One Thousand Days of Rising Cyber Risk: The Boardroom’s New Reality

This article was authored by Dave Burg

I recently wrote about how today’s cyber risk is defined less by breakthrough innovation and more by the industrialization of existing weaknesses. Given this, I wanted to dig a little deeper. Over a weekend I conducted some analysis on a longitudinal Aggregate Cyber Risk Index that scores six core threat vectors daily for 1,000 days on a 0–100 scale, drawing on six macro categories: active exploitation activity, identity and trust-system risk, operational disruption potential, infrastructure and supply-chain exposure, geopolitical and strategic cyber activity and the accelerating impact of artificial intelligence (AI) on offensive capability.

One Thousand Days of Rising Cyber Risk

Figure 1: Modeled Aggregate Cyber Risk Heat Map

Over the last thousand days, something fundamental has shifted in the cyber threat landscape, and the data reveals a stark pattern: cyber risk doesn’t ebb and flow, it compounds. The darkest bands on our heat map aren’t isolated spikes. We see that they are clusters, each driven by the convergence of multiple threat types. In early 2024, for example, the simultaneous exploitation of identity platforms, healthcare infrastructure and cloud providers drove cyber risk to levels with no prior precedent.

The resulting index, depicted above, shows a structural, sustained escalation of cyber risk and a clear signal that we are entering a new, more dangerous phase.

The Patterns Are Not Random

When we look back across the index, the highest-risk periods share a consistent signature: multiple macro risk factors converging simultaneously. The sustained elevations of early 2024 driven by the Ivanti Connect Secure exploitation, the Midnight Blizzard intrusion into Microsoft’s systems and the Change Healthcare disruption were not coincidental. They reflected a moment when centralized trust systems, critical healthcare infrastructure and state-sponsored adversary operations all intensified at once.

Later that same year, the Snowflake credential compromise campaign, the CDK Global outage paralyzing automotive dealerships nationwide and the CrowdStrike platform disruption created a three-month window of extraordinary operational fragility across sectors with no historical precedent. By fall 2024, the Salt Typhoon espionage campaign which embedded persistent access inside major U.S. telecommunications carriers pushed the index into high-risk territory again, this time on geopolitical and strategic grounds.

The lesson I take from a thousand days of data is that when adversaries find leverage against centralized systems, such as identity platforms, telecom carriers, cloud orchestration layers and managed service providers, the blast radius becomes an ecosystem event.

Three Forces Are Driving the New Phase

What makes the current environment different and more dangerous is the convergence of three structural forces that are now reinforcing one another.

Identity Has Become the Primary Battlefield

Across the thousand-day period, we watched a decisive shift away from malware-centric attacks toward credential theft, token abuse, MFA bypass, session hijacking and cloud identity compromise. Credential theft and cloud compromise have eclipsed malware as the attacker’s first move. This matters enormously for executives and boards: identity-based attacks are stealthier, harder to detect and create enterprise-wide exposure without triggering traditional alarm systems.

Attackers who compromise an identity can move laterally, persist quietly and escalate privileges in ways that legacy defenses simply were not designed to catch. If your organization has not treated identity security as a first-order strategic priority, the data from the past thousand days says that is the most consequential gap you have.

Operational Dependency is Now a Liability

Modern enterprises run on an interconnected web of SaaS platforms, cloud providers, telecom carriers and managed third-party ecosystems. That concentration creates extraordinary efficiency and fragility. The CDK and CrowdStrike disruptions were not inherently cybersecurity failures but were concentration-risk events. A single vendor outage can paralyze an industry overnight, as the CDK and CrowdStrike events proved.

AI Has Turbocharged the Offense

The time from vulnerability disclosure to active exploitation is now measured in minutes, not days.

The late-stage risk elevation captured in the index reflects AI-assisted exploit discovery, automated reconnaissance, machine-speed attack operations and the dramatic lowering of barriers to sophisticated offensive capability. Attackers who previously needed deep technical expertise to develop or weaponize vulnerabilities can now compress that timeline significantly. I see a lot of thought leadership describing this as a theoretical future risk but after looking at this index, it’s clear that this is measurable today and intensifying.

Boards need to ask a pointed question: where are our single points of failure, and what is our operational continuity posture if one of them goes down?

The Remediation Window Is Closing

One finding from the index deserves particular attention at the executive level; the compression of exploit weaponization timelines. Across the thousand-day period, the gap between a vulnerability being disclosed and adversaries actively exploiting it has narrowed dramatically. CrowdStrike’s 2026 Global Threat Report stated that the average eCrime breakout time in 2025 was 29 minutes. Kroll’s own report on Bridging the Cyber Resiliency Gap found that only 19% of companies believe they can respond to an incident within minutes. The operating assumption that there is time to evaluate, prioritize, test and deploy patches in a measured fashion is no longer safe.

Three Boardroom Imperatives

The remediation window is closing. Boards must act, not deliberate. Here’s what to do:

Harden Your Identity Infrastructure Now

Implement phishing-resistant MFA, enforce privileged access controls, invest in visibility and access enforcement of cloud and non-human identities including agentic identities, and establish a clear response playbook for credential compromise. Identity is where the largest share of high-impact intrusions began over the past thousand days, and that will only escalate with increased adoption of AI models.

Audit Your Supply Chain and Third-party Concentration Risk

Identify and stress-test your single points of failure. Map your critical operational dependencies. This includes every SaaS platform, managed service provider, cloud ecosystem and telecom carrier your business cannot function without, and stress-test your resilience posture against their failure. This is a board-level conversation, not an IT conversation.

Integrate AI Into Defense, Before It’s Used Against You

The organizations that will navigate the next phase of cyber risk most effectively are those that build AI into their defense posture now while simultaneously ensuring they are not introducing AI into operations before the security fundamentals are in place. Anything less is an open invitation to disaster.

The Data Has Spoken

A thousand days of aggregate cyber risk data does not lie. Cyber risk is a persistent, systemic operational resilience challenge that belongs to the agenda of every board, every CEO and every CFO in every sector. The elevated index readings we are seeing today are not noise and reflect a structural acceleration driven by faster adversaries, more concentrated dependencies and AI-amplified offensive capability.

The organizations that survive this new phase won’t be the biggest or the most technologically advanced: they’ll be the fastest to adapt. The data is clear. The time to act is now.

Connect with Us

Dave Burg

Global Group Head of Cyber and Data ResilienceWashington DC

Dave Burg [email protected]+1 2024491844

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.

Learn more