Sysdig has released its 2026 Cloud-Native Security and Usage Report. It shows that organizations are moving from human-driven security operations to machine-speed detection and response.
The findings are based on an analysis of billions of software packages and hundreds of thousands of cloud identities. Sysdig claims that security teams are adapting to faster attack cycles as adversaries use artificial intelligence to exploit vulnerabilities within hours of disclosure.
Loris Degioanni, founder and chief technology officer at Sysdig, said security teams are reaching the limits of what they can handle with manual processes.
“Security teams have been optimizing human workflows, but they have reached a limit. AI-assisted threats are too fast for dashboards, alerts, and manual triage. The era of human-driven cloud security is over, and the rise of AI autonomy will define the next generation of cyber defense,” said Degioanni.
Popularization of AI
One of the report’s clearest findings is the growth of artificial intelligence software in cloud environments. AI-specific packages grew 25% year-over-year, and enterprises used six times more machine learning packages when building the secure development foundation Sysdig describes.
Despite this growth, the proportion of publicly available AI-related assets remained low. Only 1.5% is publicly accessible, suggesting a cautious approach to securing emerging AI workloads.
The report also highlighted regional differences in recruitment. European organizations accounted for over 50% of all AI and machine learning packages tracked in this study. It also accounts for over 34% of adoption of Falco, an open source runtime threat detection tool used in containers and Kubernetes environments.
This pattern suggests that regulatory and data sovereignty rules are not slowing down the adoption of AI in Europe. Rather, these requirements appear to be associated with stricter security practices and more disciplined cloud operations.
automation shift
The second theme in the report is the increased use of automated security controls. More than 70% of security teams now use behavior-based detection, and these tools protect 91% of cloud environments with high-fidelity runtime alerts, described by Sysdig.
The report also found a sharp increase in automated responses. According to Sysdig, 140% more organizations now automatically terminate suspicious processes when detection rules are triggered compared to a year ago.
This represents a notable shift in the way cloud security teams operate. Rather than having analysts review dashboards and investigate alerts before taking action, more and more companies are enabling systems to respond directly when anomalous behavior is detected.
Crystal Morin, senior cybersecurity strategist at Sysdig and author of the report, said the balance between attackers and defenders is shifting.
“Threat actors did not wait for the green light to start weaponizing AI. Defenders cannot afford to continue fighting an asymmetric battle. Organizations must rely on machine-speed defenses and automated responses if they want to close the gap,” Morin said.
growth of identity
The report points to another structural change in cloud environments: the increasing dominance of machine identities over human users. Currently, only 2.8% of managed identities across cloud assets are human users.
This reflects the proliferation of automated services, applications, bots, and software agents that require credentials to access systems and data. As organizations deploy automation tools such as AI coding agents, the number of non-human identities is growing much faster than the number of employees managing them.
This creates a different challenge for security teams than traditional identity and access management. If permissions are too broad or credentials are exposed, each machine identity can become a route to the cloud infrastructure. The report suggests that this is now one of the core issues in cloud security operations.
Sysdig’s findings come as enterprises face pressure to protect increasingly complex cloud environments without expanding their security teams at the same pace. The report shows that many are responding with a greater emphasis on runtime monitoring, automated enforcement, and systems that work without human review.
Sysdig presents this change as a practical response to shorter attack windows and increased use of AI by both defenders and attackers. Human oversight is still part of the process, but as environments grow and threats move faster, direct human control is becoming less central to day-to-day cloud defense.
