Blackpoint Cyber's 2026 Annual Threat Report reveals that modern intrusions increasingly rely on legitimate access paths rather than exploits. SSL VPN abuse accounted for 32.8% of identifiable incidents, RMM tool abuse (especially ScreenConnect) appeared in 30.3% of cases, and fake CAPTCHA/ClickFix-style social engineering campaigns drove 57.5% of all incidents. Even MFA-protected cloud accounts were compromised via adversary-in-the-middle phishing that captured post-authentication session tokens. Defensive recommendations include treating remote access as high-risk, maintaining RMM tool inventories, restricting unapproved software, and applying conditional access controls.