AI Isn't Building New Attack Playbooks — It's Running Old Ones 44% Faster: What the 2026 IBM X-Force Report Means for Your Business

TL;DR

  • IBM's 2026 X-Force Threat Intelligence Index reveals a 44% surge in attacks exploiting public-facing applications — the same basic gaps, moving faster than ever [1]
  • Vulnerability exploitation is now the #1 cause of business breaches, accounting for 40% of all incidents — most requiring zero credentials to trigger [1]
  • Ransomware groups grew 49% year-over-year; supply chain attacks quadrupled since 2020 [2]
  • The fix isn't exotic. The businesses that held up in 2025 fixed the basics: patching, access controls, and credential hygiene — before attackers arrived [3]

IBM just dropped the 2026 X-Force Threat Intelligence Index — their annual deep-dive into what actually happened across thousands of real-world security incidents in 2025. The headline isn't "AI invented terrifying new hacks." The headline is: AI gave attackers a speed gun, and most businesses are still standing still.

Here's what the data actually says — and the five things you can do this week to close the gaps attackers are running through right now.


What Does the 2026 IBM X-Force Report Actually Show?

The 2026 X-Force Threat Intelligence Index [1] is based on IBM's analysis of incident response cases, penetration testing data, and threat intelligence from across their global security operations. It covers over 150 countries and represents one of the largest real-world datasets in cybersecurity.

Here are the numbers that matter for businesses your size.

Application exploitation jumped 44%. Attacks that began by exploiting a public-facing application — your web portal, your customer login page, your CRM — increased 44% in 2025 compared to the year before [1]. The driver: AI-enabled vulnerability scanning that lets attackers find and prioritise gaps in minutes, not days. The gap was always there. It's just getting found and exploited much faster now [4].

Vulnerability exploitation became the #1 entry point. For the first time, exploiting known software vulnerabilities overtook phishing as the leading way attackers get in — accounting for 40% of all incidents observed by X-Force [2]. Critically, IBM found that most of the vulnerabilities being exploited did not require authentication to trigger. That means attackers don't need a login. They just need to find your unpatched software [1].

Ransomware groups grew 49%. The ecosystem fragmented. IBM identified 109 distinct ransomware and extortion groups in 2025 — up from 73 in 2024, a 49% increase [2]. The dominance of top-10 groups dropped by 25%, which actually makes things harder: you're now dealing with dozens of smaller, more opportunistic operators who are harder to track and more willing to target smaller businesses [3].

Supply chain compromises nearly quadrupled since 2020. Large-scale supply chain and third-party incidents have increased nearly 4x since 2020, driven by attackers targeting CI/CD pipelines, SaaS integrations, and the trusted connections between software vendors and their customers [2]. This matters even if you're not the one building software — if your accounting tool, HR platform, or IT vendor gets compromised, that path can lead straight to you.

300,000+ ChatGPT credentials were stolen and sold. Infostealer malware expanded its target lists to include AI platforms in 2025, resulting in over 300,000 ChatGPT credential sets advertised on dark web markets [1]. Attackers buying those credentials don't just get your AI chat history — they get a potential backdoor to any enterprise data you've fed into those systems, plus a starting point for credential-stuffing attacks against your other accounts.


Why This Matters Specifically for SMBs

Enterprise companies get attacked too, but they have security operations centres, dedicated staff, and multi-million dollar tool budgets. SMBs don't — which is why the same report findings hit differently depending on your size.

You're not less targeted. You're differently targeted. The 49% growth in ransomware groups means more opportunistic, automated campaigns — the kind that don't require a nation-state actor spending weeks studying your network. They scan the internet, find an unpatched login page or misconfigured server, and move within hours [4]. Manufacturing was the single most targeted sector for the fifth consecutive year, accounting for 27.7% of incidents — but the same automated tooling is sweeping across professional services, healthcare, retail, and any business with customer data [2].

Speed is the problem, not sophistication. According to IBM's Mark Hughes, Global Managing Partner for Cybersecurity Services: "Attackers aren't reinventing playbooks, they're speeding them up with AI. The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed" [2]. This is actually encouraging news. You don't need to prepare for science fiction threats. You need to close the same gaps you've always needed to close — just faster, and more systematically.

The credential problem has reached AI platforms. If your team uses AI tools at work — and most do — those tools now carry the same credential risk as your email or payroll system. Stolen AI credentials can be used to manipulate outputs, exfiltrate data from conversations, or inject malicious prompts into automated workflows [1]. Adding multi-factor authentication to AI platforms is now table stakes.


How Many Vulnerabilities Are We Talking About?

Here's the broader context: it's not just that attackers are moving faster. There are simply more vulnerabilities to exploit. The Forum of Incident Response and Security Teams (FIRST) forecasts that 2026 will be the first year to exceed 50,000 published CVEs — with a median prediction of 59,427 new vulnerabilities [5]. That's a new vulnerability disclosed roughly every nine minutes, 24 hours a day.

FIRST is explicit that the solution isn't to track every CVE. It's to prioritise ruthlessly — focusing on the vulnerabilities that affect systems you actually use, especially those that don't require authentication to exploit [6]. CISA's Known Exploited Vulnerabilities catalogue [7] gives you a curated list of exactly which vulnerabilities attackers are actively using. If something on that list matches your stack, that patch should jump straight to the front of your queue.

For most SMBs, this means treating your patch governance like you treat your accounts payable: it runs on a schedule, nothing falls through the cracks, and anything overdue gets escalated.


What Does a Practical Response Look Like?

IBM's recommendations in the 2026 report [3] aren't exotic. They're the kind of controls that well-run businesses have been applying for years — the difference is consistency and speed of execution.

1. Fix your public-facing applications first. The 44% surge in application exploitation means your customer portal, login pages, APIs, and internet-connected services are the current frontline. Run a scan on your external attack surface — free tools like Shodan or Qualys Community Edition let you see your business the way an attacker does. Anything that's unpatched, exposed unnecessarily, or missing authentication needs to be dealt with before anything else.

2. Enforce MFA everywhere that matters. IBM's penetration testing data consistently shows misconfigured access controls as the most common entry point they find during assessments [1]. Multi-factor authentication on email, remote access, finance tools, and now AI platforms is no longer optional. The additional time cost — seconds per login — is trivially small compared to the operational cost of a breach.

3. Treat your software vendors as part of your attack surface. The nearly 4x increase in supply chain compromises means your third-party software is a risk factor you need to actively manage [2]. This doesn't mean switching vendors constantly — it means knowing which vendors you rely on, asking them about their security practices, and monitoring for breach notifications that affect them. Services like HaveIBeenPwned and vendor security advisories should be on someone's weekly checklist.

4. Build a patching cadence and actually run it. CISA's Known Exploited Vulnerabilities catalogue [7] is updated continuously. Set a monthly or fortnightly review — or automate it — to ensure anything on that list that matches your software stack gets patched within days, not months. Most breaches in 2025 that involved vulnerability exploitation were using CVEs that had patches available [8].

5. Get eyes on your AI credential exposure. If your team uses ChatGPT, Copilot, or any other AI tool at work, those accounts need the same access hygiene as your core business systems [1]. Review what data is being entered into those tools. Enable MFA. Rotate API keys. Consider whether sensitive business data should be going into these systems at all without proper data handling policies in place.
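
An added example, not taken from the IBM report or from lil.business: one way to automate the KEV review from step 4 and from the CVE prioritisation section above, with overdue items surfaced for escalation. The KEV records and the inventory are constructed samples with placeholder CVE IDs, vendors and products; the field names follow CISA's published KEV JSON feed, and exact vendor/product matching is a simplifying assumption.

```python
from datetime import date

# Constructed records shaped like the "vulnerabilities" array in CISA's KEV JSON
# feed. CVE IDs, vendors and products are placeholders, not real catalogue entries.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleSoft", "product": "Customer Portal",
     "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "Mail Gateway",
     "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "VPN Appliance",
     "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Unrelated Inc", "product": "Print Server",
     "dueDate": "2026-03-20", "knownRansomwareCampaignUse": "Known"},
]

# Hypothetical inventory of what the business actually runs (names are assumptions).
INVENTORY = [
    {"vendor": "examplesoft", "product": "customer  portal", "internet_facing": True, "owner": "web"},
    {"vendor": "ExampleSoft", "product": "Mail Gateway", "internet_facing": False, "owner": "it"},
    {"vendor": "OtherCorp", "product": "vpn appliance", "internet_facing": True, "owner": "it"},
]


def _norm(text):
    """Lower-case and collapse whitespace so 'VPN  Appliance' equals 'vpn appliance'."""
    return " ".join(text.lower().split())


def match_inventory(kev_entries, inventory):
    """Pair each KEV entry with the inventory asset whose vendor and product match.

    Exact matching after normalisation is a simplification; a real inventory
    usually needs an alias table or CPE names to line up with catalogue naming.
    """
    index = {(_norm(a["vendor"]), _norm(a["product"])): a for a in inventory}
    pairs = []
    for entry in kev_entries:
        asset = index.get((_norm(entry["vendorProject"]), _norm(entry["product"])))
        if asset is not None:
            pairs.append((entry, asset))
    return pairs


def build_patch_queue(kev_entries, inventory, today):
    """Return matched items ordered: overdue, internet-facing, ransomware-linked, soonest due."""
    queue = []
    for entry, asset in match_inventory(kev_entries, inventory):
        # dueDate is CISA's remediation deadline for US federal agencies; it is
        # used here only as a ready-made benchmark for "days, not months".
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        queue.append({
            "cve": entry["cveID"],
            "asset": f'{entry["vendorProject"]} {entry["product"]}',
            "owner": asset["owner"],
            "internet_facing": asset["internet_facing"],
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    queue.sort(key=lambda i: (not i["overdue"], not i["internet_facing"],
                              not i["ransomware"], i["days_left"]))
    return queue


def escalations(queue):
    """Overdue items, for whoever the review escalates to."""
    return [item for item in queue if item["overdue"]]


if __name__ == "__main__":
    for item in build_patch_queue(KEV_SAMPLE, INVENTORY, date(2026, 3, 5)):
        flag = "OVERDUE" if item["overdue"] else f'{item["days_left"]}d left'
        print(f'{item["cve"]}  {item["asset"]:<28} {flag:<10} owner={item["owner"]}')
```

To run it against live data, replace `KEV_SAMPLE` with the `vulnerabilities` array from the JSON feed linked on the catalogue page [7] and `INVENTORY` with your own asset list.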


The Business Case for Getting This Right

Businesses that treat security as competitive infrastructure — not a grudge purchase — get concrete returns. IBM's 2025 Cost of a Data Breach Report found that organisations with strong foundational controls experienced significantly shorter breach detection and containment times, translating directly into lower financial losses [9]. The average cost of a breach for companies with mature security controls was less than half that of companies without them.

For an SMB, a single breach event — even a modest one — can mean weeks of downtime, regulatory notification obligations, loss of customer trust, and legal costs that run into tens or hundreds of thousands of dollars. The upside of getting this right isn't just avoiding those costs. It's operating confidently, growing into new markets that require security certifications, and being able to tell your customers honestly that you take their data seriously.

That's not security as insurance. That's security as a business capability.


FAQ

The IBM X-Force Threat Intelligence Index is an annual report published by IBM Security that analyses real-world cyberattack data from incident response cases, penetration testing, and threat intelligence sources across IBM's global operations. The 2026 edition covers incidents observed in 2025 and provides data-driven analysis of attack trends, entry vectors, and threat actor behaviour [1].

It means that internet-facing applications — login portals, customer management systems, APIs — are being targeted significantly more than in previous years. The increase is largely driven by AI tools that let attackers scan for and identify vulnerable applications much faster than before. For SMBs, this means any unpatched, misconfigured, or unnecessarily exposed web-facing system is at higher risk of being found and exploited [4].

AI and leaked cybercrime tooling have lowered the barrier to entry for running ransomware operations. IBM identified 109 active extortion groups in 2025, up from 73 the year before. Smaller groups need fewer resources to launch attacks, making the threat more distributed and harder to attribute. For SMBs, this means you don't have to be a high-profile target to be targeted [2].

Don't try to patch everything — prioritise ruthlessly. Focus on vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalogue [7], which reflects what attackers are actually using. Prioritise anything that doesn't require authentication to exploit. Run a monthly review against the software and services your business actually uses, and automate patch deployment wherever possible [5].

Treat AI platform accounts like any other critical business system. Enable multi-factor authentication. Use unique, strong passwords or a password manager. Limit what sensitive business information your team inputs into AI tools. If you use AI via API keys, rotate them regularly and store them securely. Review which team members have access and whether all of it is still needed [1].


References

[1] L. Kessem, "2026 X-Force Threat Intelligence Index: Making the case for securing identities, AI-enhanced detection and proactive risk management," IBM Think, Feb. 2026. [Online]. Available: https://www.ibm.com/think/x-force/threat-intelligence-index-2026-securing-identities-ai-detection-risk-management

[2] IBM Security, "IBM 2026 X-Force Threat Index: AI-Driven Attacks are Escalating as Basic Security Gaps Leave Enterprises Exposed," PR Newswire, Feb. 25, 2026. [Online]. Available: https://www.prnewswire.com/news-releases/ibm-2026-x-force-threat-index-ai-driven-attacks-are-escalating-as-basic-security-gaps-leave-enterprises-exposed-302696274.html

[3] IBM Security, "X-Force Threat Intelligence Index 2026," IBM Reports, 2026. [Online]. Available: https://www.ibm.com/reports/threat-intelligence

[4] A. Kovacs, "44% Surge in App Exploits as AI Speeds Up Cyber-Attacks, IBM Finds," Infosecurity Magazine, Mar. 3, 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/app-exploits-surge-ai-speeds/

[5] FIRST, "2026 Vulnerability Forecast," Forum of Incident Response and Security Teams, Feb. 11, 2026. [Online]. Available: https://www.first.org/blog/20260211-vulnerability-forecast-2026

[6] A. Kovacs, "FIRST Forecasts Record-Breaking 50,000+ CVEs in 2026," Infosecurity Magazine, Mar. 3, 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/first-forecasts-record-50000-cve/

[7] CISA, "Known Exploited Vulnerabilities Catalog," Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[8] Link11, "European Cyber Report 2026," Link11, Mar. 2, 2026. [Online]. Available: https://www.link11.com/en/european-cyber-report/

[9] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[10] NIST, "National Vulnerability Database," National Institute of Standards and Technology, 2026. [Online]. Available: https://nvd.nist.gov/


Your business security shouldn't depend on luck or keeping up with every headline. At lil.business, we help SMBs build security that runs systematically — patching cadences, access controls, vendor risk — so you're not scrambling when the next threat report drops. Book a free consultation and let's map your current gaps against what attackers are actually targeting in 2026.

Hackers Are Using AI To Find The Unlocked Doors In Your Business — Way Faster Than Before

TL;DR

  • IBM just released its biggest annual security report, and the key finding is: hackers aren't using new tricks — they're using the same old ones, just much faster [1]
  • Attacks on business websites and apps jumped 44% last year [1]
  • The fix isn't complicated: patch your software, add MFA, and stop leaving doors unlocked [2]
  • This is about keeping your business running strong, not scaring you — and the businesses that act on the basics are the ones that stay safe [3]

Imagine Your Business Is a Building

Your business has doors. Some are main entrances (your website, your login pages, your apps). Some are back doors (the software tools your team uses). Some might even be windows that someone left cracked open (unpatched software).

Hackers are like maintenance workers with a checklist — except they're working for the wrong side. They walk around the building, trying every door and window. In the past, this took them days. Now, they have an AI assistant that does it in minutes.

IBM looked at thousands of real cyberattacks from 2025 and found one thing very clearly: the doors being broken into aren't new or exotic. They're the same ones that have always been there. The only thing that changed is how fast attackers find them [1].


What Did IBM Actually Find?

IBM's X-Force team is like a giant security company that investigates thousands of real business breaches every year. In their 2026 report, they found [1][2]:

Attacks on apps jumped 44%. Nearly half again as many businesses were broken into through their websites, login pages, and apps compared to the year before. AI tools let attackers scan millions of businesses automatically, find the ones with unlocked doors, and move straight to breaking in.

Most attacks didn't even need a password. The most common vulnerabilities being exploited had no lock at all — no login required. Attackers just walked in. That's like leaving the front door of your shop wide open at night [1].

Ransomware gangs grew 49%. There are now 109 different ransomware groups operating — up from 73 the year before. That growth is driven by the same thing: AI and cheap criminal tools lowered the "startup cost" for running an attack operation [2]. More groups means more people running more automated scans looking for businesses like yours.

Your vendors are a risk too. Supply chain attacks — where someone attacks a software company to then reach all their customers — have nearly quadrupled since 2020 [2]. Think of it like this: if a locksmith company got hacked, every building that uses their locks might be at risk.

AI tools are being targeted now too. Over 300,000 sets of ChatGPT login credentials were stolen and sold online last year [1]. If your team logs into AI tools at work, those accounts need the same protection as your email.


Why Should a Small Business Care?

Fair question. Big reports full of numbers can feel like they're about big companies.

But here's the reality: the 49% growth in ransomware groups happened because of automation. These aren't hackers sitting down and personally studying your business. They're running automated tools that scan every business connected to the internet — big or small — and flag the ones with vulnerabilities. If your website login page hasn't been updated in a year, you're on that list [4].

Also, the businesses that got hit hardest weren't necessarily the ones doing anything unusual. They were the ones with doors they forgot to lock [2].


5 Things You Can Actually Do This Week

Here's the good news: the things that stop most of these attacks are not expensive or complicated. IBM's own recommendations [3] come down to the basics:

1. Update your software. Especially anything customer-facing — your website, your booking system, your CRM. If there's an update available and you haven't applied it, that's a door that might be open. Set a monthly reminder to check for updates across everything your business uses online.

2. Turn on two-factor authentication (MFA) everywhere. Two-factor means that even if someone steals your password, they still can't get in without your phone. Turn it on for email, banking, and any business tool that holds customer or financial data. It takes 30 minutes to set up and closes one of the biggest doors hackers walk through [1].

3. Check who has access to your tools. Former employees, old contractor accounts, tools your business no longer uses — these are all windows that might still be open. Do a quick audit: who can log into what? Remove access for anyone who doesn't need it.

4. Know what your vendors are doing. The tools and software your business pays for — your accounting software, your email provider, your IT support — are part of your security. Ask them: "Do you notify customers if you have a security incident?" If they say no or don't know, that's worth a conversation.

5. Treat your AI tools like business tools. If your team uses ChatGPT or similar tools for work, add two-factor authentication to those accounts too. Be thoughtful about what business information gets typed into them. Stolen AI account credentials are now a real thing attackers sell [1].


FAQ

Yes — increasingly so. The rise of automated scanning tools means attackers don't choose targets by hand. They run software that sweeps millions of internet-connected systems at once, flags the vulnerable ones, and then attacks those regardless of size. According to IBM's 2026 data, smaller, more fragmented ransomware groups are specifically filling the gap left by larger gangs — and they're going after businesses of all sizes [2].

A vulnerability is a flaw or weakness in software. Think of it like a crack in a window — it might not be visible from the outside until someone looks for it. When software companies find cracks, they release "patches" (repairs) to fix them. The problem is that many businesses don't apply those patches quickly, leaving the crack open for attackers to use. IBM found that in 2025, vulnerability exploitation was the #1 way businesses got breached [1].

AI is being used by both attackers and defenders. On the attacker side, AI lets them scan for weaknesses much faster and automate parts of the attack process. On the defender side, AI is helping security tools detect threats more quickly. The net result is that businesses that keep up with the basics are still well-protected — and those that don't are more exposed than before [4].

Ransomware is software that locks you out of your own files and demands payment to restore access. The number of ransomware groups grew 49% in 2025 because AI and cheap, leaked criminal tools made it easier to start one. IBM identified 109 distinct groups in 2025 [2]. More groups means more automated campaigns targeting more businesses.

A good starting point is running a free external scan using a tool like Shodan (shodan.io) — you can search your business name or website and see what's visible to the public internet. For a thorough review, a professional security assessment will look at your full setup and tell you specifically what needs fixing. lil.business can run that assessment for you.



The businesses that stay secure aren't the ones with the biggest budgets — they're the ones that sorted out the basics before something went wrong. lil.business helps SMBs do exactly that: find the open doors, close them, and build a security routine that runs without eating your week. Get in touch and we'll show you exactly where you stand.
