SANS Digital Forensics and Incident Response

2026 Threat Landscape Reality Check: Turning Threat Intelligence Into Analytic Advantage

The SANS "Threat Analysis Rundown" live stream highlighted a pivotal shift in 2026: identity‑based intrusions have become the primary attack vector, eclipsing traditional malware. Host Sean O'Connor, joined by veterans Rebecca Brown and John Doyle, referenced recent reports—CrowdStrike, Unit 42, Microsoft—showing 80‑90% of detections now involve credential misuse. Key insights included the rise of credential theft and information‑stealing as defenders harden perimeter defenses, pushing adversaries toward legitimate logins. The panel stressed that AI can streamline data collection but cannot substitute human judgment, warning against over‑reliance on automated summaries. Community evolution was also noted, with the STAR series moving from scripted webcasts to authentic, unscripted live discussions. Notable moments featured Katie Nichols reflecting on past over‑complication of threat intel and John Doyle emphasizing how defensive actions unintentionally create new attack surfaces. Rebecca highlighted the pandemic‑driven remote‑work boom as a catalyst for identity exploitation, while participants underscored the growing overlap of geopolitical conflict and cyber operations. Implications are clear: CTI teams must prioritize credential‑focused detection, integrate AI as an assistive tool, and maintain skilled analysts to interpret nuanced threats. Organizations that adapt to the “identity is the new perimeter” paradigm will better safeguard assets amid an increasingly politicized cyber landscape.