It is no secret that threat actors have always been stealthy in their methods of infiltrating the enterprise. Like the security practitioners who defend IT assets, adversaries are keen on adapting the latest technology to advance their campaigns. With the arrival of generative AI and progress in automation, cybercriminals have become even more effective in their attack tactics.

But if anything, Lumen’s 2026 Defender Threatscape report highlights that the real security challenge is only beginning. Leveraging research from its Black Lotus Labs threat intelligence unit, including data from investigations, network telemetry, and campaigns between September 2024 and January 2026, Lumen notes that in response to the increasing effectiveness of endpoint detection solutions, cybercriminals have changed their strategies to leverage camouflaged proxies, vulnerable edge devices, and generative AI to set up attacks.

Using its visibility into global Internet activity, Black Lotus Labs found cybercriminals acting in a highly organised fashion, first standing up assets to leverage in later, highly sophisticated campaigns. Cybercriminals are leveraging AI to create and propagate malicious infrastructure at breakneck speed. Using automation, bad actors can support campaigns, tightening the time between breach and impact. Frequently, adversaries seek out vulnerable Internet-connected edge devices, including routers, VPN gateways and firewalls. These resources offer privileged access to enterprise assets and typically supply minimal forensic tracing data.

Organised cybercrime is certainly not new, but Black Lotus Labs observes a significant uptick in nation-state and for-profit adversaries building up proxy networks by exploiting compromised consumer devices. This allows bad actors to blend in with legitimate infrastructure, in some cases helping them skirt Zero Trust and geolocational restrictions.

State-affiliated adversaries often seize criminal infrastructure, a practice known as “stolen staging,” to execute their own campaigns. This can obscure their true identities, making it harder to assign responsibility for attacks.

“The 2026 Defender Threatscape report offers up some practical guidance, noting the criticality of having insight into network activity and securing edge devices as critical assets,” says Amy DeCarlo, principal analyst at GlobalData.

“Organisations need to conduct a comprehensive inventory of all Internet-connected services and interfaces, including legacy resources. Enterprise IT should track unusual authentication efforts and edge configuration changes, even if they appear to come from a ‘safe’ IP address.”

Essentially, organisations need to take the concept of preemptive security to another level; instead of looking just for potentially malicious activity, they need to apply infrastructure awareness and protection. Security teams need to see proxy networks as potentially dangerous threats and treat them as such with respect to access. They should also turn the thing threat actors use against them – scale – to their advantage. This requires gaining perspective beyond their enterprise assets into network activity that can show the earliest indicators of an encroaching threat.