Cyber operations now “inseparable” from physical conflict and espionage

The report emphasises that geopolitical fragmentation and the adoption of Artificial Intelligence (AI) are creating an environment of instability, with persistent attacks becoming the norm in the global threat landscape.

Dr Christopher Ahlberg, co-founder of Recorded Future, shared the report’s key findings and highlighted how cyber operations, intelligence and emerging technologies are reshaping geopolitical competition and national security during a panel discussion held at the recent Munich Cyber Security Conference.

The State of Security Report identifies 2025 as a clear inflection point at which cyber activity became tightly intertwined with real-world geopolitical outcomes. The report finds that AI is contributing towards this convergence by accelerating the scale of deception, identity abuse and uncertainty faster than institutions can adapt, in turn contributing to heightened instability in 2026.

“Uncertainty is no longer episodic,” observed Levi Gundert, chief security and intelligence officer at Recorded Future. “It’s the operating environment. As geopolitical norms weaken, state objectives, criminal capability and private sector technology are increasingly reinforcing one another, compressing warning timelines and expanding plausible deniability. AI is accelerating that dynamic, not through autonomous attacks, but by scaling deception and eroding trust inside decision-making processes.”

Gundert added: “In 2026, cyber risk will be defined less by singular events and more by persistent and fragmented pressure that reshapes competition, escalation and stability over time.”

Key findings

Cyber as coercion

Nation states are increasingly using cyber access – and particularly so at the edge of networks and connectivity infrastructure – as a form of strategic leverage that can be activated during crises

Identity as the new attack surface

Most serious intrusions now begin with stolen credentials rather than technical exploits, shifting the centre of gravity of security towards identity and access

AI-driven verification failure

While fully autonomous AI cyber operations have not yet materialised, AI is already amplifying deception, social engineering and identity abuse at scale

Durable state-aligned ecosystems

From Russian influence operations backed by resilient criminal infrastructure to mercenary spyware and North Korean access-driven sanctions evasion, cyber capabilities are proving adaptive and difficult to dismantle through policy pressure alone

The Recorded Future report predicts that, in 2026, cyber threats will be defined by fragmented and constant pressure driven by persistent access, decentralised criminal ecosystems, influence operations and synthetic identities that will replace singular attacks with continuous and low-visibility disruption.

Key predictions

2026 will be defined by fragmented, always-on threats

Cyber risk will increasingly emanate from constant and overlapping activity orchestrated by states, criminals and proxies rather than from singular, headline-grabbing attacks

State cyber operations will shift fully to persistent pressure

Nation states will rely on quiet pre-positioning, credential theft and identity access in order to maintain continuous leverage and enable rapid escalation with little warning

Connectivity disruption will become the go-to tool of coercion

Instead of destructive cyber attacks, nation states will favour brief and reversible disruptions to cables, satellites and telecoms infrastructure to signal power, while staying below escalation thresholds

Cyber crime will grow smaller, faster and harder to disrupt

Ransomware and extortion groups will splinter into agile and modular crews that prioritise speed, persistence and visibility over large payouts

Influence operations will favour volume over credibility

Hacktivists and influence networks will use AI to flood the information environment with exaggerated or mixed authenticity claims, thereby sustaining confusion even when narratives lack credibility

Standing feature

During the panel discussion, Dr Ahlberg discussed the report’s key findings and outlined how cyber activity has become a standing feature of strategic competition, no longer a separate domain, but rather a persistent layer of pressure shaping crisis escalation, deterrence and instability.

“Cyber operations are no longer preparation for conflict,” concluded Dr Ahlberg. “They are part of conflict. What we’re seeing is that adversaries are logging in, not hacking in. This is a shift towards access, influence and leverage that can be activated at moments of political or military tension, often below the threshold of traditional response.”