The 2026 Lumen Defender Threatscape Report argues that the most critical threat signals now reside not on endpoints but upstream in the network fabric itself. The report, authored by Lumen’s threat research division, Black Lotus Labs, draws on the company’s position as a major internet backbone operator to document how cybercriminals have evolved into highly coordinated “heist crews” using disguised proxies, compromised edge devices and generative AI to pre‑stage attacks.
The report says attackers increasingly target internet‑exposed edge infrastructure—routers, VPN gateways and firewalls—bypassing mature endpoint detection and response (EDR) controls.
Generative AI is being used to automate the creation and rotation of malicious infrastructure, shortening the window between exposure and impact. The report also highlights the rise of residentially disguised proxies, where hijacked SOHO devices are weaponised to mimic legitimate residential traffic and evade Zero Trust and geolocation checks.
Asia Pacific’s heterogeneous, highly distributed environments—branch offices, manufacturing sites, regional data centres and partner ecosystems—amplify these risks. Rapid AI adoption in the region is reshaping the threat landscape, with IDC identifying AI‑enhanced phishing and impersonation, large‑language‑model prompt attacks and AI‑powered ransomware with real‑time negotiation among the top AI‑driven threats to APAC businesses.
“Asia Pacific organisations are navigating a threat landscape that is growing in both scale and sophistication, with attackers operating well upstream of traditional defences,” said Wai Kit Cheah, APAC CISO & connected ecosystem leader at Lumen.
“The 2026 Defender Threatscape Report reinforces that effective defence now begins before the attacker reaches the enterprise. Network‑layer visibility upstream gives security teams the ability to detect and disrupt adversaries earlier and at scale.”
The report profiles several high‑profile campaigns, including Raptor Train, a nation‑state botnet leveraging over 200,000 IoT devices; the Kimwolf DDoS botnet, which scaled to hundreds of thousands of bots in weeks; and Rhadamanthys, a large “malware‑as‑a‑service” platform with subscription‑style offerings.
“Threat intelligence is needed to find the adversary as early as possible and as close to the point of origination as possible,” said Chris Kissel, vice‑president of Security & Trust at IDC. “Lumen’s massive infrastructure and the quality of Black Lotus Labs provide optimal visibility of the IP backbone, greatly reducing the odds of successful cyber‑attack campaigns.”