The X-Force Threat Intelligence Index provides an annual, data-driven assessment of the incidents, vulnerabilities and adversary techniques observed across large-scale global environments. This year’s analysis underscores a consistent reality: despite rapid adoption of AI by both defenders and adversaries, the most consequential security outcomes still hinge on the strength and maturity of foundational controls.
Reviewing the trends from our 2025 incident response and investigations data, the exploitation of public-facing applications emerged as the most common initial access vector—up 44% from the previous year. The expanding vulnerability landscape, amplified by misconfigurations and increasingly complex application stacks, continues to broaden the attack surface. Notably, many exploited vulnerabilities did not require authentication, emphasizing the need for more rigorous access control, patch governance and secure implementation practices.
The rapid growth of AI chatbot adoption has created an additional credential harvesting ecosystem. In 2025, over 300,000 ChatGPT credential sets were advertised on the dark web, driven largely by infostealer malware operators who expanded their target lists to include AI services. Password reuse across personal and enterprise accounts continues to create indirect attack paths, where low-value consumer credentials are leveraged for high-value enterprise access.
Supply chain and third-party risks accelerate. Major supply chain incidents have increased nearly fourfold over the past five years, with attackers exploiting trusted developer identities, CI/CD platforms and SaaS integrations, and downstream trust relationships to propagate compromise.
The ransomware ecosystem is more fragmented than ever, with the dominance of attacks attributed to the top 10 groups dropping by 25 percent. X-Force identified 109 distinct extortion groups in 2025, up from 73 in 2024. This points to lower barriers to entry among attackers and more opportunistic operations by actors with varying levels of sophistication, as well as increased decentralization that favors smaller factions over large, well-known gangs.
Manufacturing remained the most targeted industry, followed by the financial services and insurance sectors.
In terms of geographic focus, North America experienced the highest concentration of activity, representing nearly one-third of all observed attacks.
This year’s Threat Intelligence Index affirms a recurring theme that we have been highlighting throughout the past year. The issues that plague organizations are not emerging threats; they reflect persistent gaps in fundamental controls.
While investments in advanced security capabilities are necessary, they are insufficient when baseline controls remain underdeveloped or inconsistently applied. This insufficiency translates into actual incidents and attacks that materialize on organizational networks, disrupting operations and compromising data, leading to heavy losses and even crisis-level cyberattacks.
Based on observed trends, X-Force recommends the following prioritized actions:
Organizations must shift from reactive responses to proactive, AI‑driven security as attackers use AI to scale phishing, accelerate malware creation and refine social engineering. This requires understanding the rapidly evolving threat landscape, strengthening risk management foundations, and using agentic‑AI, AISPM, and autonomous SOC capabilities to better protect critical assets and supply‑chain dependencies.
As credential‑driven attacks grow more sophisticated, organizations must use AI‑powered identity threat detection and posture management to gain visibility into risks across both human and machine identities. Treating identity as critical infrastructure requires centralized governance, continuous risk‑based access controls and AI‑specific defenses to counter increasingly advanced threats.
Security leaders must continuously identify weaknesses—such as insecure code, weak credentials, misconfigurations and missing patches—by returning to foundational, proactive practices. If attackers gain a foothold, strong configuration hygiene, continuous monitoring and frequent penetration testing help prevent initial exploitation from turning into credential theft or data exfiltration.
Because AI systems introduce new and amplified risks, organizations must apply rigorous governance that is open, hybrid and platform‑agnostic to ensure trustworthy and compliant AI deployment. Strong model evaluation, secure authentication and monitoring for abnormal access or credential exposure are essential to protecting AI platforms across the enterprise.
Misconfigurations, breaches, and human error can expose sensitive brand and infrastructure assets beyond an organization’s control. To reduce this risk, teams should work with trusted partners to identify these exposures across the surface, deep, and dark web and monitor for signs attackers use—such as stolen credentials and suspicious domains.
For comprehensive analysis and supporting data, download the full X‑Force Threat Intelligence Index, and read the summary release on the IBM Newsroom.