The IT Nerd

Flashpoint today announced the release of its 2026 Global Threat Intelligence Report (GTIR), providing security leaders from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office with a proprietary data-driven, ground-truth view of the converging threats defining today’s hybrid risk environment.

Powered by Flashpoint’s Primary Source Collection (PSC), the 2026 GTIR reveals a sharp rise in AI-related discussions, signaling a rapid shift from criminal curiosity to the active development of malicious agentic frameworks. At the same time, the mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to operate as legitimate users. As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust and identity compromise. Meanwhile, the patching window continues to collapse, with mass exploitation of zero-day vulnerabilities occurring in as little as 24 hours after discovery.

Cybercrime Has Entered the Era of Total Convergence

Between late 2025 and early 2026, adversaries rapidly accelerated adoption of agentic AI frameworks capable of orchestrating autonomous attack chains — automating reconnaissance, phishing generation, credential testing, and infrastructure rotation all without direct human control. This dramatically lowers the cost of experimentation and increases the speed of exploitation.

The 2026 GTIR identifies four converging forces reshaping the global threat landscape:

• Agentic AI Operationalization — Autonomous systems capable of executing
  end-to-end attack chains at machine speed, increasing both the volume and intensity of
  cybercrime
• Identity as the Primary Exploit Vector — Billions of compromised credentials fueling
  credential-based intrusions beyond the boundaries of organizational oversight and
  control
• Compression of the Exploitation Window — Vulnerabilities weaponized within hours
  of disclosure before organizations can understand their exposures or begin to respond
• The Evolution of Extortion — Ransomware shifting toward identity-driven and
  insider-enabled models, enhancing its effectiveness

Together, these dynamics form a single, high-velocity threat ecosystem where automation,
identity compromise, and vulnerability exploitation reinforce one another.

AI-Related Illicit Activity Surged 1,500% in a Single Month

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025 from 362,000 mentions to more than 6 million, signaling a rapid transition from experimentation to operationalized malicious AI frameworks.

Threat actors are actively developing autonomous systems capable of scraping data, rotating infrastructure, adjusting messaging, and learning from failed attempts without continuous human oversight. These agentic systems dramatically increase iteration speed and reduce operational friction for attackers.

Identity Has Become the Primary Exploit Vector

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, generating an inventory of 3.3 billion compromised credentials and cloud tokens.

As a result, the mechanics of cybercrime have shifted from “breaking in” to “logging in.” Attackers now leverage stolen session cookies, tokens, and legitimate credentials to bypass traditional security perimeters entirely, turning digital identity into the connective tissue of modern exploitation. The reality of identity data and the potential for its automation necessitate a shift in how organizations must view their attack surface. Infostealers have shown that it is no longer limited to corporate infrastructure; it now includes employee browsers, personal devices, SaaS platforms, and third-party access.

The Window Between Vulnerability Disclosure and Exploitation Is Vanishing

Vulnerability disclosures increased by 12% year-over-year, with one-third (33%) of disclosed vulnerabilities having publicly available exploit code.

Several high-impact vulnerabilities were mass exploited within hours of disclosure, compressing remediation timelines and raising the stakes for exposure management. In this environment, organizations cannot rely solely on reactive patching cycles; they must incorporate early-warning intelligence to anticipate weaponization trends.

Ransomware Is Pivoting Toward Pure-Play Identity Extortion

Ransomware incidents rose by 53% in 2025, with RaaS groups responsible for more than 87% of attacks.

Rather than relying exclusively on encryption payloads, threat actors are increasingly targeting identity and human trust by recruiting malicious insiders, abusing authorized access, and leveraging credential theft to extort organizations without deploying traditional ransomware binaries.

Who should read the 2026 GTIR?

The report is designed for CISOs, threat intelligence teams, vulnerability management leaders, fraud and risk teams, and executive decision-makers seeking a strategic view of converged cyber and hybrid threats.

Read the full report here: https://flashpoint.io/resources/report/flashpoint-global-threat-intelligence-report-2026