{"id":7987,"date":"2026-03-27T15:09:43","date_gmt":"2026-03-27T14:09:43","guid":{"rendered":"https:\/\/www.opensight.nl\/blog\/crowdstrike-global-threat-report-the-year-of-the-evasive-adversary\/"},"modified":"2026-03-27T16:25:14","modified_gmt":"2026-03-27T15:25:14","slug":"crowdstrike-global-threat-report-the-year-of-the-evasive-adversary","status":"publish","type":"post","link":"https:\/\/www.opensight.nl\/en\/blog\/crowdstrike-global-threat-report-the-year-of-the-evasive-adversary\/","title":{"rendered":"CrowdStrike Global Threat Report: The year of the &#8220;evasive adversary&#8221;"},"content":{"rendered":"<div class=\"wp-bootstrap-blocks-container container mb-2\">\n\t\n\n<div style=\"height:56px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<div class=\"wp-bootstrap-blocks-row row justify-content-center\">\n\t\n\n<div class=\"col-12 col-md-10\">\n\t\t\t\n\n<p>In 2025, attackers became faster, smarter, and above all, less visible. The <strong>CrowdStrike 2026 Global Threat Report <\/strong>paints a threat landscape in which adversaries are increasingly exploiting trust: legitimate accounts, trusted cloud services, SaaS integrations, and software supply chains. The result is a type of attack that is difficult to distinguish from normal activity\u2014with an impact that can materialize in minutes.  <\/p>\n\n\n\n<p>At the same time, 2025 is the year in which <strong>AI adversaries<\/strong> truly ramped up their activities. AI has enabled the acceleration of phishing, the automation of reconnaissance, and the \u201ctroubleshooting\u201d of attack techniques. 
And it doesn\u2019t stop there: AI systems themselves are becoming a new target and part of the attack surface.<\/p>\n\n\n\n<div style=\"height:56px\" aria-hidden=\"true\" class=\"wp-block-spacer d-none d-lg-block\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Key findings from the 2025 report<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Attacks are happening faster than ever<\/strong><br\/>The average &#8216;breakout 
time&#8217; (the time between initial access and lateral movement) dropped to <strong>29 minutes<\/strong> in 2025. This is a 65% increase in speed compared to 2024. CrowdStrike&#8217;s fastest observed breakout took just <strong>27 seconds<\/strong>.  <\/li>\n\n\n\n<li><strong>A growing number of intrusions are malware-free<\/strong><br\/>In 2025, <strong>82%<\/strong> of detections were <strong>malware-free<\/strong>. Attackers use valid credentials, admin tools and &#8216;living off the land&#8217; techniques to avoid detection. <\/li>\n\n\n\n<li><strong>AI accelerates and democratizes attack capabilities<\/strong><br\/>CrowdStrike observed an <strong>89%<\/strong> year-over-year increase in attacks by <strong>AI-enabled adversaries<\/strong>. AI not only increases the scale of attacks but also empowers less sophisticated actors to carry out operations that previously required greater expertise. <\/li>\n\n\n\n<li><strong>Cloud and identity are at the center of attention<\/strong><br\/>Cloud-related intrusions increased by <strong>37%<\/strong> in 2025. Among state-affiliated actors, this figure was as high as <strong>266%.<\/strong> Furthermore, <strong>valid account abuse<\/strong> accounted for <strong>35%<\/strong> of cloud-related incidents, clearly indicating that identity is the main battleground.  <\/li>\n\n\n\n<li><strong>Zero-day exploits and edge devices are narrowing the defense window<\/strong><br\/>The number of zero-day exploits prior to public disclosure increased by <strong>42%<\/strong>. In 2025, activity linked to China surged by <strong>38%<\/strong>, and in <strong>67%<\/strong> of the vulnerabilities they exploited, the flaw provided direct system access. Furthermore, 40% of these exploits targeted <strong>internet-facing edge devices<\/strong>, such as VPNs, firewalls and gateways.  
<\/li>\n\n\n\n<li><strong>The blast radius is being expanded by supply chain attacks<\/strong><br\/>Attackers are increasingly compromising &#8216;upstream&#8217; organizations, such as software vendors, repositories and CI\/CD, in order to impact downstream organizations at scale. The report describes, among other things, the largest reported crypto theft ever: <strong>$1.46 billion<\/strong>, made possible through a supply chain compromise. <\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Manufacturing companies increasingly targeted<\/h3>\n\n\n\n<p>Attacks on industrial organizations and their supply chains led to disruptions in production processes. The speed at which attackers can move within networks makes strict separation between IT and OT, as well as clear chain agreements, essential. <\/p>\n\n\t<\/div>\n\n\n\n<div class=\"col-12 col-md-6\">\n\t\t\t\t<\/div>\n\n<\/div>\n\n\n\n<div style=\"height:56px\" aria-hidden=\"true\" class=\"wp-block-spacer d-none d-lg-block\"><\/div>\n\n\n<div class=\"wp-bootstrap-blocks-row row justify-content-center\">\n\t\n\n<div class=\"col-12 col-md-12 col-lg-5\">\n\t\t\t<div class=\"h-100 d-flex flex-column justify-content-center\">\n\t\t\t\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"595\" height=\"842\" src=\"https:\/\/www.opensight.nl\/content\/crowdstrike-global-threat-report-2026.webp\" alt=\"\" class=\"wp-image-7966\" srcset=\"https:\/\/www.opensight.nl\/content\/crowdstrike-global-threat-report-2026.webp 595w, https:\/\/www.opensight.nl\/content\/crowdstrike-global-threat-report-2026-212x300.webp 212w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/figure>\n\n\t\t<\/div>\n\t<\/div>\n\n\n\n<div class=\"col-12 col-md-12 col-lg-6 offset-lg-1\">\n\t\t\t\n\n<h3 class=\"wp-block-heading\">What does this mean for organizations?<\/h3>\n\n\n\n<p>The common thread is clear: <strong>trust has become the new attack vector<\/strong>. 
Attackers move through authorized channels (identity, SaaS, cloud, and supply chain) and avoid heavily monitored endpoints. This creates blind spots precisely where business processes depend most on continuity.  <\/p>\n\n\n\n<p>In this context, &#8216;reactive&#8217; defense is becoming increasingly ineffective. When exfiltration can begin in minutes and a breakout can occur in seconds, the speed of detection, decision-making and response is crucial. Ideally, this would be supported by automation and cross-domain correlation.  <\/p>\n\n\t<\/div>\n\n<\/div>\n\n\n\n<div style=\"height:56px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<\/div>\n<div class=\"wp-bootstrap-blocks-container container mb-2\">\n\t\n\n<div style=\"height:56px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<div class=\"wp-bootstrap-blocks-row row justify-content-center\">\n\t\n\n<div class=\"col-12 col-md-10\">\n\t\t\t\n\n<h3 class=\"wp-block-heading\">Recommended measures (based on the recommendations in the report)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Secure AI: Protect AI Systems as well as AI Usage<\/strong>\n<ul class=\"wp-block-list\">\n<li>Ensure that AI governance and monitoring align with how employees use AI tools.<\/li>\n\n\n\n<li>Implement access controls and data classification to minimize data breaches.<\/li>\n\n\n\n<li>Protect your AI workloads against runtime attacks, such as prompt injection.<\/li>\n\n\n\n<li>Evaluate the suppliers and supply chains involved in the development and integration of AI.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Treat identity and SaaS as primary attack surfaces<\/strong>\n<ul class=\"wp-block-list\">\n<li>Implement phishing-resistant MFA wherever possible.<\/li>\n\n\n\n<li>Enforce the principle of least privilege for service accounts and non-human identities as well.<\/li>\n\n\n\n<li>Monitor anomalous token and SaaS activity (OAuth, sessions, API 
keys).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Eliminate cross-domain blind spots<\/strong>\n<ul class=\"wp-block-list\">\n<li>Consolidate telemetry across endpoints, the cloud, identity, SaaS, and the network.<\/li>\n\n\n\n<li>Cross-domain correlation and detection (XDR + next-gen SIEM workflows).<\/li>\n\n\n\n<li>Automate data enrichment with threat intelligence to identify attack paths more quickly.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Secure the software supply chain and developer workflows<\/strong>\n<ul class=\"wp-block-list\">\n<li>Harden developer endpoints and CI\/CD.<\/li>\n\n\n\n<li>Validate dependencies and package integrity (scanning, signing, policy).<\/li>\n\n\n\n<li>Conduct third-party risk assessments on tools and suppliers.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Prioritize the patching and monitoring of edge devices<\/strong>\n<ul class=\"wp-block-list\">\n<li>Accelerate the triage and patching of internet-facing systems, aiming for hours or days rather than weeks.<\/li>\n\n\n\n<li>Segment to limit lateral movement from the perimeter.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">In short<\/h3>\n\n\n\n<p>2025 showed us that the most successful attacks are not necessarily the &#8216;newest&#8217; ones, but rather those that are <strong>faster, smarter and better concealed<\/strong> through identity, the cloud, SaaS and supply chains. In 2026, the organizations that will make a difference are those that organize their defenses to be just as cross-domain and agile as their adversaries\u2019 operations. 
<\/p>\n\n\n\n<p><strong>Would you like to discuss what these insights mean for your organization (identity, SaaS, cloud, and edge)?<\/strong> Contact OpenSight for a tailored risk analysis and concrete steps for improvement.<\/p>\n\n\n\n\t<\/div>\n\n\n\n<div class=\"col-12 col-md-6\">\n\t\t\t\t<\/div>\n\n<\/div>\n\n\n\n<div style=\"height:56px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Discover the key insights from the CrowdStrike Global Threat Report 2026 and strengthen your cybersecurity strategy with actionable recommendations.<\/p>\n","protected":false},"author":5,"featured_media":7969,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"20","_seopress_titles_title":"%%post_title%% %%sep%% %%sitetitle%%","_seopress_titles_desc":"Discover the key insights from the CrowdStrike Global Threat Report 2026 and strengthen your cybersecurity strategy with actionable recommendations.","_seopress_robots_index":"","_improvement_type_select":"improve_an_existing","_thumb_yes_seoaic":false,"_frame_yes_seoaic":false,"seoaic_generate_description":"","seoaic_improve_instructions_prompt":"","seoaic_rollback_content_improvement":"","seoaic_idea_thumbnail_generator":"","thumbnail_generated":false,"thumbnail_generate_prompt":"","seoaic_article_description":"","seoaic_article_subtitles":[],"footnotes":""},"categories":[45,14],"tags":[46,47,50,48],"class_list":["post-7987","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-current","category-security-en","tag-cyber-security","tag-cyber-security-en","tag-cybercrime","tag-tips-en"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/posts\/7987","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/comments?post=7987"}],"version-history":[{"count":3,"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/posts\/7987\/revision
s"}],"predecessor-version":[{"id":7990,"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/posts\/7987\/revisions\/7990"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/media\/7969"}],"wp:attachment":[{"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/media?parent=7987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/categories?post=7987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.opensight.nl\/en\/wp-json\/wp\/v2\/tags?post=7987"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}