CrowdStrike Drops Its 2026 Global Threat Report — and It’s a Wake-Up Call for Every Security Team

There’s a phrase that gets thrown around in security briefings so often it’s lost all meaning: “attackers are getting faster.” It’s the kind of thing you nod at during a conference keynote and then forget by the time you hit the expo floor.

CrowdStrike’s 2026 Global Threat Report just made it impossible to forget.

The headline number: the average eCrime breakout time — the interval between an attacker’s initial compromise and their first lateral movement — dropped to 29 minutes in 2025. Down from 48 minutes in 2024. Down from 98 minutes in 2021. The fastest observed breakout clocked in at 27 seconds. In one case, data exfiltration began within four minutes of initial access.

Let that sit for a moment. Four minutes from compromise to data theft. Most organizations can’t get a Slack thread going in four minutes, let alone contain an active intrusion.

This report paints 2025 as the “year of the evasive adversary.” The defining characteristics: speed, identity abuse, and direct attacks on AI systems themselves. And the data behind those claims is not theoretical. It’s drawn from real-world intrusions, incident response engagements, and threat intelligence across thousands of organizations worldwide.

5 Key Takeaways

  1. Breakout Time Has Collapsed to 29 Minutes — and That’s the Average. Average eCrime breakout time fell to 29 minutes in 2025, down from 48 in 2024, with the fastest at 27 seconds. If your incident response process is measured in hours, you are already too late.
  2. 82% of Intrusions Are Now Malware-Free. Attackers log in with stolen credentials and native admin tools, not malicious code. Signature-based defenses are no longer the front line — identity monitoring and cross-domain correlation are.
  3. AI Is Now Both Weapon and Target. AI-enabled attacks surged 89% year-over-year. Nation-state actors deployed LLM-powered malware; eCrime groups automated credential theft. CrowdStrike also responded to incidents at more than 90 organizations where adversaries directly attacked AI development tools and data platforms.
  4. China-Nexus Actors Are Running Industrialized Edge Device Exploitation. China-linked activity grew 38%, with 40% targeting edge devices — VPNs, firewalls, routers — outside most EDR coverage. Exploits were weaponized within two days of disclosure. Zero-day abuse rose 42%.
  5. Ransomware Has Left the Endpoint — and a $1.46 Billion Crypto Heist Proves the Scale. Ransomware groups deploy across cloud, identity, and virtualization layers. Cloud-conscious intrusions rose 37%, 266% for state-nexus actors. A DPRK supply chain attack executed the largest financial theft ever recorded.

The Speed Problem Is Now a Math Problem — and Defenders Are Losing

The collapse of breakout time is not a trend. It’s a structural shift in how intrusions work.

When breakout time was measured in hours, defenders had a realistic window to detect, investigate, and contain. When it drops to 29 minutes — with the leading edge measured in seconds — the entire concept of “detect and respond” changes. You are no longer responding to an intrusion in progress. You are responding to an intrusion that has already moved laterally, established persistence, and potentially begun exfiltrating data before your SOC analyst has finished reading the alert.

CrowdStrike attributes this acceleration to a combination of factors: attackers are better at using legitimate credentials and trusted tools, they’re automating post-exploitation activity with AI-generated scripts, and they’re systematically targeting the gaps between security tools. The report notes that 82% of detections in 2025 were malware-free — meaning most intrusions involved no traditional malicious code at all. Attackers used valid credentials, native administrative utilities, and commercial remote access tools to blend into normal business activity.

This is the practical consequence of what the WEF Global Cybersecurity Outlook 2026 describes as increasing organizational complexity, where interdependencies, legacy technologies, and fragmented visibility create systemic risk that compounds over time. When your security stack is optimized for catching malware, and 82% of intrusions don’t use malware, you have an architectural problem, not a tuning problem.

The AI Arms Race Is No Longer Theoretical — It’s Operational

AI-enabled adversary operations surged 89% year-over-year in 2025. But the CrowdStrike report draws an important distinction: AI is accelerating established tactics rather than creating entirely new ones. Threat actors are integrating generative AI across the kill chain — from social engineering to malware development to defense evasion — and the operational impact is significant even if the underlying techniques are familiar.

The specifics are worth paying attention to. Russia-nexus actor FANCY BEAR deployed LLM-enabled malware known as LAMEHUG, which embedded prompt-based logic to automate reconnaissance and document collection from compromised systems. eCrime actor PUNK SPIDER used AI-generated scripts to speed up credential dumping and erase forensic evidence. DPRK-linked FAMOUS CHOLLIMA used AI tools to scale fraudulent insider employment schemes — placing operatives inside target organizations by gaming the hiring process with AI-generated resumes, interview responses, and identity documents.

But the report’s sharpest warning is about AI as a target, not just a tool. CrowdStrike responded to incidents at more than 90 organizations where adversaries injected malicious prompts into legitimate AI development tools, abusing local AI command-line interfaces to generate commands that stole credentials and cryptocurrency. Elsewhere, attackers exploited vulnerabilities in AI platforms such as Langflow to establish persistence and deploy ransomware. Malicious clones of legitimate Model Context Protocol (MCP) servers were used to intercept sensitive data flowing through AI workflows.

The implication is uncomfortable but unavoidable: the AI tools your organization is deploying to improve productivity and security are simultaneously expanding your attack surface. Without governance over model access, prompt inputs, data flows, and integration points, AI adoption is risk adoption.

China-Nexus Actors Are Running an Edge Device Campaign at Scale

Beyond AI, the report documents a sharp escalation in China-nexus activity, up 38% overall in 2025. Logistics targeting increased 85%, with telecommunications and financial services also heavily impacted. But the tactical pattern that matters most is systematic exploitation of internet-facing edge devices.

VPN appliances. Firewalls. Routers. Mail servers. The infrastructure that sits at the perimeter but often falls outside the reach of endpoint detection tools. In 40% of cases where China-nexus actors exploited a vulnerability, the target was an edge device. And the speed is alarming: many exploits were weaponized within days of public disclosure, with some operationalized in as little as two to six days. Zero-day exploitation rose 42% year-over-year.

This is not opportunistic scanning. It is industrialized vulnerability exploitation. The Dragos 2026 OT/ICS Cybersecurity Report describes a nearly identical pattern in industrial environments, where threat groups systematically target internet-facing Ivanti, Fortinet, Cisco, and F5 assets as entry points into operational technology networks. The median time from vulnerability disclosure to public exploit dropped to 24 days — and in some cases, adversaries had working exploits before vendors had patches.

For security and data protection leaders, this creates a structural problem. Edge devices provide immediate system access, they often lack robust monitoring, and patching cycles measured in weeks or months are fundamentally mismatched against weaponization timelines measured in days. If your sensitive data passes through or is accessible from these devices — and for most organizations, it is — you have a visibility gap that adversaries are actively exploiting.

Ransomware Has Left the Endpoint — and Identity Is the New Front Door

The CrowdStrike report details a significant evolution in ransomware operations during 2025. The most sophisticated groups have moved beyond traditional endpoint-focused deployment to cross-domain campaigns that span cloud, identity, and virtualized environments.

SCATTERED SPIDER and BLOCKADE SPIDER moved laterally across cloud and identity infrastructure, often deploying ransomware exclusively on VMware ESXi systems — the virtualization layer that underpins most enterprise server environments but frequently lacks the same monitoring coverage as user endpoints. PUNK SPIDER conducted 198 observed intrusions, a 134% increase, using techniques like remote file encryption over SMB shares that allowed data encryption without executing ransomware directly on managed hosts.

The supply chain dimension is equally alarming. DPRK-linked PRESSURE CHOLLIMA executed a $1.46 billion cryptocurrency theft — the largest single financial heist ever reported — by compromising SafeWallet and Bybit through a supply chain attack. They inserted malicious JavaScript and smart contract logic into trusted financial software, executed the theft, and then reverted the code changes to cover their tracks.

Cloud-conscious intrusions rose 37% in 2025, with a 266% increase from state-nexus actors. Valid account abuse accounted for 35% of cloud incidents. These are not brute-force attacks. These are adversaries who have obtained legitimate credentials — through phishing, infostealer malware, or purchases on dark web marketplaces — and are using them to walk through the front door of cloud and SaaS environments.

The Dragos report corroborates this identity-centric attack model in industrial environments, documenting how ransomware affiliates increasingly rely on credential logs from infostealers, password reuse across OT and IT systems, and compromised vendor accounts to bypass perimeter defenses entirely. The pattern is consistent: across sectors, identity compromise is the primary access vector, and cloud and SaaS platforms are the primary target environment.

What This Means for Security and Data Leaders

The CrowdStrike 2026 Global Threat Report, read alongside the WEF Global Cybersecurity Outlook 2026 and the Dragos OT/ICS report, points to a threat landscape that has fundamentally outpaced the security models most organizations still operate. The convergence is unmistakable: attackers are chaining identity compromise, SaaS abuse, edge exploitation, and AI manipulation into campaigns that cross domain boundaries faster than fragmented security tools can correlate.

The WEF report found that 61% of organizations rank rapidly evolving threat landscapes as their greatest resilience challenge, while 46% flag supply chain vulnerabilities. These are not separate problems. They are facets of the same structural challenge: organizations cannot protect data they cannot see, govern access they cannot monitor, or respond to threats that move faster than their processes allow.

What Every CISO Should Do Now

Treat 29 minutes as the planning assumption, not the exception. Every incident response plan, tabletop exercise, and detection workflow should be stress-tested against a sub-30-minute breakout scenario. If your mean time to detect and contain is measured in hours, you are planning for a threat landscape that no longer exists. Kiteworks’ automated policy enforcement and real-time monitoring operate at the speed the threat demands, ensuring that data access controls are active and enforceable before manual processes can engage.

Move from malware detection to identity-centric defense. With 82% of intrusions malware-free, the center of gravity for detection must shift to identity behavior, access patterns, and cross-domain correlation. This means continuous monitoring of authentication events, privilege escalation, and lateral movement across endpoint, cloud, SaaS, and identity infrastructure. Kiteworks enforces this at the data layer: attribute-based access controls evaluate user identity, data sensitivity, and intended purpose before granting access, and every interaction is logged in a single consolidated audit trail.

Govern your AI tools before adversaries do. The report’s finding that attackers targeted AI systems at more than 90 organizations should trigger an immediate inventory of every AI tool, model, and integration in your environment. Establish access controls, monitor prompt inputs and outputs, and implement data loss prevention tuned for AI-assisted exfiltration. Kiteworks’ Secure MCP Server enforces role-based and attribute-based controls over every external agent interaction, providing the governance infrastructure that AI deployment requires.

Close the edge device visibility gap. Edge devices are the soft underbelly of enterprise security. Patch internet-facing appliances within days — not weeks — of disclosure. Implement network segmentation that limits lateral movement from compromised edge devices. Deploy monitoring that covers the devices your EDR cannot reach. Kiteworks’ hardened virtual appliance architecture with embedded firewalls, intrusion detection, and double encryption at rest ensures that the platform handling your most sensitive data is not part of the unmonitored perimeter.

Demand cross-domain visibility, not siloed dashboards. When ransomware actors deploy exclusively on ESXi, when cloud intrusions rely on stolen identity tokens, and when AI tools become lateral movement vectors, security visibility that stops at the endpoint is security visibility that stops short. Effective defense requires correlation across endpoint, identity, cloud, SaaS, and AI infrastructure in a single operational picture. Kiteworks provides this for sensitive data: unified governance across every communication channel with a consolidated audit log that eliminates the gaps fragmented tools create.

The 29-Minute Reality Requires a Different Architecture

The CrowdStrike 2026 report’s central message is that the adversary has adapted faster than the defender. Breakout times are collapsing. Malware is optional. AI is both weapon and target. Identity is the perimeter. Edge devices are the breach point. And cross-domain campaigns are the norm, not the exception.

For organizations responsible for protecting sensitive data — customer records, financial information, intellectual property, regulated content — the question is no longer whether attackers will reach your data. The question is whether your governance infrastructure can detect, contain, and prove compliance when they do.

Kiteworks is the platform built for this reality: unified data governance across email, file sharing, SFTP, managed file transfer, web forms, and APIs. Zero trust architecture where all IP addresses are blocked by default. Attribute-based access controls that enforce policy at the data layer. A single consolidated audit log that tracks every interaction across every channel. FIPS 140-3 validated encryption with customer-owned keys. And executive-ready compliance reporting across 50+ regulatory frameworks.

The 29-minute breakout window is not a temporary condition. It is the new operating reality. The organizations that will protect their data are the ones whose governance infrastructure was built for machine-speed adversaries, not manual-speed processes.

The window is closing. The question is whether your defenses are already inside it.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

Signature-based tools only detect what they recognize. When attackers use valid credentials, native admin utilities, and commercial remote access tools, there’s nothing to signature-match. The detection shift required is behavioral: monitoring for anomalous identity activity, unusual privilege escalation, and lateral movement patterns rather than malicious code. Audit trails that log every data access event become the forensic record that signature-based tools can no longer provide.
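One way to make the identity-centric detection described above (and in the "move from malware detection to identity-centric defense" recommendation) concrete, as an added example that is not CrowdStrike's or Kiteworks' code: correlate an account's first authentication from an address outside its baseline with the distinct hosts it reaches within a 30-minute window, and report the observed breakout time. The event format, the per-account baseline and the sample log lines are all constructed for this example.

```python
"""Breakout-time correlation over identity events. Added example (not CrowdStrike's
or Kiteworks' code); the NDJSON event shape, the baseline and the telemetry below
are all constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one authentication or remote-access event per line.
SAMPLE_LOG = """\
{"ts": "2025-06-01T09:00:00Z", "user": "jdoe", "src": "10.0.5.21", "dst": "WS-042", "action": "logon"}
{"ts": "2025-06-01T09:02:10Z", "user": "jdoe", "src": "10.0.5.21", "dst": "FILE-01", "action": "smb"}
{"ts": "2025-06-01T13:14:00Z", "user": "svc-backup", "src": "203.0.113.77", "dst": "VPN-GW", "action": "logon"}
{"ts": "2025-06-01T13:19:30Z", "user": "svc-backup", "src": "203.0.113.77", "dst": "DC-01", "action": "logon"}
{"ts": "2025-06-01T13:25:05Z", "user": "svc-backup", "src": "203.0.113.77", "dst": "ESXI-03", "action": "ssh"}
{"ts": "2025-06-01T13:31:40Z", "user": "svc-backup", "src": "203.0.113.77", "dst": "FILE-01", "action": "smb"}
"""
# Constructed baseline: addresses each account normally authenticates from.
KNOWN_SOURCES = {"jdoe": {"10.0.5.21"}, "svc-backup": {"10.0.9.4"}}

def parse_events(raw):
    """Parse NDJSON events into dicts with datetime timestamps, oldest first."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_breakouts(events, known_sources, window_minutes=30, min_hosts=2):
    """Flag accounts whose first authentication from an unknown source is followed,
    inside the window, by access to at least min_hosts other hosts (no malware needed)."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, evs in per_user.items():
        baseline = known_sources.get(user, set())
        foothold = next((e for e in evs if e["src"] not in baseline), None)
        if foothold is None:
            continue  # every event came from a known source: jdoe's morning is benign here
        moves = [e for e in evs if foothold["ts"] < e["ts"] <= foothold["ts"] + window
                 and e["dst"] != foothold["dst"]]
        hosts = list(dict.fromkeys(e["dst"] for e in moves))  # distinct, in order reached
        if len(hosts) >= min_hosts:
            breakout = (moves[0]["ts"] - foothold["ts"]).total_seconds() / 60
            findings.append({"user": user, "src": foothold["src"],
                             "breakout_minutes": round(breakout, 1), "hosts": hosts})
    return findings

if __name__ == "__main__":
    for f in find_breakouts(parse_events(SAMPLE_LOG), KNOWN_SOURCES):
        print(f"{f['user']} from {f['src']}: breakout in {f['breakout_minutes']} min -> {f['hosts']}")
```

On the constructed log the service account is flagged with a 5.5-minute breakout across three hosts, while the user who touches two hosts from a known address is not; tightening window_minutes shows how the planning assumption changes what the rule catches.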

FAMOUS CHOLLIMA operatives submit AI-generated resumes, coach themselves through interviews using hidden devices, and use deepfake or borrowed identities to pass video screening. Detection requires verifying government-issued identity documents through third-party validation services, requiring live unscripted video interactions, and cross-referencing application details against known DPRK front company patterns. Post-hire, attribute-based access controls limiting data scope to defined job functions and audit logging of every data interaction contain the blast radius if an operative does get through.

Most EDR tools run on guest operating systems, not the ESXi hypervisor layer itself. Ransomware deployed directly on ESXi encrypts all hosted VMs without triggering guest-level agents. Compensating controls include hypervisor-level monitoring, network segmentation that isolates ESXi management interfaces from user-accessible networks, privileged access restrictions for ESXi administrative credentials, and audit trails covering data stored on ESXi-hosted systems — so scope can be determined immediately when encryption does occur.

Malicious MCP server clones intercept sensitive data flowing between LLM applications and enterprise tools, capturing credentials, personal data, and intellectual property without triggering conventional alerts. Governance requires verifying MCP server provenance before deployment, enforcing role-based and attribute-based access controls on every agent interaction, applying DLP policies to AI prompt inputs and outputs, and logging every LLM tool interaction in an immutable audit trail.

Under GDPR, breach notification to supervisory authorities must occur within 72 hours of becoming aware of a breach. If breakout happens in 29 minutes and detection takes hours or days, the notification clock may start running long before forensic scope is established. Organizations without real-time audit trails logging every data access event will struggle to determine what personal data was accessed — forcing worst-case-assumption disclosures and exposing them to secondary violations for incomplete or inaccurate notifications.
