ReliaQuest’s 2026 Annual Threat Report reveals that 2025 saw an unparalleled escalation in AI- and automation-facilitated cyberattacks. Comparing incident data from 2024 with 2025, ReliaQuest found that threat actors are now faster than ever. To stay ahead of the curve, security practitioners will need to adopt AI in their own defenses or be left behind.
AI Increased Attack Speeds Dramatically
In 2025, AI not only increased attack speeds, but it also did so much more efficiently and intelligently. Malefactors were able to automate and deploy AI to create sophisticated phishing attacks at a scale previously unattainable.
This resulted in attackers achieving lateral movement within as few as four minutes, 85% faster than the 2024 record.
“In 2025, cybercriminal success was defined by speed, and breakout time is the clearest measure of how little time defenders have. Attackers averaged a 34-minute breakout time, and, in the fastest case, reached lateral movement in just 4 minutes (an 85% acceleration over the 27-minute record in 2024), leaving little margin for manual response,” ReliaQuest researchers said.
Defensively speaking, AI-enabled SOCs were able to contain threats in an average of four minutes, versus the potential of up to 16 hours when relying on manual methods.
Ransomware and Automated Reconnaissance
The study also revealed that an estimated 80% of all ransomware attacks used AI or some form of automation, which allows for entirely pre-scripted ransomware attacks utilizing legitimate attack tools.
Attackers are increasingly automating their reconnaissance by analyzing social media and other publicly available information that previously would have taken them days to review. Additionally, researchers reported that the BoaLoader malware has been observed in nearly one in five of all ransomware attacks, even though it only emerged late in 2025.
This particular scourge uses large language models to generate deceptive JavaScript code that masquerades as legitimate software.
Initial Access Now Often Comes with Elevated Privileges
Initial access is now often already at an elevated privilege level. Historically, most attacks began at a low privilege level, giving defenders time to identify and react to privilege elevation. However, by the end of 2025, an estimated 47% of all ransomware attacks were initiated from elevated privilege levels.
This reduces the defender’s window of opportunity to identify and respond to the attack. As such, the attackers can rapidly move towards achieving their objectives.
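The two metrics this section and the earlier one on attack speed rest on, breakout time (first lateral movement minus first initial access) and whether the entry account was already privileged, are straightforward to compute from an incident timeline. The following is an added example, not code from the report or from ReliaQuest; the event rows, the tactic labels, and the set of privilege names treated as "elevated" are all constructed assumptions, and `summarize_incidents` and `exceeds_manual_response` are hypothetical helper names.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample alert timeline (not data from the report). Each row is
# (ISO-8601 timestamp, incident id, tactic, privilege of the account involved).
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2025-06-01T09:00:00", "INC-1", "initial_access", "user"),
    ("2025-06-01T09:21:00", "INC-1", "privilege_escalation", "admin"),
    ("2025-06-01T09:34:00", "INC-1", "lateral_movement", "admin"),
    ("2025-06-02T14:10:00", "INC-2", "initial_access", "admin"),
    ("2025-06-02T14:14:00", "INC-2", "lateral_movement", "admin"),
    ("2025-06-03T11:00:00", "INC-3", "initial_access", "user"),
]

# Assumed privilege labels that count as "elevated"; adapt to your own schema.
ELEVATED_PRIVILEGES = {"admin", "domain_admin", "system", "root"}


@dataclass
class IncidentSummary:
    incident_id: str
    breakout_minutes: Optional[float]  # None when no lateral movement was seen
    elevated_at_entry: bool


def summarize_incidents(rows) -> Dict[str, IncidentSummary]:
    """Group events by incident and derive breakout time and entry privilege.

    Breakout time is the gap between the first initial-access event and the
    first lateral-movement event that follows it. Events may arrive out of
    order, so each incident's list is sorted by timestamp first.
    """
    by_incident: Dict[str, List[Tuple[datetime, str, str]]] = {}
    for ts, inc, tactic, priv in rows:
        by_incident.setdefault(inc, []).append((datetime.fromisoformat(ts), tactic, priv))

    summaries: Dict[str, IncidentSummary] = {}
    for inc, events in by_incident.items():
        events.sort(key=lambda e: e[0])
        first_access = next((e for e in events if e[1] == "initial_access"), None)
        if first_access is None:
            continue  # breakout time is undefined without a known entry point
        first_lateral = next(
            (e for e in events
             if e[1] == "lateral_movement" and e[0] >= first_access[0]),
            None,
        )
        breakout = None
        if first_lateral is not None:
            breakout = (first_lateral[0] - first_access[0]).total_seconds() / 60
        summaries[inc] = IncidentSummary(
            incident_id=inc,
            breakout_minutes=breakout,
            elevated_at_entry=first_access[2] in ELEVATED_PRIVILEGES,
        )
    return summaries


def exceeds_manual_response(summaries: Dict[str, IncidentSummary],
                            manual_budget_minutes: float) -> List[str]:
    """Return ids of incidents whose breakout time was shorter than the time
    a manual triage-and-contain process needs: the cases where only an
    automated response could have acted before lateral movement."""
    return sorted(
        inc for inc, s in summaries.items()
        if s.breakout_minutes is not None and s.breakout_minutes < manual_budget_minutes
    )


if __name__ == "__main__":
    result = summarize_incidents(SAMPLE_EVENTS)
    for s in result.values():
        print(f"{s.incident_id}: breakout={s.breakout_minutes} min, "
              f"elevated at entry={s.elevated_at_entry}")
    print("faster than a 30-minute manual response:",
          exceeds_manual_response(result, 30))
```

Run against the constructed rows, INC-1 shows a 34-minute breakout from a low-privilege foothold, INC-2 a 4-minute breakout from an account that was already elevated, and INC-3 no lateral movement at all. Tracking these two values per incident over time is a practical way to see whether a manual response budget is still realistic for the intrusions an organisation actually faces.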
Last year, social engineering was the leading method for attackers to gain an initial foothold in a network (at 23% of all compromises), followed closely by phishing via URL (23%) and via attachment (13%). Social engineering attacks were amplified too, again through the use of AI.
Before AI, language barriers limited many social engineering attacks, and it was far harder for bad actors to rapidly generate a range of believable narratives or scenarios.
Exposure-Led Compromise: Visibility Is Key
Unlike phishing and other user-initiated initial access attacks, perimeter exploitation is not about convincing someone to click on something; it is about something that is reachable, trusted, and left in an exploitable state.
Whether it is a zero-day, a new version of an old known vulnerability, or a misconfigured cloud, the end result is the same: rapid initial access and expansion. The key to understanding this problem is to understand visibility and resiliency.
Defenders should understand what they own, what they are exposing, and what they are unable to see. “They should then layer controls to achieve defense in depth against the known unknowns, but focus on detecting and containing what happens after entry, not just the specific exploit used,” the researchers said.
These findings are but the tip of the iceberg; the full details are in ReliaQuest’s 2026 Annual Threat Report.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.