Attackers Got 4x Faster. Did Your Security Team?
Unit 42 says attackers are moving four times faster than they were a year ago. Having watched incident response evolve over two decades, I can tell you the real problem is not the speed.
Unit 42 dropped their 2026 Global Incident Response Report this week and the headline number is a good one for scaring executives: attackers are now operating four times faster than they were a year ago. I have been doing incident response work in various forms since the mid-2000s, and my reaction to that number is something between "yes, obviously" and "that is not actually the problem."
The speed thing is real. When I was doing forensics early in my career, a threat actor getting from initial access to domain admin in a few days was considered fast. Then it became hours. Now Unit 42 is documenting cases where the entire kill chain, from phishing click to ransomware detonation, is under 25 minutes. That is genuinely alarming if you are still running a security program designed for the old pace.
But here is the thing I keep coming back to: speed is not the root cause, it is a symptom. Attackers are faster because the attack surface got dramatically larger, the tooling got dramatically better, and most enterprise environments are still running detection and response programs that were architected in 2018. AI-assisted attack tooling is not science fiction anymore. It is being actively used to automate reconnaissance, generate convincing phishing lures, and adapt payloads to evade detection in real time. The attackers got a massive capability upgrade and most defenders got... a bigger dashboard.
I spent several years at RSA briefing C-suite executives on exactly this dynamic. The conversation never really changed. Show them a scary number, watch them approve a budget, watch the vendor sell them a platform that produces more alerts than the team can process. Rinse and repeat. The 4x faster stat is going to land exactly the same way in a lot of boardrooms next quarter.
What actually matters in that report, and what tends to get buried under the headline, is the identity angle. Unit 42 flagged identity, AI, and supply chain exposure as the three pillars of modern attack campaigns. That tracks completely with what I see. The fastest attacks are not zero-day exploits, they are credential abuse. Stolen token, valid session, lateral movement, data out the door. No malware, no signature, no alert. The whole thing looks like a legitimate user doing legitimate things, just a little faster than normal and at 3am.
The product implication here, and I think about this constantly as someone building in the AI and security space, is that the tools we have were built to detect anomalies in a world where human behavior was the baseline. When your environment has AI agents, automated pipelines, and non-human identities doing things at machine speed around the clock, "anomalous" becomes a much harder thing to define. The 4x faster attacker is not your biggest problem. Your biggest problem is that your detection logic was written for a slower, more human world that no longer exists.
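To make the baseline problem concrete, here is an added example (not from Unit 42 or from any product mentioned in this post) that runs a human-hours rule and a per-identity profile over the same events. Every identity, address, rate and threshold in it is constructed, and the exact-hour match is a deliberate simplification.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (identity, ISO timestamp, source, requests per minute)
HISTORY = [
    ("alice", "2026-01-12T09:14:00", "10.0.4.21", 6),
    ("alice", "2026-01-12T15:40:00", "10.0.4.21", 9),
    ("alice", "2026-01-13T10:05:00", "10.0.4.21", 7),
    ("svc-backup", "2026-01-12T03:00:00", "10.0.9.5", 400),
    ("svc-backup", "2026-01-13T03:00:00", "10.0.9.5", 420),
]
NEW = [
    ("svc-backup", "2026-01-14T03:00:00", "10.0.9.5", 410),   # routine nightly job
    ("alice", "2026-01-14T03:07:00", "10.0.4.21", 40),        # valid session, odd hour, fast
    ("svc-backup", "2026-01-14T03:20:00", "10.0.7.77", 380),  # same token, unfamiliar host
]

def naive_off_hours(event):
    """Human-world rule: anything outside 07:00-19:00 is anomalous."""
    return not 7 <= datetime.fromisoformat(event[1]).hour < 19

def build_baselines(history):
    """Per-identity profile: hours seen, sources seen, peak request rate."""
    base = defaultdict(lambda: {"hours": set(), "sources": set(), "peak": 0})
    for ident, ts, src, rate in history:
        b = base[ident]
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["sources"].add(src)
        b["peak"] = max(b["peak"], rate)
    return base

def deviations(event, base, rate_factor=3):
    """Reasons this event departs from its own identity's profile."""
    ident, ts, src, rate = event
    b = base.get(ident)
    if b is None:
        return ["unknown identity"]
    reasons = []
    if datetime.fromisoformat(ts).hour not in b["hours"]:
        reasons.append("new hour")
    if src not in b["sources"]:
        reasons.append("new source")
    if rate > rate_factor * b["peak"]:
        reasons.append("rate spike")
    return reasons

def compare(history=HISTORY, new=NEW):
    base = build_baselines(history)
    return [(e[0], naive_off_hours(e), deviations(e, base)) for e in new]
```

The off-hours rule fires on all three events and cannot tell the backup job from the two that matter, while the per-identity profile stays quiet on the routine job and gives a reason for each of the others.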
I am not saying this to be gloomy. I genuinely think the defenders have better tools available now than at any point in the last 20 years. The gap is not tooling, it is adoption speed and architectural debt. Most organizations are three to five years behind on identity hygiene, non-human identity governance, and detection tuning for modern attack patterns. Closing that gap is not a technology purchase, it is a program change. Those are harder, slower, and less fun to announce at a conference.
Anyway, go read the Unit 42 report if you have not. It is worth your time. Just do not let the 4x number be the only thing you take away from it.