AI & Emerging Tech

Most Dangerous Cyberattack Techniques in 2026: Insights from SANS

March 26, 2026 / 5 Min Read

SANS Institute researchers made an unprecedented disclosure at RSAC 2026: artificial intelligence features in every single one of this year’s five most dangerous new attack techniques. The annual threat intelligence briefing, delivered to a packed audience at Moscone West on 24 March, marked the first time AI has dominated the entire list rather than appearing as one isolated trend.

“We would be lying to you if we pointed out a trend in attacks that did not involve AI,” Ed Skoudis, SANS president and presentation moderator, told the audience. “That is just where we are in the industry.” The shift represents a fundamental break from previous years, when the five techniques typically spanned different attack categories including physical security, social engineering, network exploitation and malware deployment with perhaps one AI-related entry.

Zero-Day Research No Longer Requires Nation-State Resources

The barrier to zero-day exploitation has collapsed, according to Joshua Wright, SANS faculty fellow and senior technical director. “Zero-day exploits used to belong solely to well-funded nation-state actors stacked with sophisticated researchers,” Wright explained during the keynote. “But that barrier to entry into the zero-day game has been shattered by AI.”

This democratisation creates a direct challenge to European firms relying on “defence by obscurity” around their bespoke enterprise applications. If AI can accelerate vulnerability discovery across previously unaudited codebases, companies running custom software without regular penetration testing face substantially higher risk than they did 18 months ago. The assumption that attackers need months of reverse engineering to find exploitable flaws in niche applications no longer holds.

SANS Positions Automated Recon and Self-Rewriting Malware as Key Threats

Among the specific techniques SANS highlighted were AI-driven reconnaissance campaigns that can map enterprise attack surfaces at machine speed and malware that rewrites itself to evade detection signatures. “AI makes attackers faster automated recon, self-rewriting malware, phishing campaigns testing a thousand variants before lunch,” according to SANS research cited in the session documentation. “They’re running at machine speed, not asking for permission.”

The self-rewriting malware category deserves particular attention from Nordic security teams. Traditional signature-based detection which is still widely deployed across Scandinavian enterprises become largely irrelevant when malware can mutate its binary structure faster than signature databases update. This puts organisations that have delayed migration to behaviour-based detection at immediate disadvantage.

The Forensics Challenge That Nobody Is Talking About

Heather Mahalik Barnhart, SANS DFIR Curriculum Lead, used the session to highlight a blindspot that should concern every enterprise security team: modern threat actors are perfecting techniques to erase forensic artifacts or prevent their creation entirely. Barnhart highlighted a growing blindspot as attackers erase forensic artifacts, investigations become slower and insurance claims harder to defend.

The business implication is stark. If your organisation cannot produce a reliable forensic timeline following a breach, your cyber insurance claim becomes significantly harder to defend and regulatory reporting under frameworks like NIS2 becomes more complex. This is not a technical challenge that IT teams can solve with better logging alone, it requires legal and compliance teams to understand the evidentiary gaps that AI-accelerated attacks can create.

SANS Offers AI Defence Framework, But Reality Check Required

SANS CEO James Lyne used his separate RSAC keynote on 26 March to address what he called “The Great Cyber Misconceptions.” His message to security leaders: vendor-driven threat narratives often diverge from operational reality and organisations need to build defenses around verified attack patterns rather than hypothetical scenarios.

That sceptical approach should extend to AI defense frameworks. SANS promoted what it calls a “blueprint for secure AI deployment” throughout the conference, but any framework launched at a vendor conference deserves scrutiny before enterprise adoption. The fundamentals such as proper access controls, network segmentation and incident response procedures remain more important than AI-specific security controls that have not been tested in real breach scenarios.

What Security Teams Should Do This Week

Start with an AI inventory. Document every AI tool, service and integration currently deployed across your organisation including shadow AI usage by individual teams. If you cannot list them, you cannot secure them. Nordic companies that have allowed departments to deploy AI tools independently which is common across Swedish and Danish enterprises, need this visibility immediately.

Test your forensic readiness against evidence-destruction scenarios. Can your logging infrastructure capture sufficient detail to reconstruct an attack if the attacker deliberately targets your security tools and log aggregation systems? If the answer is uncertain, assume it cannot.

Evaluate your threat intelligence sources. If your security team relies primarily on vendor threat reports rather than government agency advisories from NCSC, CISA or MSB, you are operating with commercially motivated threat assessments rather than objective analysis.