The New Cyber Threat Landscape: Connected, Trusted and Faster Than Ever

Published: 29th May 2026

Attacks have not suddenly become unrecognisable or technically alien, but the space that defenders assume they must work within has quietly shrunk to the point where it no longer behaves like it used to. 

Listen to the podcast episode in full here: https://open.spotify.com/episode/1vuSZ0A33r7H2WL1AzBLFx  

Speed has removed the buffer defenders used to rely on

Breakout time is now measured in minutes, and in some cases seconds. CrowdStrike’s averages sit around the half-hour mark, but that figure is almost misleading in isolation. What matters more is the tail end of the distribution, where lateral movement starts almost immediately after initial access. 

In practical terms, that changes the shape of an intrusion. There is no longer a meaningful “settling in” period where attackers slowly explore while analysts have time to notice something unusual building up. Once access is achieved, movement tends to follow straight away, often blending into what looks like normal internal activity. 

That creates a quieter but more difficult operational issue for security teams, because detection cycles are still often designed around human processes: alerts being raised, triaged, passed between teams, and then acted on. The intrusion does not wait for that chain to complete, which means the first reliable opportunity to respond is often already after meaningful damage has been done. 

Identity has become the easiest way in, because it does not look like an attack

The most important shift is not that attackers are doing anything especially novel, but that they are increasingly using access that appears legitimate at every layer of inspection. 

Stolen credentials, active sessions, authentication tokens, reused identity flows: this is not exploitation in the traditional sense, but the reuse of what already works.

That is what makes this difficult to detect. From the system’s perspective, nothing abnormal is happening. Logins succeed, sessions are valid, access is granted through expected mechanisms. Even when behaviour is slightly off, it often still sits within the boundaries of what is considered “normal enough” to pass. 

Modern identity architecture also unintentionally reinforces this. Single sign-on reduces friction for users, but it also concentrates trust. Cloud services extend that trust across multiple systems. Helpdesk and recovery processes are built around restoring access quickly, not continuously challenging it. None of these are design flaws in isolation, but together they create an environment where identity becomes both the entry point and the multiplier. 

Once that identity is compromised, the attacker operates through it rather than trying to break it.

Cross-domain movement is what compromise looks like now

Once inside, attackers are not confined to a single environment in the way older models of security tend to assume. Movement now spans cloud platforms, SaaS applications, identity providers, endpoint systems, and increasingly AI-driven services and automation layers. 

It is less accurate to think of this as a series of distinct hops. In most modern environments those domains are already interconnected through identity and integration, so movement feels continuous rather than segmented. From the attacker’s perspective, they are simply following the paths that already exist. 

The difficulty for defenders is that visibility rarely exists in the same shape. Cloud telemetry, endpoint alerts, identity logs, and SaaS activity are often handled separately, sometimes by different teams with different tools. The attacker does not see those boundaries, and so naturally moves through the gaps between them. 

Ransomware has shifted away from encryption as the main event

One of the more significant changes highlighted in both the report and the discussion is that ransomware is no longer consistently defined by encryption. 

In a growing number of cases, encryption never happens at all, or only appears at the very end of an intrusion chain that has already achieved its primary objective.

The early stages now matter far more: access is typically gained through stolen credentials or brokered entry, followed by quiet internal exploration using whatever tools already exist in the environment. Remote administration tools, legitimate IT utilities, and standard access mechanisms are often enough to move data without ever triggering obvious malicious indicators. 

The attacker often already has what they were after by the time encryption is considered. Their goal is usually data, leverage, or persistent access rather than disruption itself. 

The underlying issue is trust, not tooling

Across all these shifts, the common thread is trust. 

Identity systems assume that a successful login represents a trusted actor. Cloud platforms extend that trust across services. SaaS integrations rely on it. Internal processes are built around it because it is what makes modern IT usable at scale. 

Attackers are operating inside that model directly, using the fact that once access is granted, most systems will continue to behave exactly as designed.

That is why the signal has changed. It is no longer just about clearly malicious actions; it is about legitimate actions occurring in contexts that do not match the person or system performing them.

What changes defence in practice

What emerges from both the report and the conversation is not a call for more tools, but a shift in assumptions about what “secure” looks like in practice. 

Identity can no longer be treated as a fixed checkpoint at login. It needs to be continually re-evaluated based on behaviour and context. Visibility also needs to move away from isolated domains, because attackers are not operating within those boundaries in the first place. 

More than anything, compromise must be treated as a normal operating condition rather than an exception. The question is no longer whether access will be abused, but how quickly that abuse can be identified once it starts. 
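The two shifts described above, re-evaluating an identity after login and looking across domains rather than within one, as an added example that is not part of the original article or of the report it summarises. The event records, user names, IP addresses and domain labels are constructed, and the "login context as baseline" heuristic is an assumption for illustration, not any vendor's detection logic.

```python
from datetime import datetime

# Constructed sample events merged from three separately logged domains (IdP, cloud,
# SaaS). Every action succeeds; the signal is a valid identity used out of context.
EVENTS = [
    {"ts": "2026-05-29T09:00:00", "domain": "idp", "user": "j.doe", "src": "203.0.113.10", "device": "LAPTOP-JD", "action": "login_success"},
    {"ts": "2026-05-29T09:01:30", "domain": "saas", "user": "j.doe", "src": "203.0.113.10", "device": "LAPTOP-JD", "action": "file_list"},
    {"ts": "2026-05-29T09:04:10", "domain": "cloud", "user": "j.doe", "src": "198.51.100.7", "device": "unknown", "action": "list_buckets"},
    {"ts": "2026-05-29T09:05:45", "domain": "saas", "user": "j.doe", "src": "198.51.100.7", "device": "unknown", "action": "bulk_download"},
    {"ts": "2026-05-29T09:00:00", "domain": "idp", "user": "a.lee", "src": "192.0.2.44", "device": "LAPTOP-AL", "action": "login_success"},
    {"ts": "2026-05-29T11:30:00", "domain": "cloud", "user": "a.lee", "src": "192.0.2.44", "device": "LAPTOP-AL", "action": "list_buckets"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def context_mismatches(events):
    """Re-evaluate an identity after login instead of trusting the login alone.

    The IdP login context (source IP + device) is the baseline; every later event
    under that identity, from any domain, whose context differs is returned with
    the seconds since login. Merging the domains into one timeline is what makes
    the comparison possible at all.
    """
    baseline, findings = {}, []
    for e in sorted(events, key=_ts):
        user = e["user"]
        if e["domain"] == "idp" and e["action"] == "login_success":
            baseline.setdefault(user, e)  # first successful login sets the baseline
            continue
        base = baseline.get(user)
        if base is None:
            continue  # activity with no observed login is out of scope for this check
        if (e["src"], e["device"]) != (base["src"], base["device"]):
            findings.append({"user": user, "domain": e["domain"], "action": e["action"],
                             "since_login_s": (_ts(e) - _ts(base)).total_seconds(),
                             "login_src": base["src"], "observed_src": e["src"]})
    return findings


def breakout_seconds(findings, user):
    """Seconds from a user's first out-of-context event to the first such event in
    another domain: how quickly the mismatched session spread across domains."""
    mine = [f for f in findings if f["user"] == user]  # findings are chronological
    for f in mine[1:]:
        if f["domain"] != mine[0]["domain"]:
            return f["since_login_s"] - mine[0]["since_login_s"]
    return None
```

On the constructed data, j.doe's session is flagged twice (cloud, then SaaS, from an address and device that never logged in) and the spread between domains is 95 seconds, while a.lee's later activity from the same laptop raises nothing.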

The shift is not that attackers have become dramatically more advanced in isolation. 

It is that they are now operating inside systems that are already connected, already trusted, and already fast, which leaves very little distance between access and impact once the initial entry point is found.