Nine emerging technologies are reshaping the cyber threat landscape, with AI-enhanced attacks and IoT botnets already reaching commodity status while quantum computing and brain-computer interfaces remain nation-state research domains. This mapping reveals a clear bifurcation: AI and IoT threats are democratizing rapidly across all actor types, while quantum, space, and bionic threats remain highly specialized. The most urgent finding is that 80%+ of phishing now uses AI assistance (ENISA 2025), and nation-states are actively harvesting encrypted data for future quantum decryption.
1. AI Supported
commodity-level threat enabling social engineering at scale
AI-enhanced attacks have reached commodity maturity faster than any other emerging technology, with malicious LLMs like WormGPT available for €60/month with customer support. The democratization is complete—script kiddies now deploy AI-generated phishing indistinguishable from legitimate corporate communications.
TLCTC Clusters Enabled:
- #9 Social Engineering (Primary): ENISA confirms 80%+ of phishing emails use AI; CrowdStrike reports 442% increase in voice phishing between H1/H2 2024
- #7 Malware: WormGPT generates polymorphic malware with evasion capabilities; malware code quality improving rapidly
- #4 Identity Theft: Deepfake fraud confirmed in $25.5 million Arup incident (February 2024) via multi-person video call impersonation
- #2/#3 Exploiting Server/Client: AI vulnerability discovery achieving 87% success rate on one-day CVEs in research settings
| Capability | Maturity | Evidence |
|---|---|---|
| AI Phishing/BEC | Commodity | WormGPT, FraudGPT on darknet; ENISA 80%+ statistic |
| Deepfakes | Established | Arup $25.5M; Ferrari CEO attempt; 1,740% increase in North America 2022-23 |
| AI Malware | Established | Polymorphic code generation; requires human refinement |
| AI Vuln Discovery | First Movers | Google Big Sleep found first AI zero-day in SQLite (2024) |
Actor Types: N, E, F, H, A — Microsoft documented Forest Blizzard (Russia/GRU) and Charcoal Typhoon (China) using LLMs for reconnaissance. Financial fraud groups are primary deepfake operators.
Trend: ↑ Up
2. Agentic AI
research demonstrates capability but no confirmed malicious deployment
Autonomous AI agents that independently navigate networks, exploit vulnerabilities, and escalate privileges represent the next evolution—but remain in the research-to-deployment gap. University of Illinois demonstrated 53% zero-day exploitation success with hierarchical agent teams (HPTSA) at approximately $24 per attempt.
TLCTC Clusters Enabled:
- #2 Exploiting Server (Primary): Autonomous web application exploitation demonstrated
- #1 Abuse of Functions: Agent-driven privilege escalation and lateral movement
- #7 Malware: Morris 2.0 AI worm concept demonstrated—self-propagating through email systems
- #10 Supply Chain Attack: Theoretical automated targeting of software dependencies
| Capability | Maturity | Evidence |
|---|---|---|
| Autonomous Hacking Agents | First Movers | HPTSA 53% zero-day success; NSA developing APT platform |
| Self-Directed Attack Chains | Not Seen | Morris 2.0 research demo only; no wild deployment |
| Autonomous Network Navigation | Specialized | Defensive tools (PentAGI, Tanuki) demonstrate capability |
Actor Types: N — Nation-states developing capabilities; no confirmed attribution to specific attacks yet
Trend: ↑ Up (accelerating)
3. Quantum Computing
"harvest now, decrypt later" is an active intelligence operation
Nation-states are currently stockpiling encrypted data for future quantum decryption—this is not theoretical. The Federal Reserve confirms ongoing collection, and expert consensus places cryptographically relevant quantum computers at 2030 ± 2 years with ~34% probability by 2034.
TLCTC Clusters Enabled:
- #4 Identity Theft (High): Digital signatures and PKI infrastructure compromise would enable mass identity impersonation
- #5 Man in the Middle (High): Breaking TLS/SSL key exchange (RSA, ECDH) enables retrospective decryption of harvested traffic
- #10 Supply Chain Attack (High): Code signing, firmware validation, software verification all rely on quantum-vulnerable algorithms
- #1 Abuse of Functions (Medium): Forged authentication tokens enabling unauthorized access
| Capability | Maturity | Timeline |
|---|---|---|
| HNDL Data Collection | Active Now | NSA, Federal Reserve confirm ongoing |
| CRQC Capability | First Movers | ~34% probability by 2034 (GRI 2024) |
| PQC Standards | Available | NIST FIPS 203, 204, 205 finalized August 2024 |
Actor Types: N — China and Russia identified as primary actors; $15 billion Chinese government quantum investment; China first to deploy operational quantum satellite network
Trend: ↑ Up (accelerating)
4. Quantum Sensing
nation-state surveillance capabilities emerging from research
Quantum sensors exploit quantum mechanics for unprecedented measurement precision—enabling advanced side-channel attacks, counter-stealth detection, and physical security bypass. Germany's Cyberagentur is actively researching quantum sensor side-channel attacks on microchips.
TLCTC Clusters Enabled:
- #8 Physical Attack (High): Detection/bypass of physical security systems; DARPA states quantum sensing will enable "tracking things virtually anywhere, anytime"
- #5 Man in the Middle (High): Detecting electromagnetic emanations from computing devices to extract encryption keys
- #1 Abuse of Functions (Medium): Enhanced reconnaissance capabilities for targeted access
| Capability | Maturity | Status |
|---|---|---|
| Quantum Side-Channel | First Movers | German SCA-QS program active; TRL 3-4 |
| Quantum Radar | First Movers | China claims 100km prototype; Western skepticism |
| Quantum Navigation/PNT | First Movers | GPS-denial resilience applications |
Actor Types: N — DARPA Strategic Technologies Office, China's CETC, UK Quantum Sensing Initiative; no non-state actor access
Trend: ↑ Up
5. IoT/Edge
commodity botnets and critical infrastructure compromise
IoT represents the most mature emerging technology threat with Mirai code in 72% of new IoT malware. Edge devices are now the #1 initial access vector per Darktrace 2024, with Volt Typhoon maintaining 5+ year persistence in US critical infrastructure.
TLCTC Clusters Enabled:
- #6 Flooding Attack (DDoS) (Primary): Mirai variants power massive DDoS; Gayfemboy, LZRD, Murdoc_Botnet active in 2024-25
- #7 Malware: FrostyGoop caused 600+ heating outages in Ukraine (January 2024); PIPEDREAM/Incontroller targeting ICS
- #2 Exploiting Server: CVE-2024-21762 (Fortinet), CVE-2024-3400 (Palo Alto) enable unauthenticated RCE on edge devices
- #8 Physical Attack: ICS manipulation—Cyber Av3ngers attacked Unitronics PLCs at water utilities (2023-24)
| Capability | Maturity | Evidence |
|---|---|---|
| IoT Botnets (Mirai) | Commodity | Source code public since 2016; BaaS available |
| Edge Device Exploitation | Established | 40% of H1 2024 attacks targeted internet-facing devices |
| IIoT/OT Attacks | Established | 241 new ICS-CERT advisories 2024; Volt Typhoon 5-year persistence |
Actor Types: N, E, H, A — Volt Typhoon (China) in critical infrastructure; Cyber Av3ngers (Iran-affiliated) targeting water utilities; script kiddies deploying Mirai variants
Trend: ↑ Up
6. Robotics
drones are established threat while industrial robots remain first movers
Drone-based attacks are now established with confirmed credential theft, military base incursions, and physical payload delivery. Industrial robot manipulation remains largely theoretical despite demonstrated vulnerabilities.
TLCTC Clusters Enabled:
- #8 Physical Attack (Primary): Drone smuggling (37 kg of heroin in India), explosive delivery, November 2024 UK military base coordinated incursions
- #5 Man in the Middle: Drones with Wi-Fi Pineapple for airborne credential theft—confirmed at an East Coast investment firm
- #4 Identity Theft: Airborne credential harvesting via network spoofing
- #2 Exploiting Server: Autonomous vehicle telematics—409 incidents in 2024 (up from 295 in 2023)
| Capability | Maturity | Evidence |
|---|---|---|
| Drone-Based Attacks | Established | 100+ incidents tracked; Nov 2024 UK military base events |
| Industrial Robot Manipulation | First Movers | ABB IRB140 research demo; no confirmed attacks |
| Autonomous Vehicle | Specialized | CDK Global ransomware $1.02B impact; research exploits |
Actor Types: N, E, F, H for drones — Modified COTS drones probed UK/US military bases; criminal smuggling operations confirmed; N only for industrial robots
Trend: ↑ Up (drones)
7. Bionics
14 years of demonstrated vulnerabilities, zero confirmed lethal attacks
Medical implant vulnerabilities have been demonstrated since 2011 (Black Hat insulin pump hack), yet no confirmed lethal cyberattacks have occurred. FDA FDORA requirements (March 2023) now mandate cybersecurity plans for all networked medical devices. Brain-computer interfaces represent the highest theoretical stakes, with Neuralink human trials beginning January 2024.
TLCTC Clusters Enabled:
- #3 Exploiting Client (Primary): Firmware exploitation, unsigned updates, Bluetooth vulnerabilities in BCIs
- #8 Physical Attack: Demonstrated ability to manipulate pacemaker shocks, insulin dosages—potentially lethal
- #5 Man in the Middle: Wireless communications interception between implant and programmer device
- #4 Identity Theft: BCI research shows neural data could reveal PINs, passwords, geographic location
| Capability | Maturity | Evidence |
|---|---|---|
| Pacemaker/Defibrillator | Specialized | Black Hat 2018 demo; FDA 500K Abbott recall; no attacks |
| Insulin Pumps | Established | 2011 demo; FDA warnings; Medtronic exchanges; no attacks |
| BCIs/Neural Implants | First Movers | Neuralink human trial 2024; academic vulnerability research |
| Cochlear Implants | Not Seen | Theoretical only; no confirmed vulnerabilities exploited |
Actor Types: N (theoretical) — Dick Cheney had his defibrillator's wireless function disabled over assassination concerns; only researcher activity is confirmed
Trend: ↑ Up
8. XR/Spatial
vulnerabilities discovered within months of device launches
Apple Vision Pro received multiple CVEs within six months of its February 2024 launch, including GAZEploit (CVE-2024-40865) which allowed inferring virtual keyboard inputs by analyzing avatar gaze patterns. INTERPOL launched a Metaverse Expert Group (October 2022) and published a "Metacrime" White Paper (January 2024).
TLCTC Clusters Enabled:
- #3 Exploiting Client (Primary): "Inception attacks" on Meta Quest; GAZEploit on Vision Pro; CVE-2024-27812 "first spatial computing hack"
- #4 Identity Theft: Biometric data harvesting (eye tracking, movement patterns, voice); Optic ID exposure
- #9 Social Engineering: Immersive phishing, avatar impersonation, documented grooming/radicalization in metaverse platforms
- #5 Man in the Middle: ARSpy demonstrated real-time location tracking via network traffic
| Capability | Maturity | Evidence |
|---|---|---|
| VR Platforms (Meta Quest) | Specialized | University of Chicago "Inception attack" 2024 |
| Apple Vision Pro | Specialized | GAZEploit, CVE-2024-27812; multiple patches within 6 months |
| Metaverse Platforms | Established | INTERPOL "Metacrime"; British police virtual rape investigation 2024 |
Actor Types: F, H, A — Fraud groups targeting virtual assets; extremist recruitment on gaming platforms (Australian Federal Police warning); harassment actors documented
Trend: ↑ Up
9. Space/Satellite
Viasat attack demonstrated devastating ground-to-orbit reach
The Viasat KA-SAT attack (February 24, 2022) remains the defining satellite cyber incident—Russian GRU (Sandworm) wiped 40,000-45,000 modems via AcidRain malware, disrupting Ukrainian military communications and disabling 5,800 German wind turbines. GPS spoofing incidents increased 500% in 2024, affecting 1,500 flights daily.
TLCTC Clusters Enabled:
- #7 Malware: AcidRain wiper deployed via Viasat ground infrastructure; Secret Blizzard targeting Starlink-connected devices
- #5 Man in the Middle: GPS spoofing creating false positioning—430,000 incidents in 2024 per IATA
- #6 Flooding Attack: Viasat attack included sustained DDoS; Killnet 41% Starlink disruption
- #8 Physical Attack: Cyber-ASAT can cause satellite collisions via manipulated situational awareness
- #10 Supply Chain Attack: Viasat exploited software update delivery mechanism; Starlink $25 modchip attack
| Capability | Maturity | Evidence |
|---|---|---|
| Ground Station Attacks | Specialized | Viasat attributed to Russian GRU; APT capability required |
| GPS Spoofing/Jamming | Established | 46,000 Baltic incidents; Israel operational use since Oct 2023 |
| LEO Constellation Attacks | Specialized | Starlink vulnerabilities; Killnet DDoS; Secret Blizzard targeting |
Actor Types: N, H — Russian GRU (Sandworm) for Viasat; Israeli Defense Forces GPS spoofing; Killnet hacktivist DDoS on Starlink
Trend: ↑ Up (Space ISAC maintains Level 3/High)
Maturity and actor distribution reveal technology democratization patterns
The research reveals a clear pattern: technologies requiring significant infrastructure investment (quantum, space, bionics) remain nation-state domains, while software-centric technologies (AI, IoT) rapidly democratize to all actor types.
| Technology | Maturity | Actors | Key Differentiator |
|---|---|---|---|
| AI Supported | Commodity | N,E,F,H,A | Low barrier via darknet LLMs |
| IoT/Edge | Commodity | N,E,H,A | Public Mirai source code |
| Robotics (Drones) | Established | N,E,F,H | COTS availability |
| XR/Spatial | Specialized | F,H,A | Platform vulnerabilities |
| Space/Satellite | Specialized | N,H | Ground station access required |
| Bionics | Specialized | N | Medical device complexity |
| Agentic AI | First Movers | N | Research-to-deployment gap |
| Quantum Computing | First Movers | N | $15B+ infrastructure investment |
| Quantum Sensing | First Movers | N | Laboratory-only capability |
All nine technologies show upward trends, with AI-supported attacks and GPS spoofing experiencing the most dramatic increases (80%+ AI phishing, 500% GPS spoofing growth). The convergence of cyber and physical threats—demonstrated by Amazon's June 2025 research on Iranian cyber-enabled kinetic targeting—represents an emerging paradigm requiring integrated security approaches.
Conclusion
The TLCTC mapping reveals that Social Engineering (#9), Malware (#7), and Man in the Middle (#5) are the most frequently enabled clusters across emerging technologies, while Physical Attack (#8) is uniquely enabled by IoT/OT, robotics, bionics, quantum sensing, and space systems. Organizations should prioritize: immediate AI-enhanced phishing defenses, accelerated post-quantum cryptography migration planning, and critical infrastructure OT security given Volt Typhoon's confirmed 5-year persistence. The 12-24 month window before agentic AI deployment and the ~2030 quantum computing timeline provide actionable planning horizons.
References
- Kreinz, B. Top Level Cyber Threat Clusters (TLCTC), White Paper V1.9.1.
- ENISA. Threat Landscape 2025 Report.
- CrowdStrike. 2025 Global Threat Report.
- Microsoft Security. Staying ahead of threat actors in the age of AI, Feb 2024.
TLCTC Actor Enabler Radar: structured data for visualization
```json
{
  "instances": [
    {"uid": "ai-c9-l1", "typeId": "AI", "cellKey": "l1-c9", "activeActors": ["N", "E", "F", "H", "A"], "trend": "up"},
    {"uid": "ai-c7-l1", "typeId": "AI", "cellKey": "l1-c7", "activeActors": ["N", "E", "F", "H", "A"], "trend": "up"},
    {"uid": "ai-c4-l2", "typeId": "AI", "cellKey": "l2-c4", "activeActors": ["N", "E", "F"], "trend": "up"},
    {"uid": "ai-c2-l4", "typeId": "AI", "cellKey": "l4-c2", "activeActors": ["N"], "trend": "up"},
    {"uid": "ai-c3-l3", "typeId": "AI", "cellKey": "l3-c3", "activeActors": ["N", "E"], "trend": "up"},
    {"uid": "ag-c2-l4", "typeId": "Ag", "cellKey": "l4-c2", "activeActors": ["N"], "trend": "up"},
    {"uid": "ag-c1-l4", "typeId": "Ag", "cellKey": "l4-c1", "activeActors": ["N"], "trend": "up"},
    {"uid": "ag-c7-l4", "typeId": "Ag", "cellKey": "l4-c7", "activeActors": ["N"], "trend": "up"},
    {"uid": "qc-c4-l4", "typeId": "QC", "cellKey": "l4-c4", "activeActors": ["N"], "trend": "up"},
    {"uid": "qc-c5-l4", "typeId": "QC", "cellKey": "l4-c5", "activeActors": ["N"], "trend": "up"},
    {"uid": "qc-c10-l4", "typeId": "QC", "cellKey": "l4-c10", "activeActors": ["N"], "trend": "up"},
    {"uid": "qs-c8-l4", "typeId": "QS", "cellKey": "l4-c8", "activeActors": ["N"], "trend": "up"},
    {"uid": "qs-c5-l4", "typeId": "QS", "cellKey": "l4-c5", "activeActors": ["N"], "trend": "up"},
    {"uid": "iot-c6-l1", "typeId": "IoT", "cellKey": "l1-c6", "activeActors": ["N", "E", "H", "A"], "trend": "up"},
    {"uid": "iot-c7-l1", "typeId": "IoT", "cellKey": "l1-c7", "activeActors": ["N", "E", "H"], "trend": "up"},
    {"uid": "iot-c2-l2", "typeId": "IoT", "cellKey": "l2-c2", "activeActors": ["N", "E", "H"], "trend": "up"},
    {"uid": "iot-c8-l2", "typeId": "IoT", "cellKey": "l2-c8", "activeActors": ["N", "H"], "trend": "up"},
    {"uid": "iot-c1-l2", "typeId": "IoT", "cellKey": "l2-c1", "activeActors": ["N", "E"], "trend": "up"},
    {"uid": "robo-c8-l2", "typeId": "Robo", "cellKey": "l2-c8", "activeActors": ["N", "E", "F", "H"], "trend": "up"},
    {"uid": "robo-c5-l3", "typeId": "Robo", "cellKey": "l3-c5", "activeActors": ["N", "F"], "trend": "up"},
    {"uid": "robo-c4-l3", "typeId": "Robo", "cellKey": "l3-c4", "activeActors": ["N", "F"], "trend": "up"},
    {"uid": "bio-c3-l3", "typeId": "Bio", "cellKey": "l3-c3", "activeActors": ["N"], "trend": "up"},
    {"uid": "bio-c8-l3", "typeId": "Bio", "cellKey": "l3-c8", "activeActors": ["N"], "trend": "up"},
    {"uid": "bio-c5-l4", "typeId": "Bio", "cellKey": "l4-c5", "activeActors": ["N"], "trend": "up"},
    {"uid": "bio-c4-l4", "typeId": "Bio", "cellKey": "l4-c4", "activeActors": ["N"], "trend": "up"},
    {"uid": "xr-c3-l3", "typeId": "XR", "cellKey": "l3-c3", "activeActors": ["F", "H", "A"], "trend": "up"},
    {"uid": "xr-c4-l3", "typeId": "XR", "cellKey": "l3-c4", "activeActors": ["F", "H", "A"], "trend": "up"},
    {"uid": "xr-c9-l2", "typeId": "XR", "cellKey": "l2-c9", "activeActors": ["F", "H", "A"], "trend": "up"},
    {"uid": "sat-c7-l3", "typeId": "Sat", "cellKey": "l3-c7", "activeActors": ["N", "H"], "trend": "up"},
    {"uid": "sat-c5-l2", "typeId": "Sat", "cellKey": "l2-c5", "activeActors": ["N", "H"], "trend": "up"},
    {"uid": "sat-c6-l3", "typeId": "Sat", "cellKey": "l3-c6", "activeActors": ["N", "H"], "trend": "up"},
    {"uid": "sat-c8-l3", "typeId": "Sat", "cellKey": "l3-c8", "activeActors": ["N"], "trend": "up"},
    {"uid": "sat-c10-l3", "typeId": "Sat", "cellKey": "l3-c10", "activeActors": ["N"], "trend": "up"}
  ],
  "config": {
    "clusters": [
      {"id": "c1", "label": "#1 Abuse"},
      {"id": "c2", "label": "#2 Exp Svr"},
      {"id": "c3", "label": "#3 Exp Clnt"},
      {"id": "c4", "label": "#4 Identity"},
      {"id": "c5", "label": "#5 MitM"},
      {"id": "c6", "label": "#6 Flood"},
      {"id": "c7", "label": "#7 Malware"},
      {"id": "c8", "label": "#8 Physical"},
      {"id": "c9", "label": "#9 Soc Eng"},
      {"id": "c10", "label": "#10 Supply"}
    ],
    "levels": [
      {"id": "l1", "label": "Commodity / As a Service", "color": "bg-red-50 border-l-4 border-red-500"},
      {"id": "l2", "label": "Established", "color": "bg-orange-50 border-l-4 border-orange-500"},
      {"id": "l3", "label": "Specialized / Targeted", "color": "bg-fuchsia-50 border-l-4 border-fuchsia-500"},
      {"id": "l4", "label": "First Movers", "color": "bg-indigo-50 border-l-4 border-indigo-500"},
      {"id": "l5", "label": "Not Seen", "color": "bg-slate-100 border-l-4 border-slate-400"}
    ],
    "techs": [
      {"id": "AI", "label": "AI Supported", "color": "#2563eb"},
      {"id": "Ag", "label": "Agentic AI", "color": "#9333ea"},
      {"id": "QC", "label": "Q-Computing", "color": "#059669"},
      {"id": "QS", "label": "Q-Sensing", "color": "#0d9488"},
      {"id": "Robo", "label": "Robotics", "color": "#ea580c"},
      {"id": "IoT", "label": "IoT/Edge", "color": "#f59e0b"},
      {"id": "Bio", "label": "Bionics", "color": "#dc2626"},
      {"id": "XR", "label": "XR/Spatial", "color": "#4f46e5"},
      {"id": "Sat", "label": "Space/Satellite", "color": "#6366f1"}
    ],
    "actors": [
      {"id": "N", "label": "Nation State", "pos": "pos-tl"},
      {"id": "E", "label": "Extortion (Ransom)", "pos": "pos-tr"},
      {"id": "F", "label": "Fraud (Financial)", "pos": "pos-bl"},
      {"id": "H", "label": "Hacktivist", "pos": "pos-br"},
      {"id": "A", "label": "Amateur", "pos": "pos-cc"}
    ],
    "appearance": {
      "actorFontSize": 10,
      "trendArrowColor": "#ffffff",
      "trendArrowSize": 14
    }
  }
}
```
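
One way to sanity-check and query the radar data above, as an added example that is not part of the original page: it validates each record against the config and against the `uid` naming pattern the records follow, then ranks clusters by how many technologies enable them. The embedded sample is a constructed subset (the `trend` field is omitted and the last record is altered on purpose), and the function names are assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed sample: six records copied from the radar data, one altered on
# purpose (last entry: wrong level in cellKey, undeclared actor "X"), and the
# config trimmed to the ids the checks need.
RADAR = json.loads("""
{"instances": [
 {"uid": "ai-c9-l1", "typeId": "AI", "cellKey": "l1-c9", "activeActors": ["N","E","F","H","A"]},
 {"uid": "xr-c9-l2", "typeId": "XR", "cellKey": "l2-c9", "activeActors": ["F","H","A"]},
 {"uid": "qc-c5-l4", "typeId": "QC", "cellKey": "l4-c5", "activeActors": ["N"]},
 {"uid": "sat-c5-l2", "typeId": "Sat", "cellKey": "l2-c5", "activeActors": ["N","H"]},
 {"uid": "bio-c5-l4", "typeId": "Bio", "cellKey": "l4-c5", "activeActors": ["N"]},
 {"uid": "iot-c8-l2", "typeId": "IoT", "cellKey": "l2-c8", "activeActors": ["N","H"]},
 {"uid": "qs-c8-l4", "typeId": "QS", "cellKey": "l3-c8", "activeActors": ["N","X"]}],
 "config": {
 "clusters": [{"id": "c5"}, {"id": "c8"}, {"id": "c9"}],
 "levels": [{"id": "l1"}, {"id": "l2"}, {"id": "l3"}, {"id": "l4"}, {"id": "l5"}],
 "techs": [{"id": "AI"}, {"id": "XR"}, {"id": "QC"}, {"id": "QS"},
           {"id": "Sat"}, {"id": "Bio"}, {"id": "IoT"}],
 "actors": [{"id": "N"}, {"id": "E"}, {"id": "F"}, {"id": "H"}, {"id": "A"}]}}
""")

def validate(radar):
    """Return (uid, problem) pairs for records that disagree with config or their own uid."""
    ids = {k: {e["id"] for e in radar["config"][k]}
           for k in ("clusters", "levels", "techs", "actors")}
    problems = []
    for inst in radar["instances"]:
        level, _, cluster = inst["cellKey"].partition("-")
        if level not in ids["levels"] or cluster not in ids["clusters"]:
            problems.append((inst["uid"], "cellKey not in config"))
        if inst["typeId"] not in ids["techs"]:
            problems.append((inst["uid"], "unknown typeId"))
        # Every uid in the radar data reads "<typeId lowercased>-<cluster>-<level>".
        if inst["uid"] != f'{inst["typeId"].lower()}-{cluster}-{level}':
            problems.append((inst["uid"], "uid disagrees with typeId/cellKey"))
        extra = set(inst["activeActors"]) - ids["actors"]
        if extra:
            problems.append((inst["uid"], f"undeclared actors {sorted(extra)}"))
    return problems

def summarize(radar, skip=()):
    """Per cluster: enabling techs, most mature level seen, union of active actors."""
    out = defaultdict(lambda: {"techs": set(), "level": "l5", "actors": set()})
    for inst in radar["instances"]:
        if inst["uid"] in skip:
            continue
        level, _, cluster = inst["cellKey"].partition("-")
        row = out[cluster]
        row["techs"].add(inst["typeId"])
        row["level"] = min(row["level"], level)  # "l1" (commodity) sorts before "l5"
        row["actors"] |= set(inst["activeActors"])
    return dict(out)

def rank(summary):
    """Clusters ordered by number of enabling technologies, widest first."""
    return sorted(summary, key=lambda c: (-len(summary[c]["techs"]), summary[c]["level"], c))

if __name__ == "__main__":
    bad = validate(RADAR)
    print("rejected:", bad)
    summary = summarize(RADAR, skip={uid for uid, _ in bad})
    for c in rank(summary):
        print(c, summary[c]["level"], sorted(summary[c]["techs"]))
```

Loading the full radar JSON in place of the sample gives the per-cluster technology counts, maturity levels and actor sets that the summary table and conclusion draw on.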