
2026 Global Threat Report: Year of the Evasive Adversary

Information Technology 2026-02-23 CrowdStrike 坚守此念
Report cover

YEAR OF THE EVASIVE ADVERSARY

Foreword

The Age of the AI Adversary Begins

The world is operating in the agentic era. Artificial intelligence is embedded across the modern enterprise. Agents write code, analyze data, orchestrate workflows, and make decisions at machine speed. Every layer of the enterprise is becoming faster and more automated.

The adversary is operating in the agentic era as well. In 2025, AI-enabled adversaries increased attacks by 89% year-over-year. AI accelerated phishing and automated reconnaissance, shortening the time from initial access to impact. It elevated less sophisticated threat actors and amplified the most advanced ones. It compressed the time between intent and execution.

AI has also introduced a new dimension of risk: adversaries targeting the very AI systems underpinning the modern enterprise. As AI is embedded into development pipelines, SaaS platforms, and operational workflows, AI systems themselves become part of the attack surface. Adversaries exploited legitimate AI tools by injecting malicious prompts that generated unauthorized commands. As innovation accelerates, exploitation follows. Security must parallel the slope of innovation. In the agentic era, cybersecurity is the foundational infrastructure required to protect AI itself.

The data in this year's Global Threat Report makes clear that speed is now the defining characteristic of intrusion, and it has fundamentally reshaped how adversaries evade detection. The average eCrime breakout time fell to 29 minutes in 2025, a 65% increase in speed from the prior year. The fastest breakout took just 27 seconds. In one intrusion, data exfiltration began within four minutes of initial access. The window to detect, decide, and respond has narrowed dramatically.

In 2025, evasion was defined by the speed at which adversaries exploit trust. Adversaries operated through valid credentials, trusted identity flows, approved SaaS integrations, and inherited software supply chains. Notably, 82% of detections were malware-free. Intrusions moved through authorized pathways and trusted systems, blending into normal activity.

This evasive model extended across multiple domains. Adversaries exploit visibility gaps created by fragmented security controls (across identity, SaaS, cloud, and unmanaged devices), chaining together access paths to stay off well-protected endpoints. Cloud-conscious intrusions rose 37% in 2025, including a 266% increase among state-nexus threat actors. Valid account abuse accounted for 35% of cloud incidents, reinforcing that identity has become central to intrusion. Zero-day exploitation prior to public disclosure increased 42%, compressing the time between vulnerability discovery and active exploitation.

China-nexus activity increased 38% in 2025. In 67% of the vulnerabilities China-nexus adversaries exploited, the flaw provided immediate system access. Of those exploited vulnerabilities, 40% targeted internet-facing edge devices. Newly disclosed vulnerabilities were weaponized within days.

Together, these trends show how modern adversaries operate: gain legitimate access through identity, move rapidly through cloud and edge infrastructure, and weaponize vulnerabilities before defenders can respond. Speed, legitimacy, and low-visibility access paths now define evasive tradecraft.

At CrowdStrike, we built our platform on the understanding that data is the foundation of both AI and cybersecurity. We process trillions of real-time events across endpoints, cloud workloads, identities, and networks. We correlate that telemetry with adversary intelligence and years of labeled tradecraft to detect and disrupt threats at scale. This data advantage allows us to connect signals across domains, identify evasive behavior early, and act decisively before adversaries achieve their objectives.

In the agentic era, defending against AI-accelerated adversaries, and securing AI systems themselves, requires operating at machine speed.

The CrowdStrike 2026 Global Threat Report reflects this reality. It provides the intelligence defenders need to understand how adversaries exploit trust, accelerate with AI, and move across domains to remain evasive.

Our mission remains unchanged. We stop breaches. In the agentic era, that mission requires a single platform with the architecture to reason and act at the speed of the adversary, while securing the AI-powered enterprise.

CrowdStrike CEO and Founder

EXPLORE THE CROWDSTRIKE ADVERSARY HUB FOR THE LATEST INSIGHTS ON ADVERSARIES, TRADECRAFT, AND ACTIVITY.

Table of Contents

Introduction 5
Threat Landscape Overview 9
Key Adversary Themes 14
    Adversaries Leverage AI to Enhance and Accelerate Operations
    Ransomware Adversaries Expand Cross-Domain Tradecraft 21
    China-Nexus Threat Actors Target Network Perimeter Devices for Initial Intrusions
    Supply Chain Attacks Enable Evasion of Traditional Security Controls 31
    Adversary Objectives Shape Zero-Day Exploit Selection 35
    Adversaries Subvert Trust in Cloud Platforms and Services
Conclusion 46
Re