The Attacker Was Already Inside: Reading the 2026 Financial Services Threat Report as a Defender

TLDR: CrowdStrike’s 2026 Financial Services Threat Landscape Report confirms what offensive practitioners already know: attackers are spending more time inside networks, moving faster, and targeting the things that matter most. The compliance checklist won’t stop them. This post breaks down what the report actually means for defenders and where to focus first.


Financial institutions have never faced a more operationally complex threat environment. The recently released CrowdStrike 2026 Financial Services Threat Landscape Report covers activity from April 2025 through March 2026, and its findings are worth sitting with carefully, not for the alarming statistics but for what they reveal about how attackers are operating and what defenders need to stop treating as optional.

Financial institutions experienced 43% more hands-on-keyboard intrusions in 2025 than two years earlier. In North America specifically, the number was 48%. That trend deserves more attention than it typically gets. Hands-on-keyboard intrusions mean a human operator is inside your environment, making real-time decisions, adapting to your defenses, and pursuing specific objectives. These are not automated scans or commodity malware infections that your EDR catches and quarantines. They are skilled adversaries doing exactly what a red team does, except with intent to cause harm.

The report also notes that financial services ranked as the fourth most targeted sector, accounting for 12% of total observed activity by Q1 2026. For an organization in this sector, that is not an abstract statistic. It means your environment is being studied, probed, and in some cases already accessed by adversaries who understand your architecture better than many of your internal teams do.


The Threat Mix Has Changed

One of the more operationally significant findings in the report is the diversity of adversary motivation. Defenders tend to think about ransomware groups because ransomware is loud and disruptive. But the 2026 threat picture is substantially more complicated.

In 2025, targeted intrusion activity against the financial services sector was driven by a range of strategic objectives. China-nexus adversaries posed the most significant espionage threat, consistently exploiting edge devices to target financial institutions for economic intelligence collection. DPRK-nexus adversaries stole a record $2.02 billion in digital assets. Non-state hacktivist groups conducted widespread DDoS campaigns and data breach operations driven by geopolitical conflicts.

This matters for defenders because these threat actors require different defensive priorities. A ransomware group and a nation-state intelligence collection operation enter your environment differently, move differently, and pursue different objectives. A security program built entirely around detecting ransomware deployment will miss the Chinese state actor that has been quietly collecting economic intelligence from your investment management division for months. That kind of intrusion does not announce itself.


What the Report Confirms About Attack Paths

Across the adversary profiles in the report, several consistent entry points and techniques emerge.

Edge devices remain a preferred initial access vector. Financial sector intrusions increasingly begin with the exploitation of vulnerable edge devices, VPN appliances, internet-facing systems, and virtual infrastructure. This is not new information, but it persists as a gap because patching and monitoring perimeter infrastructure consistently falls behind the pace at which adversaries identify and exploit vulnerabilities in it.

Social engineering and identity abuse are equally persistent. The most active threat to the financial services sector during the reporting period gained initial access primarily through voice phishing campaigns over Microsoft Teams, often impersonating internal IT support to manipulate users into resetting credentials and MFA. This technique bypasses email-based defenses entirely and exploits the help desk workflows organizations depend on. It works repeatedly because organizations have not built adequate identity verification controls around those workflows.

Supply chain and trusted software paths represent a third category worth specific attention. The largest single financial theft reported to date during this period was executed by compromising a digital asset management platform: a software developer’s machine was compromised via a trojanized Python project, likely delivered through social engineering, and development credentials were exfiltrated from it. The attack did not start at the financial institution. It started at a trusted third party and traveled inward through access that the institution had granted and was not monitoring closely.


What Defenders Should Actually Do

The report’s recommendations map directly to where offensive assessments consistently find the largest gaps. Rather than restate them generically, it is worth being specific about what these recommendations require in practice.

Defending against social engineering and identity-based access abuse requires more than security awareness training. Training tells employees not to give out passwords. Adversaries are not asking for passwords. They are calling the help desk, claiming to be a traveling executive locked out of their MFA device, and exploiting the fact that help desk staff are trained to be helpful. The control that stops this is a verified callback procedure with an out-of-band authentication step, applied consistently to every privileged account reset request. Most organizations have a policy. Far fewer have an enforced process.
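One way to turn the help desk control described above into an enforced, deny-by-default decision rather than a policy document. This is an added illustration, not code from the report or from Satine; the directory entries, field names and the manager-of-record approval rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory of record. The callback number comes only from here,
# never from the caller; "privileged" marks accounts that need the extra step.
DIRECTORY = {
    "cfo":      {"phone": "+1-404-555-0100", "privileged": True,  "manager": "ceo"},
    "analyst1": {"phone": "+1-404-555-0142", "privileged": False, "manager": "cfo"},
}

@dataclass
class ResetRequest:
    user: str
    channel: str                                  # "teams_call", "phone", ... (logged, not trusted)
    caller_supplied_phone: Optional[str] = None   # number the caller asked the agent to dial
    callback_number_used: Optional[str] = None    # number the agent actually dialed
    oob_approver: Optional[str] = None            # who confirmed on a second channel
    oob_confirmed: bool = False

def evaluate_reset(req: ResetRequest) -> Tuple[bool, List[str]]:
    """Deny-by-default decision for a credential/MFA reset request.
    Returns (approved, reasons); an empty reasons list means every check passed."""
    reasons: List[str] = []
    rec = DIRECTORY.get(req.user)
    if rec is None:
        return False, ["unknown user"]
    # An inbound Teams or phone call proves nothing by itself; identity is only
    # established by the agent calling the directory number of record back.
    if req.callback_number_used != rec["phone"]:
        reasons.append("callback not made to number of record")
    if req.caller_supplied_phone and req.caller_supplied_phone != rec["phone"]:
        reasons.append("caller supplied a number that differs from the directory")
    # Privileged accounts (the "travelling executive locked out of MFA" case)
    # additionally need an out-of-band confirmation from the manager of record.
    if rec["privileged"] and not (req.oob_confirmed and req.oob_approver == rec["manager"]):
        reasons.append("privileged reset lacks out-of-band manager confirmation")
    return (not reasons), reasons

if __name__ == "__main__":
    # Constructed vishing scenario: caller asks to be called back on their own number.
    vishing = ResetRequest("cfo", "teams_call",
                           caller_supplied_phone="+1-404-555-0199",
                           callback_number_used="+1-404-555-0199")
    print(evaluate_reset(vishing))
```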

Prioritizing edge device patching and monitoring sounds obvious until you look at how most organizations actually handle perimeter infrastructure. Patch cycles that work for endpoint operating systems do not keep pace with the cadence at which VPN appliances, firewalls, and load balancers receive critical vulnerability disclosures. These devices also often lack the logging and detection coverage that endpoints have, which means when an adversary exploits one, defenders frequently have no visibility into what happened next. Extending detection coverage to these environments, not just patching them, is what makes the difference.

Strengthening resilience around high-value systems requires first knowing what those systems are. Organizations need to strengthen data access governance, segment payment and transaction systems, monitor access to sensitive data stores, and test incident response and recovery plans against disruptive scenarios. An intelligence-led approach helps organizations focus on the adversaries, access paths, and systems most likely to be targeted, rather than spreading defenses too broadly.


The Underlying Problem the Report Does Not State Directly

CrowdStrike’s report is written carefully and its recommendations are sound. What it does not say directly is that most of the gaps it identifies are not gaps in security products. They are gaps in security testing. Organizations do not know that their help desk verification process will fail under a sophisticated vishing call because they have never tested it under realistic adversary conditions. They do not know which of their edge devices have active exploitation paths because their annual vulnerability scan does not simulate how an attacker would chain vulnerabilities together. They do not know which of their vendors have access to their most sensitive systems because they have never mapped third-party access against their most critical assets.

The 2026 threat landscape for financial services demands continuous, intelligence-driven defense rather than reactive posture. That kind of defense is built on a foundation of knowing where you are actually exposed, not where your policy says you are protected. That knowledge comes from offensive assessment conducted with attacker-level rigor, not from compliance frameworks or vendor dashboards.

The adversaries documented in this report are patient, skilled, and well-resourced. Some of them have been operating in the financial sector for years. The organizations that will limit their impact are the ones that test themselves before the attackers do.


One Thing Security Leaders Can Do Today

Read the report. Not the executive summary. The full report.

CrowdStrike’s 2026 Financial Services Threat Landscape Report is available at no cost and contains specific adversary profiles, attack techniques, and defensive recommendations grounded in observed activity over the past 12 months. The adversary profiles alone, particularly the DPRK-nexus and China-nexus sections, offer a level of operational detail that most internal threat briefings never surface.

After reading it, take one concrete step: map the top three attack paths described in the report against your own environment and ask, honestly, whether your current controls would detect or interrupt each one. Not whether a policy exists that addresses them. Whether the actual technical and procedural controls you have in place today would stop a skilled human operator executing those techniques against you.

If you cannot answer that question with confidence, that is the starting point.

Access the full CrowdStrike 2026 Financial Services Threat Landscape Report here: https://www.crowdstrike.com/resources/reports/


Satine Technologies is a veteran-owned offensive cybersecurity firm founded by former U.S. Cyber Command operators. We help organizations understand their security from an attacker’s perspective, across assessment, incident response preparedness, strategic advisory, and response. Learn more at satinetech.com.
