
5 Key Takeaways from the CrowdStrike 2026 Global Threat Report

If an attacker gained access to your environment right now, how long would it take your team to detect them?

It’s a question worth sitting with, because for many security teams, the honest answer is: not quickly enough.

Attackers are moving faster, relying less on malware, and using trusted systems to stay hidden. In many cases, the gap between initial access and real impact is now measured in minutes, not hours.

The challenge isn’t understanding these threats. It’s knowing whether your current controls would actually catch them.

Each year, the CrowdStrike Global Threat Report maps how these attacks are evolving. Based on analysis of trillions of security events across endpoints, cloud systems, identities and networks, the 2026 report highlights several significant shifts in attacker behaviour.

Below are five key takeaways, and what they mean for your security programme.

1. Attackers Are Moving Faster Than Ever

One of the most striking findings in the report is the speed at which attackers now operate once they gain initial access.

CrowdStrike reports that the average breakout time, the period between initial access and lateral movement, has dropped to just 29 minutes. In the fastest recorded case, the breakout time was only 27 seconds.

This is part of a consistent trend. In 2023, average breakout time was 62 minutes. By 2024, it had fallen to 48 minutes, and in the latest report it has dropped again to just 29 minutes.

In one intrusion analysed by the report, attackers began attempting data exfiltration within four minutes of gaining access to a compromised environment.

In practice, this leaves very little margin for error. Many security teams are still relying on processes that assume they have time to investigate and respond, when in reality, the window to act may already have passed.

2. Most Attacks No Longer Rely on Malware

Another major shift highlighted in the report is the decline of traditional malware-based attacks.

In 2025, 82% of detections involved no malware at all, with attackers instead relying on legitimate credentials, trusted identity systems and built-in administrative tools.

This approach, sometimes referred to as “living off the land”, allows attackers to blend their activity into normal system behaviour. By operating through trusted tools and authorised access paths, malicious activity can be much harder to detect using traditional security controls.

Many organisations are still heavily focused on detecting malware, despite the majority of modern attacks avoiding it entirely. This creates a gap where malicious activity can go unnoticed, even in environments with mature security tooling.

This shift is increasingly reflected in real-world testing.


“From a red team perspective, this aligns closely with what we are seeing in practice. Guided by current threat intelligence, we emulate real-world adversaries using living-off-the-land techniques, leveraging native tools and legitimate access paths within the environment.

This reflects how modern attackers are operating, as highlighted in the report, and provides a far more realistic way to assess an organisation’s detection and response capabilities.”

– Warren, Lead Penetration Tester

3. Identity Has Become the Primary Attack Surface

The report highlights how identity systems have become central to many modern intrusions.

In many environments, identity is no longer just part of the attack path: it is the primary route attackers use to gain access and move through the organisation.

In cloud environments, valid account abuse accounted for 35% of observed incidents, demonstrating how attackers increasingly rely on compromised credentials to gain access and escalate privileges.

Identity platforms such as Active Directory, cloud authentication services and single sign-on systems now sit at the centre of organisational security. When attackers compromise these systems, they can often move laterally through networks without triggering traditional security alerts.

Many penetration tests reveal weaknesses such as:

These weaknesses can provide attackers with the foothold they need to escalate their access rapidly.

4. AI Is Accelerating Attack Activity

Artificial intelligence is now influencing both sides of the cybersecurity landscape.

According to the report, attacks by AI-enabled adversaries increased by 89% year-over-year.

Threat actors are using AI to assist with a variety of activities, including:

Importantly, the report notes that AI is not yet introducing entirely new attack techniques. Instead, it is primarily enhancing existing methods, allowing attackers to operate faster and at greater scale.

For security teams, this means familiar threats such as phishing and credential compromise are becoming harder to manage, not because they are new, but because of the speed and volume at which they now occur.

5. Cloud, Cross-Domain and Zero-Day Attacks Are Increasing

The report also highlights the growing complexity of modern attack paths.

Cloud-conscious intrusions rose 37% in 2025, with state-sponsored threat actors showing particularly strong growth in this area.

Attackers increasingly move across multiple parts of an organisation’s infrastructure, including:

This cross-domain movement can create detection challenges because many organisations monitor these systems separately. Attackers can exploit gaps between these controls to remain undetected.

In many organisations, these gaps exist simply because different parts of the environment are monitored in isolation, making it difficult to see how an attack progresses across systems in real time.
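A defender-side illustration of the gap described above, as an added example that is not from the post or from CrowdStrike: two constructed log extracts, one from the identity layer and one from the endpoint layer, each look benign on their own (a valid credential signing in; a signed native admin binary running), and only a join across the two, bounded by the 29-minute average breakout time, surfaces the lateral movement. The event fields, host names, baseline and admin-tool list are assumptions.

```python
from datetime import datetime, timedelta

# Average breakout time cited in the report; the join only looks this far past a
# sign-in, since that is the window in which lateral movement has to be caught.
BREAKOUT_WINDOW = timedelta(minutes=29)

# Built-in admin binaries worth flagging when run on a host outside an account's
# baseline (constructed, illustrative set).
ADMIN_TOOLS = {"wmic.exe", "psexec.exe", "powershell.exe", "net.exe"}

# Constructed identity-layer events (SSO / domain sign-ins). Every one is a valid
# credential succeeding, so this log alone raises nothing.
IDENTITY_EVENTS = [
    {"ts": "2026-01-10T09:00:00", "user": "alice", "host": "WS-ALICE", "result": "success"},
    {"ts": "2026-01-10T09:05:00", "user": "alice", "host": "FS-01", "result": "success"},
]

# Constructed endpoint-layer events. Signed native tools only, so a malware-focused
# control sees nothing here either.
ENDPOINT_EVENTS = [
    {"ts": "2026-01-10T09:02:00", "user": "alice", "host": "WS-ALICE", "proc": "outlook.exe"},
    {"ts": "2026-01-10T09:07:30", "user": "alice", "host": "FS-01", "proc": "wmic.exe"},
]

# Constructed baseline: hosts each account normally signs in to.
KNOWN_HOSTS = {"alice": {"WS-ALICE"}}


def correlate(identity_events, endpoint_events, known_hosts, window=BREAKOUT_WINDOW):
    """Join the two silos: alert when a valid account signs in to a host outside its
    baseline and an admin tool then runs under that account on that host inside
    the breakout window. Returns a list of alert dicts."""
    alerts = []
    for signin in identity_events:
        if signin["result"] != "success":
            continue
        if signin["host"] in known_hosts.get(signin["user"], set()):
            continue  # expected host for this account; not a breakout candidate
        t0 = datetime.fromisoformat(signin["ts"])
        for proc in endpoint_events:
            if (proc["user"], proc["host"]) != (signin["user"], signin["host"]):
                continue
            if proc["proc"].lower() not in ADMIN_TOOLS:
                continue
            delta = datetime.fromisoformat(proc["ts"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append({"user": signin["user"], "host": signin["host"],
                               "tool": proc["proc"],
                               "minutes_after_signin": delta.total_seconds() / 60})
    return alerts
```

Run on the constructed data this yields a single alert for alice on FS-01 running wmic.exe 2.5 minutes after sign-in, which neither log would have produced in isolation.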

At the same time, the report highlights the continued rise in previously unknown vulnerabilities being exploited by attackers. CrowdStrike observed a 42% increase in zero-day vulnerabilities being exploited before public disclosure.

This trend reinforces the need for organisations to adopt security strategies that go beyond patch management alone. While timely patching remains critical, defenders must also focus on behavioural detection and threat monitoring to identify malicious activity that exploits unknown vulnerabilities.

The common thread across these trends is not just how attackers are evolving, but how easily they can exploit gaps in visibility, identity controls and response capability.

What This Means for Organisations

Taken together, the findings from the CrowdStrike Global Threat Report illustrate a threat landscape defined by speed, stealth and increasingly sophisticated attack techniques.

Attackers are:

For most security teams, this highlights the need for strong identity security, comprehensive monitoring and realistic testing of defensive capabilities.

Reports like this provide valuable insight into how adversaries are evolving, but insight alone does not answer the most important question:

How would our own environment perform against these techniques?

Independent security testing, including penetration testing and continuous adversary emulation, can help organisations answer that question and identify weaknesses before real attackers do.


About the author

Jen is a marketing professional who supports the marketing strategy across the digital mix, with a strong focus on content creation and campaign delivery. She develops clear, customer-focused content that helps organisations understand cyber security risks and best practice. Jen enjoys keeping up with developments across the cyber security landscape to ensure marketing activity remains relevant and valuable.
Jen Goulbourne
Marketing Executive
