In today’s rapidly evolving technological landscape, artificial intelligence (AI) is reshaping the cybersecurity arena. The 2026 ExtraHop Global Threat Landscape Report examines how security teams are responding to developments in AI within this environment, and how these changes are influencing defensive capabilities.
Many organisations are seeing an increase in attack surfaces, with over half of surveyed respondents identifying AI agents, infrastructure, and applications as significant risks. These concerns are reflected in reported incidents, with 85% having experienced events linked to AI systems. The most impactful include AI-enhanced external attacks, session theft, and vulnerabilities introduced by third-party AI agents. These incidents highlight the complexity and adaptability of adversary approaches.
Notably, groups such as LockBit and RansomHub are frequently observed in enterprise attacks, with less emphasis on actors previously highlighted like APT41. The report indicates that emerging threats are increasing in frequency and often focus on smaller payouts rather than larger ones. However, the combined impact of these activities includes both financial and operational costs, which can influence organisational responses.
Research shows that adversaries remain undetected in networks for an average of 2.5 weeks during ransomware incidents, with a portion of organisations identifying breaches only after significant impact has occurred. These dwell times present challenges when combined with encrypted communications and behaviour that mimics normal workflows, which can make early detection more difficult.
Security teams often process large volumes of alerts, and traditional workflows may struggle to prioritise the most critical ones. Issues such as alert fatigue, along with the presence of legitimate high-privilege accounts, can delay response efforts. These challenges are further complicated by AI-generated alerts that can increase false positives and extend investigation timelines.
While automation and AI are positioned to improve response times, they still often require significant manual intervention. Tasks such as threat detection and alert triage continue to rely heavily on human input, which can reduce the time available for proactive activities such as threat hunting and security engineering.
The report emphasises the importance of improving contextual understanding within AI systems to support more informed decision-making. Without real-time visibility into network activity, organisations may face limitations in achieving full situational awareness, which can affect defensive effectiveness.
- AI-enhanced external attacks
- Compromised AI identity
- Vendor data mishandling by AI
- Encrypted channel bypasses
- Alert fatigue challenges