Introduction
The CyberProof 2026 Global Threat Intelligence: Mapping Threats to Trends Report draws from internal CyberProof SOC environments, cyber threat intelligence feeds, and broader industry reporting to map global threats to emerging trends. This comprehensive analysis reveals that 2025 marked a decisive shift in the threat landscape, where actors moved beyond reliance on novel malware to prioritize speed, coordination, and identity abuse, ultimately turning small access points into high-impact incidents across enterprise platforms and SaaS ecosystems.
As we analyzed the data from 2025, it becomes evident that the traditional concept of a “perimeter” has effectively dissolved. The defining characteristic of the year was not how attackers broke in, but how they logged in. By the end of 2025, identity, cloud, and SaaS environments had become the primary targets, accounting for approximately 22% of all incidents. This shift has forced Security Operations (SecOps) teams to confront a reality where the most damaging breaches involve adversaries posing as legitimate users, leveraging trusted workflows to bypass technical controls entirely.
2025 by the Numbers: A Year of Escalation
The statistics presented in the 2026 report paint a stark picture of an escalating and increasingly costly threat environment. The volume and sophistication of attacks surged across critical sectors, driven by the rapid weaponization of vulnerabilities and the industrialization of cybercrime.
- Retail Under Siege: The retail sector experienced one of its most destabilizing years on record. Ransomware activity against global retailers increased by 58% in Q2 2025 compared to the previous quarter. Even more alarming, 80% of retailers faced a cyberattack during the year, with major disruptions affecting supply chains and leaving shelves empty at grocery chains across Europe and the US.
- Manufacturing Vulnerability: The manufacturing sector saw the steepest increase in hostile activity, with attacks surging 61% compared to 2024. Manufacturing accounted for 26% of all attacks in 2025, highlighting how operational downtime has become a primary lever for extortion.
- The Weaponization of AI: Artificial Intelligence is no longer a theoretical threat; it is a standard component of the adversary’s toolkit. Reporting indicates that approximately 80% of ransomware campaigns incorporated AI at some stage of the attack lifecycle, from generating convincing phishing lures to automating payload development.
- Browser-Based Threats: One of the most explosive trends was the rise of “ClickFix” attacks, social engineering tactics that use fake verification prompts to trick users into executing malware. This activity increased by over 500% in 2025, representing nearly 8% of all blocked attack attempts.
- Vulnerability Exploitation: There was a 17% increase in vulnerability exploitation compared to 2024. However, the critical metric was speed: exploitation accounted for an estimated 25–35% of successful ransomware incidents, with threat actors often weaponizing new CVEs within hours of disclosure.
Key Trends Defining the 2025 Threat Landscape
The Industrialization of Identity Attacks
The most pervasive trend of 2025 was the systematic abuse of identity. While a few major breaches resulted from sophisticated zero-day exploits against firewalls, several of the incidents noted in the report relied instead on social engineering targeting IT support staff. Threat actors, particularly the group known as Scattered Spider, mastered the art of impersonating employees to convince help desks to reset Multi-Factor Authentication (MFA) tokens. This technique allowed attackers to gain valid credentials and operate inside the network with the same privileges as legitimate administrators, rendering traditional anomaly detection tools less effective.
Supply Chain and SaaS Abuse
The attack surface has expanded into the third-party ecosystem. A defining campaign of the year involved the Salesforce ecosystem, where attackers exploited OAuth integrations rather than the core platform itself. By compromising connected apps, threat actors were able to access customer CRM environments and exfiltrate billions of records without ever needing to breach Salesforce’s direct defenses. This trend highlights a critical blind spot: organizations are often unaware of the “shadow” connections that third-party applications have to their most sensitive data.
Adversary Collaboration as a Force Multiplier
The report highlights a disturbing evolution in the criminal underground: collaboration is becoming a competitive advantage. The year saw the rise of the “Scattered LAPSUS$ Hunters Collective,” a loose alliance of high-profile groups sharing infrastructure and tradecraft. Similarly, ransomware giants LockBit, DragonForce, and Qilin were observed sharing payload frameworks and affiliate networks. This ecosystem favors adaptation over novelty, allowing criminal groups to reuse successful intrusion models across different sectors and scale their operations faster than defenders can patch.
Geopolitical Spillover
Cyber operations in 2025 mirrored the volatility of global geopolitics. Conflicts in Ukraine, the Middle East, and South Asia triggered coordinated waves of cyber activity that unfolded alongside kinetic military events. The report notes that cyber operations are no longer peripheral to conflict but are a central instrument of state power.
Predictions for 2026: Preparing for the Next Wave
The CyberProof report outlines six critical predictions for the coming year, warning that the convergence of AI, regulatory pressure, and identity deception will create new challenges for defenders.
1. Cyber Criminals Will Gain a Tactical Advantage with AI
In 2026, the asymmetry between attackers and defenders will grow. Cybercriminals utilizing AI do not require the same precision or compliance adherence as corporate security teams, allowing them to innovate faster. The report predicts that organizations that fail to rethink identity access management and privilege models for an AI-driven environment will expose themselves to systemic vulnerabilities.
2. The Rise of Vishing, Deepfakes, and Identity Deception
The convergence of voice-based social engineering (vishing) and deepfake technology is set to define a new era of attacks. The report predicts a significant rise in vishing attacks that embed deepfake audio to impersonate trusted colleagues, particularly executives or IT staff. Platforms like Microsoft Teams are expected to become critical vectors, with attackers utilizing features like “Chat with anyone” to initiate contact. This technology will drastically reduce the time required to execute attacks, enabling rapid lateral movement and overcoming human verification safeguards.
3. Cloud Misconfigurations Will Persist
Despite increased investment in cloud security, human error will remain a primary entry point. As organizations expand into complex, multi-cloud environments, the risk of misconfigured settings and insecure APIs will persist. The report identifies this as a leading cause of cloud-related breaches in 2026, as the complexity of managing sprawling cloud ecosystems continues to outpace the governance capabilities of many organizations.
4. Increasing Use of Regulatory Exposure as Leverage
Ransomware groups are evolving their extortion strategies. In 2026, attackers will increasingly use regulatory exposure as a deliberate lever during negotiations. Having witnessed the impact of strict reporting rules (such as GDPR and SEC mandates), threat actors are now referencing these regulations in ransom notes. They are threatening to notify regulators of breaches directly or leak specific data samples to trigger mandatory reporting, effectively turning an organization’s compliance obligations into an attack surface.
5. The Blurring Lines: Abuse of Legitimate Software
The abuse of legitimate Remote Monitoring and Management (RMM) tools is projected to surge. Attackers are turning essential administrative utilities (like ConnectWise, ScreenConnect, and SimpleHelp) into powerful conduits for intrusion, allowing them to maintain “hands-on-keyboard” access while blending in with normal administrative traffic. Because these tools are often whitelisted and trusted, they provide a stealthy pathway for reconnaissance and ransomware deployment that bypasses many standard detection rules.
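Because a sanctioned RMM client is by definition allowed to run, a detection that keys only on the binary name is blind to the abuse described above. The added example below (not from the CyberProof report) instead compares each RMM execution against an organisational baseline of which RMM product, hosts and service accounts are expected, and flags RMM clients launched from user-facing parents such as a mail client or browser. The event lines, the hypothetical baseline and the field format are all constructed for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    "2025-06-02T09:14:05Z host=FIN-WS01 user=jdoe parent=outlook.exe image=ScreenConnect.ClientSetup.exe",
    "2025-06-02T09:20:11Z host=IT-ADMIN02 user=svc_rmm parent=services.exe image=ScreenConnect.WindowsClient.exe",
    "2025-06-02T10:02:44Z host=HR-WS07 user=asmith parent=chrome.exe image=SimpleHelp-Remote-Access.exe",
    "2025-06-02T10:30:00Z host=FIN-WS01 user=jdoe parent=explorer.exe image=winword.exe",
]

# Hypothetical baseline: the one RMM family the organisation sanctions, and the
# hosts / service accounts expected to run it. Anything else is out of policy.
SANCTIONED_RMM = {"connectwise_screenconnect"}
RMM_HOSTS = {"IT-ADMIN02"}
RMM_USERS = {"svc_rmm"}

# Image-name substrings for the RMM families the report names. ConnectWise Control
# and ScreenConnect are the same product line, so both map to one family.
RMM_SIGNATURES = {
    "connectwise_screenconnect": ("screenconnect", "connectwise"),
    "simplehelp": ("simplehelp",),
}
# Parents that indicate a user was talked into downloading and running the client.
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "winword.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+)$"
)

def parse(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(ev):
    """Return the reasons an RMM execution is out of policy; [] if benign or not RMM."""
    image = ev["image"].lower()
    family = next((f for f, sigs in RMM_SIGNATURES.items() if any(s in image for s in sigs)), None)
    if family is None:
        return []
    reasons = []
    if family not in SANCTIONED_RMM:
        reasons.append(f"unsanctioned RMM family '{family}'")
    if ev["host"] not in RMM_HOSTS or ev["user"] not in RMM_USERS:
        reasons.append("RMM run outside approved host/user baseline")
    if ev["parent"].lower() in USER_FACING_PARENTS:
        reasons.append(f"launched from user-facing parent {ev['parent']}")
    return reasons

def find_rmm_anomalies(lines):
    """Return (host, image, reasons) for every event that violates the baseline."""
    parsed = (parse(line) for line in lines)
    return [(ev["host"], ev["image"], classify(ev)) for ev in parsed if ev and classify(ev)]
```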
6. Shadow AI Will Emerge as the Next Unmanaged Risk Surface
As generative AI adoption accelerates, “Shadow AI” will become a critical risk. Employees are increasingly using personal or unvetted AI tools to speed up tasks, introducing ungoverned data exposure risks. The report warns that without clear policies on model usage and data lineage, sensitive information will be exposed. Most organizations currently lack the visibility to monitor these interactions, creating a massive blind spot that will grow as AI becomes embedded in everyday productivity platforms.
Conclusion
The events of 2025 demonstrate that security strategies built primarily around perimeter defense are no longer sufficient. The adversary has moved inside, leveraging the very tools, identities, and supply chains that businesses rely on. As we enter 2026, the ability to validate identity, govern AI usage, and manage third-party risk will determine the difference between a contained incident and a catastrophic breach.
To learn more about CyberProof research findings, download the full report.