Data & research · 2 MIN READ · SCOUT SCHOLES · FEB 24, 2026 · TAGS: Resource
TL;DR
- Expel’s latest Annual Threat Report is live. It’s a deep analysis of all the 2025 incident data our SOC collected, triaged, and resolved. Read it here.
- This year the report also features new op-ed style excerpts we’re calling “Field notes,” coming directly from our practitioners themselves
- We’re also mapping Expel detections to the MITRE ATT&CK framework to highlight where and how we’re making an impact for our customers
What to expect in the Expel 2026 Annual Threat Report
Another year, another Expel threat report. This year, the fifth edition of the report, we’re bringing you something new. And just like the attackers we observed in 2025, we’re not overhauling what we’ve been doing. We’re refining what already works.
Every year, our Annual Threat Report draws on the data our SOC has collected over the last calendar year as they’ve triaged and resolved alerts and incidents for our customers. This data is a rich resource for identifying trends and patterns spanning vendors and industries. It’s both broad and deep.
And, of course, this edition comes with practical takeaways. These “resilience recommendations” aren’t just suggestions. They’re tried-and-true strategies we practice ourselves and recommend to our customers. Sharing what works is critical in cybersecurity. It’s a team sport, and rising tides lift all boats.
But we aren’t just giving you the same old report. We’ve added new features and content this year: a timeline of the year’s major cybersecurity events, op-ed style stories from the trenches, and an analysis that maps Expel’s detection work directly to MITRE ATT&CK tactics. It’s all meant to give you a richer understanding of what we’re seeing and why it should matter to you, so you can use this information to improve your own security strategy.
A sneak peek into this year’s data
Here’s a glimpse into this year’s research, and why you should care:
- Identity-based attacks remain the most frequent and persistent threat that organizations face. In 2025, nearly half (47.7%) of all identity incidents resulted in attackers successfully gaining account access using stolen credentials. The good news? Security controls like MFA and conditional access policies already exist…and work. Let 2026 be the year you lock down identities.
- Endpoint attacks were less about innovation and more about refinement. Attackers stuck with what worked. Malware remained the dominant threat, with well-tested delivery methods like ClickFix and backdoored productivity apps. The takeaway? These established tactics will continue to find success against orgs that haven’t shored up their defenses against them.
- Cloud infrastructure threats may be low in volume, but they’re high in risk. Threats that at first glance look more annoying than malicious (like cryptocurrency miners) often point to larger security gaps that must be addressed, because there’s little stopping attackers from swapping them out for something far more damaging.
How to use the report
If you’re looking for the TL;DR, read the executive summary and then skip to the end for the defense strategies. If you don’t have time for the full report just yet, expect more resources to follow (like a resilience recommendation checklist). For our more technical readers, the “Field notes” sections throughout the report offer deeper dives from our analysts on what they saw and how they handled it.
In the meantime, take a look and let us know what you think. Drop a comment on social media, or connect with us here.
