For years, the cybersecurity industry has conditioned executives to expect the next major breach to come from some dazzling zero-day, some nation-state-only capability, or some futuristic AI superweapon.
IBM’s X-Force Threat Intelligence Index 2026 tells a much less glamorous, and much more dangerous, story.
Attackers are still winning because too many organizations are leaving the front door open. IBM found a 44% increase in exploitation of public-facing applications, reported that 56% of tracked vulnerabilities in 2025 required no authentication, and noted that more than 300,000 ChatGPT credentials were observed for sale on the dark web. Add to that a nearly 4x increase in major supply-chain or third-party compromises over five years, and the message is unmistakable: the real crisis is not that attackers became magical. It is that enterprise exposure became systemic.
That is the core lesson from this report.
AI is accelerating cyberattacks. But bad security hygiene is still what makes them work.
IBM’s report is especially important because it cuts through the hype. Yes, AI is now a force multiplier for attackers. It improves phishing quality, compresses decision cycles, helps analyze large datasets faster, and will increasingly support reconnaissance, privilege escalation, and lateral movement. But IBM is explicit: AI has not fundamentally changed attacker playbooks. Threat actors still rely on unpatched vulnerabilities, valid credentials, insecure configurations, and weak operational controls. AI just lets them move faster, test more options, and scale their operations with greater efficiency.
That distinction matters.
Because if leaders think the problem is primarily “advanced AI attacks,” they may invest in the wrong places. They may over-index on flashy tooling while underinvesting in identity hardening, application security, secure deployment, continuous logging, credential protection, and third-party risk governance.
And that is exactly where the attackers are feasting.
IBM’s data shows that exploitation of public-facing applications overtook valid credentials as the leading initial access vector. That is a huge signal to the market. It means attackers are increasingly targeting the places where software is exposed, connected, integrated, and trusted. In other words: the internet-facing enterprise edge, the application layer, and the software delivery chain.
The real story: identity, applications, and supply chains are merging into one attack surface
One of the strongest themes in this year’s IBM report is that the software supply chain is no longer just about code. It is now an intertwined system of developers, CI/CD pipelines, tokens, cloud permissions, SaaS integrations, open-source packages, APIs, and federated identities.
That is why a single compromise now cascades so far.
IBM describes how attackers are hitting GitHub, GitLab, npm, PyPI, cloud interfaces, and SaaS ecosystems because these environments let them steal secrets, pivot into cloud workloads, and persist using legitimate trust relationships. That is also why supply-chain techniques, once associated mainly with nation-state operators, are now showing up more frequently in financially motivated campaigns.
This is not just a “developer security” issue.
It is now a board-level business continuity issue.
If your vendors, identity providers, OAuth relationships, cloud roles, AI tools, and developer workflows are deeply interconnected, then one weak link can become enterprise-wide access. That is exactly why IBM’s report reads less like a collection of incidents and more like a warning about systemic dependency risk.
Credentials remain the fuel of modern cybercrime
Even though vulnerability exploitation rose, valid credentials remain central to the threat landscape.
Why? Because credentials let attackers blend in.
They do not have to smash through defenses if they can simply authenticate, move quietly, escalate privileges, and operate as an “authorized” user. IBM also highlighted something many enterprises still underestimate: AI chatbot and SaaS credentials are now part of the attack surface. The report notes over 300,000 ChatGPT credentials observed for sale, tied largely to infostealer infections and prior credential collections. Whether or not the posted credentials remained valid, the trend itself is the story: organizations are accumulating sensitive identity artifacts in more places than they are effectively protecting.
That should concern every enterprise deploying copilots, chatbots, AI agents, browser-based AI workflows, or employee AI tools.
Because the issue is not just “Can someone log into ChatGPT?”
The issue is: What else is connected to that identity, token, session, prompt history, file access path, SaaS integration, or downstream workflow?
Ransomware is not disappearing. It is fragmenting
Another major takeaway: ransomware did not fade. It diversified.
IBM identified 109 active ransomware or extortion groups in 2025, up from 73 in 2024, and described an ecosystem that is more fragmented, decentralized, and opportunistic. Smaller groups are reusing leaked tooling, borrowed playbooks, and recycled tradecraft. The result is a lower barrier to entry and a wider field of attackers capable of causing serious disruption. At the same time, data extortion and downstream supply-chain effects continue to rise.
This is important because many organizations still think in terms of “top groups” only.
But the market has changed.
You do not need a marquee ransomware brand to create operational pain, steal data, leak credentials, or extort a mid-market company with weak defenses. A smaller actor with decent access, stolen credentials, and a few proven playbooks can still do plenty of damage.
The industry and regional data should wake up executives
Manufacturing was IBM’s most targeted sector for the fifth straight year, with finance and insurance very close behind. North America became the most attacked region, accounting for 29% of incidents, overtaking Asia-Pacific. These are not random numbers. They reflect where the most valuable operational data, industrial processes, financial workflows, and interconnected digital ecosystems live.
Manufacturing remains a magnet because it combines intellectual property, operational technology, supplier interdependence, and low tolerance for downtime.
Finance remains a magnet because money, identity, trust, and data are all concentrated there.
Energy, transportation, retail, healthcare, and government all show the same pattern in different forms: cyber risk is no longer just a security problem. It is an operational resilience problem.
My biggest takeaway: identity must now be treated as critical infrastructure
IBM says it clearly, and I agree completely.
Identity is no longer just an IAM function. It is now foundational infrastructure.
If attackers can steal credentials, manipulate sessions, exploit weak authentication, abuse help desks, hijack OAuth trust, or move through cloud and SaaS environments with legitimate access paths, then identity is not a support layer. It is the battleground.
That is also why I think the response cannot be one-dimensional.
Enterprises now need a layered response:
At the identity layer, they need stronger authentication, better governance, behavioral context, and higher assurance around who or what is actually requesting access.
At the application layer, they need better visibility into exposed services, APIs, public-facing apps, insecure defaults, and misconfigurations.
At the cryptographic layer, they need to start preparing for the reality that sensitive data stolen today may be held for later decryption.
And at the AI layer, they need governance, logging, token protection, model security, and real visibility into where AI tools are deployed and how they connect into business workflows.
Where QuSecure, iVALT, and AI PQ Audit fit
This is exactly why I believe the market is moving toward integrated cyber resilience models.
QuSecure is relevant here because IBM’s report is ultimately about preserving trust across a rapidly changing threat environment, and crypto-agility is a major part of that. QuSecure positions its platform around post-quantum cryptography and crypto-agility, including managing cryptographic change and supporting hybrid post-quantum TLS approaches. That matters because organizations cannot treat quantum readiness as a separate future project anymore; it has to become part of the enterprise security modernization roadmap now.
iVALT is relevant because the report’s identity findings point to a much bigger problem than passwords alone. iVALT’s platform is built around human-verified identity, mobile-centric authentication, and stronger validation for humans, AI agents, and devices, with an emphasis on reducing the value of stolen credentials and defending against impersonation and deepfake-driven social engineering. As AI-enabled fraud and identity deception accelerate, this category becomes more important, not less.
And this is also where AI PQ Audit fits strategically.
Because most enterprises still do not have one unified way to assess:
their public-facing exposure
AI deployment risk
credential and identity weaknesses
post-quantum readiness
third-party and SaaS risk
application-layer and cryptographic gaps
That is the gap AI PQ Audit is built to address.
Not as another dashboard for the sake of a dashboard, but as a practical way to help enterprises understand where they are exposed across AI risk, post-quantum risk, application risk, identity risk, and operational cybersecurity readiness.
What enterprises should do now
Here is the real-world action list I would take from IBM’s report:
Treat identity as critical infrastructure. Harden workforce, admin, machine, API, SaaS, and AI identities. Monitor abnormal access, token use, and credential exposure continuously. IBM’s report makes clear that identity compromise remains central to attacker success.
Secure every public-facing app and API like it is already under attack. Because it probably is. The 44% jump in exploitation of public-facing applications should be enough to move this to the top of the CISO agenda.
Reassess your entire software and SaaS supply chain. Not just code dependencies, but CI/CD, OAuth trust, cloud roles, build secrets, third-party integrations, and identity federation.
Lock down AI platforms now, not later. AI chatbots, copilots, and agentic tools need the same rigor as other enterprise SaaS systems, and in some cases more. Credentials, tokens, connectors, uploaded files, and prompt-linked workflows all need governance.
Move toward higher-assurance identity. Passwords and basic MFA are increasingly inadequate against social engineering, deepfakes, and advanced impersonation. This is where human-verified identity models like iVALT become highly relevant.
Start your post-quantum transition before you are forced into it. The enterprises that win will not be the ones that wait for a panic event. They will be the ones that inventory crypto dependencies, prioritize high-value data, and adopt crypto-agile transition models now. That is where firms like QuSecure are especially important.
Use AI PQ Audit as a business-facing audit and exposure engine. Boards and executives need a way to see AI, identity, application, and post-quantum risk together, not as disconnected projects. That is how security becomes a business advantage instead of just a cost center.
Final thought
The most important line in IBM’s 2026 report is not about AI.
It is about discipline.
Attackers are not beating enterprises because they discovered some magical new universe of cyber offense. They are beating enterprises because too many environments still suffer from weak identity hygiene, exposed applications, insecure software pipelines, poor visibility, and incomplete control enforcement.
AI is making that worse by speeding everything up.
Which means the winners in this next era will be the organizations that can do three things at once:
secure identity, secure software, and secure trust.
That is the new cyber mandate.
And the companies that help enterprises do that across identity, cryptography, AI governance, and auditability are going to matter a lot.
Links
https://www.ibm.com/reports/threat-intelligence
https://www.ibm.com/think/x-force/threat-intelligence-index-2026-securing-identities-ai-detection-risk-management
https://www.qusecure.com/
https://www.ivalt.com/