored network logs. This kind of operational complexity obscures detection, delays response times and provides cover for malicious actors to advance their attacks.
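The ransomware case above is a correlation problem: the endpoint log shows the hops, the network log shows the entry, and nobody joins them. The script below is an added illustration, not code from the report or from any Palo Alto Networks product. It parses two small constructed logs (an unmonitored VPN/firewall log and a monitored EDR log), joins each lateral-movement event to the external connections that reached that host shortly before, and then walks the chain of hops. The log format, the `10.0.0.0/8` internal range, the two-hour lookback and the `remote_service_create` event name are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the report). The network log is
# collected but unmonitored; the endpoint log is what the SOC actually watches.
NETWORK_LOG = """\
2025-03-02T01:14:07Z vpn user=svc_backup src=203.0.113.10 dst=10.0.5.21 event=login result=success
2025-03-02T01:20:41Z fw src=203.0.113.10 dst=10.0.5.21 dport=3389 action=allow
2025-03-02T08:30:00Z fw src=10.0.5.40 dst=10.0.9.2 dport=443 action=allow
"""
ENDPOINT_LOG = """\
2025-03-02T02:05:13Z edr host=10.0.5.21 user=svc_backup event=remote_service_create target=10.0.5.30
2025-03-02T02:09:50Z edr host=10.0.5.30 user=svc_backup event=remote_service_create target=10.0.6.12
2025-03-02T09:00:00Z edr host=10.0.5.40 user=alice event=process_start image=outlook.exe
"""

# Address space the organization treats as internal (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse '<timestamp> <source> k=v k=v ...' into a dict with a datetime ts."""
    ts_str, source, rest = line.split(maxsplit=2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def correlate(network_log, endpoint_log, lookback=timedelta(hours=2)):
    """Join endpoint lateral-movement events to the external network activity
    that preceded them on the same host, then follow the chain of hops."""
    net = parse_log(network_log)
    lateral = sorted((e for e in parse_log(endpoint_log)
                      if e.get("event") == "remote_service_create"),
                     key=lambda e: e["ts"])
    findings, explained = [], set()
    for ev in lateral:
        if ev["host"] in explained:   # already part of an earlier chain
            continue
        # Initial-access signals: external sources reaching this host shortly before.
        signals = [n for n in net
                   if n.get("dst") == ev["host"]
                   and not is_internal(n.get("src", ""))
                   and ev["ts"] - lookback <= n["ts"] <= ev["ts"]]
        if not signals:
            continue
        # Walk host -> target -> next target using the endpoint data alone.
        path, current = [ev["host"]], ev
        while current is not None:
            path.append(current["target"])
            explained.add(current["host"])
            src_host, after = current["target"], current["ts"]
            current = next((e for e in lateral
                            if e["host"] == src_host and e["ts"] > after
                            and e["target"] not in path), None)
        findings.append({
            "entry_host": ev["host"],
            "entry_signals": [f"{n['ts'].isoformat()} {n['source']} src={n['src']}"
                              for n in signals],
            "lateral_path": path,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(NETWORK_LOG, ENDPOINT_LOG):
        print(f"entry via {f['entry_host']}: {' -> '.join(f['lateral_path'])}")
        for s in f["entry_signals"]:
            print("   ", s)
```

Run with only the endpoint log (pass an empty string for the network log) and the function returns nothing: the two hops are still visible in the EDR data, but without the network side there is no entry point to anchor them to, which is exactly the gap the case above describes.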
The goal of security tools is to provide a holistic view for analysts. A complete, clear, actionable view would allow them to detect attack patterns early and respond at machine speed. The Cortex platform was designed to enable just that. Cortex integrates all your tools into a single platform to provide a single source of truth. Built-in behavioral models and machine-learning-driven analysis give analysts the full, real-time picture of an attack and empower them to respond with precision.
Visibility Gaps Allow Easy Access Points
“You can’t defend what you can’t see” is as powerful a truth as it is a tired cliché.
At the network level, east-west traffic often goes unmonitored, while misconfigured firewalls, proxies and security information and event management (SIEM) rules may allow key events to go unlogged. Visibility becomes especially hard outside the network perimeter, such as in the cases of hybrid architectures and remote workforces. Remote endpoints may miss updates or policy enforcement, and endpoint detection and response (EDR) agents may be disabled, wrongly configured or completely uninstalled.
This allows attackers to traverse multiple domains to carry out their objectives. Issues with security tools and management contributed to nearly 40% of cases, allowing attackers to establish a foothold, move laterally and escalate privileges without detection. Nearly half of attacks began in the web browser, a common weak spot through which attackers conduct phishing attempts, malicious redirects and malware downloads.
Then there’s the cloud. In 2024, 29% of cases were cloud-related. In 21% of cases, we saw threat actors inflict damage to cloud assets. We saw threat groups like Bling Libra and Muddled Libra exploit misconfigurations in the cloud and leverage exposed credentials to gain access to the target’s cloud environment. In one cloud case, attackers exfiltrated data by leveraging an unmonitored, privileged AWS account, which went undetected because the cloud service was not integrated with the SOC.
Cloud environments are fast and flexible. Services are usually provisioned by individual teams rather than centralized IT, and these services are often temporary. The 2025 Global Incident Response Report found that organizations spin up an average of 300 new cloud services each month. Cloud activity and assets often leave security out of the loop, creating shadow IT in the cloud that may be missed entirely by monitoring tools. As such, they are often rife with misconfigurations, unclear ownership or tagging, and deviations from established security and compliance policies.
Cortex Cloud brings cloud environments into the fold of security. By combining application security, cloud posture management and runtime protection into a single platform, Cortex Cloud allows security teams to manage risks from the development phase through runtime operations. The platform offers comprehensive visibility into cloud assets and configurations for better risk assessment and vulnerability management.
Meanwhile, Prisma Browser is the secure browser that team members work within, extending security policies to this medium. The platform blocks phishing sites, malicious redirects and malware in real time while securing browser access to SaaS apps and preventing unauthorized activity.
Excessive Trust Creates Excessive Risk
Our 2025 Global Incident Response Report found that 41% of cases involved issues with identity and access management, including excessive privilege misuse, allowing attackers to move laterally or escalate their own permissions. Insider threats also increased, particularly in the form of North Korean rogue assets (nation-state actors posing as IT workers who apply to open positions using stolen identities).
Identity sits at the core of security: Who’s doing what, and should they be doing it?
As such, IAM serves as a gatekeeper for organizational access. However, between overprivileged accounts, bad password hygiene and vulnerabilities like hard-coded credentials, IAM can become a single point of failure. When roles are poorly segregated, attackers can start by compromising a low-access account and climb the permission ladder by chaining together access flaws.
Because this activity happens through a legitimate account, bad actors can blend in with normal network activity.
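The “permission ladder” starts with a policy that grants more than a role needs. The following is an added example, not code or guidance from the report or from Unit 42: a small audit that reads policy documents in the AWS IAM JSON shape and flags three least-privilege problems, a wildcard action, an action that lets the principal change its own or others’ permissions, and a write action with `Resource: "*"`. The sample policies, the account number and the list of permission-changing actions are constructed for the example; `deploy-helper` is the weak version and `deploy-helper-scoped` is its scoped-down rewrite.

```python
import fnmatch

# Constructed sample policies in the AWS IAM JSON shape (illustrative, not from
# any real account). "deploy-helper" is the weak version; "deploy-helper-scoped"
# is the least-privilege rewrite of the same job.
POLICIES = {
    "backup-operator": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-backups",
                                    "arn:aws:s3:::example-backups/*"]}],
    },
    "legacy-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "deploy-helper": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["ec2:*", "iam:AttachUserPolicy"],
                       "Resource": "*"}],
    },
    "deploy-helper-scoped": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["ec2:DescribeInstances", "ec2:StartInstances",
                                  "ec2:StopInstances"],
                       "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
                       "Condition": {"StringEquals": {"ec2:ResourceTag/team": "deploy"}}}],
    },
}

# Actions that let a principal change who can do what; a grant here is the first
# rung of the "permission ladder". Assumed starter list, extend per environment.
PERMISSION_CHANGING = [
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
    "iam:PassRole",
]
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def covers(granted, action):
    """True if a policy action (possibly a glob such as 'iam:*') covers `action`."""
    return fnmatch.fnmatchcase(action.lower(), granted.lower())


def audit_policy(name, doc):
    """Return (code, detail) findings for one policy document."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(("WILDCARD_ACTION", f"statement {i}: {action}"))
            reachable = [p for p in PERMISSION_CHANGING if covers(action, p)]
            if reachable:
                findings.append(("PERMISSION_CHANGING",
                                 f"statement {i}: {action} covers {', '.join(reachable)}"))
        if "*" in resources:
            # Any non-read action on every resource is an unscoped grant.
            writes = [a for a in actions
                      if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
            if writes:
                findings.append(("UNSCOPED_RESOURCE",
                                 f"statement {i}: Resource '*' with {', '.join(writes)}"))
    return findings


def audit_all(policies):
    return {name: audit_policy(name, doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in audit_all(POLICIES).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for code, detail in findings:
            print(f"    {code}: {detail}")
```

The two `deploy-helper` policies do the same job; only the scoped one passes, because it names the handful of actions the role actually performs, restricts them to tagged instances in one account and region, and grants nothing that touches IAM itself.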
Tactics Reflect These Weaknesses
Our research saw 70% of incidents unfold across at least three different attack vectors, with some spanning as many as eight. Complexity concealed the attacker’s presence, low visibility delayed detection, and excessive trust worsened the impact.
Attackers are evolving their tactics, techniques and procedures (TTPs) to take advantage of these weaknesses.
- Attacks involving the browser are prevalent, accounting for almost half of the security incidents we investigated, often taking the form of phishing, abusive URL redirects and malware downloads. Most endpoint and network security tools don’t monitor in-browser behavior or extensions, nor can they differentiate between legitimate and attacker-driven browser sessions. Because many team members work all day in the browser, they assume that anything in the browser is safe.
- Living-off-the-land techniques exploit native infrastructure and utilities, like PowerShell, to execute system commands, inject malicious code, dump credentials and more. Complexity lends itself to tool overlap, which creates noise for attackers to hide within. Without an established baseline of behavior, detecting abnormal activity by legitimate tools becomes impossible. Not to mention, IT, security and DevOps teams are more likely to trust native tools.
- Phishing or previously compromised credentials were the initial access vector for 39% of incidents we investigated. We observed attackers using deepfakes and AI-crafted phishing campaigns to create malicious assets that seem much more authentic than in previous years. Even well-trained and well-resourced organizations were compromised through these methods. Again, security teams often lack the granularity to identify suspicious behavior from legitimate accounts.
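The living-off-the-land point above turns on having a baseline: a native tool is only “abnormal” relative to who normally runs it, where, and from what parent. The script below is an added example, not code from the report or from any Cortex product. It learns, from a constructed set of process-start events, which native utilities each user runs on each host, then scores new events and raises an alert when a listed native tool appears for a user/host pair that has never used it, or when a document-handling application is its parent. The event format, the host and user names, and the two lists of tools and parent applications are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample process-start events (not from the report). The first set
# represents a learning period; the second is new telemetry to score.
BASELINE_EVENTS = """\
2025-02-10T09:01:00Z host=WS-01 user=alice parent=explorer.exe image=outlook.exe
2025-02-10T09:05:00Z host=WS-01 user=alice parent=explorer.exe image=excel.exe
2025-02-10T10:00:00Z host=ADM-01 user=ops parent=cmd.exe image=powershell.exe
2025-02-11T10:00:00Z host=ADM-01 user=ops parent=cmd.exe image=powershell.exe
2025-02-11T14:00:00Z host=WS-02 user=bob parent=explorer.exe image=chrome.exe
"""
NEW_EVENTS = """\
2025-03-01T10:02:00Z host=ADM-01 user=ops parent=cmd.exe image=powershell.exe
2025-03-01T11:30:00Z host=WS-01 user=alice parent=winword.exe image=powershell.exe
2025-03-01T12:00:00Z host=WS-02 user=bob parent=explorer.exe image=chrome.exe
2025-03-01T12:15:00Z host=WS-02 user=bob parent=explorer.exe image=wmic.exe
"""

# Native utilities commonly involved in living-off-the-land activity, and
# document-handling parents that should rarely spawn them. Assumed lists.
NATIVE_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def parse_events(text):
    """Parse '<timestamp> k=v k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(maxsplit=1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = ts
        events.append(fields)
    return events


def build_baseline(events):
    """Map (host, user) -> set of images seen during the learning period."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(e["host"], e["user"])].add(e["image"].lower())
    return baseline


def detect(events, baseline):
    """Score new events against the baseline; return alerts with reasons."""
    alerts = []
    for e in events:
        image, parent = e["image"].lower(), e["parent"].lower()
        if image not in NATIVE_TOOLS:
            continue
        reasons = []
        if image not in baseline.get((e["host"], e["user"]), set()):
            reasons.append("NEW_NATIVE_TOOL")   # never seen for this user on this host
        if parent in OFFICE_APPS:
            reasons.append("OFFICE_PARENT")     # document app launching a shell
        if reasons:
            alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                           "image": image, "parent": parent, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_EVENTS))
    for a in detect(parse_events(NEW_EVENTS), base):
        print(f"{a['ts']} {a['user']}@{a['host']} {a['parent']} -> {a['image']}: "
              f"{', '.join(a['reasons'])}")
```

Note that the administrator’s daily PowerShell use on the admin host is not flagged, because the baseline already contains it; the same binary launched by a workstation user from a Word document is. That is the difference a baseline makes, and why a rule on the tool name alone produces the noise the text describes.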
All of these techniques exploit the trust that teams implicitly place in their tools and procedures, which allows attackers to work subtly, evading detection and maximizing impact.
Defend from Every Angle
From AI to cloud-native architectures and beyond, technology is advancing at a pace and direction that makes these issues less and less tenable. Teams are often so overwhelmed with the daily work of security that they lack the means to make broader improvements to the security function, and sometimes struggle to even respond to live incidents.
A trusted partner, like Unit 42, puts elite researchers, responders and threat hunters in your corner. Our world-renowned team will guide you before, during and after an incident with an intelligence-driven approach:
- Cloud IR Assessment
We’ll help you align your security program to the dynamic and distributed nature of modern cloud environments, ensuring effective protection from development through deployment.
- Zero Trust Advisory
Let us help you gain the foundational visibility needed to focus your zero trust efforts where they’ll have the greatest impact. We’ll connect zero trust to outcomes that matter and help secure executive support and investment by tying strategy to business impact.
- Unit 42 Retainer
Our experts become an extension of your team, monitoring your organization 24/7. They’ll become well-versed in your environment so they can respond quickly and accurately, should an incident occur.
For a deep dive into the latest threat research and tips on how defenders can turn the tables on threat actors, check out the full 2025 Unit 42 Global Incident Response Report. To hear more about how Unit 42 can help evolve your security strategy, reach out to us.
FAQs on Threat Actors:
- Why do threat actors succeed, even against well-resourced organizations?
Threat actors succeed by exploiting weaknesses, like insufficient visibility into an organization's environment, a lack of resources to address vulnerabilities, or the complexity of security ecosystems that creates blind spots.
- What are the primary reasons for successful attacks, according to the 2025 Incident Response Report?
The 2025 Incident Response Report identifies three main reasons for successful attacks: complexity within the security ecosystem, gaps in visibility and excessive trust within an organization's systems and user access. These factors create opportunities for attackers to hide and move quickly, causing significant damage.
- How can organizations defend themselves against these evolving threats?
Organizations can defend themselves by addressing the root causes of successful attacks. This includes consolidating security tools into integrated platforms, like Cortex, to gain a holistic view; improving visibility across all environments (including cloud and remote workforces) with solutions like Cortex Cloud and Prisma Browser; and implementing a strong IAM strategy to reduce excessive trust and prevent privilege misuse. Partnering with experts like Unit 42 can also provide intelligence-driven guidance and support.