SecureITWorld (1)

      ExtraHop® Report Finds Nearly Half of Ransomware Victims Suffer Data Theft Before Detection

      ExtraHop Warns of Faster AI Cyberthreats

      SEATTLE--(BUSINESS WIRE)--ExtraHop®, a leader in modern network detection and response (NDR), today released the 2026 ExtraHop Global Threat Landscape Report, exposing the reality of modern cyber defense in the age of AI.

      The comprehensive analysis examines an environment where rapid AI adoption has unlocked new entry points for adversaries and accelerated their velocity, while security teams still struggle to keep pace, unable to uncover hidden threats while drowning in prolonged dwell times and escalating alert noise.

      While defenders look to AI to counter these attacks, the findings reveal that security operations centers (SOCs) still rely heavily on manual intervention and maintain a primarily reactive posture.

      AI Infrastructure Emerges as Prime Cybersecurity Target

      When asked which attack surfaces represent the biggest cybersecurity risk to their organization, more than half (55%) of respondents cited AI agents, agentic infrastructure, and Gen AI applications.

      Concerns over AI risks were validated as a majority (85%) of respondents identified security incidents, data exposures, or near misses where the root cause of the incident was an AI system. Examples include:

      • AI-enhanced external attacks (40%)
      • Compromised AI identity and session theft (38%)
      • Third-party vendor/supply chain breach where a vendor's integrated AI or agent mishandled data or created a vulnerability (36%)
      • Shadow AI exposure (35%)
      • Agentic/API Logic failure (31%)

      LockBit and RansomHub Lead Global Cyber Detections as AI Scales Enterprise Attacks

      LockBit and RansomHub were the two threat groups most detected within enterprise networks for the second year in a row.

      In contrast, APT41 detections fell by 50% year-over-year.

      Dominating groups like RansomHub are known to use AI to maximize the speed and volume of their attacks, compared to state actors like APT41 that limit AI to supportive tasks, preserving a human-led approach.

      Top 5 threat actors detected:

      • LockBit
      • RansomHub
      • Lazarus Group
      • DarkSpectre
      • Midnight Blizzard (also known as APT29, Nobelium, or Cozy Bear)

      Dwell Times Surge as Adversaries Outmaneuver Detection

      Threat actors are maintaining a prolonged, quiet presence within enterprise networks, leaving organizations to find out they are compromised only after the damage is done.

      • Adversaries had access to enterprise networks for nearly 2.5 weeks on average before being detected in ransomware incidents.
      • 49% of organizations did not detect the threat until after data was stolen, up from 31% last year.
      • 14% were unaware of an attack until they received a ransom demand, compared to 6% last year.

      Prolonged dwell times often parallel a highly complex threat environment where critical alerts are obscured. When asked what delayed a critical alert from being detected or investigated, respondents cited several key factors:

      • Attackers used encrypted channels to bypass detection (41%)
      • Attacker activity mirrored legitimate, authorized workflows and processes (38%)
      • Adversaries used valid, high-privilege account permissions (34%)
      • Alert fatigue caused the initial detection to be deprioritized (30%)
      • Undetermined baseline behavior enabled anomalous actions to go undetected (27%)

      Threat Actors Trade Max Payouts for More Payouts

      While the average ransom payment dropped year-over-year, down to $2.8 million from $3.6 million in 2025, the frequency of payments rose sharply. According to this year’s respondents, 83% of victims paid a ransom, compared to 70% previously.

      Downtime per incident averaged almost 30 hours. Across the cybersecurity industry, the mounting financial and operational toll of this business disruption is widely recognized as a primary reason why organizations ultimately choose to pay.

      AI Security Tooling Falls Short of “Machine-Speed” Promise

      While many organizations are turning to AI and agentic security operations, the majority of respondents reported needing mid-to-high levels of manual intervention across the entire threat lifecycle:

      • Detection (42%)
      • Alert Triage (43%)
      • Investigation (49%)
      • Response (47%)

      Because of these persistent manual demands, strategic security initiatives are frequently sidelined. The report found that SOC analysts are limited to spending just 44% of their time on proactive efforts like threat hunting and detection engineering, leaving the bulk of their hours dedicated to reactive triage and manual data gathering.

      AI implementations are occasionally adding to this noise rather than clearing it. Nearly a third (30%) of respondents stated that AI-generated alerts have produced false positives that have negatively impacted their overall investigation timelines.

      “When you look at the big picture of modern cyber risk, the thread connecting every major challenge, from missed detections and prolonged dwell times to AI false positives, is a fundamental lack of situational awareness, or ground truth,” said Raja Mukerji, Co-founder and Chief Scientist, ExtraHop. “As threat actors leverage AI to scale their operations, defenders are countering with automated operations that don’t have the context required to make definitive decisions. The network bridges this critical gap, revealing exactly how threats are moving and communicating so security teams have the full picture. Until we enrich our security tooling and AI agents with deep, real-time network context, attackers will continue to have the upper hand.”

      Explore the 2026 ExtraHop Global Threat Landscape Report to learn more about modern cyber defense and gain data-driven insights to help your team uncover blind spots in your organization's AI risk strategy.

      Conducted in partnership with Censuswide, the 2026 ExtraHop Global Threat Landscape Report reflects a survey of 1,800+ security and IT leaders (director level and above) from organizations with 1,000+ employees across the U.S., U.K., France, Germany, Singapore, Australia, and the UAE.

      About ExtraHop®

      ExtraHop turns the network - the enterprise’s ultimate source of truth - into actionable insight to power security, performance, and resilience. Delivering superior data by design, we ensure superior defense by default.

      The ExtraHop modern network detection and response (NDR) platform provides visibility that thinks, analyzing behavior to intercept evasive risks before they cause damage. We transform network noise into definitive context, enabling security teams to make faster decisions and operate at uncompromised scale.

      Whether securing cloud modernization or de-risking AI adoption, ExtraHop gives global enterprises the ground truth they need to thrive.

      To learn more, visit www.extrahop.com

      © 2026 ExtraHop Networks, Inc., RevealX, RevealX 360, RevealX Enterprise, and ExtraHop are registered trademarks or trademarks of ExtraHop Networks, Inc.

