Annual Threat Dynamics 2026: Cyber threats in motion - Australia in focus

  • Insight
  • 3 minute read
  • April 20, 2026

In an identity-driven, AI-accelerated threat landscape, resilience belongs to organisations that govern identity at speed, validate trust continuously, and treat cyber risk as inseparable from business and geopolitical strategy.

The Australian threat landscape reflects the same global shifts highlighted in PwC’s Annual Threat Dynamics 2026 report, but with a local profile shaped by ransomware pressure, identity-driven intrusion, regulatory change, and targeting of sectors critical to the Australian economy.

The most effective response is not just stronger prevention, but faster detection, clearer governance, and better resilience across identity, cloud, data, and third-party risk. The report frames today’s environment as identity-driven, AI-accelerated and inseparable from wider business and geopolitical risk.

Key Takeaways
  1. Identity is the key battleground
  2. AI is accelerating both sides of the race
  3. Cyber risk is inseparable from business and geopolitical strategy

"In Australia, the cyber threat landscape is evolving at an unprecedented pace. Lines are blurring and the rules of engagement have changed. Australian organisations that treat cyber resilience as a boardroom priority, not just a technical one, will be the ones that stay ahead."

Pete Malan, Partner, Cybersecurity & Privacy Practice Leader, PwC Australia

Identity is the key battleground

  • Adversaries across a wide range of motivations are increasingly choosing to log in rather than break in, exploiting credentials, session tokens, and federated access to bypass traditional perimeter defences.
  • Social engineering is evolving in sophistication, with AI-generated deepfakes, IT helpdesk impersonation, stolen identities for illicit remote worker operations, and multi-stage phishing campaigns targeting human and machine identities alike.
  • As organisations expand their SaaS ecosystems and cloud dependencies, the attack surface is widening — with a single compromised identity capable of unlocking cascading access across entire environments.
Looking ahead

Identity will remain in pole position as the primary attack vector. As organisations adopt zero-trust architectures, adversaries will iterate with techniques to spoof device posture, abuse non-human identities (NHIs), and target AI-driven automated workflows. Treating identity governance as a strategic, board-level priority — not a technical checkbox — will be critical to staying ahead of the field.

In October 2025, PwC Threat Intelligence observed suspected Russia-based threat actor White Dev 229 conducting device code phishing activity against individuals across government, defence, education and NGO sectors in Europe, the United States and Australia. The campaign did not rely on malware or technical exploitation. Instead, it focused on identity compromise. The actor used compromised email accounts to engage targets, then directed them to spoofed OneDrive infrastructure hosted via Cloudflare Workers to abuse legitimate authentication workflows through device code phishing and deliver a decoy document.

PwC Threat Intelligence identified a likely related URL linked to an academic whose public research focused on defence strategy. This indicates the activity was not simply broad phishing reaching Australia, but was consistent with selective targeting of an Australia-based individual whose professional profile, institutional access and subject matter focus aligned with the actor’s apparent intelligence requirements.

This case study shows that local organisations are exposed not only to cyber crime, but also to identity-focused intrusion activity associated with broader geopolitical targeting. It also reinforces a central theme from the Annual Threat Dynamics Report: threat actors increasingly seek to gain access through legitimate authentication processes rather than technical intrusion. As a result, authentication workflows, helpdesk procedures, federated identity and user trust remain central elements of the attack surface.
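Device code phishing leaves a distinctive trace: a sign-in completed through the device code flow, typically from infrastructure the victim has never used. As an added example (not PwC's or the report's code), the Python below scores device code sign-ins in Entra ID-style sign-in records against each user's usual sign-in countries. The field names (authenticationProtocol, location.countryOrRegion, status.errorCode) follow the Entra sign-in log schema as assumed here, and all records are constructed.

```python
from collections import defaultdict

# Constructed sample sign-in records, not real telemetry. Field names are an
# assumption modelled on the Microsoft Entra ID sign-in log schema.
SAMPLE_LOGS = [
    {"createdDateTime": "2025-10-02T08:14:00Z", "userPrincipalName": "a.lee@example.edu",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-03T09:02:00Z", "userPrincipalName": "a.lee@example.edu",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    # Successful device code sign-in from a country absent from the user's baseline.
    {"createdDateTime": "2025-10-09T21:47:00Z", "userPrincipalName": "a.lee@example.edu",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    # Failed device code attempt against a second user from the same address.
    {"createdDateTime": "2025-10-09T21:40:00Z", "userPrincipalName": "b.ng@example.edu",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
    # Routine device code use by a kiosk account; suppressed via the allowlist.
    {"createdDateTime": "2025-10-09T10:00:00Z", "userPrincipalName": "svc.kiosk@example.edu",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
]

def build_baseline(records):
    """Countries each user has successfully signed in from via non-device-code flows."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen

def flag_device_code(records, allowlist=frozenset()):
    """Return device code sign-ins that warrant review, oldest first, each with a reason."""
    baseline = build_baseline(records)
    findings = []
    for r in records:
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        if r["authenticationProtocol"] != "deviceCode" or user in allowlist:
            continue
        if r["status"]["errorCode"] != 0:
            reason = "failed device code attempt"
        elif country not in baseline[user]:
            reason = "successful device code sign-in from country absent from baseline"
        else:
            continue  # device code use consistent with the user's history
        findings.append({"time": r["createdDateTime"], "user": user,
                         "ip": r["ipAddress"], "country": country, "reason": reason})
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for f in flag_device_code(SAMPLE_LOGS, allowlist={"svc.kiosk@example.edu"}):
        print(f"{f['time']} {f['user']} {f['ip']} ({f['country']}): {f['reason']}")
```

Where the device code flow is not needed at all, blocking it outright (Entra Conditional Access offers an authentication flows condition for this) is a stronger control than after-the-fact detection.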

AI is accelerating both sides of the race

  • Threat actors are embracing AI not as an enhancement but as a core component of their tradecraft, using it to automate reconnaissance, generate convincing phishing lures, accelerate malware development, and scale social engineering across languages and platforms.
  • The time between an AI capability being publicly released and its weaponisation by threat actors is shrinking dramatically, whilst autonomous AI agents capable of executing entire attack sequences without human intervention are a prime concern (the recent Anthropic Mythos announcement is an example of this potential capability).
  • AI also represents the single greatest opportunity for defenders to match the pace, enabling faster detection, automated containment, and intelligence-led decision-making at scale.
Looking ahead

AI-driven threats may outpace traditional detection and response models, and quantum advancements will change the track entirely. Organisations should anticipate malware that natively incorporates AI to evade detection and target high-value data, alongside a widening pool of less skilled threat actors leveraging AI to punch above their weight. This concern is reflected in Australia, where according to the PwC Digital Trust Insights (DTI) 2026, 50% of Australian organisations rank AI-powered malware as the key AI attack scenario they are most concerned about over the next year. Investing in AI-enhanced defence, embedding frameworks into threat modelling, and becoming post-quantum ready will be essential to keeping pace.

Cyber risk is inseparable from business and geopolitical strategy

  • Geopolitical turbulence continues to influence the threat landscape, with more threat actors blending espionage, influence operations, and disruption at strategic inflection points seen around the world.
  • Financial crime, insider threats, digital-to-physical security concerns, and supply chain compromise are converging into a single pressure point, with threat actors simultaneously targeting executives, developers, vendors, hiring processes, and financial workflows from multiple angles.
  • The boundaries between motivations continued to blur, as ransomware operators sold strategically sensitive data, espionage motivated threat actors leveraged cyber criminal tooling, and North Korea-based threat actors industrialised fraudulent employment and cryptocurrency theft at unprecedented scale.
Looking ahead

No cyber intrusion exists in a vacuum. Trade disputes, elections, conflicts, and shifting alliances will continue to shape threat actor targeting and tempo. This is increasingly reflected in business decision-making in Australia, where 62% of Australian business and tech leaders ranked cyber risk investment in their top three strategic priorities in response to ongoing geopolitical uncertainty, and 74% of Australian organisations predict an increase in their cyber budget for 2026 in the PwC DTI survey. Organisations that embed geopolitical and supply chain risk into strategic decision-making, aligning cyber, legal, HR, finance, and communications capabilities, will be positioned to navigate the turbulence ahead.

Australia at a glance

Ransomware

Australia remains part of the broader global rise in ransomware activity, but with a local pattern shaped by sector concentration, growing threat actor diversity, and a response environment increasingly influenced by regulation. We observed that Australia was the 9th most targeted country by ransomware, by victim count.

  • Number of Australian ransomware victims observed on leak sites increased from 93 in 2024 to 124 in 2025;
  • Most prominent ransomware actors observed targeting Australia were White Kore (a.k.a. Qilin), White Imp (a.k.a. INC Ransom), White Lilith (a.k.a. Akira), White Dev 207 (a.k.a. Lynx), and White Hod (a.k.a. SAFEPAY); and,
  • In 2025, Healthcare became the most impacted sector in Australia.

Regulatory shift in Australia

Australia’s ransomware cyber response environment has materially changed from encouragement to obligation as of 30 May 2025. The Cyber Security Act 2024 and the Cyber Security (Ransomware Payment Reporting) Rules 2025 now require organisations with annual turnover of at least AUD 3 million in the previous financial year, or with select critical infrastructure assets, to notify the Commonwealth within 72 hours if they make, or become aware that another party has made a ransomware or a cyber extortion payment on their behalf.

This is a notable uplift in Australia’s ransomware posture because it creates a specific, mandatory reporting regime tied to ransom payments, rather than relying only on broader cyber incident or sector-specific notification obligations. The immediate takeaway for applicable organisations is that ransomware response plans should now expressly cover payment decision-making, 72-hour reporting triggers, evidence capture, and coordination across legal, cyber, crisis management and any third parties acting on the organisation's behalf.

Australia is currently the first in the Five Eyes nations (intelligence-sharing alliance consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States) with an active mandatory reporting regime specifically for ransomware and cyber extortion payments.

United Kingdom - has been consulting on proposed ransomware payment and incident reporting laws but has yet to formalise them.

United States - the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) includes ransomware obligations but applies only to critical infrastructure entities.

Canada and New Zealand - currently encourage reporting of ransomware incidents and payments rather than imposing a mandatory reporting requirement.

What Australian organisations should prioritise

The challenge is no longer only to prevent compromise. It is to reduce the blast radius, contain access abuse, and respond quickly when incidents cross technical, legal, and executive boundaries.

Deploy phishing-resistant MFA, review federated access, and harden helpdesk and identity verification processes to protect against identity compromise, as this is one of the fastest and most reliable ways for threat actors to gain access, escalate privileges, and move across environments.

Review authentication mechanisms, privileged integrations, vendor access, and service account exposure, because trusted connections can provide indirect access into core systems and may be overlooked in traditional security reviews. This is particularly relevant given we have identified that 30% of Australian organisations said cloud-related threats were among the cyber threats they are least prepared for, while 30% also identified attacks on connected products and third parties.

Build legal, executive, and cyber workflows that can support ransomware payment reporting decisions under pressure. This will enable organisations to act quickly and meet statutory reporting requirements within compressed timeframes.

Maintain isolated backups, test recovery pathways, and reduce dependency on in-environment restoration methods. This can minimise operational disruption and avoid recovery options that may also be compromised in the event of an incident.

There has been an increase in incidents involving data theft and misuse of legitimate access as opposed to only disruptive encryption. Organisations should implement capability to monitor and alert on exfiltration paths, privilege escalation, session abuse, and cloud-native forms of silent extraction.

What this means for leadership

In Australia, cyber resilience is no longer solely a technical challenge; it has become a critical governance priority. Cyber risk now spans far beyond traditional IT and security teams, touching on all aspects of an organisation including identity management, third-party access, regulatory reporting, sector-specific vulnerabilities, legal considerations, and executive accountability. A failure or weakness in any one of these areas can rapidly cascade into operational disruptions, mandatory breach notifications, regulatory investigations, and reputational damage.

This evolving landscape is especially relevant for organisations experiencing growth, embracing new technologies, and operating across diverse business units, vendors, and cloud environments. Security protocols that once sufficed in smaller or centralised organisations can become fragmented with this growth, leading to blind spots and unclear ownership. Threat actors do not target organisations according to their internal organisational chart; they exploit these gaps by attacking weak connections between teams, inconsistent controls, and slow response processes.

The organisations that succeed in managing cyber risk holistically are those that maintain clear visibility of threats end to end, regardless of team boundaries, and act decisively on access control and containment when an incident occurs. Achieving this requires streamlining fragmented processes, defining clear accountability at every level, and enabling early, informed decision-making before a cyber incident escalates into a costly regulatory, commercial, or reputational crisis.

Annual Threat Dynamics 2026: Cyber threats in motion

Contact Us

Peter Malan

Partner, Cybersecurity & Privacy Practice Leader, PwC Australia


Robert Di Pietro

Partner, Cybersecurity & Privacy, PwC Australia


Jason Smart

Director, Global Threat Intelligence Lead, PwC Australia
