Recent findings from the Picus Red Report 2026 highlight a meaningful shift in attacker behaviour that security leaders cannot ignore. According to the report, classic ransomware incidents have declined by 38%, while attackers are increasingly prioritising stealth, persistence, and long-term access within compromised environments. In fact, Picus estimates that around 80% of attacker activity now focuses on remaining undetected rather than causing immediate disruption.
This evolution does not indicate reduced cyber risk. Instead, it reflects a change in attacker strategy. Quiet compromise enables threat actors to move laterally, access sensitive data, and maintain control for extended periods often without triggering traditional security alerts.
Importantly, Picus aligned its analysis to the MITRE ATT&CK framework, reinforcing a broader industry movement toward Continuous Threat Exposure Management (CTEM). The implication is clear: security validation must evolve in the same way attacker behaviour has evolved.
Why Point-in-Time Testing Falls Short
Traditional security assurance models such as annual penetration tests or periodic vulnerability scans provide only a snapshot of exposure at a single moment. In environments that change daily across cloud, identity, and applications, that snapshot quickly becomes outdated.
If attackers are operating continuously and quietly, periodic testing cannot provide reliable confidence in real-world resilience.
From Industry Insight to Practical Security
The shift described in the Picus report points toward a clear operational requirement:
organisations need continuous, evidence-based validation of their security posture, not intermittent assessment.
This is where Penetration Testing as a Service (PTaaS) becomes increasingly relevant.
Rather than producing a static report, PTaaS enables:
In the context of stealth-driven threats, this continuous approach helps organisations understand true exposure today, not what was exploitable months ago.
The Picus Red Report does more than describe attacker behaviour it signals a wider industry transition toward continuous security assurance. As threats become quieter and more persistent, confidence in security must come from continuous validation, aligned to real attack techniques.
Need a partner that’s proactive about your security?
Let’s start a conversation.
