AI and RaaS Alter Threat Landscape, New Ransomware Groups Grow by 30%
Cyberdefenders are certainly up against formidable foes—AI automation and ransomware-as-a-service (RaaS) platforms have reshaped the threat landscape, with nation-state actors automating as many as 90% of an intrusion, according to new research from Quorum Cyber.
The 2026 Global Cyber Risk Outlook report found that “white label” RaaS platforms enabled bad actors to launch branded criminal operations quickly.
“Across every industry, from criminal gangs to nation-state actors, attackers are leveraging AI to accelerate their pace and frequency of attacks, increasingly causing defenders to be outmatched like never before,” says Bugcrowd CEO Dave Gerry.
Ransomware, a persistent problem, shows no sign of letting up. The number of new ransomware groups grew 30 percent in a year’s time and attacks showed a pivot from encryption toward data exfiltration attacks, which are faster and cost far less to execute.
Ransomware gangs know the value of their work and continue to hammer organizations—average ransom demands soared across industries, particularly in financial services (179%) and manufacturing (97%). As detection windows shrink, barriers to hackers entering the market drop away, opening the field to even those with lesser skills and arming them with capabilities only once available to their elite colleagues.
Rex Booth, CISO at SailPoint, distinguishes between ransomware and breaches. “Ransomware groups often operate like businesses, with structured hierarchies, specialized roles, and even customer service teams to negotiate payments,” he says.
With that level of organization, a few dominant groups control the market. “In contrast, breaches are the result of a broader set of activities ranging from crime to corporate espionage to state-sponsored attacks—and there are more numerous capable actors playing in that wider space,” Booth says.
If that makes the threat landscape seem daunting, then consider that the number of vulnerability disclosures zipped past 35,000, representing a 21% rise.
Noting that “security researchers face a 90-day disclosure embargo, whereas nation-state sponsored threat actor groups are known to stockpile vulnerabilities indefinitely,” Mayuresh Dani, security research manager at Qualys, says, “Due to the speed with which vulnerabilities are being exploited, regression testing might be left incomplete, yielding ‘one-and-done’ fixes that threat actors often bypass.”
Prophet Security CEO Kamal Shah notes that according to the State of AI in SOC Report, “security leaders anticipate AI will handle approximately 60% of SOC workloads within the next three years.”
AI can help them “move faster through noise, automate repetitive and tedious work, and spend more time on the parts that require human judgment.” But as AI speeds up the work, teams chain skills, and incentives push toward scale, Shah says, “Security teams should shorten time to answer with outcomes that clearly state scope, impact, affected assets, and next actions, backed by evidence the business can trust.”
Treating “coordinated disclosure as core infrastructure with a clear VDP or bug bounty program, simple reporting, defined SLAs, safe harbor language, and consistent communication,” and then keeping “tight feedback loops with researchers,” boosts responsiveness, Shah says, improving report quality and reducing time to fix.
The public sector continues to be assailed by nation-state actors from Russia, China and Iran, while North Korea upped its take from cybercrime in 2025, likely raking in more than $2 billion from its efforts.
To better mitigate risk, “organizations must ensure that their supply chain partners follow basic cybersecurity best practices, such as multi-factor authentication (MFA), password management systems, and incident response strategies,” says Matthieu Chan Tsin, senior vice president, resiliency services, at Cowbell.
But internal defenses matter just as much, he says. “Organizations should have proper system access controls in place, keep software and systems updated, and ensure employees know what to do in the event of a cyber incident,” Tsin explains.
Cyber insurance is a cornerstone of this strategy. “It’s not just about financial protection. Many insurance providers offer value-added services such as security partnerships, threat intelligence sharing, and access to expert advisory support,” he says.
Those resources “can help businesses strengthen their cyber posture before an incident even occurs, making insurance an important part of an overall cyber resilience plan,” Tsin adds.
Gerry contends that “whether through internal security teams or outsourcing part of their security operations to managed services firms, security teams must quickly ramp up their usage of AI in response to the increased threat environment.”
As the vulnerability window shrinks and previously used tools flag, Dani says “enterprises should require development teams to eliminate a vulnerability class rather than a single code path—reducing leading to repeat bypasses.”
They “should focus on quality-first patching while providing a greater transparency on failure rates” and there should be “regulatory policy changes that bring some parity between public researchers and state actors,” Dani says, calling on organizations to:
- Treat every patch as potentially provisional to harden and monitor their complete environment.
- Apply layered mitigations—network and host-based—even after patching.
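To make the distinction Dani draws concrete, the following is an added example written for this article; it is not code from the report, from Qualys, or from any of the vendors quoted. It assumes path traversal in a file-download handler as the vulnerability class, and the base directory and file names are constructed. The first function is the kind of “one-and-done” fix that closes only the code path named in a report (stripping the literal `../`); the second eliminates the class by judging the canonical result of the join rather than the input pattern, so it also rejects absolute paths and accepts odd-looking names that in fact stay inside the base directory.

```python
from pathlib import Path

# Constructed base directory for the example; it need not exist on disk.
BASE_DIR = Path("/srv/app/public")


def is_inside_base(path: Path) -> bool:
    """True if the canonical form of `path` is BASE_DIR or lies beneath it."""
    base = BASE_DIR.resolve(strict=False)
    candidate = path.resolve(strict=False)
    return candidate == base or base in candidate.parents


def resolve_single_code_path_fix(user_path: str) -> Path:
    """'One-and-done' patch: strips the exact '../' sequence named in the
    original report and nothing else. This closes one code path, not the
    class, so inputs that only become '../' after the strip still escape,
    and absolute paths were never considered at all."""
    cleaned = user_path.replace("../", "")
    return BASE_DIR / cleaned


def resolve_class_eliminating_fix(user_path: str) -> Path:
    """Class-level fix: canonicalise the joined path and refuse anything that
    does not end up under BASE_DIR, whatever produced the escape (doubled
    '..' sequences, absolute paths, symlinks that exist on disk)."""
    candidate = (BASE_DIR / user_path).resolve(strict=False)
    if not is_inside_base(candidate):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def compare(user_path: str) -> dict:
    """Run both fixes on one input and report whether each contains it."""
    single = resolve_single_code_path_fix(user_path)
    try:
        resolve_class_eliminating_fix(user_path)
        class_fix_allowed = True
    except ValueError:
        class_fix_allowed = False
    return {
        "single_fix_stays_inside": is_inside_base(single),
        "class_fix_allowed": class_fix_allowed,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, the originally reported
    # traversal, a variant of it, and an absolute path.
    for sample in (
        "report.pdf",
        "../../../etc/passwd",
        "....//....//....//etc/passwd",
        "/etc/passwd",
    ):
        print(f"{sample!r:36} {compare(sample)}")
```

The point of `compare` is the second and third rows it produces: the single-path fix handles exactly the input from the original report and nothing else, while the class-level check never looks at the pattern and so cannot be regression-tested against a list of known strings; it is tested by asserting the invariant (“the result is under the base directory”) instead.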
SOC teams can better understand “the tempo and velocity of modern attacks” if they observe “how AI is being used to automate repetitive tasks” by studying automated methodologies, Shah says.
“AI SOC tools are giving security analysts similar capabilities in handling repetitive tasks such as alert triage and investigation, freeing their time to focus on higher priority security tasks,” says Shah. “By integrating the reports from ethical hackers with new AI defenses, SOC teams can create a practical training ground for junior analysts, helping them transition into high-level operators who proactively hunt for threats, rather than performing manual triage.”
BeyondTrust Field CTO James Maude called for more investment in shifting left and thinking “more about securing identities and access to reduce our attack surface and blast radius in the event of compromise, rather than simply thinking post breach.”
Since ransomware and other threats are only as effective as the privileges and access they manage to acquire, Maude says, “if we can implement better hygiene, and place emphasis on least privilege, then the threat actors are far less likely to ransomware us in the first place.”
Security teams must adjust strategy to deal with the “democratization of cybercrime,” which Booth says, “makes breaches more fragmented and unpredictable.”
He suggests that “rather than focusing on the personalities behind these attacks, organizations should prioritize prevention strategies, such as zero-trust architectures, continuous monitoring, and robust identity security.”
The key, he explains, “is to make it harder for any actor, whether a sophisticated group or an individual, to exploit vulnerabilities.”