Glitch effect

Huntress 2026 Cyber Threat Report

The threat landscape never stands still…and 2025 was no different. 

Cybercrime has become the world’s third-largest economy, with costs expected to reach $12.2 trillion annually by 2031. The Huntress 2026 Cyber Threat Report, shaped by data from over 4M endpoints and 9M identities protected by the Huntress Security Platform, exposes how cybercriminals shifted their strategies, streamlined playbooks, and leveled up tradecraft to blend in better than ever.

That's the world your business operates in now. The 2026 Huntress Cyber Threat Report breaks down how modern threats actually work today, drawn from what we see protecting real organizations every day—not headlines, not hype. Here's what changed, why it matters, and what you can do about it.

Here’s a sneak peek:

Glitch effectGlitch effect
Download Your Report
By submitting this form, you accept our Terms of Service & Privacy Policy

Attackers are using your own tools against you

The fastest-growing move we saw wasn't fancy malware. It was abuse of the remote monitoring and management (RMM) tools your team already trusts. RMM abuse jumped 277% year over year and showed up in nearly a quarter of all the incidents we investigated.

RMM Abuse Chart

Why write custom malware when you can sign in to software that's already installed and allowed? When attackers live inside legitimate tools, traditional defenses see normal activity. This is exactly the kind of living-off-the-land tradecraft that Managed EDR is built to catch.

AI turned cybercrime into a franchise

Generative AI didn't just make phishing emails cleaner. It built an underground economy on the abuse of trust. Tools that took skill now come prepackaged, putting fast, convincing attacks in the hands of people who couldn't have pulled them off two years ago.

That's the real shift: the barrier to entry collapsed, and the volume went up with it.

AI Threats

Shady Social Engineering

Your people are the new attack surface. ClickFix and fake CAPTCHA scams are rampant, linked to over 50% of all malware loader activity.

Social Engineering Graph

Ransomware got patient

Time-to-ransom (TTR) stretched from 17 to 20 hours as attackers focused on staying hidden, stealing data, and extorting victims.

Ransomware Stats

Ransomware crews slowed down on purpose. The trend moved from smash-and-grab toward quiet, staged attacks that sit in an environment, take time to learn it, and strike when it hurts most. The report digs into how initial access drives those campaigns. See the deeper ransomware breakdown for the full picture.

Identity Attacks

Stolen credentials are the new front door. Logins with a shady footprint made up 37% of all the identity threats we tracked, and that's often the quiet first step toward business email compromise and bigger payouts.

Once an attacker has a valid login, they can roam your environment and look like an employee. Watching identities the way you watch endpoints is how you close that gap—the job of Managed ITDR and a core part of stopping business email compromise.

Identity Threats

How we built this report

We didn't pull these findings from a survey. They come from telemetry across more than four million endpoints and nine million identities, spanning over 230,000 organizations we protect worldwide. That's the foundation for every stat in the report—real activity, real environments, real outcomes.

What this means for your industry

The playbook is shared, but the impact isn't evenly spread. Attackers tune their approach to the data and downtime that hurt a given sector most—patient records in healthcare, wire transfers and account access in financial services. The report's industry view helps you see where you sit in their plans before they make the first move.

Cybercrime built a business to take yours down. This report hands you their playbook—so you can stay ahead of the hidden competition and keep building without holding your breath.

Frequently asked questions

Anyone responsible for keeping a business safe—small IT teams, in-house security, and partners managing protection for clients of all sizes.

Yes. Download the full report above. Short on time? Start with the TL;DR.

Telemetry from 4M endpoints and 9M identities across 230,000 organizations protected by the Huntress Security Platform.

Pair the findings with continuous detection and response across your endpoints and identities. Start with the Huntress platform overview.