Darktrace’s Annual Threat Report 2026 starts with a familiar problem for defenders: known software flaws are growing faster than most teams can keep up with. The report tallies 48,185 CVEs published in 2025, a 20.6% jump from the year before.
At the same time, many intrusions don’t start with a brand-new vulnerability. The report says attackers are bypassing “traditional exploits” more often and leaning into identity compromise and trust abuse. Logging in beats breaking in.
That’s the paradox. You can run a disciplined patch program and still get hit if a phished password, hijacked session, or over-permissioned account gives an attacker a clean path in. Patching still matters, but it can’t be the whole plan when the exploit is a credential that looks legitimate until it doesn’t.
Identity as the Primary Attack Vector
The report’s most consistent theme across 2025 is identity compromise. In the Americas, Darktrace says SaaS/M365 account compromise plus phishing or email-based social engineering account for nearly 70% of recorded incidents. Attackers are getting in through accounts—especially email and SaaS identities—then using the same tools employees rely on.
That changes what an intrusion looks like. There may be no malware and no exploit to catch; the first trace may be a quiet inbox rule forwarding sensitive mail, created with the same tools the legitimate user has.
Zero-days still matter, and some attackers use them. But credential abuse keeps winning because it blends in, and it often buys time.
For defenders, the takeaway isn’t “patch less.” It’s that IAM has moved into the center of day-to-day security work. A few priorities tend to pay off quickly:
- Use MFA everywhere, but make it harder to trick. Push-based MFA can be worn down by prompt bombing and social pressure. Move toward phishing-resistant options where you can, and tighten help-desk and self-service reset paths. Account recovery is part of authentication.
- Clamp down on SaaS permissions. Audit app consents. Limit who can approve them. Watch for new or unusual consent grants and role changes, because those events can turn a single compromised user into broader access.
- Reduce standing privilege. Least privilege and just-in-time admin access can limit what a stolen account can do before you catch it.
- Monitor sessions and tokens as closely as passwords. Many takeovers don’t need the password again once the attacker has a valid session or token.
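As an added example (not code from the Darktrace report or from any vendor), the following Python applies the monitoring points in the list above to a handful of constructed audit events shaped loosely like Exchange and Entra ID records: a new inbox rule, an OAuth consent grant, and a sign-in that reuses an existing session from a different country. The field names, the tenant domain `example.com` and the list of high-risk scopes are assumptions, not a real schema.

```python
"""Flag identity-abuse signals in constructed M365-style audit events.

Added example; event shapes are simplified approximations of Exchange and
Entra ID audit records, not the real schemas.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumption: the tenant's own mail domain

# Scopes that turn one consent into broad, durable access (assumed list).
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "offline_access"}

# Constructed sample events: one phished user (jdoe) whose account gets a
# forwarding rule, an OAuth grant and a session replayed from a new country,
# plus one benign rule from another user.
EVENTS = [
    {"time": "2025-06-01T08:02:00", "op": "UserLoggedIn", "user": "jdoe@example.com",
     "session_id": "s-1", "ip": "203.0.113.5", "country": "US"},
    {"time": "2025-06-01T08:15:00", "op": "New-InboxRule", "user": "jdoe@example.com",
     "params": {"Name": ".", "ForwardTo": "archive@mail-relay.net", "DeleteMessage": True}},
    {"time": "2025-06-01T08:20:00", "op": "Consent to application", "user": "jdoe@example.com",
     "app": "Mail Sync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"time": "2025-06-01T08:40:00", "op": "UserLoggedIn", "user": "jdoe@example.com",
     "session_id": "s-1", "ip": "198.51.100.77", "country": "NL"},
    {"time": "2025-06-01T09:00:00", "op": "New-InboxRule", "user": "asmith@example.com",
     "params": {"Name": "Vendors", "MoveToFolder": "Vendors"}},
]


def _external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def check_inbox_rule(ev):
    """External forwarding, message deletion and near-empty names are classic
    attacker rule traits; each one found becomes a reason string."""
    p = ev["params"]
    reasons = []
    targets = [p[k] for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo") if p.get(k)]
    if any(_external(a) for a in targets):
        reasons.append("forwards to external address")
    if p.get("DeleteMessage"):
        reasons.append("deletes messages")
    if len(p.get("Name", "").strip(" .")) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def check_consent(ev):
    """A consent grant is worth a look whenever it includes a high-risk scope."""
    risky = sorted(HIGH_RISK_SCOPES & set(ev["scopes"]))
    return [f"high-risk scopes {risky}"] if risky else []


def check_session_reuse(ev, last_seen):
    """Same session identifier seen from a different country within two hours:
    the password was never re-entered, the token was replayed."""
    prev = last_seen.get(ev["session_id"])
    reasons = []
    if prev and prev["country"] != ev["country"]:
        gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
        if gap < timedelta(hours=2):
            reasons.append(f"session {ev['session_id']} reused from "
                           f"{prev['country']} then {ev['country']} within {gap}")
    last_seen[ev["session_id"]] = ev
    return reasons


def analyze(events):
    """Return (user, operation, reason) findings in time order."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] == "New-InboxRule":
            reasons = check_inbox_rule(ev)
        elif ev["op"] == "Consent to application":
            reasons = check_consent(ev)
        elif ev["op"] == "UserLoggedIn":
            reasons = check_session_reuse(ev, last_seen)
        else:
            reasons = []
        findings.extend((ev["user"], ev["op"], r) for r in reasons)
    return findings


if __name__ == "__main__":
    for user, op, reason in analyze(EVENTS):
        print(f"{user:22} {op:24} {reason}")
```

All three signals land on the same account within forty minutes, which is the pattern the list above is describing: the rule, the grant and the replayed token each look like ordinary user activity on its own, and only correlating them per identity makes the takeover visible.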
Phishing Evolves: QR Codes and Social Engineering
Phishing is still doing the heavy lifting. The report says Darktrace detected over 32 million high-confidence phishing emails in 2025.
What’s changing is how attackers route people around controls. Darktrace tracked more than 940,000 phishing emails containing QR codes in 2024, rising to more than 1.2 million in 2025—about a 28% jump.
A common sequence: an email lands in a work inbox, the user scans the QR code with a personal phone, credentials are stolen in the mobile browser, where the managed browser and the email gateway's link inspection don't apply, and the attacker replays those credentials against the corporate cloud.
The report also found a heavy share of spear-phishing and novel social engineering, and notes that many phishing emails passed DMARC authentication. A DMARC pass only confirms that the message came from infrastructure authorized to send for its From domain; attackers clear that bar by sending from compromised mailboxes or from lookalike domains they register and configure themselves.
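To make the DMARC point concrete, here is an added Python example (not from the report) that parses a constructed Authentication-Results header, takes the `dmarc=pass` verdict at face value, and then does the check DMARC itself never performs: is the authenticated From domain one we trust, or a lookalike of one? The trusted-domain list and the homoglyph table are assumptions.

```python
"""A DMARC pass is an alignment check, not a safety verdict.

Added example with constructed headers. Parses Authentication-Results, then
classifies the header.from domain against a trusted list and a lookalike check.
"""
import re

TRUSTED_DOMAINS = {"example.com", "microsoft.com"}  # assumption: known-good senders

# Digit-for-letter substitutions commonly used in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed header: the attacker registered micros0ft-support.com and set up
# SPF, DKIM and DMARC for it, so every check passes.
HEADER = ("Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=micros0ft-support.com; "
          "dkim=pass header.d=micros0ft-support.com; dmarc=pass header.from=micros0ft-support.com")


def parse_auth_results(header):
    """Return (dmarc_result, from_domain); either may be empty if absent."""
    m = re.search(r"dmarc=(\w+)(?:[^;]*?header\.from=([\w.-]+))?", header)
    if not m:
        return "", ""
    return m.group(1).lower(), (m.group(2) or "").lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None.

    The registrable label is normalized through the homoglyph table and split on
    hyphens, so micros0ft-support.com collapses to tokens ['microsoft', 'support'].
    """
    base = domain.rsplit(".", 1)[0].translate(HOMOGLYPHS)
    tokens = base.split("-")
    for t in sorted(trusted):
        if t != domain and t.rsplit(".", 1)[0] in tokens:
            return t
    return None


def classify(header):
    result, domain = parse_auth_results(header)
    if result != "pass":
        return "dmarc-fail-or-missing"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    hit = lookalike_of(domain)
    return f"dmarc-pass-but-lookalike-of-{hit}" if hit else "dmarc-pass-unknown-domain"


if __name__ == "__main__":
    print(parse_auth_results(HEADER))
    print(classify(HEADER))
```

The verdict that matters is the last one: the message is fully authenticated and still a phish, which is why authentication results belong in the scoring alongside sender reputation and content, not as a gate on their own.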
Darktrace’s SOC commentary also points to “spam bomb” campaigns that flood a user’s inbox with junk mail, paired with follow-up calls that impersonate IT.
Cloud as the Expanding Battleground
The cloud is where core business systems live, which makes it where attackers want to operate. In its cloud analysis, the report points to Azure as the most targeted provider in its dataset.
The bigger issue is how quickly compromise can expand once identity is in play. A single foothold can cascade across connected services. The practical change is speed; once an identity is abused in the cloud or SaaS, attackers can fan out in minutes, not days.
Three factors drive that acceleration:
- Misconfigurations. Darktrace cites industry estimates that misconfigurations account for about 23% of cloud security incidents.
- Identity sprawl. Every new workload, service account, API key, and third-party integration adds another identity that can authenticate. These identities are created quickly, granted access quickly, and often reviewed slowly.
- SaaS integrations. OAuth apps and connectors speed up work, but they also create permission paths that are hard to untangle under pressure. One bad grant can turn into broad access across mail, files, and collaboration data.
This is where cloud security and identity security fuse. In the cloud, permissions decide the blast radius.
Regional Variations, Universal Risks
Across regions, two problems show up again and again in the report: identity abuse and ransomware. The tactics shift based on infrastructure, regulation, and target mix, but the objectives stay consistent: access and leverage.
In the United States, Darktrace describes an environment driven by identity-led intrusions and ransomware ecosystems. Email and SaaS compromise often shows up as the initial foothold, then operators move fast into extortion, sometimes double or triple extortion.
Across the Americas, Darktrace still sees identity-led access dominating, with phishing and account compromise central to most incidents. It also notes that extortion doesn’t always require encryption. In parts of Latin America, data-leak pressure and credential theft can be the play.
The routes vary, but the end goal is usually the same. Attackers want access that lasts, and a way to turn that access into money, intelligence, disruption, or all three.
Strategic Implications for Security Leaders
For many teams, vulnerability counts have been the steering wheel. The report argues that it’s no longer enough on its own. Attackers are increasingly bypassing traditional exploit paths, and remediation capacity is finite.
Treat identity telemetry as core security data, not just audit logs. Visibility needs to include logins, sessions, token use, privilege changes, and consent grants. And it needs to be continuous, because account misuse can unfold quickly.
Invest in detection that focuses on behavior. When attackers use real accounts, static rules and signature-driven tools miss too much. Behavioral anomaly detection can surface odd logins, unusual data transfers, and permission use that doesn’t fit established patterns for that user or service.
That doesn’t mean “set it and forget it.” “Human oversight remains vital when using AI in offensive cybersecurity,” said Amit Zimerman, co-founder and chief product officer at Oasis Security. “While AI is highly efficient in automating and scaling tasks, human expertise is necessary to interpret complex results, make critical decisions, and apply context-specific reasoning.”
Harden cloud-native controls. Tighten IAM roles, reduce standing privilege, govern app consents, limit risky integrations, and watch for configuration drift. Build fast containment paths for cloud account takeover: revoke sessions, rotate secrets, remove suspicious app grants, and isolate the affected identity before it becomes a wider incident.
Securing the Human and Machine Identity Era
Identity now includes employees, contractors, service accounts, tokens, OAuth apps, and AI agents acting on someone’s behalf. These identities multiply fast, get broad access “for now,” and often linger long after anyone remembers why.
Identity is now both the attack surface and the control plane: attackers steal it to get in, and permissions decide what they can do next.
“This report’s findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just ‘who,’ or in the case of AI agents, ‘what,’ has access to the enterprise,” said Mark McClain, chief executive officer at SailPoint.
In 2026, identity-first security has to be the operating model: fewer long-lived credentials, less standing privilege, tighter consent rules, stronger MFA with hardened recovery, and monitoring that flags behavior that doesn’t fit.
The old playbook was “patch faster.” Now it’s “secure identities first.”