Darktrace’s Annual Threat Report 2026: An In-Depth Look at Cybersecurity Trends
Darktrace has recently released its Annual Threat Report for 2026, shedding light on an evolving cyber threat landscape and the trends that are shaping cyber vulnerabilities this year. A notable finding from the report indicates a staggering 20% year-over-year increase in publicly disclosed vulnerabilities. Interestingly, while these weaknesses are becoming more apparent, attackers are increasingly opting to bypass them in favor of credential abuse and identity-led intrusions.
The Evolving Nature of Cyber Threats
The year 2025 marked a significant shift in the strategies employed by cyber adversaries. Rather than relying solely on traditional exploits, attackers have begun to adopt advanced technologies and techniques that enhance their speed and precision. This change allows them to execute more targeted and adaptive intrusions, making it increasingly difficult for conventional security measures to detect their activities.
Identity: The New Frontier in Cyber Defense
As organizations continue to embrace cloud technology and Software as a Service (SaaS), the focus of cyber defense is rapidly shifting from the network perimeter to user identities. Darktrace’s findings reveal that nearly 70% of cyber incidents in the Americas began with compromised accounts. This trend shows that identity-driven compromise has become the most common entry point for attackers.
Nathaniel Jones, Vice President of Security and AI Strategy at Darktrace, highlights this critical shift, stating, “Traditional perimeter defenses were built for a world where attackers had to break in. Today they simply log in.” To combat identity-led attacks, organizations must move beyond static controls and develop security systems that can interpret context and intent, recognizing when legitimate accounts exhibit abnormal behavior.
The Impact of Cloud and SaaS on Cyber Risk
Cloud computing has emerged as a primary vector for cyberattacks on both sides of the Atlantic. In Europe, for instance, 58% of reported incidents began with compromised cloud accounts and emails, overshadowing traditional network breaches, which stood at 42%. In the Americas, breaches often stem from SaaS applications and Microsoft 365 accounts, with many incidents escalating into more severe forms of extortion.
With a staggering 94% of organizations globally now utilizing cloud computing, the ramifications of this trend are far-reaching. Darktrace observes that Azure is currently the most targeted cloud provider, accounting for 43.5% of detected malware samples, compared to 33.2% for Google Cloud Platform (GCP) and 23.2% for Amazon Web Services (AWS). Moreover, Docker environments are becoming attractive targets, with 54.3% of abusive traffic directed at them, indicating the allure of containerized cloud infrastructure for large-scale attacks.
Sophistication of Email Attacks
The analysis of 32 million phishing emails detected by Darktrace reveals a marked increase in the sophistication of email attacks during 2025. These threats have become smarter, integrating AI to create convincing content, evasive payloads, and identity-targeting strategies.
Key indicators of this heightened sophistication include:
- AI-assisted Phishing: The use of artificial intelligence has allowed attackers to craft messages that appear authentic.
- QR-Code Attacks: These types of attacks have become more prevalent, taking advantage of people’s trust in QR codes.
- Fresh Domain Utilization: Attackers are leveraging new domains at scale to avoid detection.
- DMARC Evasion: Some attackers are circumventing email authentication protocols, making their attempts appear legitimate.
Jones notes, “Phishing has become far more convincing and targeted.” He stresses the necessity for defenders to deploy technology capable of identifying subtle deviations from normal behavior, even when emails seem genuine at first glance.
Threats to Critical National Infrastructure
The interplay between geopolitical tensions and significant digital transformation has positioned Critical National Infrastructure (CNI) as a prime target for both state-aligned and criminal actors. Darktrace highlights three major trends influencing CNI risk in 2025:
- Disruption of National Services: Cyberattacks are increasingly aiming to incapacitate essential services.
- Strategic Access and Pre-positioning: Threat actors are focusing on gaining strategic footholds within crucial systems.
- Utilization of Proxy and Hybrid Actors: Many attacks are now executed through intermediaries, complicating detection and attribution.
Jones emphasizes the need for continuous visibility into user and system behavior, warning that identity has become the most reliable avenue for attackers. In a landscape where a single compromised account can lead to substantial fallout, behavioral AI plays a crucial role. It equips defenders with the capabilities to detect minor anomalies before they escalate into larger incidents.
In summary, Darktrace’s report highlights the dynamic nature of cyber threats in 2026, stressing the importance of evolving strategies in the face of increasingly sophisticated attacks targeting identities and cloud services. Organizations must adapt to these trends to safeguard their digital landscapes.