research report

2026 State of the Underground

The threat landscape isn't quieting down. It's reorganizing.

Some indicators declined in 2025, but a lower number is not a safer number. Ransomware group attacks increased 19%, compromised credentials reached 2.8 billion unique sets, and AI is beginning to compress the time between vulnerability disclosure and active exploitation. The 2026 Bitsight State of the Underground draws on Bitsight Threat Intelligence (TI) to map where underground activity is shifting, who is driving it, and what that means for your organization. Highlights include:

  • Ransomware volume and payment dynamics, and what declining payments signal about attacker strategy.
  • Why a 41% decline in observed breaches demands more scrutiny, not less.
  • How geopolitical tensions are shaping hacktivism, APT activity, and critical infrastructure targeting.
  • The role of frontier AI in shrinking the defender window between disclosure and exploit.

Download the report to understand how threats are evolving and where your organization may be exposed.


41% fewer observed breaches points to lower visible breach activity, not necessarily lower risk. Reporting gaps, non-disclosure, disruption efforts, and changing attacker behavior may all be shaping what defenders can see.

Mainstream AI tools are becoming part of underground workflows, reflecting how attackers are experimenting with faster research, planning, and malware-related activity.

Ransomware remains one of the most dependable ways to create pressure, with actors continuing to scale operations and expand leak-site activity.

Identity exposure continues to fuel account takeover, fraud, and broader intrusion, making compromised credentials a persistent entry point for attackers.

report reveals

Key trends demand immediate attention, with deeper insights available in our full report.

  • Exposed AI-related services surged 360% in 2025, expanding the attack surface and increasing the urgency of faster, threat-informed prioritization.
  • Active ransomware leak sites grew 34%, signaling a market that continues to expand even as disruption efforts target major groups.
  • Malware remains modular and accessible, with RATs, stealers, bots, and crypters dominating underground listings and lowering the barrier to entry for less sophisticated actors.
  • The United States accounted for 59.4% of definitively identified ransomware victims, showing how concentrated targeting remains in high-value markets.
  • The defender window is shrinking, making it more important to prioritize the exposures most likely to lead to real-world business impact.