1. Phishing & Social Engineering
Still #1 by volume and by consequence. AI-tailored phishing has roughly doubled click rates over generic blasts. The defense isn't training alone — it's phishing-resistant MFA (FIDO2, passkeys) so a clicked link doesn't equal a compromised account.
2. Credential Stuffing & Token Theft
Billions of leaked credentials are tested daily against login endpoints. Worse: session-token theft via infostealer malware bypasses MFA entirely. Controls that work: device-bound credentials, session-binding to client certificates, and short-lived tokens with refresh detection.
3. Internet-Exposed Vulnerability Exploitation
Public-facing servers with unpatched CVEs are still a top entry point. The window between disclosure and mass exploitation is usually under 72 hours. Asset inventory + an SLA on internet-exposed patches (24h critical) is non-negotiable.
4. Software Supply Chain
Compromised npm/PyPI packages, malicious GitHub Actions, and trojanized AI models. SBOMs and signed-artifact verification (Sigstore, in-toto) are the structural defenses; lockfile hygiene and pinning to immutable versions are the tactical ones.