Identity abuse now drives nearly two-thirds of all breaches, according to a Feb. 17 report by the Unit 42 research group at Palo Alto Networks.Unit 42’s report found that 65% of initial access was driven by identity-based techniques, such as social engineering and credential misuse, while vulnerabilities account for initial access in 22% of these attacks.Here’s a quick list of some of the report’s other highlights:"Unit 42’s report emphasizes that identity has become the primary entry point for attacks,” said Jason Fruge, CISO-in-residence at XM Cyber. “Organizations should prioritize remediation by assessing CVEs based on their proximity to privileged identities and other identity-related exposures. Treat a CVE affecting a critical account or identity key as a top priority, regardless of its standalone score. Effective prioritization requires eliminating these interconnected attack paths before they are exploited."Shane Barney, CISO at Keeper Security, explained that identity has become the attacker’s "skeleton key." Instead of forcing their way through a firewall, Barney said adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy.“Unit 42’s findings confirm what many security leaders already suspect: when identity controls are fragmented or overly permissive, attackers do not need novel exploits,” said Barney. “They just need access that looks routine.”Barney added that what makes this all the more dangerous is the rapid proliferation of machine identities. Service accounts, API keys, automation roles and AI agents now outnumber human users in many environments. They are created instantly to support cloud workloads, DevOps pipelines and SaaS integrations, yet they rarely receive the same lifecycle governance as employees.“Credentials persist longer than intended,” said Barney. “Permissions expand over time, and ownership becomes unclear. These gaps create durable, low-noise pathways for attackers. Compromising one over-privileged service account can provide broader and quieter access than compromising a senior executive.”Sean Malone, CISO at BeyondTrust, added that Unit 42’s report is a stark warning for anyone still defending a company like it's 2015. Attackers aren’t picking a single lane anymore; they’re driving across all of them. Malone said when 87% of incidents span multiple attack surfaces and 90% abuse identity weaknesses, we're long past thinking of this as “an endpoint problem” or “an identity problem" in isolation.“Speed is the gut punch,” said Malone. “When the fastest intrusions are hitting exfiltration in about an hour, you don’t have time for handoffs, ticket queues, or ‘we’ll look at it after standup.’ You either have orchestrated controls that can stop and contain fast, or you’re doing incident response later.”Roy Katmor, co-founder and CEO of Orchid Security, said Unit 42's findings show that the traditional network boundary has dissolved: Access decisions across SaaS, cloud, APIs and automation now define the real boundary, so when identity becomes the control plane, it becomes the perimeter.“Identity isn’t centrally installed,” said Katmor. “Every app, workload, integration, and automation onboards its own identities and auth paths: local users, service accounts, API keys/tokens, legacy directories, external domains, and now autonomous agent identities. Even strong IAM programs typically cover only part of this surface.”Here are three tips from Katmor for how teams can manage these challenges:
- AI bolsters attack speeds: Threat actors increasingly leverage AI and advanced automation, which resulted in the time from initial access to data exfiltration plummeting to just 72 minutes in the fastest attacks — a 4x increase in speed over the past year.
- Attack complexity expands: 87% of attacks span two or more attack surfaces, blending activity across endpoints, cloud, SaaS platforms and identity systems.
- The browser has become the primary attack focus: 48% percent of attacks involve the browser, reflecting how routine web sessions are weaponized to harvest credentials and bypass local controls.
- SaaS supply chain attacks increase: Attacks targeting third-party SaaS applications have surged nearly 4x since 2022, accounting for 23% of all attacks as threat actors abuse OAuth tokens and API keys to conduct lateral movement.
- Observability: Unify auditing across IAM and unmanaged apps so bypass paths stop being blind spots; correlate identity events to business context; treat non-human identities (NHIs) as first-class signals.
- Hygiene: Continuously discover orphaned/dormant identities, rotate/expire long-lived tokens, retire/lock down unmanaged auth paths, and enforce least privilege based on actual usage.
- Incident response readiness: Build playbooks for NHI compromise and enable fast scoping: “where else was this identity used?” across the entire environment.





