2026 Global Threat Intelligence Report Highlights Rise in Agentic AI Cybercrime


Flashpoint has announced the release of its 2026 Global Threat Intelligence Report (GTIR), providing security leaders, from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office, with a proprietary, data-driven, ground-truth view of the converging threats defining today’s hybrid risk environment.

Powered by Flashpoint’s Primary Source Collection (PSC), the 2026 GTIR reveals a sharp rise in AI-related discussions, signaling a rapid shift from criminal curiosity to the active development of malicious agentic frameworks. At the same time, the mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to operate as legitimate users. As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust and identity compromise. Meanwhile, the patching window continues to collapse, with mass exploitation of zero-day vulnerabilities occurring in as little as 24 hours after discovery.

“In 2026, cybercrime has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have consolidated into a single, high-velocity threat engine — that agentic AI is rapidly transforming from human-led campaigns to machine-speed operations,” said Josh Lefkowitz, Co-Founder and CEO of Flashpoint. “As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Cybercrime Has Entered the Era of Total Convergence 

Between late 2025 and early 2026, adversaries rapidly accelerated adoption of agentic AI frameworks capable of orchestrating autonomous attack chains — automating reconnaissance, phishing generation, credential testing, and infrastructure rotation all without direct human control. This dramatically lowers the cost of experimentation and increases the speed of exploitation.

The 2026 GTIR identifies four converging forces reshaping the global threat landscape: 

  • Agentic AI Operationalization — Autonomous systems capable of executing end-to-end attack chains at machine speed, increasing both the volume and intensity of cybercrime
  • Identity as the Primary Exploit Vector — Billions of compromised credentials fueling credential-based intrusions beyond the boundaries of organizational oversight and control 
  • Compression of the Exploitation Window — Vulnerabilities weaponized within hours of disclosure before organizations can understand their exposures or begin to respond 
  • The Evolution of Extortion — Ransomware shifting toward identity-driven and insider-enabled models, enhancing its effectiveness 

Together, these dynamics form a single, high-velocity threat ecosystem where automation, identity compromise, and vulnerability exploitation reinforce one another.

AI-Related Illicit Activity Surged 1,500% in a Single Month 

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, from 362,000 mentions to more than 6 million, signaling a rapid transition from experimentation to operationalized malicious AI frameworks.

Threat actors are actively developing autonomous systems capable of scraping data, rotating infrastructure, adjusting messaging, and learning from failed attempts without continuous human oversight. These agentic systems dramatically increase iteration speed and reduce operational friction for attackers.

Identity Has Become the Primary Exploit Vector 

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, generating an inventory of 3.3 billion compromised credentials and cloud tokens.

As a result, the mechanics of cybercrime have shifted from “breaking in” to “logging in.” Attackers now leverage stolen session cookies, tokens, and legitimate credentials to bypass traditional security perimeters entirely, turning digital identity into the connective tissue of modern exploitation. The reality of identity data and the potential for its automation necessitate a shift in how organizations must view their attack surface. Infostealers have shown that the attack surface is no longer limited to corporate infrastructure; it now includes employee browsers, personal devices, SaaS platforms, and third-party access.

The Window Between Vulnerability Disclosure and Exploitation Is Vanishing 

Vulnerability disclosures increased by 12% year-over-year, with one-third (33%) of disclosed vulnerabilities having publicly available exploit code.

Several high-impact vulnerabilities were mass exploited within hours of disclosure, compressing remediation timelines and raising the stakes for exposure management. In this environment, organizations cannot rely solely on reactive patching cycles; they must incorporate early-warning intelligence to anticipate weaponization trends.

Ransomware Is Pivoting Toward Pure-Play Identity Extortion 

Ransomware incidents rose by 53% in 2025, with RaaS groups responsible for more than 87% of attacks.

Rather than relying exclusively on encryption payloads, threat actors are increasingly targeting identity and human trust by recruiting malicious insiders, abusing authorized access, and leveraging credential theft to extort organizations without deploying traditional ransomware binaries.

What Security Leaders Will Gain from the 2026 GTIR 

The 2026 Global Threat Intelligence Report delivers: 

  • Deep analysis of the convergence between AI and identity-driven attacks 
  • Intelligence on the professionalization and franchise model of modern extortion ecosystems 
  • Data-driven insights to strengthen vulnerability prioritization and exposure management 
  • Strategic guidance for operationalizing primary-source intelligence 
  • Recommendations for defending against machine-speed attack chains 

The full 2026 Global Threat Intelligence Report is available here. 


