AI-Fuelled Cyber Attacks Surge 70% as Automation Reshapes the Threat Landscape, Check Point Warns

Cyber attacks are accelerating at a pace few organisations were prepared for, driven in large part by the growing use of automation and artificial intelligence by threat actors. New findings from Check Point Software suggest that the mechanics of cybercrime are shifting rapidly, challenging long-held assumptions about how attacks are launched, scaled, and defended against.

According to the company’s Cyber Security Report 2026, organisations worldwide faced an average of 1,968 cyber attacks per week throughout 2025. That figure represents a 70% increase compared with 2023, underscoring how quickly the threat environment has intensified.

Automation Changes the Rules of Engagement

Check Point researchers say the increase is not just about volume. Automation and AI are allowing attackers to move faster, operate with greater consistency, and strike across multiple attack surfaces simultaneously.

Techniques that once required highly skilled and well-resourced groups are now more widely accessible. As a result, smaller teams and loosely organised actors are able to launch campaigns that appear highly coordinated and, in many cases, tailored to specific organisations or individuals.

“AI is changing the mechanics of cyber attacks, not just their volume,” said Lotem Finkelstein, vice president of research at Check Point Software. “We are seeing attackers move from purely manual operations to increasingly higher levels of automation, with early signs of autonomous techniques emerging.”

Risky AI Use Inside Organisations

The report also highlights a parallel risk emerging from within organisations themselves. As AI tools become embedded in everyday business workflows, they are creating new opportunities for data exposure and abuse.

Over a three-month period, 89% of organisations analysed encountered what Check Point described as risky AI prompts. Roughly one in every 41 prompts fell into a high-risk category, suggesting that sensitive information or unsafe instructions are regularly being fed into AI systems.

This internal activity widens the attack surface, particularly when employees use unsanctioned tools or fail to understand how data submitted to AI platforms may be stored, processed, or reused.

AI Across the Attack Workflow

Check Point’s researchers observed AI being applied at multiple stages of cyber operations. These included reconnaissance, where automation accelerates the mapping of targets, as well as social engineering, where AI helps craft convincing and context-aware messages.

AI is also increasingly involved in decision-making during attacks, allowing threat actors to adjust tactics in near real time. The result is more integrated campaigns that blend human deception with machine-driven efficiency.

Ransomware Becomes More Fragmented

The report notes that ransomware operations continue to splinter into smaller, more specialised groups. Rather than a handful of dominant gangs, the ecosystem is becoming decentralised, with distinct players handling access, negotiation, or infrastructure.

Extorted victims increased by 53% year on year, while the number of new ransomware-as-a-service groups rose by 50%. Check Point says AI is now being used not only for targeting but also during negotiations, helping attackers optimise pressure tactics and operational efficiency.

Social Engineering Moves Beyond Email

While phishing emails remain a staple, attackers are increasingly coordinating social engineering across multiple channels. Campaigns now routinely span email, websites, phone calls, and collaboration platforms.

Check Point highlighted a sharp rise in ClickFix techniques, which surged by 500%. These attacks rely on fraudulent technical prompts designed to manipulate users into taking harmful actions. Phone-based impersonation has also evolved, becoming more structured and closely tied to broader intrusion attempts.

The digital workspace has emerged as a focal point, mirroring the rapid integration of AI into browsers, software-as-a-service platforms, and collaboration tools.

Edge and Infrastructure Exposure

The report points to growing weaknesses at the network edge. Unmonitored edge devices, VPN appliances, and internet-of-things systems are increasingly being used as relay points during attacks.

By routing activity through these systems, attackers are able to blend malicious traffic with legitimate network flows, making detection more difficult.

Check Point also flagged risks tied to AI infrastructure itself. Analysis conducted by Lakera, a Check Point company, found security weaknesses in 40% of 10,000 Model Context Protocol servers reviewed, highlighting the exposure created as AI agents and services are embedded deeper into enterprise environments.

Reassessing Security Priorities

In response to these trends, Check Point urges security leaders to reassess controls across networks, endpoints, cloud environments, and email systems. It also points to secure access service edge as a key area requiring renewed scrutiny.

The company emphasises the need for governance and visibility into AI usage, covering both sanctioned and unsanctioned tools. Blocking AI outright, it warns, may drive risky behaviour underground rather than reducing exposure.

Additional priorities include securing the digital workspace across collaboration tools, browsers, SaaS applications, and voice channels, as well as inventorying and protecting edge assets such as VPN appliances and IoT systems. Consistent visibility and enforcement across on-premises, cloud, and edge environments is becoming essential as AI-driven threats continue to evolve.