The 2026 ExtraHop Global Threat Landscape Report paints a stark picture of today’s cyber‑defense environment. Surveyed across seven countries, more than 1,800 senior security and IT leaders from enterprises with at least 1,000 employees reveal that ransomware attackers are staying hidden for almost 2½ weeks before detection, and that AI‑related infrastructure now tops the list of perceived cyber‑risk surfaces. These findings underscore a paradox: while organizations are investing heavily in AI‑driven security tools, the majority of security operations centers (SOCs) remain mired in manual, reactive workflows. For CIOs, CISO‑level decision‑makers, and security architects, the data suggests that budgeting must balance AI adoption with the need for skilled analysts, richer network visibility, and tighter control of high‑privilege accounts.
ExtraHop Reports Prolonged Ransomware Dwell Times and Data Theft
ExtraHop®, a leader in modern network detection and response (NDR), released its 2026 Global Threat Landscape Report based on a survey of more than 1,800 security and IT leaders from organizations with 1,000+ employees across the United States, United Kingdom, France, Germany, Singapore, Australia, and the United Arab Emirates. The report shows that threat actors remained in enterprise networks for an average of 2.5 weeks before detection in ransomware incidents. 49% of organizations did not discover the breach until after data had been stolen, up from 31% the previous year, and 14% learned of an attack only after receiving a ransom demand, compared with 6% last year.
The survey also identified the primary causes of delayed alerts:
- Encrypted channels (41%) – attackers tunnel traffic through SSL/TLS or VPNs, masking malicious payloads from traditional inspection tools.
- Activity that mimics legitimate workflows (38%) – threat actors replicate normal user behavior, making anomalous activity harder to spot.
- Use of high‑privilege accounts (34%) – compromised admin credentials grant unrestricted movement and reduce the chance of triggering alerts.
- Alert fatigue (30%) – overwhelming volumes of low‑value alerts cause analysts to deprioritize or miss critical signals.
- Undefined baseline behavior (27%) – without a clear model of “normal” network traffic, subtle deviations slip through unnoticed.
These factors collectively extend dwell time and increase the likelihood that data exfiltration occurs before remediation. The report further notes that average ransom payments fell to $2.8 million (down from $3.6 million in 2025), yet 83% of victims still paid, reflecting the growing pressure to resolve incidents quickly once data loss is confirmed.
AI Infrastructure Identified as Top Cybersecurity Risk
When respondents were asked which attack surfaces posed the greatest risk, 55% cited AI agents, agentic infrastructure, and generative AI applications. A majority (85%) reported at least one security incident, data exposure, or near miss where an AI system was the root cause. Specific AI‑related threat vectors included:
- AI‑enhanced external attacks – 40%
- Compromised AI identity and session theft – 38%
- Third‑party vendor or supply‑chain breaches involving AI – 36%
- Shadow AI exposure – 35%
- Agentic/API logic failures – 31%
These figures illustrate that AI is no longer a peripheral concern; it is now a primary attack vector that spans external exploitation, internal credential theft, and supply‑chain weaknesses. The report highlights that ransomware groups such as LockBit and RansomHub—the two most frequently detected threat groups for the second consecutive year—are actively leveraging AI to accelerate attack speed and increase volume. In contrast, state‑linked APT41 detections fell by 50% year‑over‑year, and the group appears to limit AI use to supportive, rather than primary, functions.
The broader AI risk landscape also includes shadow AI—unsanctioned AI tools deployed by business units without security oversight—and agentic logic failures, where poorly designed APIs or autonomous agents behave unpredictably, creating new avenues for exploitation.
Manual Intervention Still Dominates SOC Workflows
Despite the surge in AI‑driven attacks, SOCs continue to rely heavily on human effort. The survey found that 42% of respondents needed manual intervention for detection, 43% for alert triage, 49% for investigation, and 47% for response. Consequently, analysts spend only 44% of their time on proactive activities such as threat hunting; the remainder is consumed by reactive triage and data gathering.
AI‑generated alerts also contribute to operational noise: 30% of respondents said false positives from AI tools have lengthened investigation timelines. This underscores a gap between the promise of “machine‑speed” detection and the reality of limited contextual awareness in many AI security solutions. As Raja Mukerji, Co‑founder and Chief Scientist at ExtraHop, put it, “the thread connecting every major challenge… is a fundamental lack of situational awareness, or ground truth.” Without deep, real‑time network context, AI alerts cannot reliably distinguish malicious activity from benign noise.
The report therefore recommends that organizations prioritize solutions that integrate network telemetry with AI analytics, enabling automated correlation of suspicious behavior with concrete communication patterns. Such integration can reduce reliance on manual triage, lower false‑positive rates, and free analysts to focus on higher‑value threat‑hunting work.
Key Takeaways
- Ransomware victims discovered threats on average 2.5 weeks after initial compromise, with 49% learning of data theft only after it occurred.
- 55% of surveyed leaders named AI agents and generative AI applications as the biggest cybersecurity risk, and 85% reported at least one AI‑related incident.
- Manual effort remains prevalent in SOCs, with 42‑49% of respondents requiring human intervention across detection, triage, investigation, and response stages.
TechInsyte's Take
The report confirms that longer dwell times and AI‑centric attack surfaces are converging, putting pressure on security budgets and staffing. While AI tools are being deployed, their current inability to provide reliable, context‑rich alerts means enterprises must continue to invest in skilled analysts and robust network visibility. Buyers should watch for solutions that integrate real‑time network context with AI, and monitor how vendors address false‑positive rates as AI adoption matures.
Source: Businesswire