Lumen Research Paints a Dark Picture of the Threat Landscape in 2026

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• As the operator of one of the world’s largest global internet backbones, Lumen has a view into 99% of the public IPv4 addresses; its threat research team, Black Lotus Labs, monitors 2.3 million threats daily.

• Lumen’s 2026 Defender Threatscape Report underscores the highly organized and effective tactics cybercriminals are using to infiltrate the enterprise by exploiting network and edge vulnerabilities.

Long gone are the days when it was a question of if, not when, an organization would be breached. Most enterprise security practitioners are painfully aware of how successful threat actors have become in evolving their techniques to outwit some of the best defensive tools. But if anything, Lumen’s 2026 Defender Threatscape report highlights that the real security challenge is only beginning. Leveraging research from its Black Lotus Labs threat intelligence unit, including data from investigations, network telemetry, and campaigns between September 2024 and January 2026, Lumen notes that in response to the increasing effectiveness of endpoint detection solutions, cybercriminals have changed their strategies to leverage camouflaged proxies, vulnerable edge devices, and generative AI (GenAI) to set up attacks.

Using its visibility into global Internet activity, Black Lotus Labs found cybercriminals acting in a highly organized fashion by first standing up assets to leverage later in highly sophisticated campaigns. Cybercriminals are leveraging AI to create and propagate malicious infrastructure at breakneck speed. Using automation, bad actors can support campaigns, tightening the time between breach and impact. Frequently, adversaries seek out vulnerable internet-connected edge devices, including routers, VPN gateways, and firewalls. These resources offer privileged access to enterprise assets and typically can supply minimal forensic tracing data.

Organized cybercrime is certainly not new, but Black Lotus Labs observes a significant uptick in nation-state and for-profit adversaries building up proxy networks by exploiting compromised consumer devices. This allows bad actors to blend in with legitimate infrastructure, in some cases helping them skirt zero trust and geolocational restrictions.

State-affiliated adversaries often seize criminal infrastructure, known as “stolen staging,” to execute their own campaigns. This can obscure their true identities, making it harder to assign responsibility for attacks.

The 2026 Defender Threatscape report offers up some practical guidance, noting the criticality of having insight into network activity and of securing edge devices as critical assets. Organizations need to conduct a comprehensive inventory of all Internet-connected services and interfaces, including legacy resources. Enterprise IT should track unusual authentication efforts and edge configuration changes, even if they appear to come from a “safe” IP address.

Essentially, organizations need to take the concept of preemptive security to another level: instead of looking just for potentially malicious activity, they need to apply infrastructure awareness and protection. Security teams need to see proxy networks as potentially dangerous threats, and treat them as such with respect to access. They should also turn the thing threat actors use against them – scale – to their advantage. This requires gaining perspective beyond their enterprise assets into network activity that can show the earliest indicators of an encroaching threat.
