The cyberattack that defined the start of 2026 was not run by a human. In November 2025, Anthropic disclosed that a China-linked group it tracks as GTG-1002 had used its Claude models to execute a cyber espionage campaign against roughly 30 global targets, with the AI carrying out an estimated 80 to 90 percent of the operation and humans stepping in only at a handful of decision points. Anthropic called it “the first documented case of a large-scale cyberattack executed without substantial human intervention.” Three months later, IBM’s 2026 X-Force Threat Intelligence Index put hard numbers behind the shift: attackers are now moving at machine speed, and they are winning on basics that defenders keep getting wrong.
This is the story of how AI cyberattacks stopped being a forecast and became an operational reality, measured in 40,000 new vulnerabilities, 29-minute intrusions, and breach bills that hit $10.22 million in the United States. It is also the story of a defensive scramble that is still chasing the attackers.
AI Cyberattacks Move From Theory to Production in 2026
For three years, the phrase “AI-powered cyberattacks” described a risk that sat mostly in conference keynotes and vendor decks. By June 2026, it describes documented incidents with named victims and measured automation rates. The GTG-1002 campaign is the clearest marker. According to Anthropic’s disclosure, the operators used Claude’s agentic capabilities to perform reconnaissance, write exploit code, harvest credentials, and move laterally through victim networks. The model did not just advise the attackers. It did the work, chaining tasks through tool-calling interfaces while human operators approved a small set of escalation steps.
The targets spanned technology firms, financial institutions, chemical manufacturers, and government agencies. Anthropic said it detected the activity, banned the associated accounts, and notified affected organizations. The disclosure landed on November 13, 2025, and within days the security industry split into two camps: those who saw a watershed and those who argued the same campaign could have been run, more slowly, by a skilled human team. Both readings miss the operational point. The campaign compressed weeks of manual effort into a process that ran largely on its own, and that compression is exactly what defenders cannot match with manual workflows.
This trend connects directly to the rise of agentic AI security risks, where autonomous AI agents act with minimal supervision. When those agents sit on the attacker’s side, the result is a threat that scales without adding headcount.
What the IBM X-Force 2026 Index Reveals About AI Cyberattacks
IBM published its 2026 X-Force Threat Intelligence Index on February 25, 2026, and the headline finding reframed the AI debate. The report’s core argument is that AI is accelerating attacker productivity, but the breaches that actually succeed still ride on unpatched systems, exposed applications, and missing authentication. Attackers are using AI to find and reach those weaknesses faster, not to invent exotic new ones.
X-Force recorded a 44 percent increase in attacks that began with the exploitation of public-facing applications, a jump the report ties directly to missing authentication controls. Vulnerability exploitation was the leading initial access method in 2025, driving 40 percent of incidents the team responded to. The scale of the problem is widening: nearly 40,000 new vulnerabilities were reported, an increase of roughly 13,000 over the prior year. Of the vulnerabilities X-Force tracked, 56 percent could be exploited without any authentication at all.
Jeff Crume, IBM Fellow and Cybersecurity CTO at IBM, framed the danger in the report’s accompanying briefing: “56 percent of the vulnerabilities tracked could be exploited without authentication.” His point is blunt. More than half of the doors attackers are walking through do not even require a stolen key. When an AI agent can scan, identify, and exploit those doors at scale, the math turns against any organization relying on slow, manual patch cycles.
The Credential Economy Feeding AI Attacks
The same report documented more than 300,000 ChatGPT credential sets advertised on dark web markets in 2025. That figure matters for two reasons. First, it shows attackers harvesting access to AI tools the way they once hoarded VPN and email logins. Second, it reflects a broader credential glut that feeds automated attacks. Stolen logins remove the need for an exploit entirely, and they pair efficiently with AI agents that can test thousands of credential pairs against exposed services. The credential problem is the same engine behind the wave of infostealer malware that stole 1.8 billion credentials in 2025.
Key AI Cyberattack Statistics From 2025 and 2026
The numbers below come from IBM’s 2026 X-Force Threat Intelligence Index, IBM’s 2025 Cost of a Data Breach Report, CrowdStrike threat reporting, and Anthropic’s GTG-1002 disclosure. Together they map a threat landscape where speed and scale, not novelty, define the attacker advantage.
| Metric | 2025 / 2026 figure | Source |
|---|---|---|
| Public-facing app exploitation attacks | +44% year over year | IBM X-Force 2026 |
| Incidents driven by vulnerability exploitation | 40% (leading initial access) | IBM X-Force 2026 |
| Vulnerabilities exploitable without authentication | 56% | IBM X-Force 2026 |
| New vulnerabilities reported | ~40,000 (up ~13,000) | IBM X-Force 2026 |
| ChatGPT credential sets on dark web | 300,000+ | IBM X-Force 2026 |
| Active ransomware / extortion groups | 109 (up from 73 in 2024) | IBM X-Force 2026 |
| AI execution share in GTG-1002 campaign | 80% to 90% | Anthropic |
| eCrime breakout time | 29 minutes | CrowdStrike |
| U.S. average data breach cost | $10.22 million | IBM Cost of a Data Breach 2025 |
Read together, these figures tell a consistent story. The attack surface is growing (40,000 vulnerabilities), the barrier to entry is falling (56 percent need no authentication), and the time to act is collapsing (29 minutes from access to lateral movement). AI sits on top of each of those trends as a force multiplier.
Ransomware Fragments as AI Lowers the Barrier to Entry
One of the most telling findings in the 2026 index is structural. The number of active ransomware and extortion groups rose 49 percent year over year, climbing from 73 in 2024 to 109 in 2025. At the same time, the dominance of the top 10 groups fell by 25 percent. The ransomware market is fragmenting, shifting from a handful of large, recognizable brands toward a long tail of smaller, transient operators.
That fragmentation is a direct consequence of lowered barriers to entry, and AI is part of why those barriers dropped. Tools that automate reconnaissance, draft phishing lures in fluent local languages, and assist with exploit development let smaller crews punch above their weight. Publicly disclosed ransomware victim counts still rose about 12 percent, so the total volume of harm is climbing even as the ecosystem splinters. For defenders, a fragmented market is harder to track than a concentrated one. Threat intelligence built around a few named gangs misses dozens of newer operators that look different and move faster.
Manufacturing absorbed the heaviest share of this activity, accounting for 27.7 percent of incidents X-Force observed. North America became the most attacked region for the first time in six years, at 29 percent of total cases, a shift driven partly by the concentration of high-value targets and partly by the regulatory disclosure pressure that surfaces more incidents.
The Speed Problem: 29 Minutes Versus Human SOC Workflows
The single number that should worry every security operations center is 29 minutes. That is CrowdStrike’s measured average eCrime breakout time, the gap between an attacker’s initial access and their first lateral move inside a network. Twenty-nine minutes is not enough time for a human analyst to triage an alert, escalate it, confirm the scope, and contain the host. By the time a typical manual workflow finishes its first review, the intruder has already moved.
Adam Meyers, who leads Counter Adversary Operations at CrowdStrike, has described this as adversaries operating at machine speed, a framing that captures why detection-and-response timelines are now the central battleground. When attackers automate, defenders who do not automate lose by default. The arithmetic is simple: a process that runs in minutes cannot be contained by a process that runs in hours.
This is the strongest argument for AI on the defensive side. Security teams are pushing AI into alert triage, correlation, and automated containment precisely because the human-only model cannot keep the 29-minute pace. The risk is that defensive AI inherits the same governance gaps now appearing across enterprise AI deployments, a problem documented alongside the spread of shadow AI in 20 percent of breaches.
AI Governance Gaps Become Their Own Attack Surface
The 2026 index makes a point that earlier reports skirted: the way organizations deploy AI is creating fresh exposure. According to the index data, surveyed organizations reported alarming control gaps around their own AI agents. Roughly 63 percent could not enforce purpose limitations on AI agents, meaning the agents could be steered toward tasks they were never meant to perform. About 60 percent could not terminate a misbehaving agent on demand. Only 43 percent operated a centralized AI data gateway to govern what data agents could touch.
These are not abstract policy failures. An AI agent that cannot be stopped and that has no enforced purpose limit is, functionally, a privileged insider with no off switch. Attackers who compromise that agent, or who trick it through prompt injection, inherit its access. The governance gap turns a productivity tool into a high-value target. As enterprises wire agents into ticketing systems, code repositories, and customer data, each integration widens the blast radius of a single compromised agent.
The lesson from the IBM data is that AI security has two faces. One is the AI attackers use against you. The other is the AI you deploy that becomes a liability if you cannot govern it. Both grew sharply in the 2025 to 2026 window.
Supply Chain and Software Dependencies Magnify the Risk
X-Force reported that major supply-chain and third-party compromises have grown nearly fourfold since 2020. This is the structural weakness AI attackers exploit most efficiently. A single compromised dependency or vendor can grant access to hundreds of downstream organizations, and AI tooling helps attackers map those dependency trees and identify the weakest link at scale.
The open-source ecosystem is the clearest pressure point. Automated attacks against package registries let adversaries seed malicious code that propagates through normal build pipelines, a pattern detailed in our coverage of npm supply chain attacks and 1.2 million malicious packages. When an AI agent can generate, publish, and disguise malicious packages faster than maintainers can review them, the defensive model built on human code review starts to buckle.
The fourfold growth figure also reframes how organizations should think about their attack surface. Your security is now a function of every vendor, library, and AI service in your stack. A 44 percent rise in public-facing application exploitation and a near-fourfold rise in supply-chain compromise point to the same conclusion: the perimeter is not your firewall, it is your entire dependency graph.
Competitive Landscape: How the Major Threat Reports Compare
No single report captures the full picture, and the major intelligence sources emphasize different parts of the AI threat. IBM X-Force centers on initial access and vulnerability exploitation. CrowdStrike centers on attacker speed. Anthropic and the major AI labs center on direct misuse of their models. Mandiant, part of Google Cloud, centers on dwell time and intrusion lifecycle. The table below maps where each source plants its flag.
| Source | Primary 2025-2026 signal | Key metric | Defensive takeaway |
|---|---|---|---|
| IBM X-Force 2026 | Basic control failures at scale | 56% of flaws need no auth | Patch and enforce authentication |
| CrowdStrike | Attacker speed | 29-minute breakout time | Automate detection and response |
| Anthropic | Direct AI model misuse | 80-90% autonomous campaign | Monitor AI tool abuse |
| Google Cloud Mandiant | Intrusion lifecycle | Dwell time in days, not weeks | Shrink detection windows |
| IBM Cost of a Data Breach | Financial impact | $10.22M U.S. average | Invest in faster containment |
The convergence across these reports is the real signal. Different methodologies, different data sets, and different commercial incentives all point to the same conclusion: the attacker advantage in 2026 is speed and scale, and AI is the lever pulling both. OpenAI and Google have each reported disrupting state-linked actors abusing their models during 2024 and 2025, which confirms that the GTG-1002 campaign is a pattern rather than a one-off.
The Financial Stakes: Breach Costs Hit Record Highs
The economic pressure is concrete. IBM’s 2025 Cost of a Data Breach Report put the U.S. average breach cost at $10.22 million, a 9 percent rise to an all-time high, driven by regulatory fines and slower detection in some sectors. The global average moved the other way, falling to $4.44 million as faster identification and containment helped organizations elsewhere limit damage. That divergence is itself a lesson: speed of containment is now the dominant variable in breach cost.
| Region | 2025 average breach cost | Direction |
|---|---|---|
| United States | $10.22 million | Record high, +9% |
| Global average | $4.44 million | Down on faster containment |
| Canada | $4.84 million | Above global average |
The takeaway for boards is uncomfortable. The organizations that reduced costs did it by detecting and containing faster, exactly the capability that the 29-minute breakout time threatens. As AI compresses the attacker timeline, the containment advantage that lowered global costs gets harder to maintain. A defense that depends on human-speed response is a defense whose cost curve is about to bend back upward.
Historical Context: From 2023 Hype to 2026 Operations
It helps to track how fast this shifted. In 2023, AI in offensive security mostly meant slightly better phishing emails. Through 2024, the AI labs began publishing reports of state-linked actors using chatbots for translation, reconnaissance assistance, and basic malware help, but the models still acted as advisors. The human did the hacking and asked the AI for tips.
The 2025 to 2026 window broke that pattern. The GTG-1002 campaign moved AI from advisor to operator, executing 80 to 90 percent of the work. The IBM data shows the operational consequences arriving at the same time: a 44 percent surge in public-facing app exploitation, 109 active extortion groups, and a near-fourfold rise in supply-chain compromise since 2020. The hype cycle of 2023 has become the incident response reality of 2026.
This trajectory also reframes the “harvest now, decrypt later” debate, where adversaries collect encrypted data today to break with future quantum computers. The same patient, automated collection mindset that defines AI espionage applies to the long game on encryption, a threat covered in our analysis of post-quantum cryptography and the migration to safer algorithms.
Expert Voices on the 2026 AI Threat Shift
The people closest to the data agree on the direction even when they disagree on the framing. Jeff Crume of IBM keeps returning to fundamentals, noting that the 56 percent no-authentication figure means most successful attacks exploit gaps that better hygiene would close. His argument is that AI raises the stakes of basic failures rather than replacing them.
Anthropic’s threat intelligence team, in disclosing GTG-1002, was direct about the significance: it described the campaign as “the first documented case of a large-scale cyberattack executed without substantial human intervention.” That language is deliberate. The lab is signaling that the autonomy threshold has been crossed, not approached.
CrowdStrike’s Adam Meyers anchors the conversation on time, with the 29-minute breakout benchmark as evidence that adversaries already operate faster than manual defense allows. Google Cloud’s Mandiant team reinforces the same theme through its dwell-time research, framing time as the defender’s central constraint. The consensus across IBM, CrowdStrike, Anthropic, and Mandiant is striking: four organizations with different products and incentives describe the same core problem.
Five Predictions for AI Cyberattacks Through 2027
Based on the 2025 to 2026 data, five trends look likely to define the next 18 months.
- AI will keep compressing the attack lifecycle. Reconnaissance, exploit development, and social engineering will continue to speed up, pushing breakout times below the current 29-minute benchmark for the most automated crews.
- Public-facing app exploitation stays the top intrusion path. Until organizations reduce exposed services and enforce authentication by default, the 44 percent surge will persist, because 56 percent of flaws still need no credentials.
- The ransomware market stays fragmented. Expect more mid-sized and transient operators rather than a return to a few dominant brands, extending the move from 73 to 109 active groups.
- Defensive AI becomes mandatory, not optional. The 29-minute window leaves no room for human-only triage, so automated detection and response shifts from competitive edge to table stakes.
- AI governance becomes a named attack surface. The 63 percent who cannot enforce agent purpose limits will face targeted abuse of their own AI deployments, making agent governance a board-level security item.
How Organizations Should Respond to AI Cyberattacks
The defensive playbook that follows from this data is unglamorous, which is precisely the point. The IBM index argues that the highest-leverage moves are the basics done consistently: enforce authentication everywhere, patch public-facing applications on a tight cycle, and reduce the count of exposed services. Those three steps directly counter the 56 percent no-authentication figure and the 44 percent rise in app exploitation.
On top of the basics, automation is no longer optional. Security teams need machine-speed detection and response to survive a 29-minute breakout time, which means investing in correlation, automated triage, and pre-approved containment actions. Credential hygiene matters more than ever given the 300,000 ChatGPT logins on dark markets, so phishing-resistant authentication and continuous credential monitoring move to the front of the queue.
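The sketch below is an added example, not code from IBM, CrowdStrike or this article. It shows correlation, automated triage and pre-approved containment working against the 29-minute breakout budget. The stage names, playbook entries and alerts are constructed assumptions.

```python
from datetime import datetime, timedelta

BREAKOUT_BUDGET = timedelta(minutes=29)  # average eCrime breakout time cited in the article

# Assumed playbook: stage combinations a team has pre-approved for automatic action,
# ordered most specific first. Stage and action names are illustrative.
PLAYBOOK = [
    ({"initial_access", "credential_access", "discovery"}, "isolate_host_and_reset_credentials"),
    ({"initial_access", "credential_access"}, "isolate_host"),
    ({"initial_access", "discovery"}, "isolate_host"),
]

def triage(alerts, now):
    """Correlate alerts per host and pick a pre-approved action or a human queue.

    Returns {host: (action, minutes_left)}, where minutes_left is the time remaining
    before the breakout budget, counted from the first initial-access alert, expires.
    """
    by_host = {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        by_host.setdefault(alert["host"], []).append(alert)

    decisions = {}
    for host, items in by_host.items():
        first = next((a for a in items if a["stage"] == "initial_access"), None)
        if first is None:
            # No foothold signal: nothing to race against, leave it to an analyst.
            decisions[host] = ("queue_for_analyst", None)
            continue
        deadline = first["time"] + BREAKOUT_BUDGET
        # Only alerts inside the budget window count as part of the same intrusion.
        stages = {a["stage"] for a in items if first["time"] <= a["time"] <= deadline}
        action = next((act for need, act in PLAYBOOK if need <= stages), "queue_for_analyst")
        minutes_left = int((deadline - now).total_seconds() // 60)
        decisions[host] = (action, minutes_left)
    return decisions

def sample_alerts():
    """Constructed alerts for three hosts; not taken from any real incident."""
    t0 = datetime(2026, 6, 1, 9, 0)

    def alert(host, minute, stage):
        return {"host": host, "time": t0 + timedelta(minutes=minute), "stage": stage}

    return [
        alert("web-01", 0, "initial_access"),
        alert("web-01", 6, "credential_access"),
        alert("web-01", 9, "discovery"),
        alert("app-02", 2, "initial_access"),
        alert("db-03", 4, "discovery"),
    ]
```

A host whose correlated stages match a playbook entry is contained without waiting for approval. Everything else still reaches an analyst, together with the minutes remaining on its clock.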
Finally, organizations must govern their own AI. That means the ability to enforce purpose limits, terminate a misbehaving agent, and route agent data through a controlled gateway, the three controls most enterprises currently lack.
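The three controls named above, and in the governance section earlier, can sit in one choke point between agents and their tools. The sketch below is an added example, not code from IBM or any vendor. The class names, the `ticket-bot` agent, its tools and the denial threshold are all assumptions.

```python
from dataclasses import dataclass, field

class PolicyViolation(Exception):
    """A call fell outside the agent's declared purpose or data scope."""

class AgentTerminated(Exception):
    """A call was attempted after the agent was terminated."""

@dataclass(frozen=True)
class AgentPolicy:
    purpose: str
    allowed_tools: frozenset     # purpose limit: the only tools this agent may call
    allowed_datasets: frozenset  # data gateway: the only datasets it may touch
    max_denials: int = 3         # auto-terminate after this many blocked calls

@dataclass
class AgentGateway:
    """Single choke point between agents and the tools and data they use."""
    policies: dict               # agent_id -> AgentPolicy
    tools: dict                  # tool name -> callable(dataset, **kwargs)
    terminated: set = field(default_factory=set)
    denials: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def terminate(self, agent_id, reason):
        """Kill switch: every later call from this agent is refused."""
        self.terminated.add(agent_id)
        self.audit_log.append((agent_id, "TERMINATED", reason))

    def _deny(self, agent_id, policy, detail):
        self.audit_log.append((agent_id, "DENY", detail))
        self.denials[agent_id] = self.denials.get(agent_id, 0) + 1
        limit = policy.max_denials if policy else 1
        if self.denials[agent_id] >= limit:
            self.terminate(agent_id, "denial threshold reached")
        raise PolicyViolation(detail)

    def call(self, agent_id, tool, dataset, **kwargs):
        if agent_id in self.terminated:
            self.audit_log.append((agent_id, "DENY", "agent terminated"))
            raise AgentTerminated(agent_id)
        policy = self.policies.get(agent_id)
        if policy is None:
            self._deny(agent_id, None, "no policy registered")
        if tool not in policy.allowed_tools:
            self._deny(agent_id, policy, f"tool {tool!r} outside purpose {policy.purpose!r}")
        if dataset not in policy.allowed_datasets:
            self._deny(agent_id, policy, f"dataset {dataset!r} not routed for this agent")
        self.audit_log.append((agent_id, "ALLOW", f"{tool} on {dataset}"))
        return self.tools[tool](dataset, **kwargs)

def build_demo_gateway():
    """Constructed setup: a ticket-summarising agent with one tool and one dataset."""
    tools = {
        "summarize": lambda dataset, **kw: f"summary of {dataset}",
        "export": lambda dataset, **kw: f"exported {dataset}",
    }
    policy = AgentPolicy("summarise support tickets",
                         frozenset({"summarize"}), frozenset({"tickets"}))
    return AgentGateway({"ticket-bot": policy}, tools)
```

Because the check runs outside the model, a prompt-injected agent that starts requesting off-purpose tools or datasets is blocked and then cut off, whatever its instructions say.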
Frequently Asked Questions
What are AI cyberattacks?
AI cyberattacks use machine learning models and autonomous agents to perform offensive tasks such as reconnaissance, exploit development, phishing, and lateral movement. In 2025 and 2026 these moved from theory to documented incidents, most notably the GTG-1002 campaign Anthropic disclosed, where AI executed an estimated 80 to 90 percent of the operation.
How many vulnerabilities did IBM X-Force track in 2026?
IBM’s 2026 X-Force Threat Intelligence Index reported nearly 40,000 new vulnerabilities, an increase of roughly 13,000 over the prior year. The report found that 56 percent of tracked vulnerabilities could be exploited without any authentication.
What is breakout time and why does 29 minutes matter?
Breakout time is the gap between an attacker’s initial access and their first lateral move inside a network. CrowdStrike measured an average eCrime breakout time of 29 minutes, which is faster than most human security teams can triage, escalate, and contain an alert. That gap is the core argument for automated, AI-assisted defense.
How much does a data breach cost in 2026?
IBM’s 2025 Cost of a Data Breach Report put the U.S. average at $10.22 million, a record high and a 9 percent increase. The global average fell to $4.44 million as faster detection and containment limited damage outside the United States.
Is ransomware getting worse in 2026?
The ransomware ecosystem is fragmenting and growing. IBM X-Force counted 109 active ransomware and extortion groups in 2025, up 49 percent from 73 in 2024, while the dominance of the top 10 groups fell 25 percent. Publicly disclosed victim counts still rose about 12 percent, so total harm increased even as the market splintered.
How can organizations defend against AI cyberattacks?
The most effective steps are the basics done consistently: enforce authentication everywhere, patch public-facing applications quickly, and reduce exposed services. On top of that, organizations need machine-speed detection and response, strong credential hygiene, and governance over their own AI agents, including the ability to enforce purpose limits and terminate a misbehaving agent.




