Hacker-City
Technology | March 25, 2026 | 4 min read

SANS: Top 5 Most Dangerous New Attack Techniques to Watch

For the first time, SANS Institute's five top attack techniques all have one thing in common – AI. The cybersecurity landscape is shifting dramatically as artificial intelligence transforms both attack and defense capabilities.

Tags: SANS Institute, artificial intelligence, cybersecurity, zero-day exploits, supply chain attacks, operational technology, digital forensics, incident response, RSAC 2026, threat intelligence

The RSAC 2026 Conference in San Francisco revealed a transformative shift in the cybersecurity threat landscape. For the first time in SANS Institute's annual assessment of top attack techniques, all five identified methods share a common denominator: artificial intelligence.

"We would be lying to you if we pointed out a trend in attacks that did not involve AI," explained Ed Skoudis, SANS president and presentation moderator, during the keynote session. "That is just where we are in the industry."

Attack Technique #1: AI-Generated Zero Days Transform Threat Landscape

The exclusive domain of zero-day exploits has been fundamentally disrupted. Previously reserved for well-funded nation-state actors with sophisticated research teams, these critical vulnerabilities are now accessible through artificial intelligence assistance.

Joshua Wright, faculty fellow and senior technical director at the SANS Institute, highlighted the dramatic shift in accessibility. Independent researchers have successfully identified zero-day vulnerabilities in production software for as little as $116 in AI token costs—a fraction of the millions previously required for such discoveries.

"Attackers were already faster than us," Wright observed. "AI has made the gap unbridgeable at our current pace."

Organizations must accelerate their defensive strategies through faster patching procedures, automated systems, and AI-powered security tools if they are to keep pace with attackers who now find and weaponize vulnerabilities with AI assistance.

Attack Technique #2: Supply Chain Vulnerabilities Extend Beyond Direct Vendors

Supply chain attacks have reached unprecedented levels, affecting two-thirds of organizations within the past year. The threat extends far beyond immediate suppliers, encompassing the entire ecosystem of dependencies.

Wright cited the Shai-Hulud worm as a prime example, which infiltrated over 1,000 open source packages and compromised 14,000 credentials across 487 organizations. Additionally, a China-affiliated threat group maintained access to Notepad++ update infrastructure for six months, strategically deploying backdoors to targets in energy, finance, government, and manufacturing sectors.

"Your attack surface is not the software you chose," Wright emphasized. "It is the entire ecosystem of suppliers behind it."

Organizations should proactively prepare for supply chain compromises by requiring verifiable proof of software development processes and treating every update channel and developer tool as potential attack vectors.

Attack Technique #3: Operational Technology Faces Critical Visibility Gap

Robert Lee, SANS Institute fellow and CEO/founder of Dragos, identified a growing accountability crisis within operational technology environments. Critical evidence and network activity data frequently become unavailable following OT compromises, creating significant investigative challenges.

Lee referenced a December 2025 attack on Poland's distributed energy resources, where investigators confirmed system disruption but lacked visibility into attacker activities due to inadequate OT monitoring capabilities.

In a more concerning case, a state-level threat actor targeting critical infrastructure with destructive intent operated undetected in systems without proper monitoring. When the facility subsequently exploded a month later, investigators remained unable to determine whether the destruction resulted from the cyberattack or accidental causes.

"Governments are not going to be comfortable not knowing what happened in their critical infrastructure and why someone died," Lee stated. "That scenario is unacceptable, and it is already happening."

With agentic AI already present in OT environments, organizations must prioritize enhanced visibility into these critical systems immediately.

Attack Technique #4: AI Misuse in Digital Forensics Creates New Risks

Heather Barnhart, head of faculty and senior forensics expert at the SANS Institute, warned against the irresponsible deployment of AI in digital forensics and incident response activities.

Organizations implementing AI tools without proper training, validation frameworks, and investigative protocols risk compromising their security response capabilities and potentially creating legal vulnerabilities in forensic investigations.
