CrowdStrike 2026 Global Threat Report flags AI surge

Attack timelines are shrinking as AI reshapes both defence and intrusion. Breakouts now happen in minutes, identities are abused at scale and cloud environments are exploited before patches are available.

DQC Bureau


The CrowdStrike 2026 Global Threat Report highlights how artificial intelligence is accelerating adversary activity and expanding the enterprise attack surface. According to the findings, the average eCrime breakout time dropped to 29 minutes in 2025. The fastest recorded breakout occurred in just 27 seconds.

The report states that as innovation accelerates, exploitation follows. AI is not only enhancing adversary capabilities but also becoming a direct target.

The findings are based on frontline intelligence tracking more than 280 named adversaries.

Breakout times compress to record lows

One of the most significant indicators in the report is the reduction in breakout time. Breakouts were 65 percent faster than in 2024. In one observed intrusion, data exfiltration began within four minutes of initial access.

Breakout time refers to the period between an adversary's initial access to a host and the first lateral movement from it. Shorter timelines shrink the window in which defenders can detect and contain an intrusion before it spreads beyond the first compromised system.

The report frames breakout time as a central signal of how intrusions have evolved.

AI becomes both weapon and target

AI-enabled adversaries increased operations by 89 percent year over year. The report details how attackers are weaponising AI for reconnaissance, credential theft and evasion.

In addition to using AI for offensive operations, adversaries are targeting enterprise AI systems directly.

Key findings include:

  • Malicious prompts injected into legitimate GenAI tools at more than 90 organisations to generate commands for credential theft and cryptocurrency extraction.

  • Exploitation of vulnerabilities in AI development platforms to establish persistence and deploy ransomware.

  • Deployment of malicious AI servers impersonating trusted services to intercept sensitive data.

The report describes prompts as the new attack surface in AI-enabled environments.

Nation-state and eCrime activity intensifies

AI use is not limited to criminal groups. Nation-state actors are integrating AI into operations.

The report notes:

  • Russia-linked FANCY BEAR deployed LLM-enabled malware to automate reconnaissance and document collection.

  • eCrime actor PUNK SPIDER used AI-generated scripts for credential dumping and forensic evasion.

  • DPRK-linked FAMOUS CHOLLIMA scaled insider operations using AI-generated personas.

China-nexus activity increased 38 percent in 2025, with logistics seeing an 85 percent increase in targeting. Across the vulnerabilities the report observed being exploited, 67 percent delivered immediate system access, and 40 percent were in internet-facing edge devices.

DPRK-linked incidents rose more than 130 percent. PRESSURE CHOLLIMA was linked to a USD 1.46 billion cryptocurrency theft, described as the largest reported financial heist of its kind.

Zero day and cloud exploitation expand

The CrowdStrike 2026 Global Threat Report also documents a rise in zero-day exploitation: 42 percent of the exploited vulnerabilities it tracked were exploited before public disclosure, that is, before a patch or advisory was available to defenders.

Cloud-focused intrusions rose 37 percent overall. State-nexus actors targeting cloud environments increased activity by 266 percent, primarily for intelligence collection.

The findings indicate that adversaries are moving through trusted identities, SaaS applications and cloud infrastructure, blending their activity with legitimate use so that it is harder to distinguish from normal operations.

Industry perspective

Adam Meyers, head of counter adversary operations at CrowdStrike, described the current environment as an AI arms race. He stated that adversaries are moving from initial access to lateral movement in minutes, compressing the time between intent and execution.

He added that security teams must operate faster than adversaries to counter evolving attack techniques.

Structural implications for enterprises

The report underscores three structural shifts:

  1. AI accelerating attack development and execution.

  2. AI systems becoming direct targets.

  3. Cloud and identity infrastructure serving as primary attack paths.

As breakout times shrink and exploitation speeds increase, the CrowdStrike 2026 Global Threat Report frames AI as both the accelerant and the battleground in modern cyber operations.
