
Published on February 23, 2026
By Ryan Bellefontaine
Graphics & Design: Abha Patil
The following content is sponsored by Palo Alto
Where Attacks Happen in Cyber Intrusions
Key Takeaways
- Most cyber intrusions span multiple surfaces, so detection must connect signals across layers.
- Identity leads the attack surface list, but endpoints and networks still enable fast pivots.
- The human layer remains decisive, making awareness and phishing resistance operational priorities.
Cyber intrusions rarely follow a single path once attackers get a foothold. Instead, they pivot across systems to widen impact and deepen damage.
This graphic, in partnership with Unit 42 by Palo Alto Networks, shows where attacks occur in cyber intrusions, based on data from the Unit 42 Global Incident Response Report.
Identity Is the Practical Perimeter
Here is a table that breaks intrusions into nine primary attack surfaces observed across investigations.
| Attack Front | Incidents Percentage |
|---|---|
| Identity | 89% |
| Endpoints | 61% |
| Network | 50% |
| Human | 45% |
| Email | 27% |
| Application | 26% |
| Cloud | 20% |
| SecOps | 10% |
| Database | 1% |
In Unit 42’s sample, 87% of incidents touched at least two surfaces, and 67% hit three or more. Because the categories overlap, a single case can span multiple layers at once.
Identity Dominates, but the “Human Layer” Still Drives Risk
Identity appears in 89% of cases, making it the most common surface in the dataset. Meanwhile, endpoints (61%) and networks (50%) remain common launch points for lateral movement.
Email (27%) and applications (26%) sit mid-pack, while cloud services appear in 20% of incidents. Still, even “lower” categories matter when attackers chain small wins into bigger access.
Humans show up in 45% of incidents, often through user-driven activity that enables the next pivot.
Integrated Defenses Beat Siloed Tools
Multi-surface activity means point solutions can miss context when attackers hop layers. Teams need shared signals across identity, endpoint, network, app, and cloud to spot chained actions early.
SecOps appears in 10% of cases, so attackers sometimes probe security operations tooling and workflows. As a result, integrated detection and response helps contain movement before it reaches databases, which appear in 1% of incidents.
