Identity Abuse Now Accounts for Nearly Two-Thirds of Cyber Breaches: Understanding the Shift in Threat Landscape

Cybersecurity Breaches: The Importance of Identity Security

The majority of cybersecurity breaches begin with the exploitation of identity, according to a recent report by Palo Alto Networks’ threat intelligence unit, Unit 42.

Key Findings

The report, which analyzed 750 incidents over a one-year period ending in September 2025, found that nearly two-thirds of initial network intrusions were the result of identity-based attacks.

Social engineering tactics, which involve manipulating individuals into divulging sensitive information or performing certain actions, were the leading method of attack, accounting for one-third of all incidents.

Attackers also used compromised credentials, brute-force attacks, and overly permissive identity policies to bypass security controls and gain unauthorized access to networks.

Insider Threats and Identity Security

Insider threats, which involve individuals with authorized access to a network intentionally or unintentionally compromising security, also played a significant role in many incidents.

According to Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42, “once an attacker has an identity, they have everything they need to gain access to a network.”

Rubin notes that enterprises continue to struggle with detecting identity-based attacks, as they often do not involve unauthorized access from a technical standpoint.

Vulnerability Exploits and the Software Supply Chain

The report also found that vulnerability exploits, while still a significant threat, accounted for only 22% of initial intrusions.

This is likely due to the increasing use of machine-based identities and AI agents, which require an identity to take action and are expanding the attack surface for cybercriminals.

The software supply chain is also becoming a growing concern, as API access and SaaS integrations provide new avenues for attackers to gain access to networks.

Financially Motivated Attacks and the Importance of Detection and Response

Attackers are also using branch offices as an entry point to gain access to a victim’s headquarters or data centers, often due to over-permissioned accounts and a lack of segmentation.

Rubin notes that large and older organizations are at a greater disadvantage due to their complex technology stacks, which often include legacy systems acquired through various business deals.

The report also found that financially motivated attacks accounted for the majority of incidents, with median payments increasing 87% year-over-year to $500,000.

Attackers are also becoming more efficient, with data exfiltration occurring in under two days in many cases.

Conclusion

Overall, the report highlights the critical importance of robust identity security controls and the need for enterprises to improve their detection and response capabilities to identity-based attacks.

