IBM's X-Force Threat Intelligence Index 2026 tracks where cybercriminals concentrate their efforts across the globe. The picture it paints for 2025 is not reassuring. Every major region saw sustained attack activity, credential harvesting dominated incident impacts on multiple continents, and AI tools are compressing the time between vulnerability discovery and exploitation to a degree the industry has never had to contend with.
The report logged a 44% increase in attacks that began with the exploitation of public-facing applications, driven by missing authentication controls and AI-enabled vulnerability discovery. Of the nearly 40,000 vulnerabilities X-Force tracked during the year, 56% could be exploited without any form of authentication. No credentials required. No human interaction needed. Just scanning and striking.
Against that backdrop, the regional breakdown tells a story about where attackers see the richest targets and the weakest defences.
North America reclaims the top spot
North America accounted for 29% of all incidents X-Force responded to in 2025, up from 24% the previous year. It became the most attacked region for the first time in six years. The most common actions on objective were malware and the use of legitimate tools, each at 33%, followed by server access at 26%.

Credential harvesting was the dominant impact, accounting for 43% of incidents. Data theft and data leaks followed at 29%. The manufacturing sector took the heaviest hit at 21% of incidents, with wholesale (19%) and finance and insurance (17%) close behind.
The primary entry point was the exploitation of public-facing applications at 28%, followed by the abuse of valid local accounts at 22%. For a region with the deepest cybersecurity budgets on the planet, these are not sophisticated attack vectors. They are open doors.
Asia-Pacific is a manufacturing battleground
Asia-Pacific came in a close second at 27% of global incidents. But one number stands out above all others. Manufacturing represented 65% of all incidents investigated in the region. No other region or sector combination in the report comes close to that concentration.
Attackers in Asia-Pacific leaned heavily on malware (45%) and relied on exploitation of public-facing applications (50%) and valid accounts (30%) as initial access vectors. The region's rapid digital expansion, its density of supply chains and logistics networks, and persistent geopolitical tensions make it a target-rich environment where operational technology downtime translates directly into financial loss.
Data theft and brand reputation damage each accounted for 14% of impacts, with credential harvesting at 7%, a lower proportion than other regions but still a consistent feature of the threat picture.

Europe's financial sector under pressure
Europe accounted for 25% of incidents, holding steady as the third most targeted region. But the sectoral split tells a sharper story. Finance and insurance led at 39% of European incidents, a higher proportion than in any other region.
Credential harvesting dominated at 40% of impacts, followed by data leaks at 27% and data theft at 13%. Malware was the most common action on objective at 43%, with legitimate tools and server access tied at 26%. The leading initial access vector was exploitation of public-facing applications at 40%.
Europe's concentration of financial services, combined with strict regulatory environments that make breaches costly and complex enterprise IT estates that create wide attack surfaces, keeps the region firmly in the crosshairs.
The Middle East and Africa face twin-sector risk
The Middle East and Africa accounted for 10% of global incidents, but the pattern of attack is distinct. Finance and insurance and the energy sector were tied at 38% each, reflecting a region where critical infrastructure and financial systems face parallel threats.
Attackers used malware and legitimate tools in equal measure, each at 34%, with a focus on stealthy persistence. The leading initial access vector was exploitation of public-facing applications at 50%. Phishing and spear phishing attachments accounted for 15%, a higher share of social engineering than most other regions.
The combination of ambitious digital transformation programmes and persistent regional conflict creates an environment where advanced threats, including espionage-focused campaigns, find consistent opportunities.
Latin America is catching up, and not in a good way
Latin America accounted for 9% of incidents, a slightly increasing share of global activity. The finance and insurance sector led at 47% of incidents, with energy at 27%.
The initial access picture was spread across four vectors in equal measure at 25% each: exploitation of public-facing applications, valid accounts, external remote services, and supply chain compromise. That last category is significant. The appearance of supply chain attacks as a leading vector in Latin America reflects the broader global trend that IBM's report identifies as one of the defining shifts of the past five years: a nearly fourfold increase in large supply chain and third-party compromises since 2020.

Credential harvesting led impacts at 40%, with brand reputation damage at 20%. As organisations across the region expand their digital capabilities, they are doing so in environments where cybersecurity practices are still maturing, and attackers are taking advantage.
AI is the accelerant across every region
The geographic breakdown matters, but the unifying thread across all regions is the role AI now plays in offensive cybersecurity. X-Force observed that AI tools are helping attackers identify weaknesses faster, automate reconnaissance, and scale operations. Active ransomware and extortion groups surged 49% year over year, with collapsing barriers to entry allowing smaller operators to reuse leaked tooling and established playbooks while using AI to automate their campaigns.
Infostealer malware drove the exposure of more than 300,000 ChatGPT credentials observed for sale on dark web marketplaces in 2025. AI platforms now carry the same credential risk as core enterprise SaaS systems. That is not a forecast. It is already happening.
The IBM report's central warning applies everywhere on the map. The most consequential security failures in 2025 were not the result of brilliance. They were the result of basics. Missing authentication controls, unpatched vulnerabilities, and fragile supply chains provided the access. AI provided the speed.
No region is exempt. No sector is immune. And the pace is only accelerating.