The cyber threat landscape has shifted into high gear, with identity-centric attacks taking pole position. Cyber criminals are using AI to find new ways to accelerate threats through the blind corners of edge devices (i.e. sensors, smartphones, etc), supply chains, and cloud ecosystems. Geopolitical turbulence continues to influence the threat landscape turning trusted dependencies into high-speed attacks.  

In 2025, PwC identified an almost 60% increase in ransomware victims whose sensitive data had been exposed and published on a ‘leak site’ (increasing from 4,837 victims in 2024 to 7,635 victims in 2025).  From record-level ransomware leak site victimisation and crypto heists, to pervasive compromises of technologies and sustained espionage campaigns targeting critical infrastructure, we are seeing an increasingly capable and adaptive threat landscape.  Cyber criminals are employing their full tradecraft, effortlessly  navigating identity, cloud, edge, and application layers with unprecedented precision. 

PwC’s new report “Annual Threat Dynamics 2026: Cyber threats in motion” examines the emerging cyber trends, threat actors, and motivations defining the global cyber threat landscape. It includes the factors influencing an overall increase in threat activity, the evolving tools, and the impact of wider geopolitics and technological innovation. 

The research finds that the cyber threat landscape is evolving at an unprecedented pace. Lines are blurring and the rules of engagement have changed.  60% of leaders are increasing cyber risk investment in response to geopolitical volatility but only 6% feel very capable of withstanding attacks.  

Identity is the key battleground 

Cyber criminals are increasingly choosing to log in rather than break in. They are stealing login credentials or luring employees into handing over access to bypass traditional perimeter defences. Social engineering is evolving in sophistication, with AI-generated deepfakes, IT helpdesk impersonation, stolen identities for illicit remote worker operations, and multi-stage phishing campaigns targeting human and machine identities alike.  As organisations expand their Software as a Service (SaaS) ecosystems and cloud dependencies, the attack surface is widening — with a single compromised identity capable of unlocking cascading access across entire environments.

AI is accelerating both sides of the cyber race 

AI is accelerating the threat – and defence strategies must keep pace.  AI is increasingly being used by both attackers and defenders.  AI is making attacks harder to spot.  Fake voices and videos are being used to authorise payments.  Phishing messages are more convincing than ever.  The speed of sophistication of attacks has stepped up significantly – and is only accelerating.  Cyber criminals are embracing AI not as an enhancement but as a core component of their tradecraft, using it to automate reconnaissance (i.e. scan information, gather intelligence, identify vulnerabilities etc), generate convincing phishing lures, accelerate malware development, and scale social engineering across languages and platforms.   

The time between an AI capability being publicly released and its weaponisation by cyber criminals is shrinking dramatically, whilst autonomous AI agents capable of executing attacks without human intervention are a prime concern.  AI also represents the single greatest opportunity for defenders to match the pace, enabling faster detection, automated containment, and intelligence-led decision-making at scale. 

Cyber risk is inseparable from business and geopolitical strategy 

Geopolitical turbulence continues to influence the threat landscape, with greater disruption at strategic inflection points seen around the world.  Financial crime, insider threats, digital-to-physical security concerns, and supply chain compromise are converging into a single pressure point.  Threat actors are simultaneously targeting executives, developers, suppliers, hiring processes, and financial workflows from multiple angles. The boundaries between motivations continue to blur, as ransomware operators sell strategically sensitive data, espionage motivated threat actors leverage cyber criminal tooling and certain threat actors industrialise fraudulent employment and cryptocurrency theft at unprecedented scale.  

Looking ahead - sustained increase in the volume and sophistication of threats 

Identity will remain in pole position as the primary route to attack. Cyber criminals will enhance their techniques for evasion and impersonation, such as by spoofing device posture and employing multistage, identity-based attacks. Treating identity governance as a strategic, board-level priority — not a technical checkbox — will be critical to staying ahead of the field. 

Continued AI adoption by cybercriminals will highly likely fuel a sustained increase in the volume and sophistication of threats. Quantum advancements will change the track entirely. Organisations should anticipate malware that natively incorporates AI to evade detection and target high-value data.  Investing in AI-enhanced defence, embedding frameworks into threat modelling, and becoming post-quantum ready will be essential to keeping pace. 

We should expect broader and faster financially motivated attacks over the course of 2026, alongside diversification in ransomware tactics (including new ways to pressure victims to meet ransom demands).  Conflicts, trade disputes, elections, and shifting alliances will continue to shape threat actor targeting. Organisations that embed geopolitical and supply chain risk into strategic decision-making — aligning cyber, legal, HR, finance, and communications capabilities — will be better positioned to navigate the turbulence ahead.   

In an identity-driven, AI-accelerated threat landscape, resilience belongs to organisations that treat cyber risk as inseparable from business and geopolitical strategy, govern identity at speed and validate trust continuously.