The average cyberattack breakout time from initial access to lateral movement is now just 29 minutes, according to CrowdStrike’s 2026 Global Threat Report published Tuesday.The report also noted significant increases in AI-enabled attacks, zero-day exploitation, ClickFix attacks and nation-state activity, with North Korea-sponsored attacks more than doubling and China-nexus intrusions increasing by 38%.Attackers are also increasingly targeting the cloud and valid credentials, with a 37% increase in cloud-conscious attacks noted. Cloud-focused attacks among nation-state actors increased 266%, and 35% of cloud incidents involved valid account abuse, CrowdStrike said.
Related reading:
Several factors play in to the accelerated speed of today’s cyberattacks. Threat actors increasingly exploit zero-day vulnerabilities prior to public disclosure, with CrowdStrike reporting a 42% year-over-year increase in zero-day attacks from 2024 to 2025.Many exploited zero-days are in edge devices, for which endpoint detection and response (EDR) solutions often have limited visibility, according to the report. Among the zero-day vulnerabilities exploited by China-nexus actors, 40% were in edge devices, CrowdStrike said.Threat actors are also abusing trust to evade detection by leveraging valid accounts and supply chain intrusions that are less likely to raise suspicion until it is too late.“82% of detections were malware-free as adversaries used valid credentials, trusted identity flows, and approved SaaS integrations to move across domains,” CrowdStrike Senior Vice President of Intelligence Adam Meyers wrote in a blog post about the findings. Adversaries also compromised trusted third-party software in several high-profile attacks in 2025, including in the recently unveiled Notepad++ attack, the record-breaking theft of $1.46 billion in cryptocurrency from Bybit that stemmed from an initial compromise of digital asset management platform Safe{Wallet}, and the Shai-Hulud npm worm attack that compromised more than 20 of CrowdStrike’s own packages.Increase employee awareness of social engineering techniques and boost preparedness for defense teams through tabletop exercises and red/blue team operations to strengthen the human factor
Faster breakout time just 27 seconds
A key focus of CrowdStrike’s 2026 Global Threat Report was the speed at which attackers are now evading defenses and achieving lateral movement, with CrowdStrike dubbing 2026 the “Year of the Evasive Adversary.”While average breakout times fell below 30 minutes for the first time, a 65% speed increase from last year, the fastest recorded breakout time was just 27 seconds; in another highlighted case, data exfiltration was achieved in just four minutes.Faster breakout times make attacks more difficult to detect, narrowing the window for defenders to catch the signs of an attack before damage is done.AI-enabled attacks increase by 89%
CrowdStrike also observed a continued increase in AI-assisted cyberattacks ranging from social engineering to the generation of malware code, although AI remains an amplifier of existing tactics, techniques and procedures (TTPs) rather than an inventor of novel methods.In total, AI-enabled attacks increased by 89% year-over-year, and the report noted that most tracked threat groups that use AI have increased their attack volume since 2024.The report highlighted the use of a large language model (LLM) enabled malware dubbed “LAMEHUG” by the Russia-backed threat actor Fancy Bear, which uses the model Qwen2.5-Coder-32B-Instruct via the Hugging Face API to generate commands for host reconnaissance on the fly.AI is also frequently used by North Korean threat actors such as Famous Chollima to create fake personas and perform coding jobs as part of remote IT worker scams. North Korean-nexus threat activity was noted to have increased by a total of 130% year-over-year.Additionally, the Russia-based financially motivated cybercrime group Renaissance Spider uses AI to translate its ClickFix lures into Ukrainian to better reach its intended targets. ClickFix activity saw an enormous surge overall between 2024 and 2024, with a 563% increase in fake CAPTCHA-themed lures.The security of AI tools used by organizations is also a concern, as highlighted by vulnerabilities such as CVE-2025-3248 in the AI development platform Langflow, which was exploited in attacks including ransomware attacks, according to CrowdStrike.Overall, CrowdStrike makes several recommendations for organizations to defend themselves in 2026’s threat landscape, including:- Secure AI tools through access controls, data loss prevention measures and monitoring of employee AI use
- Focus on identity and software-as-a-service (SaaS) as key attack vectors and enforce multi-factor authentication and least privilege access
- Increase cross-domain correlation through solutions such as extended detection and response (XDR) to reduce blind spots between endpoints, cloud, SaaS and unmanaged systems
- Harden software supply chain defenses by scanning third-party packages and repositories and enforcing code signing and dependency validation
- Prioritize patching of vulnerabilities in edge devices and monitoring of the network perimeter
- Use a threat intelligence-driven approach and threat hunting to more quickly identify emerging attacks methods




