IBM 2026 X-Force Threat Index: AI-Driven Attacks are Escalating as Basic Security Gaps Leave Enterprises Exposed

Rhea-AI Summary

IBM (NYSE: IBM) released the 2026 X-Force Threat Intelligence Index on Feb 25, 2026, showing AI-driven attacks and basic security gaps are increasing enterprise risk.

Key findings: 44% rise in attacks starting with public-facing app exploits, 49% surge in active ransomware groups, vulnerability exploitation caused 40% of incidents, and >300,000 ChatGPT credentials were exposed in 2025.

Positive

• Vulnerability exploitation accounted for 40% of incidents in 2025
• Active ransomware groups increased by 49% year-over-year
• Large supply chain compromises rose nearly 4X since 2020

Negative

• Attacks exploiting public-facing apps rose 44%
• Over 300,000 ChatGPT credentials exposed in 2025
• Manufacturing accounted for 27.7% of observed incidents

Key Figures

App exploitation increase: 44% Ransomware groups growth: 49% Victim counts rise: 12% +5 more

8 metrics

App exploitation increase 44% Increase in attacks exploiting public-facing applications

Ransomware groups growth 49% Year-over-year increase in active ransomware and extortion groups

Victim counts rise 12% Increase in publicly disclosed victim counts

Supply chain compromises 4X Nearly fourfold increase in large supply chain or third-party compromises since 2020

Vulnerability exploitation share 40% Share of incidents caused by vulnerability exploitation in 2025

ChatGPT credentials exposed 300,000+ ChatGPT credentials exposed by infostealer malware in 2025

Manufacturing incident share 27.7% Share of X-Force observed incidents targeting manufacturing sector

North America case share 29% Share of total cases in North America, up from 24% in 2024

Market Reality Check

Price: $229.32 Vol: Volume 13,033,779 is 1.79...

high vol

$229.32 Last Close

Volume Volume 13,033,779 is 1.79x the 20-day average of 7,287,338, indicating elevated interest ahead of this report. high

Technical Shares at 229.32 are trading below the 200-day MA of 280.15, despite a 2.67% gain.

Peers on Argus

IBM gained 2.67% while key IT services peers like ACN (-1.9%), FI (-0.17%), INFY...

IBM gained 2.67% while key IT services peers like ACN (-1.9%), FI (-0.17%), INFY (-0.14%) and FIS (-0.39%) mostly declined, pointing to company-specific interest in this AI security report.

Previous AI Reports

5 past events · Latest: Feb 10 (Positive)

Same Type Pattern 5 events

Date	Event	Sentiment	Move	Catalyst
Feb 10	AI storage launch	Positive	-1.6%	Introduced agentic AI-powered FlashSystem portfolio with efficiency and ransomware features.
Feb 04	AI impact RFP	Positive	-1.8%	Opened global RFP for AI solutions in education and workforce via IBM Impact Accelerator.
Jan 07	AI retail study	Positive	-1.9%	Released NRF study on AI’s role in consumer decisions and retailer capability gaps.
Jan 06	AI sports partnership	Positive	+2.5%	Renewed long-term AI and cloud partnership with Wimbledon to expand digital reach.
Dec 11	AI learning alliance	Positive	-0.6%	Partnered with Pearson to build AI-powered personalized learning tools globally.

Pattern Detected

Recent AI-tagged announcements have often seen muted or negative next-day moves, with most AI news items followed by small declines.

Recent Company History

Over recent months, IBM’s AI-related news has spanned product launches, partnerships and market research. Events include an agentic AI-powered FlashSystem portfolio, an AI-focused global RFP for education and workforce programs, a retail AI behavior study with the NRF, a multi‑year Wimbledon digital partnership using watsonx, and an AI learning collaboration with Pearson. These updates show IBM embedding AI across infrastructure, customer experience and education, while today’s X‑Force report highlights AI’s role in escalating cyber threats and security demand.

Historical Comparison

-0.7% avg move · In the past several AI-tagged releases, IBM’s average next-day move was -0.66%. Today’s +2.67% gain ...

AI

-0.7%

Average Historical Move AI

In the past several AI-tagged releases, IBM’s average next-day move was -0.66%. Today’s +2.67% gain stands out as a stronger-than-usual reaction to an AI-focused announcement.

AI news has evolved from partnerships and studies to productized agentic AI offerings and now a security report tying AI directly to cyber risk trends.

Market Pulse Summary

This announcement details IBM X-Force’s 2026 Threat Intelligence Index, highlighting how AI accelera...

Analysis

This announcement details IBM X-Force’s 2026 Threat Intelligence Index, highlighting how AI accelerates cyberattacks and exposes basic security gaps. The report cites figures like a 44% rise in application exploitation and over 300,000 exposed ChatGPT credentials, underlining structural demand for cybersecurity and identity controls. In the context of recent AI product launches and partnerships, it reinforces IBM’s narrative around AI and security. Investors may watch future security revenues, adoption of IBM’s AI-driven defenses, and evolving regulatory and cyber-risk disclosures.

Key Terms

ransomware, supply chain, saas, infostealer malware, +4 more

8 terms

ransomware technical

"Active ransomware and extortion groups surged (49%) year over year..."

Ransomware is malicious software that locks or encrypts a company’s computer files and systems, then demands payment for their release — like a thief changing the locks on a business and asking for a ransom. It matters to investors because attacks can halt operations, trigger large cleanup costs, damage customer trust, lead to regulatory fines or legal claims, and reduce future revenue, all of which can hurt a company’s financial value.

supply chain technical

"Large supply chain and third-party compromises nearly quadrupled since 2020..."

A supply chain is the series of steps involved in producing and delivering a product or service, from raw materials to the final customer. It includes all the processes, such as sourcing materials, manufacturing, and distribution, that ensure products reach consumers. For investors, understanding the supply chain helps gauge how efficiently a company can meet demand and manage costs, impacting its profitability and stability.

saas technical

"same credential risk as other core enterprise SaaS solutions."

SaaS, or Software as a Service, is a way of delivering computer programs over the internet, allowing users to access and use them through a web browser without needing to install or maintain the software themselves. For investors, it highlights a business model where companies generate recurring revenue by providing ongoing access to their software, often leading to predictable income and growth potential.

infostealer malware technical

"Infostealer malware led to the exposure of over 300,000 ChatGPT credentials..."

Infostealer malware is a type of malicious software that quietly copies sensitive information from computers or networks—like passwords, banking details, customer lists, or proprietary files—and sends it to attackers. Think of it as a digital burglar that sneaks into a business’s locked rooms and takes documents and keys; for investors this matters because stolen data can lead to fraud, operational disruption, customer loss, regulatory fines and damage to a company’s value and reputation.

ci/cd automation technical

"driven by attackers exploiting trust relationships and CI/CD automation across development workflows..."

CI/CD automation is a set of software practices and tools that automatically build, test, and deploy code changes so updates move from developer work to live systems quickly and reliably. For investors, it matters because faster, lower-risk releases reduce downtime and development costs, speed product improvements and competitive response, and make technical operations more predictable and scalable—like an automated assembly line that increases output while cutting mistakes.

penetration tests technical

"X-Force Red penetration tests reveal persistent weaknesses in credential hygiene..."

Penetration tests are controlled, simulated cyberattacks carried out by security professionals who try to break into a company’s computer systems, networks or applications to find weak spots before real criminals do. For investors, they matter because successful testing shows a company is actively managing cyber risk—reducing the chance of costly data breaches, regulatory fines, operational disruption and damage to reputation—much like a fire drill reveals weaknesses in a building’s emergency response.

multimodal ai models technical

"As multimodal AI models mature, X-Force expects adversaries to automate complex tasks..."

Multimodal AI models are artificial intelligence systems that can process and generate more than one type of data—such as text, images, audio, or video—together instead of only handling a single kind. For investors they matter because these models can enable new products, streamline operations, and cut costs across a business—like a Swiss Army knife replacing several single-use tools—so their adoption and performance can materially affect a company's revenue potential and competitive position.

conditional access controls technical

"enforce strong authentication, and conditional access controls."

Conditional access controls are security rules that allow or block user access to systems, apps, or data based on specific conditions such as device health, location, time, or user role. For investors this matters because these controls reduce the risk of data breaches and downtime, help companies meet regulatory requirements, and protect intellectual property and customer information much like a smart bouncer who checks ID and conditions before letting someone into a secure area.

AI-generated analysis. Not financial advice.

ARMONK, N.Y., Feb. 25, 2026 /PRNewswire/ -- IBM (NYSE: IBM) today released the 2026 X-Force Threat Intelligence Index, revealing that cybercriminals are exploiting basic security gaps at dramatically higher rates, now accelerated by AI tools that help attackers identify weaknesses faster than ever. IBM X‑Force observed a 44% increase in attacks that began with the exploitation of public-facing applications, largely driven by missing authentication controls and AI-enabled vulnerability discovery. 

Some of the key highlights include:

• Active ransomware and extortion groups surged (49%) year over year, marking ecosystem fragmentation, while publicly disclosed victim counts rose roughly 12%.
• Large supply chain and third-party compromises nearly quadrupled since 2020, as attackers increasingly exploit environments where software is built and deployed or SaaS integrations.
• Vulnerability exploitation became the leading cause of attacks, accounting for 40% of incidents observed by X-Force in 2025.

"Attackers aren't reinventing playbooks, they're speeding them up with AI," said Mark Hughes, Global Managing Partner for Cybersecurity Services, IBM. "The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed. With so many vulnerabilities requiring no credentials, attackers can bypass humans and move straight from scanning to impact. Security leaders need to shift to a more proactive approach, using agentic-powered threat detection and response to identify gaps and catch threats before they escalate."

AI's Mounting Identity Problem

Infostealer malware led to the exposure of over 300,000 ChatGPT credentials in 2025, signaling that AI platforms have reached the same credential risk as other core enterprise SaaS solutions.

Compromised chatbot credentials create AI-specific risks beyond simple account access. Attackers can manipulate outputs, exfiltrate sensitive data or inject malicious prompts. This underscores the need to assess enterprise-wide AI adoption and enforce strong authentication, and conditional access controls.

AI, Leaked Tooling Lower Barriers to Ransomware Ecosystem

In 2025, X-Force observed a 49% increase in active ransomware groups compared to the prior year, as smaller, transient operators whose low volume campaigns complicate attribution. This trend is accelerated by collapsing barriers to entry as threat actors reuse leaked tooling, rely on established playbooks and increasingly tap AI to automate operations. As multimodal AI models mature, X-Force expects adversaries to automate complex tasks like reconnaissance and advanced ransomware attacks, driving faster-moving, more adaptive threats.

Pressure on Supply Chains Poised to Grow

X-Force identified a nearly 4X increase in large supply chain or third-party compromises since 2020, mainly driven by attackers exploiting trust relationships and CI/CD automation across development workflows and SaaS integrations. With AI-powered coding tools accelerating software creation, and occasionally introducing unvetted code, the pressure on pipelines and open‑source ecosystems is expected to grow in 2026.

This rise is also attributed to the blurring line between nation-state and financially motivated actors. As tactics and techniques spread across underground forums, and AI streamlines reconnaissance and exploitation, techniques once reserved for nation-state actors are now being adopted by financially motivated groups.

Additional findings from the 2026 report include:

• AI accelerating attacker lifecycle. Attackers are using AI to speed research, analyze large data sets and iterate on attack paths in real time. For example, North Korean IT worker schemes are using AI to scale operations, including AI-driven image manipulation for synthetic identities and translation tools to interact across global marketplaces.
• Security fundamentals still lacking. X-Force Red penetration tests reveal persistent weaknesses in credential hygiene and software configuration, with misconfigured access controls as the most common entry point for these engagements.
• Manufacturing tops the target list for the fifth year. The sector accounted for 27.7% of incidents observed by X-Force, with data theft being the most common.
• North America emerged as the most‑attacked region. Accounting for 29% of total cases observed by X-Force, and up from 24% in 2024, North America became the most attacked region for the first time in 6 years.

Additional resources:

• Read the full IBM X-Force Threat Intelligence Index 2026.
• Sign up for the IBM X-Force Threat Intelligence 2026 webinar on March 17 at 11 am ET.
• Connect with the IBM X-Force team for a tailored review of the findings.
• Read more about the report's top findings in this blog.

About IBM
IBM is a leading provider of global hybrid cloud and AI, and consulting expertise. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain a competitive edge in their industries. Thousands of governments and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM's hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently and securely. IBM's breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and consulting deliver open and flexible options to our clients. All of this is backed by IBM's long-standing commitment to trust, transparency, responsibility, inclusivity and service. Visit www.ibm.com for more information.

Media Contact:
Michele Brancati
IBM Communications
Mbrancati@ibm.com

View original content to download multimedia:https://www.prnewswire.com/news-releases/ibm-2026-x-force-threat-index-ai-driven-attacks-are-escalating-as-basic-security-gaps-leave-enterprises-exposed-302696274.html

SOURCE IBM

FAQ

What did IBM report about AI-driven attacks in the 2026 X-Force Index (IBM)?

AI is accelerating attacker speed and scale, according to the company, driving faster reconnaissance and exploitation. The report says AI helps attackers automate research, identify vulnerabilities and iterate attack paths in real time, increasing operational tempo across threat actors.

How much did attacks exploiting public-facing applications increase in 2025, per IBM (IBM)?

Attacks that began with public-facing app exploitation rose 44% in 2025, according to the company. Missing authentication controls and AI-enabled discovery were cited as primary drivers of that increase.

What did IBM X-Force find about ransomware group activity in 2025 (IBM)?

Active ransomware and extortion groups surged 49% year over year, according to the company. The report notes fragmentation and smaller transient operators reusing leaked tooling and AI to scale campaigns.

How prevalent was vulnerability exploitation in incidents observed by IBM X-Force (IBM)?

Vulnerability exploitation became the leading cause, making up 40% of incidents in 2025, according to the company. Many exploits required no credentials, enabling rapid attacker impact after automated scanning.

What did IBM report about exposed AI credentials like ChatGPT in 2025 (IBM)?

X-Force reported over 300,000 ChatGPT credentials were exposed in 2025, according to the company. The finding highlights credential hygiene gaps and AI-specific risks such as prompt injection and data exfiltration.

Which sectors and regions were most targeted in the 2026 IBM X-Force Index (IBM)?

Manufacturing was the top sector at 27.7% of incidents, and North America led regions at 29%, according to the company. The report notes North America's share rose from 24% in 2024.