
The Year of the Evasive Adversary: What CrowdStrike’s 2026 Global Threat Report Means for Detection Engineering


CrowdStrike’s 2026 Global Threat Report calls 2025 “the year of the evasive adversary” (see the full report here: https://www.crowdstrike.com/en-us/global-threat-report/) — and for anyone leading detection engineering, that phrase should land heavily.

What the report ultimately describes is not just a rise in attacks. It’s a structural shift in how adversaries operate: faster breakouts, identity-first access, cross-domain movement, supply chain compromise, and AI-assisted tradecraft. The attack surface is no longer confined to endpoints. The adversary is no longer dependent on malware. And the timeline between initial access and impact is shrinking to minutes.

For detection engineering teams, this isn’t incremental change. It’s a mandate to rethink how detection coverage is built, measured, and validated.

Speed Has Become the Primary Evasion Technique

One of the most sobering statistics in the report is the average eCrime breakout time: 29 minutes in 2025, a 65% acceleration from the prior year. The fastest observed breakout took just 27 seconds.

This fundamentally changes the detection equation. When adversaries move laterally, escalate privileges, and begin exfiltration in under half an hour, the traditional model of “detect, investigate, then respond” collapses under its own latency.

At the same time, the report highlights that 82% of detections were malware-free. Adversaries are operating through valid credentials, administrative tools, SaaS integrations, and federated identity flows. They are exploiting trust rather than deploying payloads.

This is the critical shift: stealth is no longer about obfuscation, it’s about legitimacy.

Detection engineering must evolve accordingly. Static signatures and isolated endpoint detections cannot keep pace with adversaries who blend into normal activity. Coverage must center on behavioral analytics across identity, SaaS, cloud, and infrastructure, and it must be validated continuously, not assumed.

AI Is Accelerating Attacks — But Not Reinventing Them (Yet)

The report documents an 89% increase in attacks by AI-enabled adversaries year over year. Threat actors are using AI to enhance social engineering, generate malware code, troubleshoot exploits, automate reconnaissance, and scale phishing operations.

But there’s nuance here. CrowdStrike emphasizes that AI is currently amplifying existing tactics rather than creating entirely new classes of attack. The impact of AI, for now, is acceleration.

That acceleration matters enormously.

Less sophisticated actors can now execute more convincing campaigns. Moderately capable groups can iterate faster. Highly resourced adversaries can compress reconnaissance, exploitation, and lateral movement timelines. The time between intent and execution has narrowed dramatically.

For detection engineering, this creates a feedback problem. If adversaries can adapt and iterate faster, detection development cycles must shrink as well. Rule creation cannot be reactive and quarterly. Detection validation cannot be annual. Coverage gaps cannot remain undiscovered until after an incident.

AI may not yet be transforming tradecraft, but it is compressing the timeline in which detection engineering must operate.

Identity Has Become the Primary Attack Surface

According to the report, cloud-conscious intrusions rose 37% in 2025, with a 266% increase among state-nexus actors. Valid account abuse accounted for 35% of cloud incidents.

These numbers confirm what many detection engineers already suspect: identity is now the control plane of the enterprise, and that control plane is under attack.

Adversaries are abusing OAuth flows, hybrid identity synchronization, conditional access policies, device registration processes, and federated trust relationships. The report outlines how actors systematically exploit trust at multiple layers, from user-level authentication flows to tenant-level federation configurations.

What makes this particularly dangerous is that many organizations assume identity controls are inherently secure because they are managed by cloud providers or IAM platforms. In reality, visibility into identity misuse is uneven, and detection coverage across hybrid identity environments is often fragmented.

Detection engineering must explicitly account for this. It is no longer sufficient to rely on “built-in” identity alerts. Teams must validate whether they can detect anomalous device registrations, token abuse, conditional access manipulation, and federation trust changes, and they must test those assumptions regularly.

Edge Devices and Zero-Days Are Still Winning

The report also notes a 42% increase in zero-day exploitation year over year. China-nexus actors, in particular, demonstrated the ability to weaponize newly disclosed vulnerabilities within days, frequently targeting VPN appliances, firewalls, and other internet-facing edge systems.

These systems share a dangerous combination of traits: they are exposed, lightly monitored, inconsistently patched, and often lack EDR coverage.

Detection engineering programs frequently focus on endpoints and cloud workloads while perimeter infrastructure remains under-instrumented. Yet edge exploitation serves as the initial access vector for many sophisticated campaigns.

Zero-day resilience is not only about patch speed. It is about detection during the patch window. Can your telemetry detect anomalous behavior on a VPN appliance? Can you correlate suspicious authentication events originating from compromised perimeter systems? Do you know what visibility you lack?

If detection engineers cannot answer those questions confidently, the edge remains a blind spot.

Supply Chain and SaaS: Trust as an Attack Vector

Supply chain compromise continues to be a defining tactic, whether through CI/CD systems, npm package ecosystems, or SaaS OAuth token abuse.

These attacks succeed not because defenders lack tools, but because defenders trust software updates, third-party integrations, and developer workflows by default. That trust is precisely what adversaries exploit.

In 2025, threat actors leveraged malicious packages, compromised developer credentials, and OAuth token theft to pivot into downstream environments. SaaS applications — especially CRM and collaboration platforms — became high-value targets for data discovery and exfiltration.

Detection engineering must extend into these domains. Monitoring CI/CD logs, API token usage, anomalous SaaS access patterns, and dependency changes is no longer optional. Yet many detection teams have limited validated coverage in these areas.

The uncomfortable truth is this: organizations often assume supply chain detections exist. Very few can prove it.

The Cross-Domain Attack Is the New Normal

The report repeatedly emphasizes how adversaries chain activity across identity, SaaS, endpoint, virtualization, and edge infrastructure. Ransomware operators gain initial access via social engineering, pivot through cloud identities, exfiltrate data from SaaS, and deploy ransomware exclusively on VMware ESXi hosts to avoid heavily monitored endpoints.

These are not isolated techniques. They are connected attack paths.

Detection engineering must mirror that reality. Coverage cannot be siloed by technology stack. It must be mapped to adversary tradecraft across domains, correlating signals from identity providers, SaaS logs, endpoint telemetry, and network infrastructure into coherent detection logic.
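As an added illustration (not code from the post or from CrowdStrike), here is a small Python correlation that follows the ransomware chain described above by pivoting on the principal and counting how many cross-domain stages are observed inside one 29-minute breakout window; the event labels, the `Event` shape and the sample telemetry are constructed assumptions, not any vendor's schema.

```python
from collections import namedtuple
from datetime import datetime, timedelta

BREAKOUT_WINDOW = timedelta(minutes=29)  # average eCrime breakout time cited by the report

# Ordered cross-domain chain from the post (identity -> SaaS -> ESXi); the action
# labels are hypothetical normalised names, not any vendor's event schema.
CHAIN = [
    ("identity", "mfa_device_registered"),
    ("identity", "oauth_token_granted"),
    ("saas", "bulk_export"),
    ("virtualization", "esxi_ssh_enabled"),
]

# One normalised event from any telemetry source; the principal is the pivot key.
Event = namedtuple("Event", "ts domain principal action")

def match_chains(events, chain=CHAIN, window=BREAKOUT_WINDOW):
    """Return {principal: (stages_matched, minutes_elapsed)}.
    A stage counts only if it follows the previous one, for the same principal,
    inside one breakout window; fewer than len(chain) stages means either a
    visibility gap or a chain that has not completed yet."""
    by_principal = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_principal.setdefault(ev.principal, []).append(ev)
    results = {}
    for principal, evs in by_principal.items():
        stage, start, last = 0, None, None
        for ev in evs:
            if stage == len(chain) or (ev.domain, ev.action) != chain[stage]:
                continue
            if start is None:
                start = ev.ts
            elif ev.ts - start > window:
                break  # outside the window: do not stitch it onto this chain
            stage, last = stage + 1, ev.ts
        elapsed = 0.0 if start is None else (last - start).total_seconds() / 60
        results[principal] = (stage, elapsed)
    return results

# Constructed sample telemetry for illustration; not real log data.
SAMPLE = [
    Event(datetime(2025, 6, 1, 9, 0), "identity", "jdoe", "mfa_device_registered"),
    Event(datetime(2025, 6, 1, 9, 3), "identity", "jdoe", "oauth_token_granted"),
    Event(datetime(2025, 6, 1, 9, 10), "saas", "jdoe", "bulk_export"),
    Event(datetime(2025, 6, 1, 9, 25), "virtualization", "jdoe", "esxi_ssh_enabled"),
    Event(datetime(2025, 6, 1, 14, 0), "saas", "asmith", "bulk_export"),
]
```

Running `match_chains(SAMPLE)` reports jdoe at 4 of 4 stages in 25 minutes and asmith at 0; dropping the ESXi event from the sample leaves jdoe at 3 of 4, which is exactly what a missing telemetry source looks like in a coverage check.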

This is where many programs struggle. Teams may have dozens — even hundreds — of detections. But without clear mapping to adversary TTPs and cross-domain attack chains, coverage is opaque.

In the era of evasive adversaries, opacity equals risk.

The Detection Engineering Imperative

CrowdStrike describes an “agentic era” in which both enterprises and adversaries operate at machine speed. That framing applies equally to defenders.

Detection engineering can no longer be a reactive function that creates rules in response to yesterday’s incident. It must become a continuously measured control plane that answers one core question:

Can we actually detect how adversaries operate today?

This requires moving beyond detection creation toward detection validation. It requires mapping detections to real-world tradecraft, identifying coverage gaps systematically, and continuously testing whether telemetry, correlation logic, and alerting workflows hold up against evolving attack techniques.

The adversary is iterating faster. AI is compressing timelines. Trust relationships are being weaponized across identity and SaaS. Edge devices remain exposed. Malware is increasingly optional.

In that environment, detection resilience becomes a competitive advantage.

The organizations that succeed in 2026 will not be the ones with the most tools or the longest rule lists. They will be the ones that can prove — continuously — that their detection coverage matches the evasive adversary.

And in a world where breakout can happen in under 30 minutes, that proof cannot wait until after the breach.