
IBM's 2026 Threat Report: Cybersecurity Got Worse

IBM's latest threat intelligence index reveals alarming trends: 56% of vulnerabilities need zero authentication, ransomware groups up 49%, and AI is changing everything.

Written by AI. Zara Chen

February 26, 2026


Here's a sentence I never thought I'd write: over half of the vulnerabilities that security researchers tracked last year could be exploited without authentication. As in, attackers don't need to phish anyone, steal passwords, or bypass multi-factor authentication. They just... walk in.

That's one of several deeply unsettling findings from IBM's 2026 X-Force Threat Intelligence Index, presented by Jeff Crume in a video that manages to make catastrophic security failures sound almost reasonable through sheer data density. The report—which tracks cyber threats across industries and geographies—basically confirms what many in the security community have been whispering: we're not winning this fight, and the gap is widening.

The Numbers That Should Keep You Up at Night

Let's start with the headline stat: 44% of security incidents now stem from vulnerability exploitation, representing a sharp rise from previous years. That's paired with nearly 40,000 new vulnerabilities reported—13,000 more than the year before.

But it's the 56% figure that really hits different. More than half of tracked vulnerabilities require zero authentication to exploit. Crume puts it bluntly: "Somebody just walks right in. They don't even have to identify themselves."

Think about what that means from an attacker's perspective. No crafting convincing phishing emails. No credential theft. No social engineering. Just find the vulnerability, exploit it, and you're inside the system. As a bonus? Fewer forensic footprints, since there's no compromised credential to trace.

One example Crume mentions involved a popular app server that allowed unauthenticated users to upload arbitrary files, leading to remote code execution—which is security-speak for "attackers can now run whatever code they want on your system." It's essentially full compromise.

The really concerning part? This 56% figure has remained largely unchanged for three consecutive years. As Crume notes, "We don't seem to be learning the lesson here that we need to be learning."

Supply Chains Are the New Front Line

Then there's the 4x statistic—supply chain and third-party compromises have nearly quadrupled over the past five years. Attackers are increasingly targeting where software is developed and deployed, exploiting SaaS integrations and other connection points.

Crume's metaphor is apt: "Slipping in contaminated flour makes for a bad cake, and messing with the ingredients of a software system creates a house of cards just waiting to fall."

This shift makes sense strategically. Why hack 100 companies individually when you can compromise one software vendor and gain access to all their clients? It's efficient, devastating, and increasingly common.

When Nation States and Criminals Share a Playbook

One of the more fascinating findings involves what security researchers call TTPs—tactics, techniques, and procedures. Historically, nation-state actors operated differently from ransomware gangs and other financially motivated criminals. Different goals, different methods.

Not anymore. The report shows substantial convergence in TTPs across threat actor types. Nation-state actors are using tools previously associated with cybercriminals, and vice versa. Crume cites North Korean state actors deploying info stealers—software designed to harvest passwords and secrets—that were once predominantly the domain of criminal operations.

This blurring of lines complicates attribution and defense. When everyone's using similar techniques, it's harder to identify who's attacking you and what they want. Is it espionage? Ransomware? Both?

The Ransomware Boom Continues

Speaking of ransomware: the number of active ransomware groups jumped 49% compared to the previous year. That's not a typo—nearly half again as many groups are now operating.

What's driving this growth? Crume points to "smaller transient operators driving more low-volume campaigns with AI and other ransomware-as-a-service tools." The barrier to entry has collapsed. As he explains: "You can basically set it and forget it. Let your AI go out and figure out what the targets will be, what exploits they're going to be using, and then launch the attack and do the collections."

This democratization of cybercrime creates a different threat landscape. Instead of a handful of sophisticated groups that security teams can track and study, there are now dozens or hundreds of smaller operators—more dispersed, harder to attribute, collectively harder to defend against.

The AI Factor

AI appears throughout the report, but not in the breathless "AI will save/destroy us" way that dominates most tech coverage. Instead, it's presented as a practical tool that's lowering barriers for attackers while creating new attack surfaces for defenders.

Attackers are using AI to automate target selection, exploit identification, and attack execution. Meanwhile, organizations are adopting AI systems that introduce new vulnerabilities—systems that need governance, security policies, and monitoring that many organizations haven't implemented yet.

Crume's recommendation is straightforward: "Enforce strong AI governance and security through appropriate policies and tooling. Since bad guys are moving to this new attack surface, you need to be there before they get there, not afterwards."

What Organizations Should Actually Do

After laying out all these grim statistics, Crume offers four concrete recommendations:

First, read the full report. His video covers highlights; the complete index contains more detailed insights and industry-specific findings.

Second, "treat identity as critical infrastructure." This means requiring multi-factor authentication, implementing passkeys, and using secrets vaults to manage API keys and cryptographic keys. No more free passes.

Third, enforce AI governance and security through policies and tooling—get ahead of AI-related vulnerabilities before attackers do.

Fourth, "discover and test for vulnerabilities continuously" through regular code reviews and penetration testing. As Crume puts it: "If you're satisfied with your security, so are the bad guys."

The Uncomfortable Truth

What strikes me about this report isn't any single statistic—it's the pattern. Three years of 56% unauthenticated vulnerabilities. A five-year quadrupling of supply chain attacks. A 49% year-over-year increase in ransomware groups.

These aren't random fluctuations. They're trends, and they're all moving in the same direction: toward a more vulnerable, more attacked digital infrastructure.

The report doesn't offer false hope or claim that some silver-bullet technology will fix everything. Instead, it presents evidence that despite growing investment in cybersecurity, attackers are finding it easier, not harder, to compromise systems. The question isn't whether your organization will face these threats—it's whether you'll be ready when you do.

— Zara Chen, Tech & Politics Correspondent

Watch the Original Video

2026 Threat Intelligence Index: Ransomware, AI, & Emerging TTP Risks


IBM Technology

6m 21s

About This Source

IBM Technology


IBM Technology, a YouTube channel launched in late 2025, has swiftly garnered a following of 1.5 million subscribers. The channel serves as an educational platform designed to demystify cutting-edge technological topics such as AI, quantum computing, and cybersecurity. Drawing on IBM's rich history of technological innovation, it aims to provide viewers with the knowledge and skills necessary to succeed in today's tech-driven world.
