IBM released the 2026 X-Force Threat Intelligence Index on February 25, 2026, and the headline finding won’t surprise anyone who’s spent time in incident response or compliance: attackers aren’t relying on sophisticated zero-days to get in. They’re walking through doors that organizations left open.
The report is built on IBM X-Force’s incident response and investigation data from 2025, and it paints a clear picture of where the threat landscape is heading and, more importantly, where it has been stuck.
Vulnerability Exploitation Is Now the Leading Initial Access Vector
X-Force observed a 44% increase in attacks that started with the exploitation of public-facing applications. Vulnerability exploitation accounted for 40% of all incidents observed in 2025, overtaking phishing as the primary way attackers gained initial access.
The uncomfortable detail behind that number: of the nearly 40,000 vulnerabilities X-Force tracked in 2025, 56% could be exploited without any form of authentication. No credentials needed. No MFA to bypass. No user interaction required. Attackers are scanning, finding exposed applications with missing authentication controls, and walking straight in.
Supply Chain Breaches Have Quadrupled Since 2020
X-Force identified a nearly 4x increase in large supply chain and third-party compromises over the past five years. Attackers are shifting focus from breaking through a single organization’s perimeter to exploiting trusted relationships, CI/CD automation, development workflows, and SaaS integrations.
This aligns with findings from other researchers, including the Atlantic Council’s “Breaking Trust” report, which documented systemic weaknesses across global software supply chains. The pattern is consistent: rather than attacking you directly, adversaries target the vendors, dependencies, and integrations you trust.
With AI-powered coding tools accelerating software creation and occasionally introducing unvetted code, X-Force expects pressure on development pipelines and open-source ecosystems to grow throughout 2026.
Ransomware Ecosystem Fragmentation
Active ransomware and extortion groups surged 49% year over year. That’s not necessarily a sign of more sophisticated operations. It reflects ecosystem fragmentation as barriers to entry collapse. Smaller, transient operators are reusing leaked tooling, following established playbooks, and tapping AI to automate portions of their operations. Their low-volume campaigns make attribution harder for defenders and law enforcement alike.
Publicly disclosed victim counts rose roughly 12%, but the real story is the operational shift. As multimodal AI models mature, X-Force expects adversaries to automate reconnaissance, vulnerability analysis, and even portions of ransomware deployment, making attacks faster and more adaptive.
Identity Is Still the Core Problem
A recurring theme throughout the report is identity sprawl and credential hygiene failure. X-Force Red penetration tests consistently reveal misconfigured access controls as the most common entry point. Infostealer malware led to the exposure of over 300,000 ChatGPT credentials in 2025 alone, signaling that AI platforms now carry the same credential risk as any other enterprise SaaS solution.
Compromised AI chatbot credentials create risks beyond simple account access. Attackers can manipulate outputs, exfiltrate sensitive data, or inject malicious prompts. As AI agents become more deeply integrated into organizational workflows, stored credentials within those agents represent an emerging and largely unmonitored attack surface.
North America Is the Most Attacked Region for the First Time in Six Years
North America accounted for 29% of total cases observed by X-Force, up from 24% the prior year, becoming the most targeted region for the first time in six years. The sector hardest hit was critical infrastructure, accounting for 27.7% of all incidents, with data theft as the most common outcome.
What This Means for Security and GRC Teams
The X-Force 2026 findings reinforce a message that compliance and risk professionals have been hearing for years: foundational controls matter more than advanced tooling.
If your organization is still treating vulnerability management as a quarterly scan exercise, the data says you’re falling behind. If your identity governance program doesn’t extend to non-human identities, service accounts, and AI agent credentials, you have blind spots that attackers are actively exploiting. If your third-party risk management is limited to annual questionnaires, the 4x increase in supply chain compromises should be a wake-up call.
For PCI DSS practitioners specifically, this report validates the direction of v4.x. The emphasis on targeted risk analysis, continuous monitoring, authenticated vulnerability scanning, and defined roles and responsibilities is a direct response to the operational reality X-Force is documenting. The standard is trying to force the operational maturity that the threat landscape demands.
The full report is available from IBM, and there’s a webinar scheduled for March 17 at 11 AM ET with X-Force analysts walking through the findings.
