|
 |
The 2026 Global Threat Intelligence Report (GTIR) by Flashpoint presents a picture of a cybersecurity environment undergoing a structural shift rather than incremental change. Its central thesis is that cyber threats have entered an era of “total convergence”—where previously distinct domains such as malware, identity compromise, infrastructure exploitation, and social engineering are now tightly integrated into unified attack ecosystems.
1. From Fragmented Threats to a Converged Attack Surface
Historically, defenders could think in categories: ransomware, phishing, vulnerabilities, and insider threats. The report argues that these distinctions are no longer operationally meaningful. Attackers now combine them fluidly, using whichever vector is most efficient at a given moment.
This convergence is driven by two forces:
The availability of massive datasets (credentials, personal data, access tokens)
The automation of attack workflows, increasingly orchestrated by AI
The result is what Flashpoint describes as a “high-velocity threat engine”, where attacks are continuous, adaptive, and multi-vector by design.
For a non-specialist, the key takeaway is simple: organisations are no longer being “hacked” in a single way. They are being systematically probed across all weak points at once, often by automated systems.
2. Agentic AI and the Rise of Machine-Speed Attacks
The most consequential shift identified in the report is the emergence of agentic AI—autonomous or semi-autonomous systems capable of executing full attack chains with minimal human oversight.
These systems can:
Identify targets
Generate phishing content
Test stolen credentials
Adapt tactics based on failure
Rotate infrastructure to avoid detection
This represents a move from “human-in-the-loop” attacks to machine-speed operations, where iteration is cheap and scale is effectively unlimited.
One striking data point: AI-related illicit activity increased by roughly 1,500% in a single month in late 2025, signaling rapid adoption by threat actors. For defenders, this creates an asymmetry. Attackers can now run thousands of variations of an attack simultaneously, while defenders must still detect and respond with relatively slower processes. This fundamentally changes the economics of cyber conflict.
3. Identity as the Primary Attack Vector
Another core insight is that identity has replaced traditional exploitation as the dominant entry point. Instead of “breaking in,” attackers increasingly log in using stolen credentials. The scale is significant, as approximately 3.3 billion compromised credentials and tokens are circulating in criminal ecosystems today.
These credentials are harvested primarily via infostealer malware and then reused across services. Because many organizations rely on identity-based access (cloud services, SaaS, APIs), compromised credentials provide immediate and often undetected access.
This shift has several implications:
Traditional perimeter defenses (firewalls, endpoint protection) are less effective
Multi-factor authentication can be bypassed or undermined
Insider threat models blur, as attackers operate with legitimate credentials
In practical terms, cybersecurity is becoming less about blocking intrusions and more about verifying trust continuously.
4. Industrialisation of Cybercrime
The report emphasises the professionalisation of cybercrime, describing it as an industrial ecosystem with supply chains, specialisation, and scalable business models. One example is the evolution of ransomware into a “franchise model”:
Core groups develop tools and infrastructure
Affiliates execute attacks
Profits are shared
At the same time, ransomware itself is evolving. Instead of encrypting systems, attackers increasingly rely on:
Data theft
Credential compromise
Extortion without encryption
Ransomware incidents increased by over 50% year-over-year, reflecting both growth in activity and diversification of tactics.
This industrialisation lowers barriers to entry. Less-skilled actors can now conduct sophisticated attacks by leveraging shared tools and services, much like legitimate cloud-based businesses.
5. The Collapse of the Vulnerability Window
Another important trend is the shrinking time between vulnerability disclosure and exploitation.
The report notes:
A 12% increase in vulnerability disclosures, exceeding tens of thousands annually
Exploitation now occurs within hours or days, rather than weeks or months
This is partly due to automation: AI systems can ingest newly disclosed vulnerabilities and immediately test them at scale.
For organisations, this eliminates the luxury of delayed patching cycles. Vulnerability management must become near real-time, or risk exposure to rapid exploitation.
6. Data as Fuel: Infostealers and Credential Economies
Underlying many of these trends is the explosion of infostealer malware, which harvests credentials, session cookies, and other sensitive data from infected devices.
The report links this to:
Millions of infected endpoints
Billio