Dataminr 2026 Cyber Threat Landscape Report Warns Cyber “Mega-Loss” Era Has Arrived

The numbers are in, and they’re brutal.

Dataminr’s 2026 Cyber Threat Landscape Report dropped this week with findings that should make every CISO, compliance officer, and board member sit up straight. We’re not talking incremental growth in cyber threats. We’re talking about a 225% increase in average monthly threat actor alerts compared with 2024. That’s not evolution — that’s an explosion.

But here’s what really matters: the nature of these attacks has fundamentally shifted. Attackers aren’t breaking in anymore. They’re logging in. And that distinction changes everything about how organizations need to think about data security, data compliance, and data privacy.

5 Key Takeaways

  1. Threat Actor Activity Has Exploded — 225% Increase in Monthly Alerts. Dataminr tracked more than 5,000 threat actors over 2025, logging 18,000-plus ransomware alerts and detecting more than 2 million domain impersonation incidents. Average monthly threat actor alerts jumped 225% compared with 2024. This isn’t incremental growth — it’s a structural shift in the volume and velocity of cyber threats facing every organization that handles sensitive data.
  2. Identity Is Now the Primary Attack Surface. Nearly 30% of intrusions now involve valid credentials. Attackers aren’t breaking in — they’re logging in. An 84% surge in infostealer malware delivered through phishing is fueling this shift, with stolen credentials, session tokens, and browser data packaged for sale on criminal marketplaces. Most social engineering activity is now enhanced by AI, making phishing campaigns more convincing and harder to detect.
  3. Single-Incident Losses Are Growing Catastrophically Large. While ransomware volume stabilized in 2025, the financial impact of individual incidents grew materially larger. Dataminr’s normalized loss severity analysis shows clustering at the $100 million level — and some incidents exceeding $1 billion. Organizations now face fewer but more systemic, multi-vector attacks combining credential theft, data exfiltration, operational disruption, and regulatory exposure.
  4. Traditional Vulnerability Scoring No Longer Reflects Real Business Risk. One in four modern breaches involves exploiting a third-party vulnerability, often weaponized within the same calendar year of disclosure. CVSS scores frequently miss critical context — industry targeting patterns, likelihood of exploitation, and potential financial impact. Organizations that prioritize remediation based solely on technical severity scores are optimizing for the wrong metrics.
  5. Human-Only Security Teams Cannot Keep Pace. With more than 43 terabytes of signals ingested daily and millions of alerts generated annually, the pace and scale of today’s threat landscape has outstripped what human-only security operations can manage. Purpose-built detection platforms are now required to correlate signals early enough to reduce dwell time and prevent catastrophic loss events.

The Identity Problem Nobody Wants to Talk About

Nearly 30% of intrusions now involve valid credentials. Read that again. Almost one in three breaches happens because someone walked through the front door with a stolen key.

This represents a seismic shift in attack methodology. For years, security teams focused obsessively on perimeter defenses. Firewalls. Intrusion detection systems. Network segmentation. All valuable, all necessary — and all increasingly beside the point when attackers simply authenticate as legitimate users.

The mechanism driving this shift? Infostealer malware delivered through phishing, which surged 84% over the past year. These aren’t sophisticated nation-state tools. They’re commodity malware that harvests credentials, session tokens, and browser data, then packages everything neatly for sale on criminal marketplaces.

The problem compounds when you consider scale. Dataminr tracked more than 5,000 threat actors over the year, logged 18,000-plus ransomware alerts, and detected more than 2 million domain impersonation incidents. That’s not a threat landscape. That’s a threat ecosystem operating at industrial scale.


Why Traditional Security Metrics Are Failing

Here’s an uncomfortable truth the Dataminr report surfaces: traditional vulnerability scoring systems don’t reflect actual business risk.

Organizations have spent years prioritizing remediation based on Common Vulnerability Scoring System ratings. A critical vulnerability gets patched immediately. A medium gets scheduled for the next maintenance window. This approach made sense when technical severity correlated with real-world exploitation.

That correlation has broken down.

Attackers weaponize vulnerabilities within months of disclosure. One in four modern breaches involves exploiting a third-party vulnerability, often before traditional risk assessments catch up. Meanwhile, CVSS scores frequently miss context — industry targeting patterns, likelihood of exploitation, and most importantly, potential financial impact.

The result? Organizations patch diligently, check compliance boxes, and still get breached because they’re optimizing for the wrong metrics.

The ‘Mega-Loss’ Reality

Perhaps the most significant finding in the Dataminr report involves loss severity. Ransomware volume stabilized in 2025, which sounds like good news until you examine the distribution of impacts.

Single-incident losses grew materially larger. The report’s normalized loss severity analysis reveals clustering at the $100 million level — and some incidents exceeding $1 billion.

This represents a structural change in cyber risk. Organizations now face fewer but more systemic attacks that combine credential theft, data exfiltration, operational disruption, and regulatory exposure in a single incident. The old model of frequent but contained breaches has given way to rare but catastrophic events.

For compliance officers and risk managers, this shift demands a fundamental rethinking of how cyber risk gets modeled, disclosed, and insured.

The Data Security Gap in Operational Environments

The Dataminr findings align with broader trends documented in the Dragos 2026 OT Cybersecurity Report, which examined threats to operational technology and industrial control systems. Together, these reports paint a picture of converging IT and OT risks that create novel data security challenges.

Threat groups aren’t satisfied with access anymore. They’re systematically mapping control loops, exfiltrating engineering project files, alarm data, HMI/SCADA databases, and configuration backups. This operational data becomes intelligence for future attacks — enabling precision disruption of physical processes.

The data security implications extend beyond traditional IT boundaries. Engineering design files shared between manufacturing floors and suppliers. Quality control procedures exchanged across global sites. Production schedules, maintenance records, and vendor technical specifications. All of this sensitive operational data flows between systems, often through legacy SFTP servers, email attachments, and unsecured file shares.

These channels represent exactly the pathways threat actors exploit. When fewer than 10% of OT networks have proper visibility and monitoring, organizations can’t even see what’s being exfiltrated until the damage is done.

Data Privacy Implications Most Organizations Miss

The Dataminr and Dragos reports focus primarily on security and operational risk. But the data types involved carry significant privacy implications under modern regulatory frameworks.

Consider what gets stolen in these attacks: operator information including named individuals’ behaviors, shift patterns, error histories, and safety incidents. Credentials and activity logs that qualify as sensitive personal data. Configuration files and intrusion walkthroughs that hacktivists publish on Telegram and X, exposing personal identifiers to global audiences.

Organizations typically don’t classify this operational data as personally identifiable information. But under GDPR, CCPA, and emerging state privacy laws, much of it qualifies. The combination of identity data, behavioral patterns, and location information creates regulatory exposure that most industrial organizations haven’t accounted for.

When breach notification requirements kick in, organizations discover they’ve been holding sensitive personal data they never properly inventoried or protected.

The Compliance Reckoning

The findings in both reports map directly onto regulatory obligations that organizations are systematically failing to meet.

Identity abuse through infostealer logs, password reuse, and weak multifactor authentication undermines access control requirements across virtually every compliance framework. Attackers authenticate with valid credentials to VPNs, RDP sessions, and cloud platforms, bypassing perimeter detections entirely.

Vulnerability management programs aren’t keeping pace with weaponization timelines. When exploits emerge within weeks or months of disclosure, monthly patching cycles create persistent exposure windows.

Perhaps most concerning: 30% of incident response cases begin with “something seems wrong,” and in many of those, operational telemetry was never collected. Organizations publicly assert “no cyber involvement” in incidents where they lack the visibility to make that determination. Under due-diligence and breach-assessment requirements in most regulatory frameworks, that’s indefensible.

The detection time gap tells the story clearly. Organizations with comprehensive visibility detect incidents in an average of five days. The industry average? Forty-two days. That six-week difference represents extended data exposure, expanded breach scope, and significantly higher regulatory and legal liability — including missed breach notification windows under GDPR’s 72-hour requirement and the longer but equally binding deadlines in HIPAA and sector-specific frameworks.

The File Transfer Vulnerability

Ransomware affiliates have identified file transfer platforms as high-value targets. The Dragos report specifically calls out exploitation of MFT and FTP systems including Cleo MFT, CrushFTP, and Wing FTP. These platforms become pivot points for stealing sensitive files, deploying backdoors, and disrupting operations across multiple sites simultaneously.

This targeting makes sense from an attacker’s perspective. File transfer systems by definition handle sensitive data. They often connect otherwise-segregated network segments. And they frequently operate with elevated privileges and minimal monitoring.

For organizations still running legacy file transfer infrastructure, this represents urgent data security exposure. Engineering documents, compliance records, vendor specifications, and regulated data all flow through these channels. When they’re compromised, the blast radius extends across the entire data ecosystem. A purpose-built managed file transfer platform with immutable audit trails, DLP controls, and anomaly detection replaces the legacy SFTP exposure with a governed, auditable channel.

What Actually Works

The Dataminr report concludes that the pace and scale of today’s threat landscape has outstripped human-only security teams. With threat actor alerts up 225% and millions of incidents requiring correlation, the argument for automated detection and response has never been stronger.

But technology alone doesn’t solve the problem. The identity-based nature of modern attacks demands fundamental changes in security architecture.

Multifactor authentication everywhere — not as a checkbox exercise but as genuine defense in depth. Phishing-resistant authentication methods that don’t rely on codes users can be socially engineered into revealing. Continuous monitoring for infostealer exposure, recognizing that credential compromise is an ongoing condition rather than a discrete event.

For operational environments, the priority is visibility. You can’t protect what you can’t see. Organizations need comprehensive audit capabilities across all data exchange channels — email, SFTP, file sharing, APIs. The forty-two-day detection time that defines the industry average stems directly from blind spots in how data moves between systems. SIEM platforms that ingest signals from across those channels — file transfer, email, web forms, APIs — close the gaps that allow adversaries to dwell undetected.

Zero-trust architecture has moved from aspirational to essential. Treating all data exchanges as untrusted — including internal transfers between IT and OT zones — closes the lateral movement paths attackers exploit. This is especially critical at IT/OT boundaries where sensitive operational data must flow for legitimate business purposes.

Supply chain and third-party risk management requires the same scrutiny. When one in four breaches involves third-party vulnerabilities, vendor access governance becomes a first-tier security control. Time-limited permissions, comprehensive tracking, and immediate revocation capabilities for compromised accounts or suspicious external parties are minimum requirements.

Where Organizations Go From Here

The Dataminr 2026 Cyber Threat Landscape Report confirms what security practitioners have suspected: we’ve entered a new era of cyber risk characterized by identity-based attacks, compressed weaponization timelines, and catastrophic single-incident losses.

For data security, this means rethinking perimeter-focused defenses in favor of identity protection and continuous monitoring. For data privacy, it means recognizing that operational data often contains personal information requiring regulatory protection. For data compliance, it means closing the gap between checkbox exercises and genuine security controls that address how attacks actually happen.

The 225% increase in threat actor alerts isn’t a trend line to watch. It’s a wake-up call to act. Organizations that respond by hardening identity controls, achieving comprehensive visibility, and governing data exchanges across all channels will weather this era. Those that don’t will find themselves on the wrong side of the mega-loss distribution.

The choice, as always, belongs to the organizations making it.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

Infostealer malware — typically delivered via phishing — harvests credentials, session tokens, and browser-stored passwords from infected endpoints, then packages them for sale on criminal marketplaces. Buyers use those credentials to authenticate as legitimate users into VPNs, cloud platforms, and enterprise systems, bypassing perimeter defenses entirely. Nearly 30% of intrusions now involve valid credentials. Stopping it requires multifactor authentication that doesn’t rely on SMS codes or one-time passwords users can be socially engineered into revealing — phishing-resistant methods like hardware keys or passkeys are significantly more effective. A stolen session token, however, is replayed after MFA has already succeeded, so authentication strength alone does not cover that case. Layering audit logging and SIEM-based anomaly detection on top of MFA catches credential misuse that authentication alone doesn’t prevent.
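The kind of correlation the answer above (and the visibility discussion under “What Actually Works”) calls for, as an added example that is not code from Dataminr, Dragos or Kiteworks: authentication and file-transfer telemetry, normalized to JSON the way a SIEM would ingest it, run through three rules that catch a stolen session token being replayed from a new address and then used for a bulk pull. The log lines, user names, IP addresses, paths and per-user baselines are all constructed for the example; the rule names and thresholds are assumptions, not anything the report prescribes.

```python
"""Correlating auth and file-transfer telemetry to catch valid-credential misuse.

Added example: constructed telemetry, not real logs. The 'auth' events model a
VPN/IdP login; the 'xfer' events model an SFTP/MFT server. User 'jlee' logs in
normally with TOTP, then the same session id appears from a different IP and
pulls hundreds of megabytes: the signature of an infostealer-harvested session
token being replayed after MFA has already passed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """
{"ts":"2026-03-02T08:01:10Z","src":"auth","user":"jlee","ip":"203.0.113.7","session":"s-1001","result":"success","mfa":"totp"}
{"ts":"2026-03-02T08:05:30Z","src":"xfer","user":"jlee","ip":"203.0.113.7","session":"s-1001","action":"download","path":"/eng/rev4/drawing.dwg","bytes":2400000}
{"ts":"2026-03-02T08:40:02Z","src":"xfer","user":"jlee","ip":"198.51.100.9","session":"s-1001","action":"download","path":"/eng/rev4/plc_backup.zip","bytes":310000000}
{"ts":"2026-03-02T08:41:15Z","src":"xfer","user":"jlee","ip":"198.51.100.9","session":"s-1001","action":"download","path":"/eng/rev4/hmi_db.bak","bytes":520000000}
{"ts":"2026-03-02T09:00:00Z","src":"auth","user":"mpatel","ip":"192.0.2.44","session":"s-1002","result":"success","mfa":"totp"}
{"ts":"2026-03-02T09:02:00Z","src":"xfer","user":"mpatel","ip":"192.0.2.44","session":"s-1002","action":"download","path":"/qa/procedures.pdf","bytes":800000}
"""

# Constructed baselines a real deployment would learn from history (assumption).
KNOWN_IPS = {"jlee": {"203.0.113.7"}, "mpatel": {"192.0.2.44"}}
BASELINE_DAILY_BYTES = {"jlee": 5_000_000, "mpatel": 3_000_000}


def parse_events(text):
    """Parse newline-delimited JSON into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_unfamiliar_ip(events, known_ips):
    """Any activity from an address this user has never used before (once per pair)."""
    alerts, flagged = [], set()
    for e in events:
        key = (e["user"], e["ip"])
        if e["ip"] not in known_ips.get(e["user"], set()) and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "unfamiliar_ip", "user": e["user"],
                           "ip": e["ip"], "ts": e["ts"].isoformat()})
    return alerts


def detect_session_replay(events):
    """One session id observed from more than one source IP: token reuse, not re-login."""
    seen = defaultdict(dict)  # session -> {ip: first_seen}
    alerts = []
    for e in events:
        ips = seen[e["session"]]
        if e["ip"] not in ips:
            ips[e["ip"]] = e["ts"]
            if len(ips) > 1:
                alerts.append({"rule": "session_reused_from_new_ip", "user": e["user"],
                               "session": e["session"], "ips": sorted(ips)})
    return alerts


def detect_bulk_download(events, baseline_bytes, window=timedelta(hours=1), factor=10):
    """Bytes downloaded in any sliding window above `factor` x the user's normal daily volume."""
    by_user = defaultdict(list)
    for e in events:
        if e["src"] == "xfer" and e["action"] == "download":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        limit = factor * baseline_bytes.get(user, max(baseline_bytes.values()))
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["bytes"]
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > limit:
                alerts.append({"rule": "bulk_download", "user": user, "ip": e["ip"],
                               "bytes_in_window": total, "limit": limit})
                break  # one alert per user is enough for triage
    return alerts


def run_detections(text, known_ips, baseline_bytes):
    events = parse_events(text)
    return (detect_unfamiliar_ip(events, known_ips)
            + detect_session_replay(events)
            + detect_bulk_download(events, baseline_bytes))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG, KNOWN_IPS, BASELINE_DAILY_BYTES):
        print(json.dumps(alert))
```

Each rule on its own is noisy (travelling users trip the unfamiliar-IP rule every week); the value is in the three firing together for one user and one session, which is what turns a single log line into an incident worth paging on.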

CVSS scores measure technical severity — the complexity of exploitation and potential system impact — but don’t account for attacker behavior in practice. One in four modern breaches involves a third-party vulnerability, often weaponized within months of disclosure. CVSS scores miss critical business context: whether the vulnerability targets your specific industry, how quickly exploit code has appeared in the wild, and the potential financial impact if it’s used against your environment. Organizations that patch purely by CVSS score are closing vulnerabilities that attackers aren’t prioritizing, while leaving the ones they are. Effective prioritization requires combining technical scores with threat intelligence on active exploitation patterns and your organization’s supply chain exposure.
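What “combining technical scores with threat intelligence” looks like in practice, as an added example rather than anything from the Dataminr report: a small prioritization model that multiplies CVSS-derived impact by an exploitation-likelihood weight and an exposure weight, so a medium-severity bug that is actively exploited against your sector on an internet-facing vendor component outranks a critical one with no known exploit on an internal host. The findings, identifiers (VULN-A through VULN-D, not real CVEs), weights and remediation windows are constructed for the example; the weights are assumptions to tune, not values the report publishes.

```python
"""Risk-based vulnerability prioritization: CVSS plus exploitation and business context.

Added example with constructed findings and assumed weights. The point is the
ordering it produces versus a CVSS-only ordering, not the exact numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # technical severity, 0.0-10.0
    exploited_in_wild: bool   # threat intel reports active exploitation
    exploit_public: bool      # working exploit code is publicly available
    targets_our_sector: bool  # actors using it are targeting our industry
    internet_facing: bool     # affected asset is reachable from the internet
    third_party: bool         # vendor-supplied component (supply chain)
    data_sensitivity: int     # 0 none, 1 internal, 2 regulated/personal data


def likelihood(f: Finding) -> float:
    """How likely this is to be used against us, from observed attacker behaviour."""
    if f.exploited_in_wild:
        return 1.0 if f.targets_our_sector else 0.9
    if f.exploit_public:
        return 0.4
    return 0.1          # assumption: most disclosed bugs are never weaponized


def exposure(f: Finding) -> float:
    """Reachability: internal-only assets need an existing foothold first."""
    return 1.0 if f.internet_facing else 0.4


def impact(f: Finding) -> float:
    """CVSS scaled up by what the asset actually holds (financial/regulatory impact proxy)."""
    return (f.cvss / 10.0) * (1.0 + 0.25 * f.data_sensitivity)


def risk_score(f: Finding) -> float:
    score = likelihood(f) * exposure(f) * impact(f) * 100.0
    if f.third_party:
        score *= 1.1    # assumption: vendor components patch slower, weight them up
    return round(score, 1)


def remediation_window_days(f: Finding) -> int:
    """SLA driven by exploitation state first, CVSS only as the fallback."""
    if f.exploited_in_wild:
        return 3
    if f.exploit_public and f.internet_facing:
        return 7
    if f.cvss >= 9.0:
        return 14
    if f.cvss >= 7.0:
        return 30
    return 90


def prioritize(findings):
    """Risk-ordered work queue (highest first)."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss(findings):
    """The ordering a CVSS-only programme would produce, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed findings: the CVSS 6.5 on an exploited, internet-facing vendor
# system holding regulated data should end up at the top of the queue.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, False, False, False, False, False, 1),
    Finding("VULN-B", 6.5, True, True, True, True, True, 2),
    Finding("VULN-C", 7.5, False, True, False, True, False, 0),
    Finding("VULN-D", 9.1, False, True, False, False, True, 2),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.vuln_id for f in by_cvss(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS):
        print(f.vuln_id, "cvss", f.cvss, "risk", risk_score(f),
              "fix within", remediation_window_days(f), "days")
```

Two choices matter more than the weights: likelihood comes from observed exploitation rather than theoretical exploitability, and the remediation deadline is keyed to that same signal, so a CVSS 6.5 under active attack gets a three-day clock while an unexploited 9.8 gets two weeks.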

Managed file transfer and SFTP platforms are among the most attractive targets in any environment for three compounding reasons. First, they aggregate sensitive data from multiple sources — engineering files, compliance records, vendor specifications, regulated personal data — in one place. Second, they frequently connect otherwise-segregated network segments, making them natural pivot points for lateral movement. Third, legacy deployments commonly operate with elevated privileges and minimal monitoring, meaning compromise goes undetected. The Dragos report’s documentation of attacks on Cleo MFT, CrushFTP, and Wing FTP reflects this pattern. Replacing legacy SFTP with a governed MFT platform that provides immutable audit trails, DLP controls, and anomaly detection removes the blind spots that make these systems so exploitable.

Yes — and this is one of the most consistently overlooked compliance exposures in industrial and critical infrastructure security. Operator information routinely collected in OT environments — named individuals’ shift patterns, access histories, error records, behavioral logs — constitutes personal data under GDPR and CCPA. Most organizations don’t classify it as PII and therefore haven’t inventoried or protected it accordingly. The exposure becomes acute when hacktivist groups publish credential dumps and activity logs publicly — triggering breach notification obligations organizations weren’t expecting under frameworks they believed only applied to their IT systems. Data privacy impact assessments need to explicitly cover OT environments to map this exposure before a regulator does it instead.

The 42-day industry average for detecting OT and enterprise breaches creates compounding compliance liability across multiple dimensions. GDPR requires breach notification to supervisory authorities within 72 hours of awareness — a window organizations routinely miss when they can’t see what’s happening across their data exchange channels. HIPAA imposes 60-day notification deadlines for covered entities, and breach assessment requirements demand documented evidence of what data was accessed. Sector-specific frameworks including NERC CIP and financial services regulators impose their own notification timelines. Beyond notification, the extended dwell time means organizations cannot produce the forensic timelines regulators require: who accessed what data, through which systems, and when. Comprehensive audit trails spanning file transfer, email, APIs, and MFT channels are the foundational requirement — without them, compliance evidence simply doesn’t exist.
