X-Force Threat Intelligence Index 2026

Published 25 February 2026

Executive summary

The biggest trends the IBM X-Force team observed in 2025 were a surge in broad‑based exploitations of exposed systems, weaknesses in software supply chains and growing systemic dependencies across cloud and application ecosystems.

Last year, attackers refined their techniques for infiltrating software distribution channels, cloud services and open‑source ecosystems. By doing this, they demonstrated how a single weak point in an interconnected environment can enable large‑scale or high‑privilege access.

X-Force, which pulled data from incident response and penetration tests, the dark web and other threat intelligence sources for this report, identified the leading initial access vector: the exploitation of public-facing applications. The team noted that the growing number and complexity of software vulnerabilities, combined with misconfigurations in applications, and AI adoption broadened the attack surface for intrusions. Many vulnerabilities didn’t require authentication at all, highlighting the critical need for stronger access controls, rigorous patching and secure deployment practices.

X-Force also found credential theft remained at the center of many prominent campaigns. Meanwhile, the rapid adoption of AI chatbot platforms for consumers and workplace users introduced a new layer of exposure; credentials tied to these chatbots increasingly surfaced in underground marketplaces, driven largely by infostealer infections on end-user devices.

Threat actors often publicly exaggerate their reach and successes, which can inflate the perceived scale of these compromises. That said, the underlying trend X-Force identified is a clear warning for security leaders: organizations are accumulating sensitive authentication data on systems that may not be adequately secured. Law-enforcement takedowns managed to disrupt portions of the infostealer ecosystem in 2025, but these malware families continue to offer adversaries easy and effective means of gathering high-value credentials.

The ransomware ecosystem also shifted in 2025, becoming more fragmented and volatile, with many small groups conducting lower-volume but widespread attacks. Data extortion, supply‑chain compromise and opportunistic targeting of smaller organizations remained prominent trends as well.

The tactics of nation‑state actors and cybercriminal groups continued to converge. X-Force noted that tools, techniques and operational patterns increasingly overlapped between these threat communities, complicating attribution and potentially delaying appropriate response actions. In several instances, activity that initially appeared mundane later proved to be part of highly sophisticated, persistent operations.

Artificial intelligence also continued to reshape attacker operations in 2025. While AI has not changed playbooks, it has dramatically increased the speed, scale and efficiency of those operations. Adversaries are now using generative AI to shrink decision cycles, scale social engineering and iterate on attack paths in real time. As multimodal models mature, the barrier to entry will shrink further, allowing lower-skilled workers to automate reconnaissance, privilege escalation and lateral movement, resulting in faster‑moving and more adaptive threats.

Despite these evolving trends and sometimes sophisticated threats, basic lapses in cybersecurity hygiene contributed to many compromises; X-Force incident response and penetration testing engagements found misconfigured access controls, weak authentication practices, incomplete logging and insufficient vulnerability management as recurring issues. These foundational weaknesses continued to provide attackers with opportunities that are far easier to exploit than advanced or novel techniques.

Overall, 2025 highlighted a clear message: identity protection, secure configuration and visibility across applications, development pipelines and cloud environments are increasingly central to cyber resilience. As attackers continue to refine credential‑driven and supply‑chain‑focused operations, strengthening these fundamentals remains the most effective defense.

The IBM X-Force Threat Intelligence Index 2026 focuses on observations from our expert team of analysts, researchers, and hackers, tracking how threat actors get in, what they do when they’re in, and the impact caused by each breach. X-Force offers these insights as a resource to IBM clients, cybersecurity researchers, policy makers, the media and the broader community of security professionals and business leaders. Through the work of our global team, we aim to deliver a data-driven view of the current threat landscape. It’s our intent to keep all parties informed of the current threat landscape so they can make the best decisions for reducing risk.
