Cybersecurity Professionals Struggle to Keep Pace with AI-Driven Threats and a Growing Attack Surface, New Bitdefender Report Finds

BUCHAREST, Romania & SAN ANTONIO--(BUSINESS WIRE)--Bitdefender, a global cybersecurity leader, today released the 2026 Cybersecurity Assessment Report, an annual report based on an independent survey and analysis of cybersecurity professionals revealing the most urgent concerns, key challenges, and threat perceptions shaping business security.

The findings in this report make clear that modern security strategies must go beyond reactive defenses to continuously reduce risk, govern AI adoption, and ensure compliance across environments.

Share

The report is based on an independent survey and analysis of over 1,200 IT and security professionals, split equally between cybersecurity practitioners and decision-makers ranging from IT manager and chief information security officer (CISO) to security analysts, architects, and engineers who work in companies with 500 or more employees across France, Germany, Italy, Singapore, the United Kingdom (U.K.), and the United States (U.S.).

Key findings from the 2026 Cybersecurity Assessment Report:

• Nearly half of organizations lack full visibility into employee AI tool usage – While 51.8% of respondents report full visibility into sanctioned and unsanctioned AI usage, 47.4% acknowledge only partial or no visibility into individual Shadow AI tools or personal accounts used for work. The numbers tell a more troubling story at the leadership level: 57.8% of managers believe they have full visibility compared to only 45.9% of practitioners, and just 0.5% of managers report zero visibility versus 4.5% of practitioners, suggesting leaders may be significantly underestimating their organization's true exposure.
• Securing internal AI systems and cloud infrastructure top security concerns – When asked which environments are of most concern, 45% of respondents identified internal AI systems and Large Language Models (LLMs) as their primary concern, followed closely by cloud infrastructure and application environments at 44%. Identity and access management (IAM) systems rounded out the top three at 33.3%. Notably, despite ranking AI systems as their top security concern, 20.4% of respondents rated employees leaking sensitive data into public LLMs as a low or extremely low risk, revealing a significant gap between perceived threat and actual exposure.
• More than half who experienced a breach were told to keep it confidential – More than half (55.2%) of respondents who experienced a security incident or breach in the past 12 months stated they were told to keep it confidential despite believing it should have been reported to authorities. While slightly down from 57.6% in 2025, the figure remains dramatically higher than the 42% reported in 2023, pointing to a deeply entrenched culture of breach suppression globally. The U.S. led all regions at 68.6%, followed by Germany and U.K. both at 57.2%, and the pattern holds across organizational levels with managers (56.8%) and practitioners (53.5%) reporting similar pressure to stay silent.
• Unauthorized access and business email compromise (BEC) dominated security incidents – Cloud infrastructure or application breaches topped the list of security incidents experienced in the past 12 months at 41.8%, followed by BEC resulting in financial or data loss at 35.9%, and ransomware at 25.6%. U.S. organizations stood out sharply, with 54.7% reporting BEC incidents, nearly 19 percentage points above the overall average. Adding to the picture, 59.2% of all respondents confirmed experiencing AI-driven social engineering attacks in the past 12 months, a strong signal that the use of AI in cybercrime has moved from industry hype to reality.
• Organizations struggle to reduce the attack surface despite knowing the risks – The top barriers to reducing the attack surface are high overhead in maintaining hardening rules and exceptions (38%), fear of operational disruption (35.4%), and resource constraints (34.6%), suggesting organizations understand the need to reduce exposure but struggle to act without impacting operations. Difficulty securing legacy systems (34.5%) and visibility gaps, defined as uncertainty about which legitimate tools are essential for each user (33.8%), deepen the challenge, with 48.8% of U.S. organizations reporting marked gaps in visibility compared to the overall average of 33.8%.
• Data sovereignty has become a decisive factor in vendor selection – Over three-quarters (76.1%) of respondents say they would likely switch cybersecurity vendors due to concerns about data sovereignty, jurisdiction, or foreign government access to their data. The U.S. led all regions at 87%, followed by the U.K. at 85% and Germany (77%). Managers expressed even greater urgency than practitioners, at 79.4% versus 72.8% respectively. As regulations such as NIS2, DORA, and evolving U.S.-EU data frameworks continue to expand compliance obligations, organizations are increasingly prioritizing vendors that offer transparent data-processing models and clear answers on where their data lives and who can access it.
• AI-related threats are viewed as high or extreme risk across the board – Organizations rate a broad spectrum of AI-driven scenarios as serious threats, with attackers using AI to generate self-mutating malware topping the list at 55.9%, followed by employees leaking sensitive data into public LLMs (53.5%), AI-driven evasion techniques bypassing traditional endpoint detection and response (EDR) signatures (52.5%), and deepfakes or voice cloning used in fraud or BEC (51.9%). Notably, while self-mutating malware ranks as the top concern, current threat intelligence suggests adversaries are using AI to accelerate and refine attacks rather than create fundamentally new malware. Concern extends beyond these scenarios, with agentic AI expanding the attack surface emerging as a regional flashpoint, particularly in Singapore (64%) and the U.S. (61.6%).

"The expanding attack surface, the rapid proliferation of AI-powered threats, and persistent operational pressures are forcing organizations to rethink how they approach security from the ground up," said Andrei Florescu, president and general manager of Bitdefender Business Solutions Group. "The findings in this report make clear that modern security strategies must go beyond reactive defenses to continuously reduce risk, govern AI adoption, and ensure compliance across an environment where adversaries are faster, more adaptive, and increasingly automated."

Data Sources

Bitdefender commissioned Censuswide, a leading international market research consultancy firm, to survey and analyze responses from 1,201 IT and security professionals who work in companies with 500 or more employees across various industries. The survey and analysis took place from April 2026 through June 2026. The respondents were geographically split equally between France, Germany, Italy, Singapore, U.K., and the U.S.

To download a complimentary copy of the Bitdefender 2026 Cybersecurity Assessment Report, visit here.

About Bitdefender

Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry's most trusted experts for eliminating threats, protecting privacy, digital identity, and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence. Its technology is licensed by more than 180 of the world's most recognized technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world. For more information, visit https://www.bitdefender.com.

Trusted. Always.