AI-Driven attacks reshape the MSP threat landscape

New research shows session hijacking surging 23%, ransomware up 190%, and non-human identities outnumbering users 25:1 as AI accelerates attacks across identity, email, and cloud environments.

  • Friday, 1st May 2026, by Phil Alsop

Guardz has released its 2026 State of MSP Threat Report, revealing how AI is rapidly reshaping the threat landscape while exposing persistent gaps in identity, authentication, endpoint and cloud security. The findings point to a growing imbalance between the speed at which threats are evolving and the ways that security operations are structured to respond, particularly for security tools that still rely on manual processes and lack agentic workflows to automate triage, enrichment, and remediation.

 

Drawing on Guardz data across SMB environments over the past two quarters, the report shows that while AI has dramatically increased the speed and scale of cyberattacks, the underlying points of compromise remain unchanged. Instead, attackers are exploiting the same weaknesses more efficiently, especially across identity systems, authentication flows, and misconfigured cloud environments.

 

Key findings from the report include:

 

Widespread Identity Compromise: 89% of monitored SMBs had at least one user with confirmed credential compromise at any given time, with nearly one-third of users (31%) exposed to compromised passwords monthly

Session Hijacking Surging: Session hijacking incidents increased by 23% over a 180-day period, emerging as the fastest-growing attack vector and enabling attackers to bypass MFA entirely

Non-Human Identities Expand Attack Surface: Machine identities now outnumber human users by 25:1 in Microsoft 365 environments, creating a largely unmonitored and high-risk entry point for attackers

Ransomware and Fileless Attacks Rise: Ransomware behavioral detections surged 190% over a 50-day window, while attackers increasingly shifted away from traditional malware toward “living-off-the-land” techniques

BEC Losses Escalate Dramatically: Confirmed business email compromise (BEC) incidents ranged from $140,000 to $1.5 million, a significant increase from the roughly $40,000 average seen in early 2025

 

The threat is particularly acute for MSPs because the attack surface is multiplied across every client they manage. The report found that RMM tool abuse was the single largest endpoint threat campaign, accounting for 26% of all detections. Tools including ScreenConnect, AteraAgent, and MeshAgent were observed being deployed for unauthorized persistent access. A single compromised MSP tool doesn't affect just one business; it opens a direct path into every client in the MSP's portfolio. The Guardz Threat Hunting team predicts MSP supply chain attacks will intensify in H2 2026 as threat actors increasingly impersonate legitimate RMM infrastructure to establish that access.

 

The report highlights a critical shift in attacker behavior: rather than expanding their reach, threat actors are increasingly deepening access within compromised accounts. This is reflected in the rise of session-based attacks, OAuth abuse, and post-authentication persistence techniques that evade traditional defenses. Simultaneously, the adoption of AI by defenders is becoming essential to keep pace. Guardz’s research shows that AI-driven detection and response systems can significantly improve speed and accuracy, enabling security teams to triage, investigate, and respond to threats at scale.

 

“Threat data shows that entry points haven’t changed; attackers are still getting in through identity gaps, weak controls, and misconfigurations, just faster and at greater scale. What determines outcomes now is how security is structured, whether signals across identity, email, endpoints, and cloud are connected and can be acted on in time,” said Dor Eisner, CEO and Co-founder of Guardz. “For MSPs, that means leveraging AI the same way attackers are, at scale, across every client environment, simultaneously. Our research shows AI-driven detection achieves 92.4% accuracy compared to 67% for human analysts alone. That gap is where MSPs either win or lose their clients' trust.”

 

The findings reinforce a central challenge facing MSPs: attackers are now using AI to move faster than any human-led security operation can match. For MSPs managing dozens of client environments with limited staff, the answer isn't more tools, but rather unified visibility and AI-assisted response that works at the same scale as threats do. The 2026 State of MSP Threat Report makes the case that for MSPs, AI is no longer optional infrastructure. It's the only way to stay ahead.

 

With AI-driven attacks accelerating across every layer of the SMB stack, understanding where the gaps are is the first step. Download the full 2026 State of MSP Threat Report for the complete findings, threat-by-threat breakdowns, and Guardz's predictions for what MSPs will face in the second half of 2026.
