A new report out today from real-time event and risk detection company Dataminr Inc. has found that 2025 marked a structural shift in cyber risk, as threat actor activity surged, identity-based intrusions accelerated and “mega-loss” events became more common.
Dataminr’s 2026 Cyber Threat Landscape Report finds that there was a 225% increase in average monthly threat actor alerts compared with 2024.
The company tracked more than 5,000 threat actors over the year, logged 18,000-plus ransomware alerts and detected more than 2 million domain impersonation incidents amid a rapidly expanding and increasingly interconnected risk environment.
Dataminr recorded more than 6.3 million external threat alerts in 2025, alongside 4.8 million vulnerability alerts and 3.1 million digital risk alerts, including phishing, doxxing and brand impersonation. Phishing alone accounted for more than 443,000 alerts, while company fraud incidents exceeded 424,000 and hacking services advertisements topped 185,000.
One theme highlighted in the report is that identity is now the primary attack surface: nearly 30% of intrusions involve valid credentials, as attackers increasingly log in rather than break in. The trend was fueled by an 84% increase in infostealer malware delivered through phishing and by artificial intelligence-enhanced social engineering campaigns that now account for the majority of observed social engineering activity.
On the financial side, the report finds that the impact is shifting: although ransomware volumes stabilized, single-incident losses grew materially larger in 2025. Dataminr’s normalized loss severity analysis shows a heavier “tail” of high-impact events, with clusters emerging at the $100 million and even $1 billion-plus level.
Rather than frequent but contained incidents, organizations now face fewer but more systemic, multi-vector attacks combining credential theft, data exfiltration, operational disruption and regulatory exposure, the report finds.
Supply chain risk is also covered in the report, with one in four modern breaches now involving the exploitation of a third-party vulnerability, often weaponized within the same calendar year as its disclosure.
The report argues that traditional technical severity scores such as the Common Vulnerability Scoring System are insufficient on their own and should be contextualized with likelihood of exploitation, industry targeting patterns and modeled financial impact to reflect real business risk.
The report concludes by noting that the pace and scale of today’s threat landscape have outstripped what human-only security teams can manage. With more than 43 terabytes of signals ingested daily and millions of alerts generated annually, the company contends that purpose-built AI platforms are required to correlate signals early enough to reduce dwell time and prevent catastrophic loss events.
“The findings in this report demonstrate two critical, undeniable takeaways for any enterprise or government security team: the power of interconnected intelligence and the need for purpose-built AI to handle the chaos of today’s cyber threat landscape,” the report’s authors write.
