The numbers are alarming: AI-powered cyberattacks increased 89% in the past year, according to the CrowdStrike 2026 Global Threat Report. The average time it takes an attacker to move laterally within a network (breakout time) dropped to 29 minutes, with an absolute record of just 27 seconds. And most concerning: 82% of attacks don't use malware, relying instead on identity theft. I've been following these annual reports for years and this is the most alarming one I've read.
Key findings from the report
CrowdStrike, one of the world's largest cybersecurity companies, published its annual report on February 24, 2026:
| Metric | 2024 | 2025/2026 | Change |
|---|---|---|---|
| AI-enabled attacks | Baseline | +89% | Nearly doubled |
| Average breakout time | ~83 min | 29 min | -65% (faster) |
| Record breakout time | 2 min | 27 seconds | All-time record |
| Malware-free attacks | 75% | 82% | +7 points |
| Cloud attacks | Baseline | +37% | Strong growth |
| Cloud attacks (nation-state) | Baseline | +266% | Explosion |
| China-nexus activity | Baseline | +38% | Sustained growth |
How AI is changing cyberattacks
Attackers no longer need to be technical experts. AI enables them to:
- Automate reconnaissance: Russian group FANCY BEAR developed LLM-enabled malware (LAMEHUG) that automates document collection and network reconnaissance
- Generate attack scripts: PUNK SPIDER uses AI to create credential-dumping scripts and automatically erase forensic evidence
- Create fake identities: North Korean group FAMOUS CHOLLIMA uses AI to generate fake personas and scale infiltration operations
- Attack AI systems directly: Attackers injected malicious prompts into GenAI tools at more than 90 organizations
According to Adam Meyers, head of counter adversary operations at CrowdStrike: "This is an AI arms race. Breakout time is the clearest signal of how intrusion has changed."
Why 82% of attacks don't use malware
This data point is crucial and changes everything we know about security. In my experience analyzing threats, the shift is fundamental:
- Before (2020): Attackers sent viruses, ransomware, trojans. Your antivirus caught them.
- Now (2026): Attackers steal your username and password (AI-powered phishing, social engineering) and log in as if they were you. There's no malware to detect.
This means your antivirus doesn't protect you from 82% of current threats. What you need is:
- Two-factor authentication (2FA) on ALL your accounts
- Physical security keys (YubiKey, Google Titan) for critical accounts
- Password manager (1Password, Bitwarden) with unique passwords per service
- Identity monitoring: Services like Have I Been Pwned tell you whether your data was leaked
How to protect yourself: quick checklist
| Action | Priority | Time | Protects against |
|---|---|---|---|
| Enable 2FA on email | Critical | 5 min | Identity theft |
| Enable 2FA on banking | Critical | 5 min | Financial fraud |
| Install password manager | High | 15 min | Password reuse |
| Update OS and apps | High | 10 min | Known vulnerabilities |
| Review access in Google/Apple | Medium | 5 min | Unauthorized app access |
Common issues
I already have antivirus — am I protected?
Only partially. Antivirus protects against the 18% of attacks that do use malware. For the other 82% (identity theft), you need 2FA, unique passwords, and credential monitoring. I've been recommending that people think about identity security, not just antivirus, for a while now.
27 seconds is too fast — what can I do?
That record time is for targeted enterprise attacks. As an individual user, your biggest risk is phishing. The golden rule: never click links in urgent emails. If your bank writes you urgently, open the bank app directly — don't follow the link.
Can AI attacks affect me directly?
Yes. AI-generated phishing attacks are indistinguishable from real emails. They no longer have spelling errors or suspicious formatting. The only real defense is two-factor authentication combined with manually verifying URLs.
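The manual URL check can also be done mechanically. The following is an added example, not code from the original post or from CrowdStrike; the domain `example-bank.com`, the function name `link_findings` and the sample links are constructed for illustration. It parses a link and reports why its host should not be trusted, which covers the cases where the trusted name appears in the link but is not the site you would actually reach.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the domains you actually log in to.
TRUSTED = {"example-bank.com"}

def link_findings(url, trusted=TRUSTED):
    """Return reasons the link should not be trusted (empty list = host matches)."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        findings.append("not-https")
    # Anything before '@' is userinfo, not the site; the real host follows it.
    if parts.username is not None:
        findings.append("userinfo-in-url")
    if not host:
        return findings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, which is what a legitimate login link uses
    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    # The trusted name must be the END of the host, on a label boundary.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        findings.append("untrusted-domain")
    return findings

# Constructed sample links, one per case.
SAMPLES = [
    "https://accounts.example-bank.com/login",
    "https://example-bank.com.secure-login.example.net/verify",
    "https://example-bank.com@203.0.113.5/login",
    "http://example-bank.com/login",
    "https://xn--exmple-bank-abc.com/",
    "https://notexample-bank.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", link_findings(url) or "host matches")
```

An empty result only means the host belongs to a domain on the allowlist; it says nothing about the content of the page.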