Blog Post
March 10, 2026 | Cybersecurity education | From the experts
By Field Effect
Most organizations didn’t suffer breaches in 2025 because they lacked tools or effort. They struggled because defenses were optimized for assumptions that no longer hold.
Attackers didn’t rely on novel exploits or sophisticated malware. They rarely need to "hack" their way in. Instead, they authenticated, blended into normal workflows, and moved at machine speed.
Field Effect’s 2026 Cyber Threat Outlook is built on real investigations, frontline telemetry, and incident response engagements across industries. What emerged wasn’t just a list of threats; it was a pattern of structural shifts that quietly undermined traditional security models.
Below are five of the most important changes security leaders need to embed in their cybersecurity strategy.
For years, identity was treated like the front door. In 2025, it became the building.
When attackers can steal a session, abuse a token, or socially engineer a helpdesk workflow, the traditional mental model of "keeping them out of the network" doesn’t hold. They don’t need to break perimeter controls if they can authenticate into cloud services, collaboration platforms, and admin tooling with a legitimacy that looks normal to the environment.
Field Effect’s telemetry reflected this in a way that’s hard to ignore: the majority of incident-related activity tied back to cloud identity compromise, often beginning with phishing-driven business email compromise. That’s not just “phishing is still a problem.” It’s a signal that credentials, tokens, SSO abuse, MFA fatigue, and session hijacking are now the most reliable way to gain meaningful access.
And 2025 added a complicating factor that most organizations still haven’t addressed: non-human identities.
Service accounts, API keys, OAuth tokens, and automation credentials exploded as cloud services and AI-enabled tools proliferated. They often run with high privilege, limited oversight, and weak lifecycle management. In practical terms: they behave like ghost admins. They don’t complain when “logged in” at 3 a.m. from a new geography. They don’t stop to question whether something feels off.
So identity attacks bypass both defenses and attention.
In 2025, identity attacks became the default operating model across threat clusters. When identity is the primary battleground, “did we roll out MFA?” is no longer the question that matters. The question becomes: Do we detect identity abuse as it unfolds?
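The closing question of this section, whether identity abuse is detected as it unfolds, can be operationalized for non-human identities. The detector below is an added example, not Field Effect’s code or telemetry: it learns a per-account baseline of country, client and hour of day from constructed sign-in records, then flags deviations such as the 3 a.m. sign-in from a new geography described above.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline: known-good sign-ins for two hypothetical service accounts.
# Fields: (account, ISO-8601 UTC timestamp, country, client application)
BASELINE = [
    ("svc-backup", "2025-05-03T02:00:00Z", "CA", "backup-agent"),
    ("svc-backup", "2025-05-17T02:01:00Z", "CA", "backup-agent"),
    ("svc-ci", "2025-05-05T14:12:00Z", "US", "ci-runner"),
    ("svc-ci", "2025-05-19T13:05:00Z", "US", "ci-runner"),
]

# Constructed new activity to evaluate; the last two records are the abuse to catch.
NEW = [
    ("svc-backup", "2025-06-01T02:00:00Z", "CA", "backup-agent"),  # normal
    ("svc-ci", "2025-06-02T14:30:00Z", "US", "ci-runner"),         # normal
    ("svc-backup", "2025-06-03T03:10:00Z", "NL", "web-browser"),   # new geo, new client
    ("svc-ci", "2025-06-03T03:15:00Z", "US", "ci-runner"),         # off-hours
]

def build_profiles(records):
    """Per-account sets of countries, clients and hours-of-day seen in the baseline."""
    prof = defaultdict(lambda: {"countries": set(), "clients": set(), "hours": set()})
    for acct, ts, country, client in records:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        prof[acct]["countries"].add(country)
        prof[acct]["clients"].add(client)
        prof[acct]["hours"].add(hour)
    return prof

def detect(records, profiles, hour_slack=1):
    """Return (account, timestamp, [reasons]) for sign-ins that break the profile."""
    findings = []
    for acct, ts, country, client in records:
        p = profiles.get(acct)
        reasons = []
        if p is None:
            reasons.append("unknown_account")
        else:
            hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
            if country not in p["countries"]:
                reasons.append("new_geography")
            if client not in p["clients"]:
                reasons.append("new_client")  # e.g. automation creds used from a browser
            # Off-hours: no baseline hour within +/- hour_slack (distance wraps at midnight).
            if not any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack for h in p["hours"]):
                reasons.append("off_hours")
        if reasons:
            findings.append((acct, ts, reasons))
    return findings
```

In practice the baseline would come from the identity provider’s sign-in logs over a trailing window, and each finding would feed a ticket or an automatic credential rotation rather than a print statement.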
In 2025, threat actors repeatedly inserted themselves into platforms where users are conditioned to trust activity by default, like Microsoft Teams and Zoom, remote support tools, and more.
Field Effect tracked a Microsoft Teams campaign where attackers impersonated internal IT, rapidly spun up new Microsoft 365 tenants, rotated “Help Desk” identities, and used voice-based persuasion to convince users to grant Quick Assist access. The payload wasn’t the most important part. The important part was the method: weaponizing a trusted support interaction to obtain legitimate remote access and then executing multi-stage actions that looked like IT work.
Earlier in the year, we saw similar dynamics in a state-linked Zoom operation: impersonation of trusted business contacts during scheduled meetings, spoofed Zoom-themed domains, and “audio repair” scripts that nudged victims into executing the attacker’s workflow inside a normal business context.
These aren’t isolated “social engineering incidents.” They’re a pattern: threat actors inserting themselves into the trusted spaces where people, tools, and workflows intersect. And once that happens, many organizations fall into a gap that traditional tooling struggles with:
The platform is legitimate.
This was the through-line across multiple 2025 investigations: collaboration tools, remote support utilities, and administrative workflows became high-value vectors precisely because organizations are trained to treat them as safe.
This is what “trust” looks like as an attack surface. Not users being careless—users being reasonable inside a process that was designed for speed and helpfulness, not verification.
In 2026, this matters because the attacker doesn’t have to be technically sophisticated if they can be operationally convincing.
The most important thing AI did to the threat landscape in 2025 was acceleration.
Generative AI let novices produce credible phishing and multilingual lures with almost no effort. And it let sophisticated groups industrialize operations through automation—APIs, scripted reconnaissance, exploit testing, and professionally run “support desk” style interactions that mimic real enterprises.
To put it bluntly, AI is enabling threat actors to treat vulnerability exploitation like a pipeline. Work that used to require humans, things like testing proof-of-concepts, scanning for misconfigurations, and chaining steps, is increasingly programmatic.
This is why 2025 felt different for defenders. Even well-run teams were forced into a losing rhythm:
The result is a shrinking window between “known issue” and “active compromise.” And that shrinking window hits MSPs especially hard, because you’re operating across many client environments with varying patch maturity, varying ownership of edge systems, and varying visibility.
The uncomfortable truth is that process speed has become a security control. A slow escalation path is now a vulnerability class.
2025 kept proving the same lesson: if the edge is weak, the rest of the environment is negotiating from behind. Attackers increasingly targeted VPNs, firewalls, routers, cloud-exposed services, and other perimeter-adjacent systems where visibility is limited, patching lags, and the boundary between “inside” and “outside” has lost meaning.
But the shift wasn’t just “edge devices are attacked.” The shift was that edge compromise became a launchpad for identity compromise and rapid escalation.
Field Effect documented a sustained SonicWall exploitation campaign where attackers used valid credentials, many tied to historic compromises, and later linked activity to a previously disclosed vulnerability (CVE-2024-40766).
The Akira ransomware operators didn’t have to smash their way in. They authenticated into high-privilege systems and moved quickly: disabling controls, searching for sensitive files, staging and exfiltrating data, then encrypting in a double-extortion model.
Here’s the part that should change how leaders think about patching: Some organizations hadn’t applied the patch. Others had, but failed to rotate credentials that were exposed while the system was vulnerable.
So “we patched” wasn’t the end of the story. The compromise lived on in credential reuse.
This is a 2025 pattern worth underlining for 2026 planning: edge incidents increasingly blend vulnerability exposure with identity failures, and organizations that only address one side stay exposed.
In 2025, when attackers couldn’t bypass security controls, they often just convinced users to do it for them.
Field Effect saw this clearly in the rise of “ClickFix”-style campaigns where fake CAPTCHA prompts and IT-themed personas guided users into manually executing malicious PowerShell commands. No exploit or attachment required. Just workflow manipulation.
This represents a deeper change than “users are still the weakest link.” That framing is too simplistic and, frankly, unhelpful.
The real change is that attackers became better students of business operations. They learned where your organization values speed over verification—helpdesk interactions, onboarding flows, tool downloads, meeting invites, “urgent” admin tasks—and they built intrusion paths that ride those same rails.
This is why 2025’s human element was so consequential. Not because people were careless, but because modern work is built on trust and momentum—and attackers are now designing campaigns that use those dynamics as the exploit.
At the end of the day, defenders can't really lower adversary intent or stop AI from improving attacker capability. What they can do is reduce the openings their environments present.
For the foreseeable future, the fastest and most measurable risk reduction will come from tightening the fundamentals in the places attackers consistently exploited: identity pathways, edge infrastructure, patching discipline, visibility into trusted tools, and clear response motions when "normal" looks a little off.
This briefing is meant to be unsettling in a productive way. Because 2026 planning can’t be a “buy another tool” conversation. Field Effect’s 2026 Cyber Threat Outlook goes deeper with the real-world cases and telemetry that show how these shifts play out in live environments, including:
The full 2026 Cyber Threat Outlook expands on these shifts with real-world case studies, telemetry-driven insights, and clear guidance for the year ahead.
If you’re responsible for security outcomes in 2026, whether you’re protecting your own org or dozens of clients, this report gives you the strategic model and operational signals you need to prioritize correctly.