The 2026 Darktrace Annual Threat Report delivers a clear, uncompromising message: the era of the perimeter is officially over. The primary challenge for CISOs is no longer just keeping attackers out; it is identifying them once they have already "logged in" using legitimate, but compromised, identities.
For cybersecurity professionals, the report is a roadmap of the shifting tactics, techniques, and procedures (TTPs) that defined 2025 and will dictate risk in the year ahead.
Identity has emerged as the single most consistent threat across the global landscape. In a significant shift, identity compromise and the exploitation of trust have eclipsed traditional vulnerability exploitation as the dominant attack vector.
Attackers are increasingly using valid credentials to log in and blend into normal operational activity, making them very difficult to distinguish from legitimate users. This approach, in which the intruder relies on legitimate access and built-in tooling rather than malware, is known as Living Off the Land (LOTL).
Native English-speaking groups like Scattered Spider have mastered helpdesk impersonation and MFA-bypass techniques to gain highly privileged access to identity providers and cloud platforms such as Okta and AWS.
Identity-based attacks, particularly phishing, now see massive spikes during retail events. For example, Black Friday-related phishing skyrocketed by 620% in late 2025.
As organizations deepen their reliance on the cloud, threat actors are following the data. Cloud and SaaS environments are now being used as "systemic risk multipliers."
In the Americas, SaaS/M365 account compromises and email-based social engineering now account for nearly 70% of all recorded incidents.
Attackers are moving away from opportunistic campaigns toward targeting SaaS platforms directly, so that a single foothold yields massive downstream impact across many customer environments. This is supply chain exposure in its simplest form: one compromised platform, many affected tenants.
Darktrace's honeypot data indicate that Microsoft Azure was the most targeted cloud provider in 2025, accounting for 43.5% of malware samples collected across major platforms.
Ransomware remains the fastest path to material business impact, but the "business model" has matured into a highly specialized ecosystem. Some key ransomware-related takeaways:
Double and triple extortion: There is a sharp move away from pure encryption toward data leak pressure tactics. Groups like Akira—one of the most active families globally—consistently demand payment for both file decryption and to prevent the release of stolen data.
The speed gap: Exploitation is now happening faster than ever, often before a vulnerability is even disclosed (pre-CVE).
Sector at risk: Manufacturing has become a primary target, accounting for 29% of all recorded ransomware incidents in the Americas, driven by the sector's reliance on interconnected OT and legacy systems.
Perhaps the most concerning trend is the pre-positioning of nation-state actors within critical national infrastructure (CNI). This is no longer just about espionage; it is about "strategic leverage."
Actors like Salt Typhoon (China-nexus) have successfully infiltrated telecommunications infrastructure, while Volt Typhoon has been detected pre-positioning implants in energy organizations for potential disruptive OT attacks.
States like North Korea (DPRK) are increasingly using hybrid groups, or proxy agents, to conduct financially motivated operations—such as cryptocurrency mining—to fund their intelligence-gathering efforts.
The 2026 outlook requires a fundamental pivot in how CISOs and their teams define resilience.
Because attackers are using valid credentials, signature-based defenses are insufficient. Security teams must prioritize behavioral-led detection that can identify subtle anomalies in how an identity or cloud account is acting, regardless of whether the login was technically valid.
Resilience in 2026 depends on the aggressive application of least privilege principles. If an identity is compromised, the "blast radius" must be contained by architectural limits.
With vulnerability volumes growing by 20% year-on-year and exploitation speeds accelerating, manual remediation is a losing game. Embracing autonomous response technology is essential to containing potential exploits at an early stage, before they can escalate into a full-scale crisis.
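The two recommendations above, behavioural detection of valid-but-anomalous sign-ins and an automated containment decision when the evidence is strong enough, are illustrated by the following added example. It is not code from the report or from any vendor quoted here. The log lines are constructed, the field names (ts, user, ip, country, lat, lon, asn, mfa) are an assumed generic sign-in schema rather than any real IdP's export format, and the thresholds (900 km/h, three denied MFA prompts in ten minutes, a baseline window ending 27 November) are illustrative assumptions.

```python
"""Behavioural sign-in scoring: learn a per-user baseline, then flag logins that
were technically valid but behave wrongly, and map findings to a response.

Constructed example; the schema, thresholds and sample data are assumptions."""
import json
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: IdP-style sign-in log, one JSON object per line.
# alice has a routine baseline, then an MFA-fatigue approval at 03:13 followed
# 27 minutes later by a login from a new country and ASN (impossible travel).
SAMPLE_LOG = """\
{"ts":"2025-11-20T08:02:00Z","user":"alice","ip":"198.51.100.10","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"success"}
{"ts":"2025-11-21T08:05:00Z","user":"alice","ip":"198.51.100.11","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"success"}
{"ts":"2025-11-22T08:01:00Z","user":"alice","ip":"198.51.100.12","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"success"}
{"ts":"2025-11-28T03:10:00Z","user":"alice","ip":"203.0.113.5","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"denied"}
{"ts":"2025-11-28T03:11:00Z","user":"alice","ip":"203.0.113.5","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"denied"}
{"ts":"2025-11-28T03:12:00Z","user":"alice","ip":"203.0.113.5","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"denied"}
{"ts":"2025-11-28T03:13:00Z","user":"alice","ip":"203.0.113.5","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"success"}
{"ts":"2025-11-28T03:40:00Z","user":"alice","ip":"192.0.2.77","country":"NL","lat":52.4,"lon":4.9,"asn":"AS64511","mfa":"success"}
{"ts":"2025-11-28T09:00:00Z","user":"bob","ip":"198.51.100.20","country":"US","lat":40.7,"lon":-74.0,"asn":"AS64500","mfa":"success"}
"""

BASELINE_END = datetime(2025, 11, 27, tzinfo=timezone.utc)  # assumption: learn before, score after
MAX_SPEED_KMH = 900          # faster than an airliner between two sign-ins -> impossible travel
MFA_FATIGUE_DENIALS = 3      # denied prompts within the window before an approval
MFA_FATIGUE_WINDOW_S = 600


def parse_log(text):
    """Parse JSON lines into events, attach a timezone-aware datetime, sort by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    events.sort(key=lambda e: e["t"])
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def build_baseline(events):
    """Per-user sets of countries, ASNs and hours seen in successful logins before BASELINE_END."""
    base = defaultdict(lambda: {"countries": set(), "asns": set(), "hours": set()})
    for e in events:
        if e["t"] < BASELINE_END and e["mfa"] == "success":
            b = base[e["user"]]
            b["countries"].add(e["country"])
            b["asns"].add(e["asn"])
            b["hours"].add(e["t"].hour)
    return base


def decide(signals):
    """Containment decision: strong compromise indicators get sessions revoked,
    weaker deviations get step-up authentication, nothing unusual is allowed."""
    if "impossible_travel" in signals or "mfa_fatigue" in signals:
        return "revoke_sessions"
    return "step_up_auth" if signals else "allow"


def score(events):
    """Return a finding (signals + action) for every successful sign-in that deviates."""
    base = build_baseline(events)
    last_success = {}                  # user -> previous successful sign-in
    recent_denied = defaultdict(list)  # user -> timestamps of denied MFA prompts
    findings = []
    for e in events:
        user = e["user"]
        if e["mfa"] != "success":
            recent_denied[user].append(e["t"])
            continue
        signals = []
        if e["t"] >= BASELINE_END:
            b = base.get(user)         # .get() does not create a default entry
            if b:                      # no baseline yet: skip the comparison rules
                if e["country"] not in b["countries"]:
                    signals.append("new_country")
                if e["asn"] not in b["asns"]:
                    signals.append("new_asn")
                usual = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}
                if e["t"].hour not in usual:
                    signals.append("off_hours")
            denied = [t for t in recent_denied[user]
                      if (e["t"] - t).total_seconds() <= MFA_FATIGUE_WINDOW_S]
            if len(denied) >= MFA_FATIGUE_DENIALS:
                signals.append("mfa_fatigue")
            prev = last_success.get(user)
            if prev:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["t"] - prev["t"]).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    signals.append("impossible_travel")
        recent_denied[user] = []
        last_success[user] = e
        if signals:
            findings.append({"ts": e["ts"], "user": user, "ip": e["ip"],
                             "signals": signals, "action": decide(signals)})
    return findings


if __name__ == "__main__":
    for f in score(parse_log(SAMPLE_LOG)):
        print(json.dumps(f))
```

Every flagged event here passed authentication, including MFA; nothing in the output comes from a signature. The design point is that the action is keyed to the strength of the behavioural evidence: a single off-hours login earns a re-authentication challenge, while an MFA approval that follows a burst of denials, or a second login that would have required travelling faster than an aircraft, is treated as a probable compromise and has its sessions revoked before a human looks at it. In production the baseline should be built over weeks, not days, and fed from your IdP's actual event schema.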
We asked some representatives from cybersecurity vendors for their thoughts on the findings in the report.
Mark McClain, CEO at SailPoint Technologies, said:
"As the report highlights, identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security. This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just 'who,' or in the case of AI agents, 'what,' has access to the enterprise, but what data they can access and what they are able to do once inside."
"The modern enterprise requires a new control plane, driven by unifying identity, data, and security. The combined power of these contexts enables real-time decisions to reduce risk without impacting the business. These decisions can be driven by the nature of the identity, the context of the apps and data it can access, the behavior around how it is using these apps and data and the security signals and risk warnings that may surround it. To combat this new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity."
Morey Haber, Chief Security Advisor at BeyondTrust, said:
"Cybersecurity has always been a forward-looking discipline. By anticipating where technology, threat actors, and regulation are heading, we can better protect our customers and help the industry prepare for what’s next. Looking ahead allows us to adapt faster and turn insight into proactive security action. The future of cybersecurity isn't just about defending data, it’s about anticipating how digital and physical worlds will continue to collide. The organizations that will thrive are those that treat identity as the new perimeter and innovation as their strongest defense."
Amit Zimerman, Co-Founder and Chief Product Officer at Oasis Security, said:
"Human oversight remains vital when using AI in offensive cybersecurity. While AI is highly efficient in automating and scaling tasks, human expertise is necessary to interpret complex results, make critical decisions, and apply context-specific reasoning. Humans are essential for ensuring that AI-driven tools are used responsibly and for validating the results of AI processes, especially when it comes to the nuances of certain vulnerabilities or threat landscapes. AI also plays a significant role in 'shift-left' approaches by identifying security vulnerabilities earlier in the software development lifecycle. When integrated into offensive security measures, AI can detect and address issues before they make it into production, reducing the cost of remediation and improving the overall security posture of an organization."
Diana Kelley, CISO at Noma Security, said:
"AI risks have rapidly moved from a watch list item to a front-line security concern, especially when it comes to data security and misuse. To manage this emerging threat landscape, security teams need a mature, continuous security approach, which includes blue team programs, starting with a full inventory of all AI systems, including agentic components as a baseline for governance and risk management."
"For practitioners, securing AI in 2026 and beyond is not just about protecting models. It requires addressing stack sprawl and moving toward a platform-driven approach that delivers defense in depth through unified, AI-aware identity, configuration, and data visibility. Organizations that simplify their cloud and AI security stack, and enable effective automation, will be far better positioned to safely scale AI as threats continue to evolve."
Shane Barney, CISO at Keeper Security, said:
"Identity has become the attacker's skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy. When identity controls are fragmented or overly permissive, attackers don't need novel exploits. They just need access that looks routine. Identity now defines the enterprise perimeter. When every identity is governed with least privilege and continuously validated, a stolen credential becomes a contained event instead of an enterprise-wide incident."