We have entered the agentic era, and every process is becoming faster and more automated. AI has also introduced a new dimension of risk: adversaries targeting the very AI systems underpinning the modern enterprise.

2025 was marked by the rise of the evasive adversary. Today's threat actors are evading detection by accelerating their tradecraft with AI, exploiting blind spots, and targeting edge devices to stay under the radar. They are faster than ever: the quickest eCrime breakout observed took just 27 seconds. Adversaries are weaponizing AI, increasing their volume of attacks by 89% and challenging traditional security defences.

The CrowdStrike 2026 Global Threat Report summarizes the analysis the CrowdStrike Intelligence team performed throughout 2025 and describes notable themes, trends, and events across the cyber threat landscape.

According to the latest insights from CrowdStrike, adversaries are increasingly gaining access through legitimate credentials, trusted identities, and unnoticed behaviour. In a cloud-driven environment across AWS, Azure, and GCP, this shift is redefining what it means to be secure.


The Age of the AI Adversary Begins

In 2025, AI-enabled adversaries increased attacks by 89% year over year. AI accelerated phishing and automated reconnaissance, shortening the time from initial access to impact. It elevated less sophisticated threat actors and amplified the most advanced ones. It compressed the time between intent and execution.

The average eCrime breakout time (the time from initial access to the first lateral movement inside the victim environment) fell to 29 minutes in 2025, a 65% increase in speed over the prior year. The fastest breakout took just 27 seconds.

Attack Trends

  • Cloud-conscious intrusions rose 37% in 2025, including a 266% increase among state-nexus threat actors. Valid account abuse accounted for 35% of cloud incidents, reinforcing that identity has become central to intrusion. Zero-day exploitation prior to public disclosure increased 42%, compressing the time between vulnerability discovery and active exploitation.
  • China-nexus activity increased 38% in 2025. In 67% of the vulnerabilities China-nexus adversaries exploited, the flaw provided immediate system access. Of those exploited vulnerabilities, 40% targeted internet-facing edge devices. Newly disclosed vulnerabilities were weaponized within days.

Modern adversaries gain legitimate access through identity, move rapidly through cloud and edge infrastructure, and weaponize vulnerabilities before defenders can respond. Speed, legitimacy, and low-visibility access paths now define evasive tradecraft.

Key 2025 Trends in Evasive Adversary Tradecraft

  • 89% increase in attacks by AI-enabled adversaries
  • Average eCrime breakout time dropped to 29 minutes, a 65% increase in speed from 2024, and the fastest breakout time was only 27 seconds
  • 82% of detections in 2025 were malware-free, up from 51% in 2020
  • 24 new adversaries tracked by CrowdStrike, raising the total to 281
  • China-nexus activity increased 38% across all sectors, with an 85% increase in logistics
  • 42% increase in zero-day vulnerabilities exploited prior to public disclosure
  • Valid account abuse accounted for 35% of cloud incidents
  • 37% rise in cloud-conscious intrusions, with 266% increase by state-nexus threat actors

The Growing Dominance of Interactive Intrusions

In these intrusions, threat actors engage directly with victim environments, using legitimate credentials, native tools, and administrative functions to move laterally and achieve objectives while blending into normal user behaviour. By operating in ways that closely resemble authorized activity, adversaries reduce reliance on malware and evade many signature-based and preventive controls. Defenders are often forced to identify malicious intent within otherwise legitimate actions.
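Interactive intrusions leave no malware to match, so the detection has to come from the sequence of otherwise-legitimate actions. The following is an added example, not code from the page or from CrowdStrike: it reads constructed logon and remote-execution events, computes each account's breakout time (first foothold to the first pivot launched from a host the account already reached) and flags accounts that break out faster than a threshold. The user names, hosts, timestamps and the choice of the report's 29-minute average as the threshold are all assumptions made for illustration.

```python
"""Added example (not part of the page or the CrowdStrike report): measure
breakout time per account from constructed auth/remote-execution events and
flag valid-account sessions that pivot to a second host faster than a policy
threshold. Hosts, users and timestamps are hypothetical."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Actions that move an actor from a host they already control to a new one.
LATERAL_ACTIONS = {"remote_exec", "rdp", "smb_logon"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str     # host or IP the action originates from
    dst: str     # host the action lands on
    action: str  # logon | remote_exec | rdp | smb_logon | ...


# Constructed sample log: "<ISO timestamp> <user> <src> <dst> <action>".
SAMPLE_LOG = """\
2025-06-01T08:00:00Z jdoe 203.0.113.5 vpn-gw logon
2025-06-01T08:00:25Z jdoe vpn-gw fs01 remote_exec
2025-06-01T08:00:40Z jdoe fs01 dc01 remote_exec
2025-06-01T09:15:00Z asmith 10.0.0.12 wks-42 logon
2025-06-01T10:30:00Z asmith wks-42 fs01 remote_exec
2025-06-01T11:00:00Z svc-backup 10.0.0.50 fs01 logon
"""


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, action = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, src, dst, action))
    return events


def breakout_seconds(events: List[Event]) -> Dict[str, Optional[float]]:
    """Per account: seconds from the first logon (foothold) to the first
    lateral action launched *from* a host the account already reached.
    None when the account never pivoted."""
    foothold: Dict[str, datetime] = {}
    reached: Dict[str, set] = {}
    breakout: Dict[str, Optional[float]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.user not in foothold:
            if e.action == "logon":          # first foothold for this account
                foothold[e.user] = e.ts
                reached[e.user] = {e.dst}
                breakout[e.user] = None
            continue
        if (breakout[e.user] is None and e.action in LATERAL_ACTIONS
                and e.src in reached[e.user]):
            breakout[e.user] = (e.ts - foothold[e.user]).total_seconds()
        reached[e.user].add(e.dst)
    return breakout


def flag_fast_breakouts(events: List[Event], threshold_s: float = 29 * 60) -> List[str]:
    """Accounts that broke out at or under the threshold (default: the report's
    29-minute 2025 eCrime average, used here as a hypothetical tuning point).
    No file or malware indicator is involved; the trigger is the sequence."""
    return sorted(u for u, s in breakout_seconds(events).items()
                  if s is not None and s <= threshold_s)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, secs in breakout_seconds(evs).items():
        print(f"{user:<12} breakout={secs}")
    print("fast breakouts:", flag_fast_breakouts(evs))
```

In the constructed data, jdoe pivots from the VPN gateway to a file server 25 seconds after logging in and is flagged; asmith pivots after 75 minutes and is not; the service account never pivots. The threshold is a tuning knob, not a rule: a real deployment would pair it with the account's baseline (new source ASN, unusual hour, first-ever destination) so that a legitimate administrator moving quickly is not confused with an intruder using that administrator's credentials.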


Multiple AI-related tools have assisted threat actors with developing, organizing, and scaling phishing operations. These tools allow threat actors to plan and accelerate reconnaissance operations, create convincing phishing messages and landing pages, conduct spamming activity, and bypass restricted AI tool safeguards to produce illicit content.

Supply Chain Attacks Enable Evasion of Traditional Security Controls

Supply chain attacks represent a distinct security challenge. Because users trust that legitimate software will not include malicious code and organizational patching policies will not inadvertently infect machines with malware, adversaries can adopt methods that exploit this trust. Adversaries’ increased use of such methods in 2025 marks a shift in initial access techniques to focus on evading traditional security controls.

CrowdStrike Intelligence anticipates that supply chain attacks will continue to pose a significant threat to organizations throughout 2026. Attackers value this method because it offers a wide potential scope and allows them to hijack trusted update mechanisms intended to improve software security.

In supply chain attacks, threat actors modify software provider infrastructure or code bases in ways that obscure threat activity, making them stealthy and challenging to detect. In some cases, supply chain attacks cause further damage when untrusted code is incorporated into wider software ecosystems, infecting additional organizations beyond the original target.

Compromised Software Provider

In late February 2025, PRESSURE CHOLLIMA executed the largest cryptocurrency theft in history by compromising Safe{Wallet}, a digital asset management platform supporting cryptocurrency exchanges, to target funds held by the centralized cryptocurrency exchange Bybit. The adversary initially gained access to Safe{Wallet} systems by compromising a software developer’s machine via a trojanized Python project (likely delivered using social engineering tactics) and exfiltrating development-related credentials.
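The supply chain section above describes the trust that update and dependency channels rely on: consumers assume that what arrives is what was reviewed. One concrete check a practitioner can put behind that assumption is digest pinning. The following is an added example, not code from the page or from CrowdStrike: it records the digest of an artifact at review time in pip's `name==version --hash=<alg>:<hex>` requirement syntax and refuses anything delivered later whose bytes differ. The package name and artifact bytes are constructed; it does not address the social-engineered developer machine in the Bybit case, only the hijacked-update path.

```python
"""Added example (not the page's or CrowdStrike's code): reject an artifact
arriving through an update or dependency channel unless its digest matches a
pin recorded when the artifact was reviewed. Uses pip's
'name==version --hash=<alg>:<hex>' requirement syntax; package names and
artifact bytes are constructed for illustration."""
import hashlib
import re

HASH_RE = re.compile(r"--hash=(?P<alg>sha256|sha384|sha512):(?P<hex>[0-9a-fA-F]+)")


def pin_line(name: str, version: str, data: bytes) -> str:
    """Record the digest of a reviewed artifact as a pinned requirement line."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


def parse_pinned_requirements(text: str) -> dict:
    """Map lowercased package name -> list of (alg, hexdigest) pins.
    A line without any --hash is an error: an unpinned dependency is exactly
    the trust a hijacked update channel exploits."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.split()[0].split("==", 1)[0].lower()
        hashes = [(m["alg"], m["hex"].lower()) for m in HASH_RE.finditer(line)]
        if not hashes:
            raise ValueError(f"{name}: no --hash pin; refusing unpinned dependency")
        pins.setdefault(name, []).extend(hashes)
    return pins


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """True only if the delivered bytes match a pinned digest for this name.
    Any change to the artifact (a trojanized rebuild, a swapped wheel) fails."""
    for alg, expected in pins.get(name.lower(), []):
        if hashlib.new(alg, data).hexdigest() == expected:
            return True
    return False


if __name__ == "__main__":
    reviewed = b"constructed contents of a wheel that passed review"
    reqs = pin_line("example-pkg", "1.2.3", reviewed)
    pins = parse_pinned_requirements(reqs)
    print(verify_artifact("example-pkg", reviewed, pins))            # True
    print(verify_artifact("example-pkg", reviewed + b"\x00", pins))  # False
```

For Python dependencies specifically, `pip install --require-hashes -r requirements.txt` enforces the same rule natively; the block spells the logic out so it can be applied to any artifact channel (container base images, installer downloads, vendor update bundles). The caveat is that the pin is only as good as the review that produced it: if the attacker already controlled the source when the digest was recorded, the check passes. It narrows the exposure window to review time; it does not eliminate it.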

Conclusion

Threat actors of all skill levels will continue adopting AI for social engineering, information operations (IO), and technical activity. Less sophisticated threat actors will use AI to offset limited expertise, enabling more complex attacks but often introducing errors due to poor implementation and limited ability to validate output. More advanced threat actors will increasingly leverage AI for malware development, social engineering, and post-exploitation activities, accelerating attack speed, scale, and effectiveness. With greater resources and maturity, these threat actors are positioned to operationalize agentic AI for minimally supervised or autonomous operations.

As organizations embed AI into core business processes, the attack surface will expand to include AI models, training data, agents, and supply chains. Limited visibility into AI operations will amplify risk and create exploitable gaps.

The cybersecurity playbook is changing, and identity is at the center of it. Organizations that continue to rely on legacy, perimeter-focused defenses will struggle to detect modern threats. The future belongs to those who embrace identity-first security, Zero Trust principles, and continuous monitoring.

In the agentic era, defending against AI-accelerated adversaries, and securing AI systems themselves, requires operating at machine speed.

Secure Your Identity Layer Before Attackers Do

Reputiva helps organizations protect what matters most:

  • Identity and access across AWS, Azure, and GCP
  • Zero Trust architecture implementation
  • Cloud and AI security strategy
  • Continuous monitoring and threat detection

Book a Cloud & Identity Security Assessment
