SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
AI-driven cyber threats grow as breakouts accelerate

Thu, 26th Feb 2026

Faster breakouts and more tracked adversaries

The global cyber threat landscape continues to expand. Defenders face more adversaries and less time to contain intrusions, while attackers reduce the time between initial access and lateral movement, increasing the operational load on security teams.

CrowdStrike's latest threat research tracks 281 adversaries, including cybercriminal groups and state-linked operators. It added 24 new adversaries over the past year.

Intrusions are also moving faster. Average breakout time dropped from 62 minutes in 2023 to 29 minutes in 2025. The fastest observed breakout time fell from 51 seconds in 2024 to 27 seconds in 2025. Shorter breakout times narrow the window for investigation and containment and increase the risk of fatigue as incident volume and pace rise.

AI as a dual-use factor

AI now sits at the centre of cybersecurity planning, appearing in both attacker tradecraft and defensive tooling. It also introduces new risks as organisations deploy AI services with limited logging and inconsistent controls.

The research reports an 89% increase in AI-enabled attack disruptions and frames the trend as part of a wider shift towards targeting people and workflows, not just technical weaknesses.

AI adoption is also expanding the attack surface. Adversaries have targeted AI platforms and adjacent tools, including by exploiting vulnerabilities in AI workflow software and using AI for social engineering. The research also notes AI use in malware development and post-compromise activity.

Some activity targets defenders' AI-assisted workflows. The research highlights prompt injection techniques designed to mislead AI-driven analysis, adding pressure on organisations planning to automate triage and investigation.

"AI is a dual-use factor," said Adam Meyers, head of counter adversary operations at CrowdStrike.

Ransomware rises and tactics shift

Ransomware remains a major source of operational disruption. The research reports a 134% increase in ransomware incidents and links the pattern to shifts in the criminal ecosystem. Law enforcement actions can drive temporary drops, followed by new entrants and rebranding among existing groups.

Attackers have refined techniques to encrypt faster, reducing the time defenders have to isolate systems and recover before disruption spreads. Initial access methods are also diversifying. The research highlights voice phishing and the targeting of SaaS accounts as entry points.

Virtualised infrastructure has become a focal point. ESXi hypervisors appear frequently in lateral movement, serving as a platform for broader encryption and data theft. The research also notes experimentation with compromised devices, including weaponising vulnerable hardware such as webcams as part of ransomware operations.

Cloud incidents and identity abuse grow

Cloud environments are becoming a more active battleground. The research reports a 37% increase in cloud incidents and a 266% rise in nation-state targeting of cloud environments.

Identity plays a central role. The research finds that 35% of cloud incidents involved valid credentials and highlights continued abuse of hybrid identity setups, where on-premises and cloud identities sync. Once attackers gain a foothold, this architecture can let them move between domains.

This shift is changing defensive priorities. Endpoint detection remains important, but attackers increasingly move into identity systems, SaaS applications, and cloud management layers. In these areas, they can operate with fewer traditional controls, particularly when using legitimate credentials.

"Identity management is a top priority," said Meyers.

Cross-domain intrusions exploit blind spots

Intrusions increasingly span endpoints, cloud services, network devices, and identity systems. The research describes adversaries exploiting unmanaged devices as stealthy footholds, then harvesting credentials and pivoting into SaaS applications and VPNs.

Virtual environments also contribute. Attackers can reuse decommissioned environments and hide activity in complex infrastructure where monitoring coverage varies. These patterns make detection harder when telemetry remains fragmented across tools and teams.

Security teams now face a visibility problem across domains rather than a single control gap. The research points to the need for integrated telemetry across endpoints, networks, identity providers, and cloud services, as well as prioritising edge device instrumentation and patching, since network devices often lack modern security tooling.

China and rapid exploitation of zero-days

The research highlights Chinese cyber activity as a major factor. It reports a 42% increase in China-linked zero-day exploitation and says Chinese operators weaponised vulnerabilities within two days of public disclosure in observed cases.

It also points to more efficient exploitation. According to the report, 67% of exploits in this cluster provided direct system access without complex exploit chaining. It also highlights persistence, including one case in which an adversary maintained access for 22 months.

The focus on network perimeter and edge devices stands out and is linked to known weaknesses in patching and instrumentation. The research also points to logistics and infrastructure as areas of interest amid wider geopolitical tensions, describing targeting of logistics infrastructure and edge devices as part of planning for disruption scenarios.

"China increased zero-day exploits by 42%," said Meyers.

Security priorities: AI deployments, identity, and visibility

The research sets out three priorities for organisations. The first is securing AI deployments. Rapid rollout has left many organisations with weak monitoring around AI services, including gaps in logging and controls for APIs and AI tooling embedded in business workflows.

The second is identity, including human and non-human identities such as service accounts, application identities, and SaaS authentication. The research points to voice phishing and credential theft as persistent problems and underscores identity's role in cloud intrusions.

The third is cross-domain visibility. The report frames blind spots across cloud, identity, and unmanaged devices as recurring enablers of successful intrusions. It also emphasises edge device patching and monitoring, since these devices can provide an early foothold for later movement into core systems.

"AI currently assists adversaries incrementally," said Meyers.

"Human analysts remain vital," said Meyers.