ExtraHop report says most Australian ransomware victims detect attacks after data theft


ExtraHop has released its 2026 Global Threat Landscape Report, warning that many Australian organisations affected by ransomware are discovering breaches only after data has been stolen, as attackers move faster and security teams struggle with detection and response delays.

The report says adversaries had access to enterprise networks for more than 2.5 weeks on average before being detected in ransomware incidents. It also claims 56% of Australian organisations did not detect the threat until after data was already stolen, up from 23% last year. A further 12% reportedly only became aware of an attack when they received a ransom demand, compared with 3% in the prior year.

ExtraHop’s survey data also points to AI-related systems and workflows as a growing concern. When asked which attack surfaces represent the biggest cybersecurity risk, 40% of Australian respondents cited AI agents and agentic infrastructure, while 30% pointed to generative AI applications.

According to the report, 89% of Australian respondents said they had identified security incidents, data exposures, or near misses where the root cause was an AI system. Examples listed include compromised AI identity and session theft (46%), third-party vendor or supply chain breaches linked to integrated AI or agents (44%), AI-enhanced external attacks (41%), shadow AI exposure (25%), and agentic or API logic failure (25%).

The report also highlights threat actor activity observed in Australian enterprise environments. It names Lazarus Group, which it describes as state-sponsored and tied to North Korea, and RansomHub as the two most detected groups, followed by LockBit, DarkSpectre, and Akira.

ExtraHop links delayed detection to a mix of technical and operational factors. Australian respondents cited attackers using encrypted channels to bypass detection (47%), attacker activity mirroring legitimate processes (37%), use of valid high-privilege account permissions (25%), alert fatigue (23%), and a lack of baseline behaviour that could flag anomalies (23%).

On ransomware payments, ExtraHop reports that while the average ransom payment dropped year-over-year for Australian organisations, the frequency of payment rose slightly, with 79% of victims paying compared with 76% previously. The report also claims average downtime per incident was 32 hours for Australian organisations, the highest of any region covered.

The findings also suggest that AI-enabled security operations have not eliminated manual work in incident handling. ExtraHop says Australian respondents reported mid-to-high levels of manual intervention across detection (40%), alert triage (42%), investigation (50%), and response (44%). It also found SOC analysts in Australia spend 39% of their time on proactive work such as threat hunting and detection engineering, with the rest focused on reactive tasks.

ExtraHop adds that AI implementations can contribute to operational noise. The report says 27% of respondents reported AI-generated alerts producing false positives that negatively impacted investigation timelines.

“When you look at the big picture of modern cyber risk, the thread connecting every major challenge, from missed detections and prolonged dwell times to AI false positives, is a fundamental lack of situational awareness, or ground truth,” said Raja Mukerji, Co-founder and Chief Scientist, ExtraHop. “As threat actors leverage AI to scale their operations, defenders are countering with automated operations that don’t have the context required to make definitive decisions. The network bridges this critical gap, revealing exactly how threats are moving and communicating so security teams have the full picture. Until we enrich our security tooling and AI agents with deep, real-time network context, attackers will continue to have the upper hand.”

ExtraHop said the report was conducted in partnership with Censuswide and is based on a survey of more than 1,800 security and IT leaders at organisations with more than 1,000 employees across the US, UK, France, Germany, Singapore, Australia and the UAE.

You can read the full report here.
