Menu

Featured

Climate risk, resilience and adaptation

Business transformation

Artificial intelligence

Loading Results

Annual Threat Dynamics 2026: Cyber threats in motion
Engineers discussing supercar in sports car factory
  • Insight
  • 3 minute read
  • March 24, 2026

In an identity-driven, AI-accelerated threat landscape, resilience belongs to organisations that govern identity at speed, validate trust continuously, and treat cyber risk as inseparable from business and geopolitical strategy.


The takeaways

  • Identity is the key battleground
  • AI is accelerating both sides of the race
  • Cyber risk is inseparable from business and geopolitical strategy

The cyber threat landscape has shifted into high gear, with identity-centric attacks taking pole position as adversaries chose to log in rather than break in. AI is increasingly being used by both attackers and defenders, and threat actors across a wide range of motivations found new ways to accelerate through the blind corners of edge devices, supply chains, and cloud ecosystems — turning trusted dependencies into high-speed attack paths with cascading impact.

From record-level ransomware leak site victimisation and crypto heists, to pervasive compromises of technologies and sustained espionage campaigns targeting critical infrastructure, we are seeing an increasingly capable and adaptive threat landscape in which adversaries employ full-stack tradecraft and are fluidly navigating identity, cloud, edge, and application layers with unprecedented precision.

In this environment, the advantage belongs to organisations that treat security not as a fixed set of controls, but as a high-performance system — governing identity at speed, validating trust at every turn, and aligning cyber, business, and geopolitical strategy to stay ahead of an ever-faster field.

Our report “Annual Threat Dynamics 2026: Cyber threats in motion” examines the threat actors, trends, and motivations defining the cyber threat landscape. It includes an overview of the factors influencing an overall increase in threat activity as well as emerging trends, the evolving tools, techniques, and procedures (TTPs) of notable threat actors across a wide range of motivations, and the impact of wider geopolitics and technological innovation. 

Trends

The cyber threat landscape is evolving at an unprecedented pace. Lines are blurring and the rules of engagement have changed.

Identity is the key battleground

  • Adversaries across a wide range of motivations are increasingly choosing to log in rather than break in, exploiting credentials, session tokens, and federated access to bypass traditional perimeter defences. 
  • Social engineering is evolving in sophistication, with AI-generated deepfakes, IT helpdesk impersonation, stolen identities for illicit remote worker operations, and multi-stage phishing campaigns targeting human and machine identities alike.
  • As organisations expand their SaaS ecosystems and cloud dependencies, the attack surface is widening — with a single compromised identity capable of unlocking cascading access across entire environments.

Looking ahead

Identity will remain in pole position as the primary attack vector. As organisations adopt zero-trust architectures, adversaries will iterate with techniques to spoof device posture, abuse non-human identities (NHIs), and target AI-driven automated workflows. Treating identity governance as a strategic, board-level priority — not a technical checkbox — will be critical to staying ahead of the field.

AI is accelerating both sides of the race

  • Threat actors are embracing AI not as an enhancement but as a core component of their tradecraft, using it to automate reconnaissance, generate convincing phishing lures, accelerate malware development, and scale social engineering across languages and platforms.
  • The time between an AI capability being publicly released and its weaponisation by threat actors is shrinking dramatically, whilst autonomous AI agents capable of executing entire attack sequences without human intervention are a prime concern.
  • AI also represents the single greatest opportunity for defenders to match the pace, enabling faster detection, automated containment, and intelligence-led decision-making at scale.

Looking ahead

AI-driven threats may outpace traditional detection and response models, and quantum advancements will change the track entirely. Organisations should anticipate malware that natively incorporates AI to evade detection and target high-value data, alongside a widening pool of less skilled threat actors leveraging AI to punch above their weight. Investing in AI-enhanced defence, embedding frameworks into threat modelling, and becoming post-quantum ready will be essential to keeping pace.

Cyber risk is inseparable from business and geopolitical strategy

  • Geopolitical turbulence continues to influence the threat landscape, with more threat actors blending espionage, influence operations, and disruption at strategic inflection points seen around the world.
  • Financial crime, insider threats, digital-to-physical security concerns, and supply chain compromise are converging into a single pressure point, with threat actors simultaneously targeting executives, developers, vendors, hiring processes, and financial workflows from multiple angles.
  • The boundaries between motivations continued to blur, as ransomware operators sold strategically sensitive data, espionage motivated threat actors leveraged cyber criminal tooling, and North Korea-based threat actors industrialised fraudulent employment and cryptocurrency theft at unprecedented scale.

Looking ahead

No cyber intrusion exists in a vacuum. Trade disputes, elections, conflicts, and shifting alliances will continue to shape threat actor targeting and tempo. Organisations that embed geopolitical and supply chain risk into strategic decision-making — aligning cyber, legal, HR, finance, and communications capabilities — will be positioned to navigate the turbulence ahead.

Sectors

Threat actors vary in motivation and sophistication, tailoring operations and opportunistic attacks in different sectors. The following is a view of sector-specific motivations summarised by PwC Threat Intelligence from 2025 case studies and in-house analytics.

Motivations

Threat actors that conduct their cyber or cyber-enabled operations for financial gain, whether that be through theft, fraud, or other means.

Often referred to as “Advanced Persistent Threats” (APTs), these threat actors typically seek access and information to address intelligence collection requirements and provide an economic or political advantage to their benefactor.

Hacktivists conduct attacks to increase their public profile and raise awareness of their cause. This is typically done through the disruption of services, such as denial-of-service (DoS) attacks, and website defacements.

Saboteurs seek to damage, destroy or otherwise subvert the integrity of data and systems.

The aerospace and defence sector, considered critical national infrastructure in most countries, has been persistently targeted by threat actors for sensitive data concerning military operations, plans, and capabilities. Further, innovation like the advancement of AI, drone technologies, and space-based capabilities alongside the continued growth of defence contracting have expanded this sector’s attack surface, including for cyber crime. We observed threat actors targeting entities around the world, highly likely in response to geopolitical tensions and conflicts, with certain conflicts spreading and others not abating.

The asset and wealth management (AWM) sector plays a vital role in managing the world’s financial capital, dealing in significant transactions across many industries – with levels of wealth garnering much attention from threat actors of multiple motivations, particularly cyber criminals. The significant funds managed by the AWM sector, including in cryptocurrency, are likely to attract attempts at high-value, cyber-enabled fraud and theft, such as business email compromise (BEC), ransomware attacks, and heists targeting cryptocurrency and related platforms. As the sector innovates and leans into emerging technologies, including those powering fintech, the attack surface impacting AWM organisations will continue to expand. 

The automotive sector continues to evolve with tech transformation and innovation permeating organisations and increasing competition for consumer demands. Operational technology (OT) environments and manufacturers have emerged as a particularly lucrative target for financially motivated threat actors, including those conducting ransomware attacks. As companies continue to invest in electric, AI, and autonomous vehicle technologies, espionage motivated threat actors will increasingly target this sector for intellectual property theft and surveillance operations.

Financially motivated threat actors, particularly those engaging in ransomware and BEC attacks, have capitalised on opportunities to target organisations in the construction sector, which maintains sensitive information, including the application of emerging technologies, financial and business information, infrastructure plans, and project schematics. Construction projects with links to government or other public interest entities, including critical national infrastructure or other strategic projects, make this sector attractive for espionage motivated threat actors as well, including those seeking to pre-position for future possible malicious activity, including sabotage attacks, or to address intelligence requirements.

The education sector continues to digitise its operations as academic institutions require a constant flow of digital communication and readily accessible information, typically achieved through large networks with thousands of connected devices across users, including administration, researchers, and students. With an ever-expanding attack surface and a philosophy of openness and ease of access, this sector has increasingly faced targeted and opportunistic cyber attacks. Espionage motivated threat actors target education organisations for access to sensitive data about academics and research projects, and financially motivated threat actors impacted school systems and operations, particularly through ransomware attacks.

The energy sector continues to evolve its OT and invest in renewable energy sources, driving innovation, investments, and the adoption of new technologies around the world, whilst cyber attacks targeting this sector are often aligned with evolving geopolitical tensions and intelligence requirements. Espionage motivated threat actors have taken an interest in the intellectual property and security implications of energy issues and technologies, whilst some threat actors have resorted to sabotage attacks and hacktivism to disrupt operations. Financially motivated threat actors and ransomware attacks remain a major concern to energy sector organisations around the world.

The financial services sector continues to face challenges from financially motivated threat actors seeking to steal customer credentials and conduct attacks, such as ransomware and BEC, to extort and steal from institutions. These attacks are growing in sophistication and prevalence due to threat actor adoption of AI to generate deepfakes and phishing lures. Threat actors of other motivations continue to target financial services organisations as the sector increasingly innovates, digitises its operations, and embraces fintech. Further, geopolitical issues and the growing adoption of AI remain top concerns for this sector’s threat landscape.

The food and agriculture sector has faced more advanced cyber threats, as well as an increasing number of financially motivated threat actors specifically, as organisations continue to digitise their operations. Further, food and agriculture organisations routinely intersect with other sectors for manufacturing, retail, and distribution operations. Cyber incidents involving food and agricultural organisations have broad-ranging effects across other sectors, exacerbating supply chain, pricing, sustainability, and food safety and security challenges.

Government sector entities, ranging from federal agencies to local levels and municipalities, continue to be a prime target for a range of threat actors seeking to fulfil intelligence requirements, respond to geopolitical shifts, and launch attacks alongside geopolitical tensions and conflict. We observed threat actors targeting entities around the world, highly likely in response to geopolitical tensions and conflicts, with certain conflicts spreading and others not abating. Threat actors also used AI to generate content for information operations targeting a range of government entities and political parties around the world.

The healthcare sector plays a vital role in society and is often focused on cutting edge innovation, which propagates across new equipment and treatments, making the attack surface increasingly populated with Internet of Things (IoT) devices and other emerging technologies. This sector is also impacted by rigorous regulatory standards and handles highly sensitive personal data, which is of interest to a range of threat actors. Ransomware remains a top concern, as these attacks can cause significant, life-threatening disruptions.

The hospitality and leisure sector has experienced significant growth in recent years as travel continues to expand around the world and organisations increasingly embrace digitisation and technological innovation. Espionage motivated threat actors have targeted the sector for sensitive information and intelligence collection, whilst financially motivated threat actors have conducted attacks against the sector to disrupt operations and extort companies for data theft, service degradation, and harming brand reputations. Ransomware attacks in particular have caused operational disruptions to hotel chains and remain a top concern for this sector.

The legal sector continues to face a variety of cyber threats, in part due to its adoption of various technologies, but also due to the inherent nature of dealing with sensitive legal information for a wide range of third parties. As the legal sector has transitioned to digital platforms for storing, managing, and transmitting confidential data, it has become more vulnerable to various cyber risks. Much of those risks are defined by likely threat scenarios which include compromising client confidentiality, jeopardising case integrity, stealing intellectual property, and incurring financial losses or reputational damages from data extortion attempts by cyber threats.

The manufacturing sector continues to face an increasing number of cyber attacks, particularly by ransomware threat actors and other cyber criminals employing schemes such as BEC, as organisations continue to integrate historically isolated OT environments into increasingly connected systems. Further, this sector underpins a wide tranche of other industries, and incidents involving manufacturing organisations have broad ranging effects across other sectors, exacerbating supply chain challenges and industries reliant upon manufacturing operations.

The media and entertainment sector faces a unique threat landscape consisting of a range of threat actors targeting reporters, artists, content creators, publishers, distributors, production studios and staff, consumers, and others. Espionage motivated threat actors in particular have targeted media and entertainment organisations and individuals, such as investigative journalists and entertainment studios, for intelligence collection against corporate networks as well as through the deployment of commercial spyware against mobile devices. Media and entertainment organisations have also been targeted by cyber criminals as well as hacktivism and sabotage motivated threat actors, particularly in the context of heightened geopolitical tensions seen around the world. Intellectual property and sensitive communications and data associated with media and entertainment organisations have been targeted by threat actors of multiple motivations. With technological developments, such as GenAI, threat actors are exploiting these tools to generate malicious content for information operations and other attacks (such as deepfakes for cyber criminal schemes) targeting or exploiting media and entertainment sector entities.

Pharmaceuticals and life sciences organisations experience particular security challenges due to the nature of the sector, such as research into lifesaving treatments, the production of medications, patented methods and data, cutting edge innovation, and intellectual property. The application of emerging technologies (such as AI) and this sector's growing reliance on third-party suppliers, increased digitisation, and a shift toward hybrid and multi-cloud environments, its cyber attack surface will also continue to expand. A range of threat actors have targeted this sector for intelligence collection, as well as for financial motivations through ransomware and extortion.

The professional services sector continues to integrate new technologies, such as cloud solutions and AI, as threat actors increasingly employ supply chain attacks, social engineering, and other tactics to circumvent identity and privileged access management and gain access to victim networks directly or through third parties. Certain industries within this sector face stricter requirements and regulations for data privacy and protection, making this sector a lucrative target for financially motivated threat actors. With vast amounts of commercially confidential data traversing professional services networks, espionage motivated threat actors have targeted these organisations for intelligence and intellectual property theft.

The resources and mining sector remains critical to a number of industries, particularly manufacturing and key technologies such as semiconductors, and is of interest to a range of threat actors. The attack surface continues to expand for this sector as systems are increasingly interconnected and OT bridges historically isolated systems. Espionage motivated threat actors have targeted the sector for intelligence collection and informing investments and trade concerning critical minerals. Financially motivated threat actors have targeted organisations in this sector as part of wider opportunistic campaigns that have had an outsized impact on manufacturing entities and their operations connected to resources and mining.

Numerous threat actors, varying in sophistication and motivation, have targeted the retail sector via identity-centric attacks to gather customer and other sensitive data for extortion, fraud, and theft. E-commerce remains a highly competitive space, requiring retailers to innovate and deploy new technologies at speed. To stay competitive, many retailers have developed and patented their own software and technologies. This type of intellectual property, as well as the data (including advertising data) gathered from customers, can be the target of espionage motivated threat actors to facilitate intellectual property theft or fingerprint users and their digital footprints and behaviours.

The technology sector remains a high value target for both financially and espionage motivated threat actors, as organisations within this sector drive cutting edge innovation (including advancements in AI quantum computing) and maintain sensitive user data and intellectual property. Whilst sensitive data is targeted for a number of motivations, intellectual property is valuable to those seeking to replicate products and services in a competitive market, or attempting to exploit common vulnerabilities in emerging technologies, such as those powering the growth of mobile applications. The technology sector also powers many industries and intersecting organisations, making it a strategic target for threat actors attempting to compromise supply chains and gain access to technology clientele and downstream environments. With more organisations adopting various technologies, such as cloud services and infrastructure, and more companies developing these solutions, the attack surface of the technology sector is expanding. Threat actors from a wide range of motivations are increasingly targeting the sector to compromise supply chains and developer ecosystems, target high value organisations and individuals, scale their access operations, and exploit AI tools.

The telecommunications sector includes companies involved with the long-distance transmission of information across various media, enabling communication services such as telephony and the internet. As such, the sector includes organisations providing broadband and mobile services through a physical medium which includes cables, telephone wires, satellites, and mobile networks. Financially motivated attacks against this sector continue to be prevalent in the form of ransomware and data extortion attacks. Considered a key component of critical infrastructure, this sector is also a high value target for espionage motivated threat actors due its unique, intelligence-rich data and telemetry, which can provide attackers with copious amounts of data and enable surveillance operations.

The transport and logistics sector continues to be a crucial component of the global supply chain and economy. Industries and organisations within this sector leverage OT and industrial control systems (ICS), leading to a broader attack surface across environments and increasing the potential for higher impact incidents to occur. Financially motivated threat actors have sought to compromise and monetise customer information or disrupt operations impacting client deliveries, such as rail and cargo transport. Other threat actors motivated by espionage, sabotage, and hacktivism have capitalised on geopolitical tensions and conflict in their targeting and attacks against this sector.

About the team

Kris McConkey
Kris McConkey

Global Threat Intelligence Lead Partner, PwC United Kingdom

Email
Matt Carey
Matt Carey

Global Threat Intelligence Lead, Director, PwC Sweden

Email
Rachel Mullan
Rachel Mullan

Global Threat Intelligence Lead, Director, PwC United Kingdom

Email
Jason Smart
Jason Smart

Director, Threat Intelligence APAC, PwC Australia

Email
Allison Wikoff
Allison Wikoff

Global Threat Intelligence Lead, Director, PwC United States

Email
View More

Cyber Threat Intelligence

Learn more about our team and our services.

Follow us

© 2017 - 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.