ABOUT THIS ANALYSIS

Produced by the CyberTech Intelligence Research Desk for CISOs and enterprise risk leaders. All data points are drawn from primary research published by IBM X-Force, CrowdStrike, and Gartner. Every citation links directly to a page displaying the specific data point it supports.

THE EXPERTS’ REFLECTION: 2026 IN REALITY

Security executives in 2026 can hardly open a conversation about AI without directly addressing how it has impacted the objectives of adversaries. That framing is partially right, but it flattens what the data actually shows. AI hasn’t changed what attackers want. It has removed the skill floor and time cost that used to limit how fast they could get it. 

The opening finding of IBM X-Force’s 2026 Threat Intelligence Index is worth sitting with: cybercriminals are targeting the simplest gaps first (weak authentication, unpatched software, and credentials that have been circulating on dark web markets for years) and using cutting-edge AI tools that let them spot their next victims in a matter of seconds. The breaches that made headlines in the past year did not feature new vulnerabilities; the weaknesses exploited most often were missing authentication controls, obsolete software applications, and credentials that had been compromised and exposed for a very long time. ¹

CrowdStrike’s 2026 Global Threat Report, published February 24, 2026, supports the same narrative. The adversaries who dominated technically in 2025 were the ones that stayed untraceable: their operations exploited gaps in visibility, targeted identity and cloud environments, and bypassed the endpoint entirely, which is what made them so dangerous. ²

Techniques that once required significant resources and expertise are now accessible to almost any actor with a browser and a subscription. 

AI AS ADVERSARY INFRASTRUCTURE: SPEED AND SCALE

The number that should be recalibrating SOC investments right now is 29 minutes, the average time between initial access and lateral movement in 2025. 

The average eCrime breakout time in 2025 fell to 29 minutes, a 65% speed increase from 2024. The fastest observed breakout was 27 seconds. ² These figures represent the window between initial access and lateral movement onto a second system. Most enterprise SOC workflows, built around triage cycles measured in hours, are not calibrated to operate within that window.

CrowdStrike documented over 90 cases where legitimate AI tools, tools already inside the enterprise, were exploited to generate malicious commands. ChatGPT alone was referenced in criminal forums 550% more than any other AI model, which tells you where adversaries are investing their time to learn. ²

According to IBM X-Force, attacks that begin by exploiting vulnerabilities in public-facing applications rose 44%, driven by the ability of artificial intelligence to discover vulnerabilities. In 2025, over 300,000 ChatGPT credential sets were available on the dark web as infostealers expanded to target AI systems. The number of supply chain attacks has quadrupled since 2020. ¹

The attack surface hasn’t changed shape. The cost of exploiting it has collapsed. 

FIGURE 1: AI-Accelerated Attack Metrics (Full Year 2025)

Metric                                       Value
-------------------------------------------  ---------------------------
Average eCrime breakout time ²               29 minutes
Breakout speed increase vs 2024 ²            65%
Fastest observed breakout ²                  27 seconds
Organizations with AI tools exploited ²      90+
ChatGPT references in criminal forums ²      550% more than any other AI
Public-facing app exploitation increase ¹    44% YoY
ChatGPT credential sets on dark web ¹        300,000+
Supply chain incidents since 2020 ¹          4x increase

Sources: As per references shown above, Cyber Tech Intelligence Analysis

IDENTITY AS THE PRIMARY BATTLEGROUND

Two separate research teams, different methodologies, same conclusion: the primary attack surface in 2025 was the credential layer. Not the endpoint. Not the network perimeter. The credential layer that sits between every user and every enterprise resource, governed by controls designed for a threat environment that no longer exists.

Vulnerability exploitation became the leading cause of attacks in 2025, at 40% of all incidents. ¹ Notably, 56% of disclosed vulnerabilities did not require authentication to exploit, meaning the absence of basic access controls was itself the attack surface. ¹

The ransomware ecosystem fragmented into 109 distinct extortion groups in 2025, up from 73 the year before, a structural shift away from a few dominant players toward a broader, harder-to-track field. Manufacturing remained the most targeted industry, with North America representing nearly one-third of all observed attacks globally. ¹

CrowdStrike confirms the credential abuse dimension. 82% of all detections in 2025 were malware-free, with adversaries operating through valid credentials, approved SaaS integrations, and legitimate remote management tools. ² The shift from malware-based to identity-based intrusion is now the structural norm.

Gartner’s 2026 cybersecurity trends analysis, published February 5, 2026, frames the forward implication. The rise of AI agents is introducing new IAM challenges around credential automation and policy-driven authorization for machine actors. ³ By 2028, 70% of CISOs will use identity visibility capabilities to shrink the IAM attack surface. That projection implies the majority are not there yet.

FIGURE 2: Identity Threat Landscape — Key Metrics (Full Year 2025)

Metric                                                  Value
------------------------------------------------------  -----------------
Malware-free detections ²                               82%
Incidents from vulnerability exploitation ¹             40%
Vulnerabilities exploitable without authentication ¹    56%
Active extortion groups (up 49% from 73) ¹              109
North America’s share of global attacks ¹               ~one-third
CISOs using identity intelligence by 2028               70% (projected)
Dark web credentials increase YoY                       12%
Infostealer dark web advertisements                     8 million+

Sources: As per references shown above, Cyber Tech Intelligence Analysis

AGENTIC AI: THE DOUBLE-EDGED CAPABILITY

The most consequential forward-looking development in both the threat and defense landscapes is agentic AI. The defensive priority for 2026 is clear: autonomous SOC capability and IAM built for machine actors. Gartner flags both as top cybersecurity trends for the year. IBM X-Force puts it more directly: the shift to proactive, agentic-AI-driven security isn’t a future consideration, it’s the current gap. ¹

A 29-minute average adversary breakout and a 27-second fastest observed breakout cannot be addressed by human-speed triage. ² Autonomous threat detection operating across the full threat lifecycle is the only defense architecture calibrated to the current attack tempo.

The offensive risk is equally documented. The governance risk is already measurable. By 2028, half of all enterprise incident response efforts will involve custom-built AI applications. Through 2027, manual AI compliance processes will leave 75% of regulated organizations exposed to fines exceeding 5% of global revenue. Governance needs are surfacing early in the adoption cycle, before most organizations have deployed at scale. All three projections come from Gartner.  

A 29-minute breakout window and a 27-second worst-case don’t leave room for a human triage queue. The math on autonomous detection isn’t theoretical; it’s the only architecture that fits the current attack tempo. Securing the AI systems themselves requires governance now, not after incidents materialize.

FIGURE 3: Agentic AI — Threat and Defense Projections (2026-2028)

Metric                                            Value                        Timeline
------------------------------------------------  ---------------------------  ---------------
Enterprise apps with AI agents                    40% (up from <5% in 2025)    End 2026
IR efforts on AI applications                     50%                          By 2028
Regulated orgs exposed via manual AI compliance   75%                          Through 2027
Enterprises using AI security platforms           50%+                         By 2028
Organizations with AI tools exploited ²           90+                          Full Year 2025

Sources: As per references shown above, Cyber Tech Intelligence Analysis

FOUR STRATEGIC IMPERATIVES

Imperative 1: Treat Identity as Critical Infrastructure 

The access control gap is the highest-leverage exposure most organizations are carrying right now: 56% of 2025 vulnerabilities required no authentication to exploit. Closing it means centralized governance, continuous risk-based access controls, and extending IAM to cover machine actors, not just human users. IBM X-Force and Gartner both arrive at the same prescription from different angles. ¹

Imperative 2: Build Detection to AI Speed

The window is 29 minutes. Most enterprise SOC triage cycles are measured in hours. That gap is structural, not operational; you cannot close it by hiring faster analysts. Autonomous SOC capability orchestrating agents across the full threat lifecycle is the architecture IBM X-Force recommends, and the data supports why. ¹

Imperative 3: Govern AI Before Incidents Force It

AI adoption is outrunning security control maturity, and the organizations that close that gap proactively will be in a fundamentally different position from those that wait for the first major AI-application incident to force the conversation. Gartner’s data makes the stakes concrete: 50% of IR efforts focused on AI apps by 2028, and 75% of regulated organizations exposed through manual compliance processes through 2027. ³

Imperative 4: Foundational Controls Remain the Highest-Leverage Investment

The breaches that caused the most damage in 2025 did not defeat advanced security programs; they walked through doors that were never locked. Patch governance, access control, configuration hygiene, and penetration testing still deliver the highest return for most organizations. IBM X-Force is unambiguous on this: foundational control strength determined outcomes more than any advanced capability.

FIGURE 4: Four Strategic Imperatives — Gap and Action (2026)

Imperative                               Documented Gap                                    Action
---------------------------------------  ------------------------------------------------  ------------------------------------------------
Identity as Critical Infrastructure ¹    56% vulns without auth; 82% attacks malware-free  Centralized governance; machine identity coverage
AI-Speed Detection ²                     29-min breakout; SOC triage in hours              Autonomous SOC; agentic threat detection
AI Governance Before Incidents ³         50% IR on AI apps by 2028                         Early engagement; AI security platforms
Foundational Controls First ¹            44% increase in basic app exploitation            Patch governance; access control; config hygiene

Sources: As per references shown above, Cyber Tech Intelligence Analysis

CONCLUSION

Key takeaway from IBM X-Force, CrowdStrike, and Gartner analysis: attacks causing the greatest damage in 2025 and 2026 are not overcoming advanced security programs. Rather, these attacks are exploiting foundational weaknesses in systems that were never addressed.

Artificial intelligence is forcing organizations into an era where gaps once regarded as low priority are now critical vulnerabilities due to the speed of exploitation enabled by AI. Gaps in authentication, lack of governance of identity, and credential exposure are being discovered faster than human-speed governance can react.

Organizations that come out ahead will have done two things: closed the foundational gaps (authentication, credential hygiene, and patch discipline) before an incident forced them to, and deployed detection capability that operates at the speed the threat environment now demands.

KEY DATA SUMMARY

Statistic                                    Value                   Timeline
-------------------------------------------  ----------------------  ---------------
Average eCrime breakout time ²               29 minutes              Full Year 2025
Fastest observed breakout ²                  27 seconds              Full Year 2025
Malware-free detections ²                    82%                     Full Year 2025
Breakout speed increase vs 2024 ²            65%                     Full Year 2025
Public-facing app exploitation ¹             44% YoY                 Full Year 2025
Vulnerabilities without authentication ¹     56%                     Full Year 2025
Active extortion groups ¹                    109 (up 49% from 73)    Full Year 2025
ChatGPT credentials on dark web ¹            300,000+                Full Year 2025
Supply chain incidents since 2020 ¹          4x increase             2020-2025
IR on AI apps by 2028                        50%                     Projected 2028
Regulated orgs via manual AI compliance      75%                     Through 2027
CISOs using identity intelligence            70%                     Projected 2028

Sources: As per references shown above, Cyber Tech Intelligence Analysis

REFERENCES (HARVARD STYLE)

IBM X-Force (2026) 2026 X-Force Threat Intelligence Index: Making the Case for Securing Identities, AI-Enhanced Detection and Proactive Risk Management. Published 25 February 2026.

CrowdStrike (2026) CrowdStrike 2026 Global Threat Report Findings: AI Accelerates Adversaries. Published 24 February 2026.

Gartner (2026) Gartner Identifies the Top Cybersecurity Trends for 2026. Published 5 February 2026.

Gartner (2026) Gartner Predicts AI Applications Will Drive 50% of Cybersecurity Incident Response Efforts by 2028. Published 17 March 2026.

IBM X-Force (2025) X-Force Threat Intelligence Index 2025: Attackers Steal and Sell User Identities at Scale. IBM Corporation, Armonk, New York.

Gartner (2026) 2026 Hype Cycle for Agentic AI. Gartner Inc., Stamford, Connecticut.

Gartner (2025) Gartner Predicts 40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026. Published 26 August 2025.
