Enterprise cybersecurity enters 2026 with a paradox that is starting to become uncomfortable: while public discourse is filled with promises of “next-generation” protection, attackers continue to find open doors through the most basic vulnerabilities. The IBM X-Force Threat Intelligence Index 2026 captures this reality with a figure that acts as a siren: the company observed a 44% increase in attacks that began by exploiting exposed internet applications, a jump driven—according to the report—by missing authentication controls and the use of Artificial Intelligence tools that help identify weaknesses at a faster pace.
The conclusion isn’t that hackers are inventing revolutionary techniques. Rather, they have learned to traverse the same old path at an accelerated speed: scan, find the gap, exploit, and move laterally before organizations react. IBM summarizes this with a phrase attributed to Mark Hughes, the company’s global head of cybersecurity services: “attackers aren’t reinventing their playbooks; they’re accelerating them with AI.” This acceleration, the report warns, disproportionately affects companies that lag behind on patching, run weak configurations, and have poor credential hygiene.
Vulnerability exploitation is now the primary source of incidents
The index indicates a shift in the hierarchy of causes: vulnerability exploitation has become the leading trigger for attacks, accounting for 40% of incidents observed by X-Force in 2025. This figure reinforces a message many teams have heard for years but that daily urgency often pushes aside: when an attacker can enter without credentials, time works in their favor.
In this scenario, AI becomes a force multiplier. The adversary doesn’t need to be smarter; they only need to be faster and equipped with better tools to prioritize targets, test vectors, and automate repetitive tasks. The result is a shorter attack cycle, where the steps “from scanning to impact” are compressed.
Ransomware: more groups, more fragmentation, more noise
IBM X-Force also depicts a more dispersed ransomware ecosystem in which attribution is harder. The report mentions a 49% year-over-year increase in active ransomware and extortion groups, with smaller, transient actors running lower-volume campaigns. Meanwhile, the count of publicly disclosed victims increased by about 12%.
This picture suggests that ransomware not only persists but also adapts to a market where leaks of tooling, reuse of techniques, and automation with AI lower the barrier to entry. IBM anticipates that as multimodal models mature, adversaries will automate more complex tasks—such as advanced reconnaissance—and speed up attacks that become increasingly “adaptive.”
Identity is once again the weakest link… even in AI platforms
The report includes a warning linked to corporate adoption of assistants and generative tools: in 2025, info-stealer malware exposed more than 300,000 ChatGPT credentials. This data is significant not just for volume, but also for what it implies: AI platforms are inheriting the same risks as other enterprise SaaS solutions.
IBM emphasizes that compromised chatbot credentials go beyond “accessing the account.” They open doors to specific risks: exfiltration of sensitive information, manipulation of responses, or malicious prompt injections that alter system behavior. The message for organizations is clear: adopting AI should be evaluated as part of the corporate perimeter, with strong authentication and conditional access controls.
Supply chain under scrutiny: nearly four times more breaches since 2020
Another trend the index highlights repeatedly is the increasing pressure on the supply chain and third parties. X-Force reports that major supply chain or third-party compromises have nearly quadrupled since 2020, driven by attacks exploiting trust relationships, CI/CD automation, and SaaS integrations.
The 2026 outlook adds nuance: the rise of AI-assisted programming tools accelerates development but can also introduce unchecked code or poorly audited dependencies. The report suggests that this combination will increase pressure on pipelines and open source ecosystems throughout 2026, in a context where the line between state-sponsored and financially motivated actors becomes more blurred: techniques once considered “state-level” now circulate easily in clandestine forums and are reused in financially motivated campaigns.
Industries and geography: manufacturing remains the top target and North America is again the most attacked region
In sector classification, manufacturing continues as the most targeted industry for the fifth consecutive year, representing 27.7% of incidents observed by X-Force. The report indicates that data theft is the most common impact in this sector—a reflection of complex supply chains, hybrid environments, and the sensitivity of intellectual property.
Geographically, North America is the most attacked region, accounting for 29% of cases, up from 24% in 2024. IBM emphasizes that this is the first time in six years the region has topped the list, a rise often reflecting the size of the digital footprint, economic value, and exposure of infrastructure.
Final diagnosis: basic flaws in a faster world
Despite AI’s prominence, IBM insists that the root problem remains the same: an overload of vulnerabilities and a lack of fundamentals. Its penetration testing (X-Force Red) continues to find persistent weaknesses in credential hygiene and software configuration, with misconfigured access controls being the most common entry point.
The difference in 2026 is speed. If attackers automate research, analyze massive data sets, and adjust attack paths in real time, defenses can’t rely solely on reactive measures. The report advocates adopting a more proactive approach, supported by detection and response capabilities with “agent-like” functions to identify breaches before they escalate into incidents.
Frequently Asked Questions (FAQ)
Why are attacks on internet-exposed applications increasing in 2026?
Because many environments still publish services with insufficient or missing authentication controls, and attackers leverage automation and AI to quickly identify and exploit vulnerabilities.
What measures reduce the risk of vulnerability exploitation in public applications?
Patch management prioritized by exposure, review of authentication and authorization, configuration hardening, segmentation, and monitoring for exploitation attempts through correlated telemetry (SecOps + IT).
What risks does credential theft of ChatGPT or other AI platforms pose to companies?
Beyond account access, it can facilitate exfiltration of sensitive information, manipulation of outcomes, and prompt-based attacks, making MFA, conditional access, and session controls essential.
Why is the supply chain such an attractive target for attackers?
Because it allows compromising multiple organizations simultaneously by exploiting trust relationships, SaaS integrations, and CI/CD automation—especially as code and dependencies are rapidly integrated.
via: newsroom.ibm

