Darktrace announced the findings of its Annual Threat Report 2026, a comprehensive assessment of the global cyber threat landscape and the trends shaping cyber risk in 2026. Among its key findings, the report highlights a 20% year‑over‑year increase in publicly disclosed vulnerabilities, even as attackers increasingly bypass these weaknesses in favor of credential abuse and identity‑led intrusions.
The cyber threat environment in 2025 was defined by acceleration, convergence, and complexity. Adversaries are no longer relying solely on traditional exploits; they are adopting new technologies and techniques that allow them to move faster and operate with greater precision. This shift has enabled attackers to conduct more targeted, adaptive intrusions that are significantly harder for traditional defenses to detect.
Identity Is the New Perimeter
Identity‑driven compromise has now become the dominant path into organizations. Darktrace’s findings show that, across the Americas, nearly 70% of incidents in the region began with stolen or misused accounts, underscoring how cloud and SaaS adoption have shifted the frontline of cyber defense from the network to the user. As organizations increasingly rely on interconnected cloud services, attackers are targeting the identities that govern access to them, rather than the infrastructure itself.
“Traditional perimeter defenses were built for a world where attackers had to break in,” said Nathaniel Jones, VP of Security and AI Strategy at Darktrace. “Today they simply log in. Stopping identity‑led intrusions requires the ability to recognize when legitimate accounts begin to behave in ways that do not align with normal activity, and that means moving beyond static controls toward security that understands context and intent.”
Cloud and SaaS Environments Are Driving Systemic Risk
Cloud compromise has become the main entry point for cyber-attacks on both sides of the Atlantic. In Europe, 58% of incidents began with compromised cloud accounts and email, overtaking traditional network breaches at 42%. In the Americas, attackers most often break in through SaaS applications and Microsoft 365 accounts, with many of these breaches escalating into double or even triple extortion campaigns.
With 94% of organizations worldwide now relying on cloud computing, the risk is widespread. Across cloud providers, Azure was the most targeted, drawing 43.5% of observed malware samples, compared with 33.2% for Google Cloud Platform (GCP) and 23.2% for Amazon Web Services (AWS). When measured by unique malicious IP addresses, Docker environments accounted for 54.3% of honeypot targeting, underscoring the growing appeal of containerized cloud infrastructure for large scale attacks.
Email Attacks Are Becoming More Sophisticated
Analysis of the 32 million phishing emails detected across Darktrace’s global fleet shows a clear trend: email attacks grew significantly more sophisticated in 2025, with AI‑assisted content, evasive payloads, and identity‑targeting techniques all increasing year-over-year.
Key indicators of this rising sophistication include:
- AI‑assisted phishing accelerating
- QR‑code attacks on the rise
- Fresh domains used at scale
- DMARC evasion through legitimacy
“Phishing has become far more convincing and far more targeted,” Jones comments. “Attackers are using AI to craft messages that look authentic, exploit human trust, and slip past traditional email filters. Defenders need technology that can identify subtle signs of abnormality even when an email appears legitimate at first glance.”
Critical National Infrastructure Outlook
The convergence of geopolitical tensions and rapid digital transformation has made Critical National Infrastructure (CNI) a strategic target for state‑aligned and criminal actors. Darktrace observed three recurring trends shaping CNI risk in 2025:
- Disruption of national services
- Strategic access and pre‑positioning
- Use of proxy and hybrid actors
“The speed and scale of modern attacks demand continuous visibility into how users and systems behave. Identity has become the most reliable path for attackers, and cloud interconnectivity means a single compromised account can have far‑reaching consequences. Behavioral AI gives defenders the ability to detect small deviations early, before they develop into major incidents,” Jones concludes.