Palo Alto Networks Report: Half of Security Analysts’ Time Is Lost to Data Correlation
Palo Alto Networks, the world's leading AI cybersecurity company, released its State of Cloud Security Report 2025, highlighting a growing disconnect between how quickly organizations can detect cyber threats and how long it takes them to fully respond and recover.
The report shows that while detection has improved, response has not kept pace. Nearly three-quarters of organizations (74%) say they can detect and contain cloud-based attacks within 24 hours. However, far fewer can sustain that speed through resolution. One in three organizations needs more than a day to close an incident fully, and among these, 9% take between a week and a month to resolve a breach.
A key factor slowing response is operational fragmentation. Half of the surveyed respondents reported that 50% of analysts' time is spent on data correlation rather than on actively responding to threats. For one in five analysts, this burden is even heavier, consuming up to 80% of their time.
Other key findings:
· Attackers now move faster than defenders can respond. The report finds that breaches that took an average of 44 days in 2021 can now unfold in as little as 25 minutes, driven by AI-assisted attack techniques. Meanwhile, one in three organizations still needs more than a day to fully resolve an incident, and nearly one in ten take longer.
· Analysts are overwhelmed by fragmentation. According to half of the respondents surveyed, 50% of analyst time is spent correlating data rather than responding to threats, and for one in five it takes up as much as 80% of their time. Disconnected cloud, application, and SOC tools prevent teams from building a single, coherent view of an attack.
· Cloud maturity does not automatically reduce risk. Organizations that have spent more than five years working in the cloud report higher rates of SaaS misuse (66%) and misconfigured public access (32%) than less-mature peers. They are also exposed to subtler risks, such as persistent oversharing between tenants, token abuse in automation, and uncontrolled synchronization between SaaS systems.
· Cloud incidents are no longer isolated. 70% of incidents now span three or more attack surfaces, reinforcing the need for unified investigation and response across the cloud, network, endpoint, and identity layers.
· High-risk issues are lingering in production. One in five organizations reports that more than a quarter of high- or critical-severity security issues remain in production for over 30 days, even as attackers measure success in minutes.
· Identity and API exposure are driving modern breaches. API attacks saw the steepest year-over-year increase at 41%, while overly permissive identities and compromised tokens continue to enable lateral movement and data exfiltration at scale.