Responding to Cloud Incidents: A Step-by-Step Guide from the 2025 Unit 42 Global Incident Response Report
https://unit42.paloaltonetworks.com/responding-to-cloud-incidents/
According to the Unit 42 2025 Global Incident Response Report, 29% of incident investigations conducted in 2024 involved cloud or SaaS environments. One in five incidents involved threat actors adversely impacting cloud environments and assets. With entire business models relying on cloud-native architecture, it is vital to protect cloud surfaces.
Traditional incident investigations focus heavily on endpoints and network activity, so cloud investigations require a mindset shift. When cloud environments are breached, investigations focus primarily on identities, misconfigurations and service interactions.
Unit 42 Cloud Incident Response begins each investigation by asking several questions:
What is the overall impact?
What logs do we have or lack?
Are identity/service misuse, automated actions or API exploitation contributing factors?
We’ll now go through the process, step by step.