Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026
Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.
The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups and influence networks amplified conflicts, blurring the line between genuine intrusions and perception warfare.
But here's what makes this moment dangerous: as long-established norms unwind, fragmentation is paradoxically enabling greater interoperability across domains that were once distinct. State objectives, criminal capability, and private-sector technology increasingly reinforce one another. That convergence creates uncertainty, compresses warning time, and expands plausible deniability.
Today, Recorded Future's Insikt Group releases the 2026 State of Security report, our most comprehensive annual analysis of the forces shaping global security.
Drawing on proprietary intelligence, network telemetry, and deep geopolitical analysis, this report examines how 2025's fractures are reshaping the threat environment — and what security leaders must prepare for in the year ahead.
The End of Stability as a Baseline Assumption
For decades, organizations built risk models around a core premise: that the international order would hold, diplomatic mechanisms would constrain escalation, and major powers would avoid direct confrontation.
That premise no longer applies.
In 2025, the international geopolitical order fragmented as hard-power competition, transactional diplomacy, and the testing of red lines became defining features of state behavior. The Russia–Ukraine war ground into its fourth year, with Moscow maintaining a strategic advantage despite minimal territorial gains. Israel and Iran clashed directly in a twelve-day conflict that reshaped regional power dynamics. India and Pakistan escalated to ballistic missile exchanges before a US-brokered ceasefire intervened. Thailand and Cambodia exchanged fire along disputed borders, triggering the most intense fighting in nearly fifteen years.
The pattern is clear: states are increasingly willing to use force to advance objectives when diplomatic mechanisms appear unreliable. As modern power struggles threaten institutions like international law, risk is spreading across domains that have historically had clearer boundaries.
For organizations, this means geopolitical crises are increasingly likely to spill over into corporate networks, supply chains, regulatory environments, and digital infrastructure with limited warning. Resilience, not stability, has become the baseline operating assumption.
State-Sponsored Actors: Risk Moves to the Edges
While kinetic conflicts dominated headlines, some of 2025's most consequential state-sponsored activity unfolded quietly in digital environments — at the edges of networks where oversight is weakest.
China, Russia, Iran, and North Korea, the four most capable and consistently active hostile state cyber actors Insikt Group tracks, focused not on dramatic attacks but on the covert accumulation of access. They targeted identity systems, cloud environments, and edge infrastructure: the poorly monitored network devices, VPN appliances, and perimeter systems that organizations struggle to patch and defend.
Insikt Group's reporting on RedMike highlighted disciplined pre-positioning in telecommunications infrastructure: access built selectively and held quietly for intelligence value by threat actors ready to pivot quickly when timing and pressure align. Chinese state-sponsored actors targeted telecommunications providers worldwide, with one campaign exploiting unpatched Cisco devices across more than 100 countries. Russian GRU-linked groups intensified operations against critical infrastructure in Ukraine and NATO member states. Iranian operators blended espionage with hack-and-leak campaigns. North Korean actors merged revenue generation with espionage, deploying fraudulent IT workers embedded in foreign companies as an access vector.
The strategic shift is profound: the primary risk is no longer a single, large-scale cyber incident. It's sustained pre-positioning that enables persistent espionage in peacetime and creates latent capacity for disruption during crises. Warning timelines are compressing, as the adversaries are already inside.
Hacktivists and Influence Operators: Convergence Across Domains
Every major conflict in 2025 had a digital front, and unsurprisingly, the combatants weren't always who they claimed to be.
Hacktivist groups, patriotic volunteers, and influence networks played growing roles in conflicts involving Israel–Iran, India–Pakistan, Thailand–Cambodia, and Russia–Ukraine. These actors operated with varying degrees of state alignment but consistently contributed to a threat landscape where genuine intrusions, exaggerated claims, and disinformation reinforced one another.
Regional escalation involving Israel and Iran showed how cyber operations, influence campaigns, and commercial surveillance tools can operate alongside military force, as domains converge in ways that would have seemed implausible just years ago. During the India–Pakistan escalation, both sides deployed large-scale influence networks that spread coordinated narratives, forged military documents, and amplified hacktivist claims of grid disruptions. Russian-aligned hacktivists targeted NATO countries with DDoS campaigns, with investigations revealing that portions of this "hacktivist" ecosystem function as state-directed fronts.
The implication for defenders: perception is now contested terrain. Even low-sophistication attacks can generate outsized reputational and psychological impact when amplified through coordinated information operations.
Cybercrime: Fragmented, Modular, Resilient
Law enforcement achieved significant wins against cybercriminal infrastructure in 2025. Forum takedowns, arrests, and sanctions disrupted major operations. Ransomware payments declined for the second consecutive year.
But the criminal ecosystem simply adapted to these new conditions.
Sustained pressure fractured large criminal enterprises into smaller, more decentralized operations. Insikt Group identified 289 new ransomware variants this year (a 33% increase from 2024), most of which were derived from leaked source code. Groups adopted subscription models, outsourced operations, and relied on specialized services for laundering and negotiation. The result: a distributed criminal supply chain that's resilient, decentralized, and increasingly difficult to track.
Cybercrime groups increasingly aligned with national strategic objectives, blurring the boundaries between criminal and state activity. In Venezuela, state action eroded legal, political, and cyber boundaries, challenging assumptions about sovereignty and accountability. Mercenary spyware pursued the same persistent-access goals as state actors, embedding where oversight was weakest and adapting under pressure.
English-speaking criminal actors, such as the Scattered LAPSUS$ Hunters collective, demonstrated that low-tech social engineering tactics — particularly help desk impersonation — remain devastatingly effective. Meanwhile, organized crime in Southeast Asia industrialized fraud at an unprecedented scale, with Chinese-speaking transnational criminal organizations running call center compounds using coerced labor augmented by AI-driven automation.
For organizations, the takeaway is stark: threat actors are adapting faster than defenders. Modular criminal ecosystems that share tools, infrastructure, and access can reconstitute rapidly even after disruptions.
Emerging Technologies: Verification Failure at Scale
2025 was not a breakout year for AI-driven cyber operations.
To separate hype from signal, Insikt Group developed AIM3 — our framework for assessing AI malware maturity. It shows that most observed use remains at an early stage of development. Threat actors experimented with malicious AI models tailored for cyber operations, but the results were incremental rather than transformative.
The immediate risk is not autonomous attacks. It's verification failure at scale, where deception becomes faster, cheaper, and more convincing as AI is embedded into decision workflows.
Deepfake-enabled fraud has increased more than tenfold since the start of 2024. Synthetic identity fraud rose 300% in Q1 2025 alone. Adversaries began testing prompt injection attacks and "generated-SEO" manipulation to poison AI search results. As AI becomes empowered to take real-world actions through autonomous agents, the attack surface for fraud and manipulation will expand dramatically.
At the strategic level, the US–China race for AI dominance intensified, with China pursuing an aggressive diffusion strategy that's embedding Chinese LLMs into the global software ecosystem. Competition over quantum computing, advanced robotics, and space systems is extending beyond commercial markets into sustained geopolitical rivalry.
The organizations that act now to establish AI governance, inventory cryptographic dependencies, and prepare for post-quantum migration will hold significant advantages as these technologies mature.
What 2025 Teaches Us About 2026
Looking ahead, diplomatic friction, selective enforcement of norms, and accelerating technology adoption will continue to widen the gap between how risk is assumed to behave and how it actually behaves.
The patterns of 2025 point toward a 2026 threat environment defined by sustained uncertainty:
- Simultaneous regional crises will become the norm. As enforcement of established norms becomes more selective, regional and emerging powers will pursue objectives more aggressively, and external intervention in internal conflicts will expand.
- Connectivity disruptions will emerge as a primary tool of coercion. Undersea cables, satellite systems, and positioning/navigation/timing infrastructure are becoming strategic targets, with even limited interference capable of cascading across critical sectors.
- Ransomware will fragment further. Declining payments will push threat actors toward shorter attack cycles, lower demands, and disruption-focused tactics designed to compel engagement.
- The synthetic identity crisis will deepen. AI-enabled deepfakes and compromised identity verification systems will make business email compromise and social engineering more convincing and scalable.
- AI will become the next great attack surface. Prompt-based manipulation will increasingly replace code-based exploits as the preferred intrusion method against AI systems.
- Quantum readiness will move from planning to spending. Organizations will begin allocating dedicated budgets for cryptographic inventories, vendor transitions, and post-quantum migration pilots.
- Robots and space systems will become contested cyber-physical terrain. In 2026, humanoid robots and space infrastructure will move from experimentation to operational deployment, increasing economic and strategic reliance on network-connected cyber-physical systems.
The Path Forward
Intelligence does not eliminate uncertainty; having more access to more data points means nothing without context. Rather, intelligence makes the uncertainty more manageable.
Fragmentation creates complexity. But complexity rewards those who can see connections others miss, such as how risks across geopolitics, cyber operations, and criminal ecosystems converge to shape exposure. That's the purpose of the 2026 State of Security report: not just to catalog threats, but to help leaders reduce surprise, prioritize effectively, and act with confidence.
The full report includes detailed analysis of each threat domain, threat actor profiles, regional risk assessments, and actionable recommendations for building organizational resilience.
The 2026 State of Security report was produced by Recorded Future's Insikt Group, which comprises analysts and security researchers with deep experience in government, law enforcement, the military, and intelligence agencies.