
Machine-scale cybercrime: The 2026 State of Malware report
The ThreatDown 2026 State of Malware report captures a unique moment of transition—when the established world of human-driven intrusion meets the emerging machine-driven future.
Key Takeaways
- Malware is dead; hands-on-keyboard attacks dominate
- AI-driven cybercrime has crossed from speculation to reality
- The effects of cyberattacks are now felt in the physical world
- SMEs face the same threats as enterprises
Released today, the ThreatDown 2026 State of Malware report captures a unique moment of transition—when the established world of human-driven intrusion meets the emerging machine-driven future. It explores how the threat landscape is being reshaped by AI, what it means for defenders, and how organizations can prepare for a year when human hackers will hand their playbooks over to tireless machine adversaries that learn, adapt, and scale on their own.
The 2026 State of Malware details the critical lessons that organizations can learn from 2025, and how the threat landscape is likely to change again in 2026:
The cost of cyberattacks is measured in shuttered factories
2025 showed clearly that the effects of cyberattacks now extend far beyond encrypted files and ransom payments. For example, in May, ransomware triggered a technology blackout across Kettering Health’s 14-hospital system in Ohio; in June, an attack on United Natural Foods emptied grocery shelves at 30,000 stores; and in August, a cyberattack brought Jaguar Land Rover’s global auto production to a halt for five weeks, affecting facilities in the UK, China, Slovakia, India, and Brazil.
And the problem of collateral damage is not limited to enterprises. Hiscox data from 2025 shows that 80% of SMEs hit by ransomware paid a ransom, but only 60% recovered their data, while one in three faced substantial fines and nearly 30% reported declines in sales, customer trust, or new-business opportunities.
The commoditization of ransomware and a growing library of turnkey attack methods mean that small and medium-sized enterprises (SMEs) must repel the same threat actors as larger organizations, but with fewer resources and disproportionately greater consequences.

AI enters the fray
2025 marked the moment when hype and speculation about AI in cybercrime gave way to reality. Deepfakes became standard social engineering tools, while OpenAI CEO Sam Altman warned that AI had “fully defeated” the advanced voice and face authentication schemes used by banks.
In August, the first autonomous ransomware campaigns were detected by Anthropic, when a threat actor used the company’s Claude Code agent to automate attacks against multiple targets, including organizations in the healthcare and defense sectors. The agent conducted reconnaissance across thousands of VPN endpoints, harvested credentials, penetrated networks, analyzed stolen data, and even generated tailored ransom notes.
More sophisticated attacks followed, and by the end of the year threat actors had demonstrated that AI agents could cooperate to conduct multiple, complex intrusions simultaneously, with minimal human oversight.
Speed, stealth, and the shrinking window to respond
The defining characteristics of modern intrusions are speed and stealth. Dwell times have collapsed as attackers compress multi-stage attacks into hours to outrun human detection and response. By moving faster, attackers generate fewer alerts, exploit gaps in overnight and weekend coverage, and complete critical stages of an intrusion before defenders can intervene.
This acceleration is paired with a strong emphasis on stealth. Rather than deploying noisy malware, attackers increasingly “live off the land,” blending into normal IT activity by abusing legitimate tools, stolen credentials, and remote monitoring software. Unmanaged systems, shadow IT, and unsupported endpoints have become staging grounds where attackers can harvest credentials, disable defenses, and launch ransomware remotely without being seen.
The result is a fundamental shift in the defender’s challenge. Security teams are no longer racing to stop a single piece of malware, but to identify malicious intent hidden inside routine administrative behavior—often unfolding at machine speed. As AI-driven attacks mature in 2026, organizations that rely on delayed patch cycles, incomplete visibility, or reactive response will find that the window to detect and stop an intrusion has already closed.
To discover the security lessons you can learn from 2025, and what you need to know to defend your organization in 2026, download the full report.