CrowdStrike dropped their 2026 Global Threat Report today and I want to take a moment to let one number sink in.
Twenty-seven seconds.
That is the fastest observed eCrime breakout time recorded in CrowdStrike’s frontline incident data from 2025. Breakout time, for those not obsessed with threat intelligence metrics, is the time between an attacker achieving initial access to your environment and that attacker moving laterally to access additional systems. Twenty-seven seconds.
When I started doing this work, the conventional wisdom was that attackers would dwell in a network for weeks or months before anyone noticed—see the three-month Conduent dwell time I wrote about today—but that was about stealth, not speed. Modern eCrime operators are running fully automated post-exploitation chains. The moment they establish a foothold, tooling is already executing: credential dumping, lateral movement, privilege escalation, all in a pre-packaged sequence that runs faster than a human analyst can read a SIEM alert.
The average in 2025 was 29 minutes. That’s down from 45 minutes the previous year, according to CrowdStrike’s press release. The trend line is not going in a reassuring direction.
The Report’s Core Finding: AI Accelerated Everything
CrowdStrike’s overarching thesis for 2026 is that AI is now the primary accelerant on the threat side. Not “AI might eventually be used by threat actors.” It’s happening, it’s measured, and the numbers are significant.
AI-enabled adversaries increased their activity by 89% year-over-year. Let that land. Nearly double the activity volume from adversaries specifically leveraging AI tooling to enhance their operations.
And here’s the line that should keep every CISO awake. CrowdStrike intelligence analyst Adam Meyers, quoted in today’s coverage of the report: “I don’t think AI is going to create the malware — I think AI is going to be the malware.”
That’s not marketing hyperbole. It’s a description of where the trajectory is pointing. AI isn’t a tool that helps threat actors write better phishing emails anymore—it’s becoming embedded in the attack chain itself, automating reconnaissance, adapting to defensive countermeasures in real-time, and generating convincing context-specific lures at scale.
Russia’s FANCY BEAR Gets an AI Upgrade
The report names specific threat actors and their AI adoption, which is where it gets particularly alarming.
Russia-nexus FANCY BEAR—also known as APT28, the GRU-linked group that has been caught in virtually every major Western political intrusion operation for a decade—deployed what CrowdStrike calls LAMEHUG: LLM-enabled malware that automates reconnaissance and document collection, per CrowdStrike’s release.
FANCY BEAR isn’t a crew of bedroom hackers. They have the full resources and technical infrastructure of Russian military intelligence. They’ve been running sophisticated operations since at least 2007. And now they’re plugging large language models directly into their malware to automate the cognitive work of target reconnaissance.
Think about what automated reconnaissance means at scale. Instead of an analyst manually reviewing stolen documents to identify high-value targets, relationships, and sensitive information—which takes time and human labor—LAMEHUG can process thousands of documents, identify the most sensitive material, map organizational relationships, and generate follow-on targeting intelligence automatically. The volume of intelligence they can extract from a single compromise multiplies dramatically.
I’ve written extensively about how geopolitical threat actors operate in the grey zone between espionage and disruption. FANCY BEAR with AI-enhanced malware is exactly that grey zone, moving faster and more efficiently than any human operator could.
North Korea Had a Hell of a Year
If FANCY BEAR is concerning, the North Korea numbers in this report are frankly staggering.
North Korea-nexus incidents jumped 130% year-over-year. FAMOUS CHOLLIMA—the CrowdStrike designation for the cluster associated with North Korean IT worker fraud schemes—doubled their activity compared to 2024, per the Adversary Podcast breakdown of the report.
We covered Lazarus Group adopting Medusa ransomware in today’s other post. That’s one operational cell, running one RaaS affiliate scheme. FAMOUS CHOLLIMA is running an entirely separate operation: fake IT workers using AI-generated personas to get hired at Western companies, then using that insider access to exfiltrate data and funnel money to Pyongyang. CrowdStrike says AI is now enabling them to scale those insider operations—more convincing fake identities, more consistent behavior simulation, more targets simultaneously.
A 130% year-over-year increase in North Korean incidents. A 130% increase while they’re simultaneously running ransomware operations through Medusa, stealing crypto through Lazarus, and running fake IT worker schemes through FAMOUS CHOLLIMA. These aren’t separate problems. They’re revenue streams in a diversified criminal-geopolitical operation, all being accelerated by AI tooling.
82% Malware-Free. And That’s Not Good News.
Here’s the stat that gets buried in these reports but matters enormously for defensive architecture: 82% of CrowdStrike’s detections in 2025 were malware-free intrusions.
What does malware-free mean? It means the attacker achieved their objectives—access, lateral movement, data exfiltration—without deploying traditional malware that endpoint security tools would detect. Instead, they used legitimate system tools: PowerShell, WMI, LOLBins (Living Off the Land Binaries), stolen credentials, valid remote access software, and built-in OS capabilities.
If your security architecture assumes the primary threat detection signal is “antivirus flagged a malicious file,” you are going to miss 82% of what’s actually happening in your environment. This is not a new insight—CrowdStrike has been reporting the malware-free trend for years—but the percentage keeps climbing, and a lot of organizations are still running a detect-the-malware-file security strategy.
My old post on how to handle antivirus alerts is somehow more relevant than ever, because the point was always that AV is a single signal in a detection stack, not the stack itself. An attacker using stolen credentials and PowerShell doesn’t generate an AV alert. They look like a legitimate admin doing legitimate admin things. You need behavioral detection—UEBA, anomaly detection, identity-based monitoring—to catch them.
Zero-Days Are Getting Worse Too
CrowdStrike recorded a 42% increase in vulnerabilities exploited prior to public disclosure in 2025. That’s the zero-day problem compounding.
The general assumption in most organizations’ patch management programs is: “We’ll patch within 30 days of a CVE being published.” That assumption breaks down completely when the vulnerability is being exploited weeks or months before public disclosure. You can’t patch what you don’t know exists yet.
We saw this dynamic play out in real-time with CVE-2026-2441—discovered February 11, already being exploited in the wild when Google confirmed it, emergency patch out February 16. That’s a five-day exploitation window before even the patch was available, let alone deployed. A 42% increase in this pattern means the window between “vulnerability exists” and “vendor knows about it and patches it” is growing, not shrinking.
The February 2026 Patch Tuesday had six actively exploited zero-days in a single month’s release cycle. Six. The adversary pipeline for finding, developing, and deploying zero-day exploits is becoming more efficient. The 42% year-over-year increase tells you that the gap between researcher discovery, adversary exploitation, and vendor patching is being exploited more and more often.
Cloud Is The New Battleground
Cloud-conscious intrusions—CrowdStrike’s term for attacks that specifically target cloud infrastructure and demonstrate attacker knowledge of cloud environments—increased 37% in 2025, per the report.
What does cloud-conscious mean in practice? It means attackers who aren’t just pivoting from an on-premises compromise into cloud infrastructure by accident. It means attackers who understand IAM roles, S3 bucket permissions, Lambda functions, container orchestration, and cloud-native persistence mechanisms—and are specifically targeting cloud control planes to maximize the blast radius of a compromise.
The shift to cloud has been happening for years. The security tooling for cloud environments has lagged significantly behind on-premises security maturity. Most organizations have much more visibility into their on-premises environments than their cloud workloads. Attackers know this. A 37% year-over-year increase in cloud-conscious intrusions tells you the adversary community has fully internalized where the vulnerable, high-value infrastructure now lives.
What To Actually Do With This Information
CrowdStrike publishes this report every year. Every year the numbers are worse. Every year executives download it, read the executive summary, nod, and then go back to budgeting security at 3% of IT spend. So let me frame this practically.
Your detection stack needs to work on malware-free intrusions. If you’re still primarily relying on signature-based AV and perimeter firewalls, 82% of modern intrusions will walk right through undetected. You need identity-based behavioral monitoring, privileged access anomaly detection, and lateral movement detection that doesn’t depend on seeing a malicious file. EDR that covers the full attack chain, not just file-based threats.
Your breakout-time assumption needs to reflect reality. If your incident response plan assumes you have hours or days to contain an intrusion after initial detection, you need to revise it. A twenty-nine-minute average breakout time means your containment actions need to happen in the first thirty minutes after detection. Not after the IR team finishes reading the alert and joins the call. Automated response actions—isolation of affected endpoints, suspension of compromised accounts, blocking of lateral movement paths—need to happen programmatically.
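As an added example that is not part of this post or of CrowdStrike's tooling, here is the breakout-time definition and the malware-free detection point from above worked as detection logic over constructed logon events: it computes each credential's breakout time from built-in remote-execution logons alone (no malicious file anywhere) and returns the containment actions to fire when that time falls inside the response window. Hostnames, users and method labels are assumptions of the example.

```python
"""Breakout-time detection and automated containment over constructed logon events.
Added example, not CrowdStrike's code: for each credential, take its first logon as the
foothold, find the first remote-execution logon to a different host, compute the
breakout time, and return the containment actions to fire when it falls inside the window."""
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    src_host: str   # host the session originates from
    dst_host: str   # host that accepted the logon
    method: str     # e.g. "rdp", "psremoting", "wmi" (all constructed labels)

# Built-in methods that carry a session onto another host with no malware involved.
REMOTE_EXEC_METHODS = {"psremoting", "wmi", "smb", "rdp", "winrm"}
T0 = datetime(2025, 6, 3, 9, 14, 0)
SAMPLE_EVENTS = [  # constructed: "jdoe" lands on WS-14 and pivots to FS-02 after 27 s
    LogonEvent(T0, "jdoe", "VPN-GW", "WS-14", "rdp"),
    LogonEvent(T0 + timedelta(seconds=27), "jdoe", "WS-14", "FS-02", "psremoting"),
    LogonEvent(T0 + timedelta(seconds=41), "jdoe", "WS-14", "DC-01", "wmi"),
    LogonEvent(T0 + timedelta(minutes=5), "asmith", "WS-22", "WS-22", "interactive"),
    LogonEvent(T0 + timedelta(minutes=9), "asmith", "WS-22", "MAIL-01", "owa"),  # benign
]

def breakout_times(events):
    """user -> (foothold_host, first_lateral_host, seconds) for every credential that
    reached a second host via a remote-execution method; other users are left out."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    result = {}
    for user, evs in by_user.items():
        foothold = evs[0]
        for e in evs[1:]:
            if e.dst_host != foothold.dst_host and e.method in REMOTE_EXEC_METHODS:
                secs = (e.ts - foothold.ts).total_seconds()
                result[user] = (foothold.dst_host, e.dst_host, secs)
                break
    return result

def containment_actions(events, window_seconds=30 * 60):
    """Actions to run programmatically: isolate the foothold host and suspend the
    credential for every breakout that happened inside the response window."""
    actions = []
    for user, (foothold, _lateral, secs) in sorted(breakout_times(events).items()):
        if secs <= window_seconds:
            actions += [("isolate_host", foothold), ("suspend_account", user)]
    return actions
```

On the constructed events the only finding is the 27-second pivot by "jdoe"; "asmith" reaches a second host too, but through an interactive and a webmail logon, so no action fires.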
Treat your AI-exposed attack surface as a first-class security concern. CrowdStrike reports adversaries are injecting malicious prompts into GenAI tools at more than 90 organizations. If your organization uses AI assistants, copilots, or LLM-enabled tools connected to sensitive data or systems, the attack surface includes prompt injection and indirect prompt injection through poisoned inputs. This is not theoretical—it’s in CrowdStrike’s 2025 observation data.
Run a cloud IAM audit. With cloud-conscious intrusions up 37%, your cloud Identity and Access Management configuration is a high-priority review target. Over-permissioned IAM roles, unused credentials, wildcard policies, and service accounts with admin rights are all active targets. If your last IAM audit was more than six months ago, it’s time for another one.
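One way to start that audit, as an added example that is neither CrowdStrike's nor AWS's code: a small checker that walks a role inventory and flags the items listed above, wildcard Allow statements, service accounts holding admin-equivalent rights, and credentials not used in 90 days. The policy documents follow the AWS IAM JSON layout; the role records, the fixed "today" and the "svc-" naming convention for service accounts are assumptions of the example.

```python
"""Cloud IAM audit over constructed role records.
Added example, not CrowdStrike's or AWS's code: flags wildcard Allow statements,
admin-equivalent service accounts and credentials unused for 90+ days. Policies use the
AWS IAM JSON layout; the roles, NOW and the "svc-" convention are assumptions."""
from datetime import datetime, timedelta, timezone
NOW = datetime(2026, 2, 25, tzinfo=timezone.utc)   # fixed "today" so results are repeatable
STALE_AFTER = timedelta(days=90)
def _as_list(v):
    return v if isinstance(v, list) else [v]

def wildcard_findings(policy):
    """(severity, detail) per Allow statement with a wildcard action: 'admin' when Action
    and Resource are both '*', 'broad' for service-wide actions such as 'lambda:*',
    'review' for NotAction grants, which are easy to misread and need a human look."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(("review", "NotAction"))
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            sev = "admin" if "*" in actions and "*" in resources else "broad"
            findings.append((sev, ",".join(wild)))
    return findings

def audit(roles):
    """roles: [{"name", "policy", "last_used": datetime|None}] -> [(role, issue)]."""
    issues = []
    for r in roles:
        for sev, detail in wildcard_findings(r["policy"]):
            issues.append((r["name"], f"{sev}:{detail}"))
            if sev == "admin" and r["name"].startswith("svc-"):
                issues.append((r["name"], "service-account-with-admin"))
        if r.get("last_used") is None or NOW - r["last_used"] > STALE_AFTER:
            issues.append((r["name"], "unused-credential"))
    return issues

ROLES = [  # constructed sample inventory
    {"name": "svc-build-runner", "last_used": NOW - timedelta(days=3),
     "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "analytics-reader", "last_used": NOW - timedelta(days=200),
     "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-analytics/*"}]}},
    {"name": "deploy-role", "last_used": NOW - timedelta(days=1),
     "policy": {"Statement": {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}}},
    {"name": "legacy-admin", "last_used": None,
     "policy": {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}},
]
```

`audit(ROLES)` flags the build service account twice (wildcard and admin-on-service-account), the stale reader, the service-wide Lambda grant and the never-used NotAction role; explicit Deny statements are ignored.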
MFA everywhere. Yes, I’ll keep saying it. CrowdStrike’s report notes that credential-based attacks remain a primary initial access vector. Valid credentials used from unexpected contexts. Stolen session tokens. Credential stuffing against exposed login portals. Phishing-resistant MFA—hardware keys, FIDO2, not SMS—cuts the legs off credential-based initial access. It’s the highest-return security investment most organizations aren’t fully doing yet.
The Fixer’s Final Word
Twenty-nine minutes average breakout. AI-enabled adversaries up 89%. North Korean incidents up 130%. Zero-day exploitation up 42%. Cloud intrusions up 37%. 82% of attacks leaving no malware fingerprint.
CrowdStrike is telling you, with specificity and receipts, exactly how the threat environment evolved in 2025. The question is whether your organization’s security posture evolved commensurately—or whether you’re running a 2023 security program against 2026 adversaries.
My research on the human and organizational factors that determine whether security controls actually work makes the same point the CrowdStrike report makes: the technology is almost never the limiting factor. The limiting factor is organizational will, resource allocation, and whether leadership understands what they’re actually up against.
Download the report. Read the full thing, not just the executive summary. Then walk into your next board meeting with the 27-second breakout number on a slide and see if that changes the security budget conversation.
