Cyber Index #62 - Phishing cost per analyst, AI attackers level up, and the insecure-code reality
This week's Cyber Index roundup: 13 reports on rising phishing costs, AI attackers leveling up, insecure AI-generated code, agent-security gaps, and AI governance falling behind.
This Week’s Cybersecurity Eye-Openers
A more typical week for research after the early-summer lull, with 13 new reports landing in the feed. The throughline is AI on both sides of the fight: attackers are measurably more capable, AI-written code is shipping faster than anyone can review it, and AI governance keeps lagging behind deployment. Three stats that stood out:
1. Phishing is eating more of your team’s time and budget
Handling potential phishing now consumes 36.5% of a security team’s working hours, up from 33.5%, and costs $51,948 per analyst per year.
2. AI-powered attackers leveled up fast
In Anthropic’s study of 832 accounts banned for malicious cyber activity, the share rated medium-risk or higher jumped from 33% to 56% in six months, and 67.3% were using AI to write malware.
3. AI-generated code is shipping faster than it’s reviewed
67% of organizations say AI coding assistants are now everywhere, yet 38% still review that code by hand and 29% call insecure patterns their top new risk.
Big Picture Reports
The Security Maturity Benchmark Report (AlertMedia)
Data on what separates the security teams that stay ahead of threats from the ones perpetually playing catch-up.
You’re probably less ready than you think:
- 92% of organizations have experienced consequences tied to security readiness gaps.
- Only 31% operate a centralized, highly automated security ecosystem.
- 47% say they would not respond to a serious security incident as quickly as they should.
AI Governance & Risk
CISO Pulse Check Report: AI, the New Superpower and the New Super-Risk (Sprinto)
More than a third of US organizations have already dealt with a major AI security incident, and most CISOs are at least tracking AI as a dedicated risk now.
The incidents are already happening:
- More than 30% of US organizations report a major AI-related security incident in the past 12 months.
- Nearly 70% of US CISOs and senior security leaders are actively following AI-related regulations or standards.
- Over half of US CISOs track AI as a dedicated risk category.
2026 AI Maturity Report (Ivanti)
Organizations are deploying AI broadly. Governance is a long-tail priority.
Speed over governance:
- 56% of organizations now deploy AI broadly across multiple IT workflows or at business-critical scale.
- 68% of IT professionals have personally seen AI generate hallucinations with potential operational impact.
- Only 24% say AI policies are followed very consistently in day-to-day work.
The State of Enterprise Agentic AI in 2026: Agentic Reality Check (ChapsVision)
AI agents sound great, but almost nobody has made them deliver business value at scale, and the hype is eroding trust.
The pitch doesn’t match production:
- Only 10% of large enterprises have moved autonomous AI agents from pilot into full-scale production.
- 88% of executives say agent-washing has negatively affected their trust in AI broadly.
- 86% cite reliability, security, privacy, and accuracy as the top blockers to implementation.
The Data & AI Trust Gap (Veeam)
Most organizations can’t see what their AI systems are doing, can’t reliably stop a rogue agent, and aren’t sure they have a full inventory of their AI.
Nobody knows what they have:
- 88% of organizations are already using or piloting AI agents.
- Only 28% are confident they can detect AI systems operating outside approved parameters.
- Only 25% of organizations running AI can identify, within minutes, which actions an AI took.
AI Threats & Agent Security
AI Risk Quadrant for Agent Security (Adversa AI)
Most claims about AI agent defenses turn out to be unverifiable.
Don’t believe the marketing:
- 83% of claimed AI agent defenses are not publicly verifiable.
- 38% of AI agents complete irreversible actions before any monitoring path can plausibly fire.
- More than a third of agents score well on logging and observability while scoring poorly on the four defense components that actually prevent or limit harm.
What We Learned Mapping a Year’s Worth of AI-Enabled Cyber Threats (Anthropic)
Anthropic analyzed 832 accounts banned for malicious cyber activity and mapped the attacker techniques to the MITRE ATT&CK framework.
Threat actors got better in six months:
- 67.3% of the banned accounts were using AI to write malware.
- The share of actors rated medium risk or higher rose from 33% to 56% across the two six-month periods studied.
- AI use for account discovery rose notably while AI-assisted phishing fell.
AI-Generated Code
AI Coding Assistants and the New Security Challenge (Salt Security)
Nearly every development team is using AI to write code now, and security teams are not thrilled about it.
Code quality is suspect:
- 67% of organizations report AI coding assistants are now widely adopted across development teams.
- 38% still rely primarily on manual review for AI-generated code.
- 29% of security leaders name insecure coding patterns as the leading risk introduced by AI coding assistants.
What’s In America’s Code? (Booz Allen)
Some Chinese AI models appear to change their behavior depending on whether you mention working for the US government.
Some models may have an agenda:
- Three of four Chinese LLMs generated hidden security vulnerabilities when prompted with a US government persona.
- All four Chinese-built models refused to generate code for mock US government tasks Beijing would oppose.
- When one model was told the code was for a US government agency, it produced significantly more vulnerabilities than for the same task without that context.
Phishing
The (Higher) Business Cost of Phishing (IRONSCALES)
Phishing is taking up more of security teams’ time than ever, even as they get faster at remediation.
Working harder for the same result:
- Phishing consumes 36.5% of security team working hours, up from 33.5% three years ago.
- Phishing costs $51,948 per security analyst annually, a 13.6% increase from $45,726 in 2022.
- Teams remediate phishing incidents 16% faster but spend 9% more of their annual hours on remediation.
Enterprise Perspective
The State of Physical Security Operations in 2026 (HiveWatch)
A benchmark of how enterprise physical security programs perform against operational reality.
A lot of the signal is noise:
- Large enterprises report false alarm rates approaching 44%.
- Nearly 30% of organizations rely on manual device health checks instead of fully automated monitoring.
- 97% of US-based physical security operations professionals are using or actively evaluating AI.
The 2026 State of Digital Risk Report (Outtake)
A benchmark of how enterprises handle digital risk, and how far behind most of them are.
Most never see it coming:
- 84% of organizations experienced material digital risk incidents in the past year.
- 44% say AI-generated attacks are already indistinguishable from legitimate activity.
- 53% had an executive or employee impersonated in the past year.
Industry-Specific
2026 State of Financial Services: The Dual Storm of Ransomware and Vendor Ecosystem Risk (Black Kite)
Direct ransomware attacks on banks are climbing again, but the bigger problem sits in the supply chain.
Hit from two directions:
- Half of all financial services vendors carry high-severity CVEs.
- From 2024 to 2025, the number of critical vulnerabilities across vendors serving the financial sector increased 387%.
- Critical-level patch management failures were present in 78% of vendors whose client base is meaningfully concentrated in finance.
