
Darktrace Says Identity Is Now Cybersecurity’s Primary Battleground as Vulnerabilities Climb 20%

The front door to the enterprise is no longer the firewall. It is the login screen.

According to the newly released Annual Threat Report 2026 from Darktrace, publicly disclosed software vulnerabilities rose 20 percent year over year in 2025. Yet attackers are increasingly choosing not to exploit those weaknesses directly. Instead, they are signing in.

Across the Americas, nearly 70 percent of investigated incidents began with stolen or misused credentials. In Europe, 58 percent of incidents originated from compromised cloud accounts and email, overtaking traditional network intrusion paths. The findings point to a structural shift in how cybercriminals and state-aligned actors gain access to organizations that now run on cloud services and SaaS platforms.


The implication is clear. Identity has become the new perimeter.


From Breaking In to Logging In


Security leaders have spent decades hardening networks against exploits. But as enterprises migrate workloads to Microsoft 365, SaaS applications, and multi-cloud infrastructure, access control is increasingly governed by user accounts rather than network boundaries.

“Traditional perimeter defenses were built for a world where attackers had to break in,” said Nathaniel Jones, VP of Security and AI Strategy at Darktrace. “Today they simply log in. Stopping identity-led intrusions requires the ability to recognize when legitimate accounts begin to behave in ways that do not align with normal activity, and that means moving beyond static controls toward security that understands context and intent.”


That shift is reflected in headline-making breaches over the past year, where compromised credentials rather than zero-day exploits provided the initial foothold. Once inside, attackers used the permissions those accounts already held and the organization's own trusted tools to move laterally, blend into routine activity, and escalate impact.


Phishing remains the primary mechanism for harvesting those credentials. Darktrace reports detecting 32 million phishing emails globally in 2025, including more than 8.2 million targeting high-value individuals. Over a quarter of all phishing activity was aimed at privileged or executive accounts, reflecting a strategic focus on identities that unlock broader access.


Azure, Containers, and the Cloud Attack Surface


Cloud compromise now dominates initial access patterns on both sides of the Atlantic. In the Americas, SaaS platforms and Microsoft 365 accounts were common entry points, often followed by double or triple extortion campaigns.


Among cloud providers, Azure attracted the largest share of observed malware samples at 43.5 percent, compared with 33.2 percent for Google Cloud Platform and 23.2 percent for Amazon Web Services. Containerized environments are also under growing pressure: Docker-based infrastructure accounted for more than half of the honeypot targeting activity when measured by unique malicious source IP addresses.


With 94 percent of organizations relying on cloud computing, the exposure is systemic. A single compromised account can cascade across interconnected services, APIs, and automated workflows.


Phishing Enters Its AI Era


Email attacks are evolving beyond generic spam campaigns. The report highlights increasing signs of AI-assisted social engineering. Indicators of AI-generated content rose year over year, with novel persuasion techniques climbing from 32 percent to 38 percent. Long-form phishing messages designed to appear legitimate increased from 27 percent to 33 percent.


QR-code phishing also surged. Darktrace observed a 28 percent increase in QR-based attacks, from 940,000 incidents in 2024 to more than 1.2 million in 2025. Attackers are experimenting with tactics such as splitting a malicious QR code across separate images or embedding a harmful code within a legitimate one to evade link-scanning tools. The technique also sidesteps the gateway in a second way: the victim scans the code with a personal phone, so the resulting visit never passes through the corporate URL rewriting or managed browser that would inspect an ordinary link.


Meanwhile, reputation-based defenses are losing effectiveness. More than 1.6 million phishing emails leveraged newly created domains spun up specifically for malicious use, domains with no history for a reputation system to score. Seventy percent of phishing emails passed DMARC authentication, allowing them to appear legitimate to both users and automated filters. That figure is less surprising than it sounds: DMARC only verifies that a message is authorized to use the domain in its From header, and an attacker who registers a fresh domain and publishes SPF and DKIM records for it passes the check cleanly.
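As an added illustration of that caveat (example code written for this page, not Darktrace's tooling or data): a gateway-side triage routine that parses the Authentication-Results header a mail server stamps on inbound messages and combines the DMARC verdict with the sending domain's age, so that a passing result from a days-old domain is flagged rather than trusted. The gateway name mx.example.net, the sample headers, the FIRST_SEEN table standing in for an RDAP/WHOIS or passive-DNS lookup, the fixed assessment date and the 30-day threshold are all constructed assumptions.

```python
import re
from datetime import date

# Added example, not Darktrace's code or data. The gateway name, the sample
# headers, the FIRST_SEEN table (standing in for an RDAP/WHOIS or passive-DNS
# lookup) and the thresholds below are constructed assumptions.

TRUSTED_AUTHSERV = "mx.example.net"   # authserv-id our own gateway stamps
YOUNG_DOMAIN_DAYS = 30                # domains younger than this are suspect
ASSESSED_ON = date(2025, 12, 1)       # fixed "today" so the run is reproducible

# Constructed first-seen dates; a real deployment queries a domain-age source.
FIRST_SEEN = {
    "example-corp.com": date(2015, 3, 2),
    "invoice-portal-secure.com": date(2025, 11, 20),
}

# Constructed inbound messages as a gateway would see them (header subset only).
SAMPLES = [
    {   # case 1: cleanly authenticated, but the sending domain is days old
        "from": "Accounts Payable <billing@invoice-portal-secure.com>",
        "auth": "mx.example.net; dkim=pass header.d=invoice-portal-secure.com; "
                "spf=pass smtp.mailfrom=invoice-portal-secure.com; "
                "dmarc=pass header.from=invoice-portal-secure.com",
    },
    {   # case 2: classic spoof of an established domain, DMARC fails
        "from": "IT Support <it-support@example-corp.com>",
        "auth": "mx.example.net; spf=fail smtp.mailfrom=example-corp.com; "
                "dmarc=fail header.from=example-corp.com",
    },
    {   # case 3: legitimate mail from an established domain
        "from": "Payroll <payroll@example-corp.com>",
        "auth": "mx.example.net; dkim=pass header.d=example-corp.com; "
                "spf=pass smtp.mailfrom=example-corp.com; "
                "dmarc=pass header.from=example-corp.com",
    },
    {   # case 4: Authentication-Results stamped by someone else's server
        # (an attacker can insert one before handing the message off)
        "from": "Payroll <payroll@example-corp.com>",
        "auth": "relay.attacker.invalid; dmarc=pass header.from=example-corp.com",
    },
]

METHOD_RE = re.compile(r"\b(dmarc|dkim|spf)=([a-z]+)")
PROP_RE = re.compile(r"\b(header\.from|header\.d|smtp\.mailfrom)=([\w.\-]+)")


def parse_authentication_results(value):
    """Parse an Authentication-Results header (RFC 8601 syntax, simplified):
    the authserv-id, the method=result pairs and the ptype.property=value pairs."""
    authserv_id, _, rest = value.partition(";")
    return {
        "authserv_id": authserv_id.strip(),
        "methods": {m: r for m, r in METHOD_RE.findall(rest)},
        "props": {p: v for p, v in PROP_RE.findall(rest)},
    }


def from_domain(from_header):
    """Return the lowercased domain of the address in a From: header."""
    m = re.search(r"@([\w.\-]+)", from_header)
    return m.group(1).lower() if m else ""


def assess(msg, today=ASSESSED_ON):
    """Return (verdict, reason). A DMARC pass proves the mail really came from
    the From: domain; it says nothing about whether that domain was registered
    last week for phishing, so the pass is combined with the domain's age."""
    ar = parse_authentication_results(msg["auth"])
    domain = from_domain(msg["from"])
    if ar["authserv_id"] != TRUSTED_AUTHSERV:
        # Only results stamped by our own gateway count (RFC 8601 section 7.1)
        return ("quarantine", "Authentication-Results not stamped by our gateway")
    dmarc = ar["methods"].get("dmarc", "none")
    if dmarc != "pass":
        return ("quarantine", f"dmarc={dmarc} for {domain}")
    if ar["props"].get("header.from", "").lower() != domain:
        return ("quarantine", "DMARC result is for a different domain than From:")
    first_seen = FIRST_SEEN.get(domain)
    age_days = (today - first_seen).days if first_seen else 0  # unknown = brand new
    if age_days < YOUNG_DOMAIN_DAYS:
        return ("flag", f"dmarc=pass but {domain} first seen {age_days} days ago")
    return ("allow", f"dmarc=pass, {domain} established for {age_days} days")


def triage(today=ASSESSED_ON):
    """Verdict for each constructed sample, in order."""
    return [assess(m, today)[0] for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        verdict, reason = assess(m)
        print(f"{verdict:10s} {m['from']:48s} {reason}")
```

Two checks matter beyond the DMARC result itself: the routine only honours a header stamped by its own authserv-id, because anything upstream can insert a forged Authentication-Results header, and it treats a domain it has never seen as zero days old, so an unknown sender is flagged rather than allowed by default.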


“Phishing has become far more convincing and far more targeted,” Jones said. “Attackers are using AI to craft messages that look authentic, exploit human trust, and slip past traditional email filters. Defenders need technology that can identify subtle signs of abnormality even when an email appears legitimate at first glance.”


Critical Infrastructure in the Crosshairs


The report also outlines mounting risks to critical national infrastructure. Cyber operations linked to geopolitical tensions disrupted energy and telecommunications networks, with downstream effects on healthcare and public services.


Groups including Salt Typhoon and Volt Typhoon expanded operations beyond espionage into strategic access and pre-positioning inside telecommunications and energy organizations. Activity attributed to actors affiliated with North Korea blended financially motivated campaigns with broader intelligence objectives, including the deployment of trojanized malware in financial services environments.


These campaigns reflect a broader convergence of criminal and state-sponsored tactics. Identity compromise remains central. Whether the objective is espionage, disruption, or financial extortion, attackers increasingly rely on valid credentials to operate undetected.


Security in a Post-Perimeter World


The Annual Threat Report 2026 suggests the cybersecurity industry is entering a new phase defined by acceleration and precision. Publicly disclosed vulnerabilities continue to rise, but attackers are optimizing for the path of least resistance, which is often human trust and credential access.


“The speed and scale of modern attacks demand continuous visibility into how users and systems behave. Identity has become the most reliable path for attackers, and cloud interconnectivity means a single compromised account can have far-reaching consequences. Behavioral AI gives defenders the ability to detect small deviations early, before they develop into major incidents,” Jones concluded.


For security teams, the message is blunt. If identity is the new perimeter, then monitoring behavior across cloud, SaaS, and hybrid environments is no longer optional. It is the difference between spotting subtle anomalies and discovering a breach only after trusted accounts have already done the damage.
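As an added example of the kind of behavioral check the passage above calls for, and not Darktrace's own detection logic: a small detector that learns each user's normal sign-in locations (country and ASN) from a baseline window and then scores later audit events against that history, alerting on a never-seen location, on impossible travel between consecutive sign-ins, and on a mailbox rule created shortly after an anomalous login. The event format, the user alice, the ASNs, the coordinates, and the 900 km/h and one-hour thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Added example, not Darktrace's detection logic. Events are constructed audit
# records in a simplified shape (timestamp, user, action, country, ASN, and a
# lat/lon already resolved from the source IP); the field names, the user
# "alice", the ASNs and the thresholds are assumptions for illustration.

MAX_PLAUSIBLE_SPEED_KMH = 900           # anything faster than an airliner
MIN_TRAVEL_KM = 100                     # ignore geo-IP jitter inside one city
POST_LOGIN_WINDOW = timedelta(hours=1)  # rule creation this soon after a flagged login


def ev(ts, user, action, country, asn, lat, lon):
    """Build one constructed audit event."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "country": country, "asn": asn, "lat": lat, "lon": lon}


# Constructed learning window: alice signs in from Chicago on the corporate ISP.
BASELINE = [
    ev("2025-11-03T08:55:00", "alice", "signin", "US", "AS7922", 41.88, -87.63),
    ev("2025-11-04T09:02:00", "alice", "signin", "US", "AS7922", 41.88, -87.63),
    ev("2025-11-05T08:58:00", "alice", "signin", "US", "AS7922", 41.88, -87.63),
]

# Constructed events after a phished credential is replayed from a hosting
# provider in Amsterdam, followed by a mailbox rule (a common BEC follow-up).
NEW_EVENTS = [
    ev("2025-11-17T09:01:00", "alice", "signin", "US", "AS7922", 41.88, -87.63),
    ev("2025-11-17T11:40:00", "alice", "signin", "NL", "AS14061", 52.37, 4.90),
    ev("2025-11-17T11:52:00", "alice", "inbox_rule_created", "NL", "AS14061", 52.37, 4.90),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def build_baseline(events):
    """Per-user set of (country, ASN) pairs seen during the learning window."""
    seen = {}
    for e in events:
        if e["action"] == "signin":
            seen.setdefault(e["user"], set()).add((e["country"], e["asn"]))
    return seen


def detect(baseline_events, new_events):
    """Score each new event against the user's own history.
    Returns (timestamp, user, rule, severity) tuples in time order."""
    seen = build_baseline(baseline_events)
    new_ids = {id(e) for e in new_events}   # only events after the learning window alert
    alerts, last_signin, flagged_at = [], {}, {}
    for e in sorted(baseline_events + new_events, key=lambda x: x["ts"]):
        user, is_new = e["user"], id(e) in new_ids
        if e["action"] == "signin":
            prev = last_signin.get(user)
            if is_new and (e["country"], e["asn"]) not in seen.get(user, set()):
                alerts.append((e["ts"], user, "new_country_or_asn", "medium"))
                flagged_at[user] = e["ts"]
            if is_new and prev is not None:
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                # km > speed * hours also catches two distant sign-ins at the same instant
                if km > MIN_TRAVEL_KM and km > MAX_PLAUSIBLE_SPEED_KMH * hours:
                    alerts.append((e["ts"], user, "impossible_travel", "high"))
                    flagged_at[user] = e["ts"]
            last_signin[user] = e
        elif e["action"] == "inbox_rule_created":
            t = flagged_at.get(user)
            if t is not None and e["ts"] - t <= POST_LOGIN_WINDOW:
                alerts.append((e["ts"], user, "mailbox_rule_after_anomalous_login", "high"))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, severity in detect(BASELINE, NEW_EVENTS):
        print(f"{ts.isoformat()} {user:8s} {severity:6s} {rule}")
```

The point of the third rule is the one the article makes about attackers using legitimate permissions: a mailbox rule is an ordinary user action that no static control blocks, and it only becomes a strong signal when it is read in the context of the anomalous sign-in a few minutes earlier.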
