Insight · 26 February 2026 · 8 min read

CrowdStrike 2026 Global Threat Report

The CrowdStrike 2026 Global Threat Report analysed trillions of security events across 281 tracked adversaries. Its findings, from 27-second breakout times to 82% malware-free intrusions, confirm that the most critical data must be stored beyond the reach of any network.

Mark Fermor

Director & Co-Founder, Firevault

What This Report Covers

The CrowdStrike 2026 Global Threat Report is one of the most comprehensive annual assessments of the cyber threat landscape, drawing on trillions of telemetry events across endpoints, cloud workloads, identities, and networks. In 2025, CrowdStrike named 24 new adversaries, bringing the total tracked to 281.

This insight piece distils nine key findings from the report and examines what each means for organisations seeking to protect their most critical and sensitive data.

1. 82% of Detections Were Malware-Free

In 2025, 82% of all CrowdStrike detections were malware-free, up from just 51% in 2020. Adversaries are no longer relying on traditional malware. They operate through valid credentials, trusted identity flows, approved SaaS integrations, and inherited software supply chains.

This means conventional signature-based defences are detecting fewer than one in five intrusions. Adversaries blend into normal activity, moving through authorised pathways and trusted systems.

Firevault view: When 82% of intrusions leave no malware signature, the question is not whether your detection tools will catch the threat, but what happens to your data when they do not. Data stored in a Firevault offline secure storage environment cannot be reached through any network pathway, regardless of how an adversary gained access to your digital estate.

Chart: Malware-Free Detections (2020 to 2025). Source: CrowdStrike 2026 Global Threat Report.

2. 29-Minute Average Breakout Time, Fastest in 27 Seconds

The average eCrime breakout time fell to 29 minutes in 2025, 65% faster than the prior year. The fastest observed breakout took just 27 seconds. In one documented intrusion by CHATTY SPIDER, data exfiltration began within four minutes of initial access.

This compression of the attack timeline means that traditional incident response processes, which typically operate on timescales of hours or days, are fundamentally mismatched against the speed of modern adversaries.

Firevault view: When the fastest adversaries are exfiltrating data in under 30 seconds, response speed alone is no longer a viable strategy. The only reliable protection is ensuring that the data they are seeking is not accessible from any connected system. Firevault's Layer 1 physical air gap removes the most critical data from the attack surface entirely.

Chart: Average eCrime Breakout Time (Minutes). Source: CrowdStrike 2026 Global Threat Report. Fastest observed breakout in 2025: 27 seconds.

3. 89% Increase in AI-Enabled Adversary Attacks

CrowdStrike observed an 89% year-over-year increase in attacks by AI-enabled adversaries. AI is being used to generate convincing phishing campaigns, create fake personas for social engineering, develop and obfuscate malware, translate lures into multiple languages, and even generate scripts for post-exploitation activities.

FAMOUS CHOLLIMA incorporated ChatGPT, Gemini, GitHub Copilot, and other AI tools into fraudulent employment operations. PUNK SPIDER used Gemini and DeepSeek to generate credential-dumping scripts. Two ransomware variants, FunkLocker and RALord, share encryption flaws specific to templates generated by the unrestricted AI model WormGPT.

Firevault view: AI has lowered the barrier to entry for sophisticated attacks. Adversaries who previously lacked the technical expertise to develop custom tooling can now generate production-grade attack scripts in seconds. This democratisation of offensive capability means that every organisation, regardless of size or sector, faces threats that were previously reserved for nation-state targets. Offline secure storage provides a control that remains effective regardless of how the attack was generated.

Chart: Top Industries Targeted by Interactive Intrusions (2025). Source: CrowdStrike 2026 Global Threat Report.

4. Supply Chain Attacks as Defining Tactic

In February 2025, PRESSURE CHOLLIMA executed the largest single financial theft ever reported, stealing $1.46 billion in cryptocurrency through trojanised software delivered via a supply chain compromise. This was not an isolated incident. Throughout 2025, adversaries systematically compromised upstream providers, development ecosystems, and public code repositories to gain broad access across downstream organisations.

In November 2025, threat actors compromised 690 npm packages to distribute the self-propagating information stealer ShaiHulud. In another attack, malicious Nx build packages were designed to use victims' own local AI CLI tools (Claude, Gemini) to generate commands that would steal authentication materials.

Firevault view: Supply chain compromise is uniquely dangerous because it exploits the very trust relationships organisations rely upon. When adversaries can weaponise your own development tools and trusted software updates, every connected system becomes a potential entry point. Data that is physically separated from the network cannot be reached through any compromised supply chain pathway.

5. 37% Rise in Cloud-Conscious Intrusions

Cloud-conscious intrusions rose 37% year-over-year in 2025. The increase among state-nexus threat actors was 266%. Valid account abuse accounted for 35% of all cloud incidents, reinforcing that identity has become central to intrusion.

Both eCrime and targeted intrusion adversaries evolved their cloud-targeting techniques, successfully subverting the implicit trust users place in cloud entities and technologies to achieve persistence, lateral movement, and data exfiltration.

Firevault view: The 266% increase in state-nexus cloud attacks signals a structural shift in how nation-state adversaries operate. Cloud environments are now primary targets, not secondary ones. For organisations storing sensitive or regulated data in cloud environments, the question is not whether these environments will be targeted, but when. Firevault provides a Layer 1 physical air gap that ensures the most critical data remains beyond the reach of any cloud-based attack.

Chart: Year-over-Year Increase in Key Threat Vectors (2025). Source: CrowdStrike 2026 Global Threat Report.

6. China-Nexus Activity Increased 38%

China-nexus adversaries increased their activity by 38% across all sectors. Attacks targeting logistics increased by 85%, telecommunications by 30%, and financial services by 20%. These adversaries systematically exploited vulnerabilities in VPN appliances, firewalls, gateways, and other internet-facing systems to establish long-term access for intelligence collection.

In 67% of the vulnerabilities China-nexus adversaries exploited, the flaw provided immediate system access. Newly disclosed vulnerabilities were weaponised within days of their public release. In one long-running intrusion, an adversary maintained persistent access for 22 months.

Firevault view: The 22-month persistent access finding is particularly concerning for UK organisations in telecommunications, financial services, and logistics. These are precisely the sectors covered by NIS2 and sector-specific regulatory requirements. When adversaries can maintain undetected access for nearly two years, the only reliable safeguard for the most sensitive data is to ensure it was never accessible from the compromised network in the first place.

7. 42% Increase in Zero-Day Exploitation

CrowdStrike observed a 42% year-over-year increase in the number of zero-day vulnerabilities exploited prior to public disclosure. Of those exploited vulnerabilities, 40% targeted internet-facing edge devices, including VPN servers, mail servers, firewalls, and routers.

China-nexus adversaries demonstrated the ability to weaponise newly disclosed vulnerabilities within two to six days of public release. GRACEFUL SPIDER, an eCrime adversary, has repeatedly exploited zero-day vulnerabilities targeting internet-exposed enterprise web applications since 2020.

Firevault view: Zero-day exploitation is, by definition, an attack that cannot be patched against in advance. When 40% of zero-days target edge devices that frequently lack endpoint detection coverage, even well-resourced security teams face an unavoidable gap. Offline secure storage closes this gap for the most critical data by removing it from any network-accessible infrastructure.

Chart: Interactive Intrusions by Region (2025), covering North America, East Asia, South Asia, South America, Oceania, Europe, and Other. Source: CrowdStrike 2026 Global Threat Report.

8. Cross-Domain Evasion Redefines the Threat

The report identifies cross-domain evasion as the defining characteristic of 2025 intrusions. Adversaries exploit visibility gaps created by fragmented security controls across identity, SaaS, cloud, and unmanaged devices, chaining together access paths to stay off well-protected endpoints.

SCATTERED SPIDER and BLOCKADE SPIDER exemplified this approach, rapidly moving laterally across traditional servers, hypervisors, cloud environments, unmanaged hosts, and SaaS applications. In one incident, BLOCKADE SPIDER used a compromised SSO account belonging to an information security employee to access the organisation's own EDR user interface and modify detection rules.

Firevault view: When adversaries can modify your own security tooling from within your environment, the entire software-based security model has a structural limitation. Every tool in the chain becomes a potential target. The Firevault architecture operates on a fundamentally different principle: the most critical data is stored in a physically separated environment that cannot be reached, modified, or compromised through any digital pathway.

9. Ransomware Remains the Primary eCrime Threat

Despite improved detection capabilities and law enforcement disruptions, ransomware remained 2025's primary eCrime threat. The ecosystem proved remarkably resilient. Fake CAPTCHA campaigns surged by 563%, and spam email volume rose by 141% year-over-year.

PUNK SPIDER, the most active ransomware adversary in 2025, conducted 198 intrusions, a 134% increase year-over-year. This adversary increasingly used remote encryption via SMB shares, encrypting data without ever executing ransomware on managed hosts.

Firevault view: Remote encryption via SMB shares is a technique specifically designed to bypass endpoint detection. When ransomware no longer needs to execute on your monitored systems, the entire detection model shifts. For organisations holding data subject to regulatory obligations or business-critical operations, a physical air-gapped copy stored in a Firevault Bunker provides the ultimate recovery assurance, ensuring that even a successful ransomware attack cannot reach the backup of last resort.

What This Means for UK Enterprises

The CrowdStrike 2026 Global Threat Report confirms a fundamental truth about the current threat landscape: the adversaries are operating inside your trusted systems, using your own tools, and moving faster than your response capabilities allow.

Software-based security remains essential. Detection, identity management, cloud security, and endpoint protection are all necessary layers. But the report makes clear that these layers are insufficient on their own when 82% of intrusions leave no malware signature and the fastest adversaries break out in 27 seconds.

The most secure data is the data that cannot be reached.

Firevault exists to provide that final layer of protection: a Layer 1 physical air gap that stores the most critical data in a physically separated, offline environment. No network connection. No digital pathway. No possibility of remote compromise.

For organisations subject to NIS2, FCA, SRA, or DORA requirements, offline secure storage is not a luxury. It is a compliance necessity.

About the author

Mark Fermor

Director & Co-Founder

The driving force behind Firevault's market presence, combining commercial vision with deep tech insight.
