AI drives shift to persistent, low‑level cyber conflict
Recorded Future warns that cyber operations have become a routine tool of geopolitical competition, with constant, fragmented activity replacing the high-profile attacks that often dominate headlines.
In its 2026 State of Security Report, the threat intelligence firm describes a shift in which cyber activity now sits alongside physical conflict, coercion, and espionage as a practical way to gain leverage.
The report cites geopolitical fragmentation and wider use of artificial intelligence as key drivers of instability. It argues that persistent activity is now the norm, rather than waves of discrete incidents.
"Uncertainty is no longer episodic - it's the operating environment," said Levi Gundert, Recorded Future's Chief Security & Intelligence Officer.
"As geopolitical norms weaken, state objectives, criminal capability, and private-sector technology are increasingly reinforcing one another, compressing warning timelines and expanding plausible deniability. AI is accelerating that dynamic not through autonomous attacks, but by scaling deception and eroding trust inside decision-making processes. In 2026, cyber risk will be defined less by singular events and more by persistent, fragmented pressure that reshapes competition, escalation, and stability over time."
Inflection point
Recorded Future calls 2025 an inflection point, when cyber activity became more closely tied to real-world geopolitical outcomes. The report links the shift to broader use of AI in security and influence operations, alongside criminal markets for access and credentials.
It also distinguishes between autonomous AI cyber operations and current reality. Fully autonomous operations have not yet emerged, but AI is already amplifying deception, social engineering, and identity abuse.
Identity is a central theme. The report says many serious intrusions now begin with stolen credentials rather than software vulnerabilities, increasing pressure on identity and access controls and on detecting suspicious use of legitimate accounts.
It also argues that states are placing greater emphasis on gaining and maintaining access, rather than deploying destructive malware. According to the report, cyber access at the edge of networks and in connectivity infrastructure is increasingly used as strategic leverage that can be activated during crises.
Connectivity leverage
The report predicts connectivity disruption will become a more common form of coercion, with states favouring brief, reversible disruption to cables, satellites, and telecom infrastructure. It frames this as a signalling tool that can stay below traditional escalation thresholds.
That focus on connectivity aligns with a broader expectation of persistent pressure. Recorded Future expects nation-state operations to shift further toward quiet pre-positioning, credential theft, and identity access - approaches it says provide continuous leverage and a path to rapid escalation with limited warning.
The report also describes "durable state-aligned ecosystems," citing Russian influence operations backed by criminal infrastructure, mercenary spyware, and North Korean activity linked to sanctions evasion. It argues these ecosystems adapt quickly and are hard to dismantle through policy pressure alone.
Smaller cybercrime
On criminal threats, the report forecasts further fragmentation of ransomware and extortion, with large groups splintering into smaller, more modular crews. It expects them to prioritise speed, persistence, and visibility rather than large payouts.
It attributes the trend to a landscape in which access brokering, credential theft, and data theft can be separated from the final stage of extortion. Smaller crews can operate with fewer exposed assets and can change branding and tooling more quickly, making disruption and attribution more difficult.
The report also predicts a shift in influence operations, with hacktivists and influence networks using AI to flood the information environment. It expects high volumes of exaggerated or mixed-authenticity claims that can sustain confusion even when narratives lack credibility.
Overall, the report frames these trends as part of a move away from single, decisive incidents. It predicts 2026 will be defined by always-on threats, with overlapping activity by states, criminals, and proxies - many designed to remain low-visibility while still causing disruption.
Access over exploits
Recorded Future co-founder Christopher Ahlberg also points to a shift in how intrusions occur, with adversaries increasingly relying on access gained through credentials rather than technical exploitation.
"Cyber operations are no longer preparation for conflict - they are part of conflict," said Ahlberg. "What we're seeing is that adversaries are logging in, not hacking in. This is a shift toward access, influence, and leverage that can be activated at moments of political or military tension, often below the threshold of traditional response."
Recorded Future says its 2026 outlook centres on persistent access, decentralised criminal ecosystems, influence operations, and synthetic identities. It expects these factors to replace single attacks with continuous, low-visibility disruption across sectors and regions.