80% of MITRE ATT&CK Techniques Now Dedicated to Evasion and Persistence
Defenders might be bummed, but not surprised, to know that adversaries have shifted from immediate disruption to long-lived access, according to research from Picus Labs.
The Red Report 2026—The Top 10 Most Prevalent MITRE ATT&CK Techniques, which analyzed more than 1.1 million malicious files and mapped upwards of 15.5 million adversarial actions in 2025, noted that for a decade “the primary concern for CISOs was business interruption caused by ransomware,” but this year’s findings showed “the risk profile has inverted.”
The researchers “observed a 38% decline in Data Encrypted for Impact, replaced by a massive surge in techniques designed for invisibility and espionage,” which confirms “a critical evolution in the threat landscape.” Process Injection dominates, meaning that “attackers are prioritizing dwell time over destruction” with “the goal no longer to crash your systems, but to inhabit them unnoticed.”
Of concern, Virtualization and Sandbox Evasion rocketed up to fourth place “as context-aware malware learns to detect analysis environments (e.g., sandboxes) through artifact checks, timing, and user interaction patterns. Many samples refuse to execute when watched,” the report said, meaning that “files can pass automated gateways and only activate in production, creating a dangerous false sense of safety.”
The researchers also found that bad actors are “pushing command and control through high-reputation services, including OpenAI and AWS, to blend with normal business traffic and evade blocklists,” while at the same time “state-aligned actors are using remote access hardware such as IP-KVMs to bypass endpoint agents altogether.” As a result, EDR visibility is diminished, forcing defenders to turn to identity, network, and workload telemetry.
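Because command and control routed through reputable cloud and AI services defeats domain blocklists, the network telemetry the report points defenders toward has to key on behaviour rather than destination. The following is an added illustration of that idea, not code from Picus Labs or the report: a reputation-agnostic beaconing check that groups proxy log lines by source and destination and flags flows whose inter-request timing is too regular. The log lines, host names, and thresholds are all constructed for the example.

```python
"""Flag beacon-like periodic connections in proxy logs, ignoring destination reputation.

Added example; the log lines below are constructed and the hosts are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log: ISO timestamp, source host, destination host.
# The first flow fires once a minute with ~1 s jitter; the second is bursty,
# human-like traffic to an equally "reputable" destination.
SAMPLE_LOG = """\
2025-11-03T09:00:00Z ws-17 api.example-ai-service.test
2025-11-03T09:01:00Z ws-17 api.example-ai-service.test
2025-11-03T09:02:01Z ws-17 api.example-ai-service.test
2025-11-03T09:03:00Z ws-17 api.example-ai-service.test
2025-11-03T09:04:00Z ws-17 api.example-ai-service.test
2025-11-03T09:05:01Z ws-17 api.example-ai-service.test
2025-11-03T09:00:12Z ws-17 cdn.example-storage.test
2025-11-03T09:00:40Z ws-17 cdn.example-storage.test
2025-11-03T09:07:03Z ws-17 cdn.example-storage.test
2025-11-03T09:21:55Z ws-17 cdn.example-storage.test
2025-11-03T09:22:10Z ws-17 cdn.example-storage.test
2025-11-03T09:45:00Z ws-17 cdn.example-storage.test
"""


def parse_log(text):
    """Group log lines into (src, dst) -> sorted list of epoch seconds."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append(when.timestamp())
    for times in flows.values():
        times.sort()
    return flows


def beacon_score(times):
    """Return (mean interval, coefficient of variation) for a flow.

    A low coefficient of variation means near-constant spacing between
    requests, the signature of a timer-driven client rather than a person.
    Returns None when there are too few events to judge.
    """
    if len(times) < 4:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_events=4, max_cv=0.1):
    """Return flows whose timing regularity is at or below max_cv.

    The destination name is never consulted, so a flow to a high-reputation
    service is judged purely on its cadence.
    """
    hits = {}
    for key, times in parse_log(text).items():
        score = beacon_score(times)
        if score is None or len(times) < min_events:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits[key] = {
                "events": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

Real implants add jitter and sleep for far longer than a minute, so a production version would lower `max_cv` only after baselining the environment's own timer-driven traffic (update checks, monitoring agents, time sync), and would weigh the number of events and the total duration of the flow, not cadence alone. The point the example makes is that the decision never looks at the destination, which is exactly what a blocklist does.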
Identity is a real failure point, “with credentials from Password Stores and Command and Scripting Interpreter in the Top 10—attackers are weaponizing identity systems and administrative tooling,” Picus Labs says. In fact, of the top ten techniques, 80% are now dedicated to evasion and persistence.
“Unlike the latest guidance, earlier versions of MITRE ATT&CK were often brief, generic, and lacked actionable detail,” says Agnidipta Sarkar, chief evangelist at ColorTokens.
“The other reality is that most organizations now run on a mix of cloud, container, endpoint, ICS, and SaaS platforms, and thus detection engineering must automate mapping from ATT&CK objects to logs, alerts, and platforms while keeping coverage up to date,” says Sarkar, noting that in earlier versions, “detection content was not enough for direct integration into automation and engineering workflows.”
Even so, the current scenario “is still far from ideal,” he says. “For example, lateral movement needs more updates.”
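Sarkar's point that detection engineering has to automate the mapping from ATT&CK objects to logs, alerts, and platforms is easy to state and easy to get wrong in one specific way: a rule that exists on paper but whose telemetry was never onboarded (an EDR signal on hosts where, as the report notes, EDR visibility is shrinking) counts as coverage when it is really a blind spot. The following is an added illustration, not code from ColorTokens, Picus Labs, or the report. The technique IDs are the real ATT&CK identifiers for the techniques named in this article; the rule inventory and telemetry source names are constructed.

```python
"""Classify ATT&CK technique coverage as covered, blind, or uncovered.

Added example. Technique IDs are real ATT&CK identifiers; the rule inventory
and telemetry source names are constructed placeholders.
"""

# Techniques named in the article (this is not the report's full Top 10).
TECHNIQUES = {
    "T1055": "Process Injection",
    "T1497": "Virtualization/Sandbox Evasion",
    "T1555": "Credentials from Password Stores",
    "T1059": "Command and Scripting Interpreter",
    "T1486": "Data Encrypted for Impact",
}

# Constructed rule inventory. Each rule declares the techniques it is meant
# to detect and the telemetry sources it must read to do so.
RULES = [
    {"name": "remote-thread-into-lsass", "techniques": ["T1055"],
     "sources": ["edr_process_events"]},
    {"name": "encoded-powershell-commandline", "techniques": ["T1059"],
     "sources": ["process_cmdline"]},
    {"name": "browser-credential-db-read", "techniques": ["T1555"],
     "sources": ["edr_file_events"]},
    {"name": "mass-file-rename-burst", "techniques": ["T1486"],
     "sources": ["edr_file_events"]},
    {"name": "container-escape-attempt", "techniques": ["T1611"],
     "sources": ["k8s_audit"]},
]


def coverage(techniques, rules, onboarded_sources):
    """Map each technique to one of three states.

    covered   - at least one rule exists and all of its sources are onboarded
    blind     - rules exist, but none can run because telemetry is missing
    uncovered - no rule references the technique at all
    """
    report = {"covered": [], "blind": [], "uncovered": []}
    onboarded = set(onboarded_sources)
    for tid in techniques:
        matching = [r for r in rules if tid in r["techniques"]]
        if not matching:
            report["uncovered"].append(tid)
        elif any(set(r["sources"]) <= onboarded for r in matching):
            report["covered"].append(tid)
        else:
            report["blind"].append(tid)
    return report


def summarize(report, techniques):
    """Render the report as one line per technique, grouped by state."""
    lines = []
    for state in ("covered", "blind", "uncovered"):
        for tid in report[state]:
            lines.append(f"{state:9} {tid} {techniques[tid]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Scenario: command-line and process telemetry are flowing, but the
    # EDR file-event feed has not been onboarded.
    onboarded = {"edr_process_events", "process_cmdline"}
    print(summarize(coverage(TECHNIQUES, RULES, onboarded), TECHNIQUES))
```

Run against the constructed inventory, the check reports Process Injection and Command and Scripting Interpreter as covered, Credentials from Password Stores and Data Encrypted for Impact as blind because their only rules depend on a feed that is not onboarded, and Virtualization/Sandbox Evasion as uncovered. The blind category is the one a rule-count dashboard hides, and it is the one that grows as endpoint agents lose visibility and the relevant signal has to come from identity, network, or workload sources instead.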
In the coming year, Derek Manky, chief security strategist and global vice president of threat intelligence with Fortinet’s FortiGuard Labs, says that “security operations will move closer to what FortiGuard Labs describes as machine-speed defense—a continuous process of intelligence, validation, and containment that compresses detection and response from hours to minutes.”
Frameworks like continuous threat exposure management (CTEM) and MITRE ATT&CK, he says, “will need to be leveraged so defenders can quickly map active threats, identify exposures, and prioritize remediation based on live data.”
And defenders must make identity “the foundation of security operations, as organizations will need to not only authenticate people but also [non-human interactions (NHI) from] automated agents, AI processes, and machine-to-machine interactions,” which “will become critical to preventing large-scale privilege escalation and data exposure.”

