
Annual Threat Dynamics 2026: Cyber threats in motion - PwC

PwC Archived Mar 25, 2026 ✓ Full text saved

Insight, 3 minute read, March 24, 2026

In an identity-driven, AI-accelerated threat landscape, resilience belongs to organisations that govern identity at speed, validate trust continuously, and treat cyber risk as inseparable from business and geopolitical strategy.

The takeaways

- Identity is the key battleground
- AI is accelerating both sides of the race
- Cyber risk is inseparable from business and geopolitical strategy

The cyber threat landscape has shifted into high gear, with identity-centric attacks taking pole position as adversaries chose to log in rather than break in. AI is increasingly being used by both attackers and defenders, and threat actors across a wide range of motivations found new ways to accelerate through the blind corners of edge devices, supply chains, and cloud ecosystems — turning trusted dependencies into high-speed attack paths with cascading impact.

From record-level ransomware leak site victimisation and crypto heists, to pervasive compromises of technologies and sustained espionage campaigns targeting critical infrastructure, we are seeing an increasingly capable and adaptive threat landscape in which adversaries employ full-stack tradecraft and are fluidly navigating identity, cloud, edge, and application layers with unprecedented precision.

In this environment, the advantage belongs to organisations that treat security not as a fixed set of controls, but as a high-performance system — governing identity at speed, validating trust at every turn, and aligning cyber, business, and geopolitical strategy to stay ahead of an ever-faster field.

Our report “Annual Threat Dynamics 2026: Cyber threats in motion” examines the threat actors, trends, and motivations defining the cyber threat landscape. It includes an overview of the factors influencing an overall increase in threat activity as well as emerging trends, the evolving tools, techniques, and procedures (TTPs) of notable threat actors across a wide range of motivations, and the impact of wider geopolitics and technological innovation.

Trends

The cyber threat landscape is evolving at an unprecedented pace. Lines are blurring and the rules of engagement have changed.

Identity is the key battleground

Adversaries across a wide range of motivations are increasingly choosing to log in rather than break in, exploiting credentials, session tokens, and federated access to bypass traditional perimeter defences. Social engineering is evolving in sophistication, with AI-generated deepfakes, IT helpdesk impersonation, stolen identities for illicit remote worker operations, and multi-stage phishing campaigns targeting human and machine identities alike. As organisations expand their SaaS ecosystems and cloud dependencies, the attack surface is widening — with a single compromised identity capable of unlocking cascading access across entire environments.

Looking ahead

Identity will remain in pole position as the primary attack vector. As organisations adopt zero-trust architectures, adversaries will iterate with techniques to spoof device posture, abuse non-human identities (NHIs), and target AI-driven automated workflows. Treating identity governance as a strategic, board-level priority — not a technical checkbox — will be critical to staying ahead of the field.

AI is accelerating both sides of the race

Threat actors are embracing AI not as an enhancement but as a core component of their tradecraft, using it to automate reconnaissance, generate convincing phishing lures, accelerate malware development, and scale social engineering across languages and platforms. The time between an AI capability being publicly released and its weaponisation by threat actors is shrinking dramatically, whilst autonomous AI agents capable of executing entire attack sequences without human intervention are a prime concern. AI also represents the single greatest opportunity for defenders to match the pace, enabling faster detection, automated containment, and intelligence-led decision-making at scale.

Looking ahead

AI-driven threats may outpace traditional detection and response models, and quantum advancements will change the track entirely. Organisations should anticipate malware that natively incorporates AI to evade detection and target high-value data, alongside a widening pool of less skilled threat actors leveraging AI to punch above their weight. Investing in AI-enhanced defence, embedding frameworks into threat modelling, and becoming post-quantum ready will be essential to keeping pace.

Cyber risk is inseparable from business and geopolitical strategy

Geopolitical turbulence continues to influence the threat landscape, with more threat actors blending espionage, influence operations, and disruption at strategic inflection points seen around the world. Financial crime, insider threats, digital-to-physical security concerns, and supply chain compromise are converging into a single pressure point, with threat actors simultaneously targeting executives, developers, vendors, hiring processes, and financial workflows from multiple angles. The boundaries between motivations continued to blur, as ransomware operators sold strategically sensitive data, espionage-motivated threat actors leveraged cyber criminal tooling, and North Korea-based threat actors industrialised fraudulent employment and cryptocurrency theft at unprecedented scale.

Looking ahead

No cyber intrusion exists in a vacuum. Trade disputes, elections, conflicts, and shifting alliances will continue to shape threat actor targeting and tempo. Organisations that embed geopolitical and supply chain risk into strategic decision-making — aligning cyber, legal, HR, finance, and communications capabilities — will be positioned to navigate the turbulence ahead.

Sectors

Threat actors vary in motivation and sophistication, tailoring operations and opportunistic attacks in different sectors. The following is a view of sector-specific motivations summarised by PwC Threat Intelligence from 2025 case studies and in-house analytics.

Motivations: Crime, Espionage, Hacktivism, Sabotage

Sectors: Aerospace and Defence; Asset and Wealth Management; Automotive; Construction; Education; Energy; Financial Services; Food and Agriculture; Government; Healthcare; Hospitality and Leisure; Legal; Manufacturing; Media and Entertainment; Pharmaceuticals and Life Sciences; Professional Services; Resources and Mining; Retail; Technology; Telecommunications; Transport and Logistics

The aerospace and defence sector, considered critical national infrastructure in most countries, has been persistently targeted by threat actors for sensitive data concerning military operations, plans, and capabilities. Further, innovation like the advancement of AI, drone technologies, and space-based capabilities alongside the continued growth of defence contracting have expanded this sector’s attack surface, including for cyber crime. We observed threat actors targeting entities around the world, highly likely in response to geopolitical tensions and conflicts, with certain conflicts spreading and others not abating.

Chart (pie chart with 4 slices): Cyber crime 11%, Espionage 80%, Hacktivism 3%, Sabotage 6%

About the team

Kris McConkey, Global Threat Intelligence Lead Partner, PwC United Kingdom
Matt Carey, Global Threat Intelligence Lead, Director, PwC Sweden
Rachel Mullan, Global Threat Intelligence Lead, Director, PwC United Kingdom

Article Info
Source: PwC
Category: Threat Intelligence
Published: Mar 25, 2026
Archived: Mar 25, 2026