Cloud Threats Retrospective 2026
How systemic weaknesses and AI amplified the impact of proven cloud threats.
Classic weaknesses remained the dominant factor in cloud threat actor activity in 2025. Across publicly documented incidents included in Wiz’s Cloud Threat Landscape, initial access most often involved weaponized vulnerabilities, exposed secrets, and misconfigurations.
But the familiarity of these vectors should not be mistaken for limited impact or stagnation in attacker behavior. Beyond individual intrusions, critical incidents such as Shai-Hulud and React2Shell demonstrated how systemic weaknesses across shared infrastructure, software dependencies, and trusted integrations could be weaponized to produce an outsized impact. These events showed how inherited trust and ecosystem-wide exposure can amplify the consequences of otherwise well-understood attack techniques.
AI also influenced cloud-focused threat actor activity in 2025, not by introducing fundamentally new attack techniques, but by expanding cloud attack surfaces and enabling threat actor workflows in select cases. As AI-driven infrastructure, tooling, and automation became more common, familiar security risks increasingly appeared in new contexts and at greater scale.
Fact 1
Classic cloud risks still dominate
Across publicly documented cloud incidents analyzed by Wiz Research, initial access in 2025 most often relied on long-standing weaknesses rather than new or exotic techniques. Vulnerabilities, exposed secrets, and misconfigurations continued to define how cloud intrusions began.
Fact 2
AI is expanding the cloud attack surface
AI adoption introduced new services, identities, data paths, and automation layers into cloud environments. The primary impact of these additions was not to create new risk categories, but rather to increase the number of places where familiar weaknesses could appear—often closer to sensitive data and privileged resources.
Fact 3
Threat actors used AI to enhance proven techniques
Threat actors did not replace established intrusion techniques with AI-driven ones; instead, they used AI to accelerate reconnaissance, automate common actions, and scale familiar workflows. The result was reduced effort and increased speed across otherwise well-understood attack paths.
Fact 4
Systemic weaknesses lead to amplified impact
Some of the most consequential cloud incidents did not rely on sophisticated entry techniques, but on weaknesses that were widely present in shared software, integrations, and automation. When these trusted components were compromised or vulnerable, a single failure was able to cascade across many environments.
Conclusions
The findings in this report point to a clear takeaway: cloud risk in 2025 was shaped less by new attack techniques than by how widely and quickly familiar ones could spread. Proven weaknesses remained the most common entry points, systemic dependencies amplified their impact, and AI accelerated attacker workflows without changing their fundamentals. Security teams that maintain visibility across exposure, identities, integrations, and cloud activity are best positioned to detect and disrupt these paths before they escalate.
