
Cybercrime Just Had a 1,500% Quarter. We Held a Steering Committee.

Last month, I argued that the cybersecurity industry was about to be flattened by AI, and that our org chart of red teams, blue teams, AppSec, IAM, GRC, and the long list of acronyms had a shelf life shorter than most milk.

Then Flashpoint dropped its 2026 Global Threat Intelligence Report. The polite version of the report says “the threat landscape is converging.” The less polite version says “you are very behind.”

The Number That Should Have Caused a Holiday

Between November and December 2025, illicit AI-related discussions on criminal forums went up by 1,500 percent. In December alone, Flashpoint logged 6 million separate mentions of AI in criminal contexts. (Flashpoint, 2026 GTIR, pp. 4–6.)

The criminals were not debating whether AI was the future. Flashpoint’s tagged topics from the surge include “deepfake,” “KYC bypass,” “jailbreak prompts,” and new words that did not need to exist a year ago: slopsquatting (registering the package names that AI coding assistants hallucinate, so the install that follows pulls attacker code), AI sidebar spoofing, and steganographic prompting (hiding malicious instructions inside content an AI model is asked to process). (p. 5.)

While they were running that syllabus, the rest of the industry was still arguing about whether penetration tests and red teams are technically different roles.

“Logging In” Is Doing a Lot of Heavy Lifting

Flashpoint coined a phrase in this year’s report that I cannot stop thinking about.

“The fundamental mechanics of cybercrime have shifted from breaking in to logging in.” (p. 4.)

In 2025, 11.1 million machines were infected with infostealer malware. The take: 3.3 billion stolen credentials, session cookies, and cloud tokens are currently for sale on illicit marketplaces. (p. 10.) Most attackers no longer need an exploit to get in. They have valid credentials and live session cookies, and a replayed cookie never sees the MFA prompt because the session is already authenticated. They walk in like an employee returning from PTO.

Identity is no longer a department. Identity is the perimeter. Every browser, every personal phone with a work app on it, every contractor account that was supposed to be turned off last quarter but is “still being audited.”
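What that looks like in a log, as an added example that is not part of the Flashpoint report or WireWolf’s code: the check below binds each session ID to the network (ASN), browser fingerprint and age it was minted with, and fires once per session and rule when a later request disagrees. The JSON schema, the field names and the six events are constructed for the demo; the three rules are assumptions about what your application actually logs.

```python
"""Spot replayed browser sessions in web-app access logs.

Added example (not Flashpoint's or WireWolf's code). An infostealer hands the
buyer a session cookie that is *already* authenticated, so there is no failed
login to alert on; the tell is a valid session ID that suddenly arrives from a
different network or browser than the one that minted it, or that outlives the
session lifetime the server should have enforced. The JSON log schema, field
names and events below are constructed for this demo.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one JSON event per line (hypothetical schema).
SAMPLE_LOG = """\
{"ts":"2025-12-03T08:02:11Z","event":"login","user":"j.doe","sid":"s-7f3a","ip":"203.0.113.10","asn":64500,"ua":"Chrome/131 Windows"}
{"ts":"2025-12-03T08:15:40Z","event":"request","user":"j.doe","sid":"s-7f3a","ip":"203.0.113.10","asn":64500,"ua":"Chrome/131 Windows"}
{"ts":"2025-12-03T08:31:05Z","event":"request","user":"j.doe","sid":"s-7f3a","ip":"198.51.100.77","asn":64511,"ua":"Chrome/131 Windows"}
{"ts":"2025-12-03T09:00:00Z","event":"request","user":"j.doe","sid":"s-7f3a","ip":"198.51.100.77","asn":64511,"ua":"Chrome/120 Linux"}
{"ts":"2025-12-03T09:10:00Z","event":"login","user":"a.roe","sid":"s-1c9e","ip":"192.0.2.5","asn":64496,"ua":"Safari/18 macOS"}
{"ts":"2025-12-05T09:12:00Z","event":"request","user":"a.roe","sid":"s-1c9e","ip":"192.0.2.5","asn":64496,"ua":"Safari/18 macOS"}
"""


@dataclass(frozen=True)
class Alert:
    sid: str
    user: str
    rule: str     # network_change | ua_change | stale_session
    ts: str
    detail: str


def parse(log_text: str) -> list[dict]:
    """Decode one JSON event per line and attach a timezone-aware datetime."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["dt"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["dt"])


def detect(log_text: str, max_age: timedelta = timedelta(hours=24)) -> list[Alert]:
    """Compare every request against the fingerprint recorded when its
    session was minted. Each (session, rule) pair fires once, so a replayed
    session yields one actionable alert rather than one per request."""
    baseline: dict[str, dict] = {}          # sid -> minting event
    fired: set[tuple[str, str]] = set()
    alerts: list[Alert] = []

    def fire(e: dict, rule: str, detail: str) -> None:
        key = (e["sid"], rule)
        if key not in fired:
            fired.add(key)
            alerts.append(Alert(e["sid"], e["user"], rule, e["ts"], detail))

    for e in parse(log_text):
        sid = e["sid"]
        if e["event"] == "login" or sid not in baseline:
            baseline[sid] = e               # first sight fixes the fingerprint
            continue
        base = baseline[sid]
        if e["asn"] != base["asn"]:
            fire(e, "network_change", f"asn {base['asn']} -> {e['asn']} from {e['ip']}")
        if e["ua"] != base["ua"]:
            fire(e, "ua_change", f"ua {base['ua']!r} -> {e['ua']!r}")
        if e["dt"] - base["dt"] > max_age:
            fire(e, "stale_session", f"age {e['dt'] - base['dt']} exceeds {max_age}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.user} {a.sid} {a.rule}: {a.detail}")
```

Keying on ASN rather than raw IP keeps mobile roaming out of the alert stream, and the user-agent check is cheap for an attacker to match, so treat it as corroboration rather than a verdict. The prevention counterpart is binding the session to the device it was issued on (token binding, device-bound session credentials), so a lifted cookie is worthless off the original machine.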

Half the people now operating inside your security perimeter never signed up to be in security. Your helpdesk did not. Your HR coordinator did not. The VS Code extension your senior engineer installed yesterday absolutely did not. Flashpoint catalogued ten different AI plugin and agentic IDE vulnerabilities actively exploited in 2025, including issues in Claude Code, Microsoft Visual Studio Copilot Chat, Google Gemini Cloud Assist, and Perplexity Comet. (p. 17.)

I will let you guess which org chart those vulnerabilities sit on.

The 24-Hour Clock

44,509 vulnerabilities were disclosed in 2025, and about a third shipped alongside publicly available exploit code on day one. Flaws like CitrixBleed 2 and React2Shell were mass-exploited within 24 hours of disclosure. CISA, in a move that probably aged the agency a year, issued a one-day remediation deadline. (pp. 14–16.)

Compare that to the average corporate patch cycle. Identify. Triage. Assign. Schedule. Get pushback. Schedule again. Push during a maintenance window at 2 a.m. on a Saturday.

Most companies treat patching like they are mailing a postcard. The attackers are sending Signal messages.
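One way to run a backlog against that clock, as an added example and not the report’s or WireWolf’s own logic: the ranking below puts exploitation evidence and exposure ahead of CVSS, so a 7.5 that is already being exploited on an internet-facing host outranks a 9.8 nobody can reach, and it reports the hours left against the tighter of the one-day deadline and your own SLA. The findings, their identifiers, dates and the 24-hour SLA are constructed; the tier thresholds are an assumption to adapt.

```python
"""Rank a patch backlog against the 24-hour clock.

Added example, not from the Flashpoint report or from WireWolf. It encodes
the report's own rule of thumb: exploitation evidence and exposure decide
what moves inside the first day, CVSS only orders the rest. The findings,
placeholder identifiers, dates and SLA values below are constructed; swap in
your own scanner output and deadlines.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Finding:
    ident: str                    # constructed placeholder, not a real CVE
    cvss: float
    disclosed: datetime
    exploit_public: bool          # exploit code shipped with the disclosure
    exploited_in_wild: bool       # on a KEV-style known-exploited list
    kev_due: Optional[datetime]   # agency deadline, when one was issued
    internet_exposed: bool        # asset reachable from the internet


def tier(f: Finding) -> int:
    """0 = patch inside the 24-hour window; 3 = the normal cycle is fine."""
    if f.exploited_in_wild and f.internet_exposed:
        return 0
    if f.exploit_public and f.internet_exposed:
        return 1
    if f.exploited_in_wild or f.exploit_public:
        return 2
    return 3


def hours_left(f: Finding, now: datetime, sla: timedelta) -> float:
    """Hours until the tighter of the KEV deadline and disclosure + sla.
    Negative means the window already closed."""
    deadline = f.disclosed + sla
    if f.kev_due is not None and f.kev_due < deadline:
        deadline = f.kev_due
    return (deadline - now).total_seconds() / 3600


def triage(findings: list[Finding], now: datetime,
           sla: timedelta = timedelta(hours=24)) -> list[tuple[str, int, float]]:
    """Return (ident, tier, hours_left) ordered by tier, then CVSS, then id."""
    ranked = sorted(findings, key=lambda f: (tier(f), -f.cvss, f.ident))
    return [(f.ident, tier(f), round(hours_left(f, now, sla), 1)) for f in ranked]


UTC = timezone.utc
NOW = datetime(2025, 12, 10, 12, 0, tzinfo=UTC)   # constructed "current time"

# Constructed backlog: the CVSS 9.8 item is internal with no exploit, the
# CVSS 7.5 item is already being exploited on an internet-facing box.
FINDINGS = [
    Finding("EXAMPLE-0001", 9.8, datetime(2025, 12, 10, 6, 0, tzinfo=UTC), False, False, None, False),
    Finding("EXAMPLE-0002", 7.5, datetime(2025, 12, 9, 6, 0, tzinfo=UTC), True, True,
            datetime(2025, 12, 10, 6, 0, tzinfo=UTC), True),
    Finding("EXAMPLE-0003", 8.1, datetime(2025, 12, 10, 10, 0, tzinfo=UTC), True, False, None, True),
    Finding("EXAMPLE-0004", 9.1, datetime(2025, 12, 8, 12, 0, tzinfo=UTC), True, False, None, False),
]

if __name__ == "__main__":
    for ident, t, h in triage(FINDINGS, NOW):
        print(f"tier {t}  {h:+6.1f}h  {ident}")
```

The output puts the exploited 7.5 first with a negative clock (its one-day deadline passed six hours ago) and the untouched 9.8 last with eighteen hours to spare, which is the whole argument for scoring exposure and exploitation before severity.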

The Part Where Bribing Beats Hacking

Flashpoint counted 91,321 instances of threat actors openly recruiting insiders in 2025. Groups like Scattered Spider, LAPSUS$, and their offshoots run actual workflows for it. (pp. 22–23.)

You can spend a lot of money on a security stack. The stack will not show you the moment a contractor at a managed service provider you have never met decides to monetize their access. Your stack was not designed to defend against compensation. It was designed to defend against ports.

Ransomware Is Now a Franchise

Ransomware attacks climbed 53 percent year over year. RaaS groups now run 87 percent of all ransomware activity, and the largest operators are pivoting from encryption to what Flashpoint calls “pure extortion”: steal the data, threaten to leak it, skip the malware part entirely. Encryption was the hard part. Trust was the soft part. Trust scales better. (pp. 4, 22.)

We segmented our security teams to specialize. They franchised theirs to scale.

The Polite Part of the Report

Flashpoint closes with three recommendations that, read between the lines, say the categories the industry uses to organize itself are a bad map of the actual terrain: prioritize context over noise, treat the human and machine identity layer as a single connected surface, and let automation support human-led analysis instead of replacing it. (p. 28.)

For added context, they also flag that the CVE program contract is set to expire in March 2026. The closest thing the security industry has to a master schedule may go offline in a few months. (p. 19.)

I called this de-segmentation. Flashpoint calls it convergence. According to the SecurityWeek piece I cited last time, the offensive security community calls it continuous integrated security. Three framings, one conclusion.

What I Am Building, Since You Asked

I know how this part of the article usually goes. The founder spends 1,000 words diagnosing a problem and politely refuses to tell you what they are doing about it. I am not going to do that because the diagnosis above is the entire reason WireWolf exists.

WireWolf is being built as a single AI-native security operating system. Not a stack of tools that pretend to integrate over drinks at RSA. One workspace. One sight picture. Offensive findings, exposure data, identity context, validation, and remediation guidance, all moving through the same pipe and acted on by the same operator.

The Flashpoint data is, more or less, the receipt for why the current model no longer scales. Humans were the integration layer in every legacy stack: carrying context between teams, translating alerts into runbooks, typing scores into registers. The criminals already replaced their humans with software. Defenders who do not are running the slowest workflow in the fight.

I think cybersecurity needs a force redesign, the way every domain that introduced fast machines eventually needed one. Not “the SOC plus AI.” Not the existing org chart with a chatbot duct-taped to the side. Something built natively, where AI is the operating layer and a small team can operate at the same tempo as the people trying to break the things they care about.

I think WireWolf is what redefines that force. I will be wrong about some of it. Most founders are. But the bet is straightforward: in five years, the modern security organization will not look like a stack of named teams with quarterly handshakes. It will look like one operator, one workspace, and an AI partner holding the entire picture, so the human can spend their time on the only thing that scales: judgment.

If that idea pulls at you, my inbox is open.

Works Cited

Flashpoint. 2026 Global Threat Intelligence Report. Flashpoint, 2026.

Orton, Larry R. “The Cybersecurity Org Chart Is About to Get Run Over by AI.” LinkedIn, 8 May 2026.

Townsend, Kevin. “Cyber Insights 2026: Offensive Security; Where It Is and Where It’s Going.” SecurityWeek, 28 Jan. 2026.
