As cyber threats evolve faster than businesses can adapt, the security landscape is bracing for another year of rapid disruption. The lines between human expertise and machine intelligence are blurring, attackers are industrializing their operations, and organizations are racing to close widening exposure gaps.
Discover what the experts from the companies we surveyed for our 2026 security predictions foresee, so you can prepare confidently and start the new year with peace of mind.
Memory Exhaustion Attack
We’ll see the first major “memory exhaustion attack” in Q2 2026 where attackers deliberately flood AI systems with edge cases that max out available memory, forcing sensitive data into poorly-secured overflow storage that they’ve already compromised. It’s like a DDoS attack, but instead of taking systems offline, it pushes your crown jewels into the attacker’s lap.
John Overton, CEO, Kove
Insider threats will overtake external attacks as the #1 breach source
This isn’t about malicious employees–it’s about good people making mistakes in increasingly complex environments. When you’ve got 16,000+ client touchpoints like we do, you see how often legitimate users accidentally expose data or misconfigure access. Companies are adding cloud tools faster than they’re training people to use them securely, and 2026 is when that bill comes due.
Orrin Klopper, CEO, Netsurit
Credential-as-a-Service Platforms are About to Weaponize Biometric Data
I’ve trained thousands of law enforcement and intelligence professionals globally, and here’s what I’m seeing from the ground level that should terrify every CISO: **credential-as-a-service platforms are about to weaponize biometric data**. We’re already tracking cases where threat actors are using deepfake technology combined with stolen biometric templates to bypass multi-factor authentication. When facial recognition becomes your “something you are,” you can’t just reset it like a password.
Joshua McAfee, CEO & Founder, McAfee Institute
A Board-level Metric
Cyber-resilience will become a board-level metric, not just an IT KPI. By 2026, cyber-resilience will be measured in minutes of downtime, speed of recovery, and ability to operate under compromised scenarios. Boards and CEOs will treat cyber-resilience as equally strategic as supply-chain resilience or ESG compliance, with constant simulations and live-fire exercises.
Anupa Rongala, CEO, Invensis Technologies
Shift Towards Assuming You’re Already Breached
Working with dental practices, I see ransomware gangs getting more specific. They’re encrypting patient data now because they know it’s their best leverage. Just checking the HIPAA box won’t save you anymore. We’ve had to shift to assuming we’re already breached and monitoring everything constantly. It’s the only way to protect patient info and keep the practice running.
Tom Terronez, CEO, Medix Dental IT
AI-driven Defense
By 2026, cybersecurity will be all about an AI-driven defense system because cybercriminals are also using AI to plan, adapt and execute attacks more efficiently. So there will be more attacks by AI, like data breaches, in the coming years. To counter this, companies will need to use strong frameworks like AEGIS to control what AI can do, who can access what and how data is shared.
Jignen Pandya, CEO, Expert App Devs
AI Deep Fakes
AI fakes go real time; payments move to “call-back by default” – In 2026, deepfake voice and video will be live, cheap, and good enough to pass a quick Zoom to mimick the real situations. Threat actors will drop a cloned “CFO” into a call for 30 seconds to rush a bank-detail change. We have already seen the playbook this year : a Hong Kong firm losing $25M after a video call with a deepfake CFO and “colleagues”; police later said the participants were all fakes. The fix is simple and strict: out-of-band call-backs using a known number as in extra step verification, two-person approval for changes, and a short cool off window. We can expect banks to expand payee confirm APIs and regulators to mandate verification above set amounts. The breach is your process, not your firewall.
Harman Singh, Director, Cyphere
Leak-First Extortion
Ransomware isn’t going away and is becoming cheaper to launch and costlier to ignore. By 2026, automation will drive a new phase: “leak-first” extortion. Attackers will bypass complex encryption campaigns in favor of stealing data and threatening to publish it — a method that is faster, cheaper, and far more likely to force payment. We can expect to see the rise of tiered ransom menus, which price extortion based on recovery time and business impact rather than just data access, restructuring attacker incentives. Victims will find themselves stuck between regulatory and legal mandates and the relentless, increasingly merciless efforts of cybercrooks to extort.
For defenders, this means that the economic battleground must shift from prevention to resilience. Boardroom conversations will pivot from “how do we stop every breach?” to “how fast can we recover without paying?” This demands a significant change in investment strategy.
Identity, Weaponized AI & Legacy VPN End of Life
In 2026, the entire cybersecurity conversation is gonna center on identity and weaponized Artificial Intelligence, and frankly, we’re seeing the old security perimeter collapse entirely. The biggest threat is the rise of agentic AI, which lets attackers create flawless deepfake social engineering campaigns and automate attacks that used to require massive human effort, forcing organizations to treat every interaction like it’s the very first time with a zero trust posture. What’s more, the focus will turn inward as heightened identity security efforts unearth “ghost” accounts and privilege sprawl from years ago, showing that the skeletons in the identity and access management closet are finally catching up to everyone.
You’ll also see the official ‘End of Life’ for legacy Virtual Private Networks as they’re correctly identified as a critical vulnerability that grants far too much access once compromised; modern security demands identity-based, least-privilege remote access instead. In addition to this, the push for quantum-safe encryption will transition from an academic concept to a mandatory, budget-line item for critical sectors, as the threat of ‘store-now, decrypt-later’ data harvesting becomes a very real and pressing concern.
Michael Gargiulo, Founder, CEO, VPN
AI powered, autonomous attacks will ramp up in 2026. They’ll use self-learning malware and custom tailored phishing attacks to breach high value systems. We will counter with AI powered threat detection and response, and the fight will continue.
Quantum security is an abstract concept at the moment, but with each passing year, gets closer and closer to reality. When the time comes, the wrong person will develop their own quantum computer, and as soon as that happens, encryption is an outdated security tool. 2026 will see a greater focus on quantum security.
An identity first approach to security is becoming more and more necessary. Least privilege and zero trust are already being applied to all networks, and this trend will continue. It is only a matter of time before our physical identification is tied to our digital identification in order to verify our identities on every system we use, and keep them secure. However, someone will reverse engineer this technology and the fight will continue.
Arif Ali, Technical Director, Just After Midnight
Accountability Fallout
The real danger is the false sense of control. Internal teams will assume these AI agents are secure because they follow internal policies. However, the truth is that agentic models are prone to social engineering just like humans. A cleverly worded API response/document can trigger the agent to perform harmful actions while still believing it is complying with internal policies and instructions.
I predict we’ll see a massive wave of accountability fallout when that happens. Employees will lose their jobs and policy overhauls will be initiated. Executives will look for someone to blame, but the root cause will be a lack of AI governance and human-in-the-loop validation.
Roman Milyushkevich, CEO and CTO, HasData
Mobile Becomes the New National Attack Surface
In 2026, the mobile device will officially graduate from being a personal security risk to a vector of national concern. What once appeared as isolated consumer scams or rogue apps has grown into a structural enterprise vulnerability — and a public-sector one, too. The same compromised mobile app that leaks user data can just as easily infiltrate corporate systems through bring-your-own-device (BYOD) policies and SaaS integrations. As organizations continue to blend personal and professional ecosystems, the boundary between consumer and enterprise exposure will fully collapse, forcing security leaders to treat mobile as critical infrastructure.
Vijay Pawar, SVP, Product, Quokka
Sophisticated Attacks Will Increase
Zach Varnell, Security Consulting Lead, Asteros
Convergence of Physical and Cyber Security
In 2026 we’ll see increased blending of physical security systems (CCTV, access control) with cyber monitoring tools. Security teams will need to adopt unified platforms that cover both realms, because attacker vectors move seamlessly between digital and physical domains.
Joe Orsak, President, 24 & 7 Security & Investigations
A Rise in Device Isolation Policies
We’re going to see a rise in device isolation policies. Encryption and MDM aren’t enough when every device constantly broadcasts metadata. Organizations will start establishing “offline-only” zones for sensitive work, travel, and operational planning. Faraday sleeves and signal-management practices will move from niche to standard security posture. Privacy stops being an app setting — it becomes a physical isolation protocol.
AI Agent Hickups
The Death of Perimeter Security
By 2026, the concept of “perimeter security” will finally die and good riddance. Firewalls, endpoint tools, and manual access policies can’t protect a world where AI applications constantly move, replicate, and generate new data. The real battlefront isn’t at the edge anymore; it’s deep inside the data layer.
Enterprises will shift from guarding systems to guarding intelligence the data, models, and pipelines that power their AI ecosystems. Security will become autonomous, self-healing, and invisible, embedded directly into the data fabric. AI will govern AI: continuously classifying, encrypting, and enforcing compliance policies without human intervention.
The winners of 2026 won’t be the ones who build taller walls, they’ll be the ones who teach their data to defend itself.
Cyber Resilience Will Become a Regulated, Auditable Standard of Trust
By 2026, cyber resilience will become a verifiable condition for doing business. New regulations like the SEC cybersecurity rules and the EU’s NIS2 directive will require organizations to prove recoverability, not just report incidents.
At the same time, cyber insurers will tighten underwriting, embedding technical audits that demand evidence storage and recovery controls actually work. Storage infrastructure will sit at the center of this new accountability model. To stay compliant and insurable, enterprises will adopt immutable storage by default, cryptographically verifiable retention, and automated recovery validation. Features like object lock, versioning, and tamper-proof logs will move from “nice-to-have” to mandatory proof of data integrity.
As insurers codify resilience benchmarks, architectures will converge around verifiable resilience — immutable object stores for long-term protection, fast recovery tiers for business continuity, and audit-ready metadata for claims validation. In 2026, cyber resilience will determine who gets insured, who stays compliant, and who customers ultimately trust.
Browser Security
Keep your eye on browsers, which is where the cybersecurity spotlight continues to shift. Traditional perimeter/server defenses typically get the most attention and resources, and attackers have been pivoting to the user’s browser in response. The strategy has been paying off, since security and visibility have historically been weaker there. With hundreds of thousands of websites already compromised this year, the threat vector is getting even more challenging to defend as generative AI automates phishing, SEO poisoning, and fake content delivery networks.
WordPress and mobile browsers will remain prime targets next year, but every organization that relies on embedded third-party JavaScript (from myriad web scripts running everything from chatbots to payment portals) will face elevated risk. Security teams will need to treat every script as untrusted, monitor real-time browser behavior, and expand compliance programs to include client-side telemetry.
AI Governance
Transformation of vCISO Services
IP Rotation Will Accelerate
Offensive and Defensive Predictions
On the offensive side, expect agentic AI attacks where autonomous agents can execute full MITRE ATT&CK sequences, adapt dynamically, and even emulate known APTs. Deepfakes will reach near-undetectable realism, fueling fraud, misinformation, and executive impersonation incidents that force enterprises to adopt stronger validation mechanisms such as rotating verification codes for high-risk actions. Model poisoning of open-source AI models, already underway in 2025, will accelerate as adversaries slip malicious payloads into trusted repositories, amplifying software supply chain risk.
Defensively, cyber teams will have no choice but to evolve. Agentic workflows will become standard as top OEMs embed these capabilities into their platforms, allowing constrained teams to automate detection and response at scale. Non-human identities will demand stronger visibility and privilege control, where organizations will acquire tools to specifically handle this. Finally, as work continues to shift into browsers, last-mile security will emerge as the final frontier of zero trust, protecting users in SaaS and AI-heavy environments.
Bryan Sacks, Field CISO, Myriad360
Little Reason for Optimism
Henry Adams once said, ‘I always expect the worst, and it’s always worse than I expected.’ That’s how I feel about cybersecurity heading in 2026: there’s little reason for optimism, significant risks that most organizations still haven’t addressed, and nearly every trend we see is headed in the wrong direction, with the one major outlier being the trend of ransomware victims being more reluctant to pay up. This year we released a global survey of more than 2,100 cybersecurity and identity experts which found that 69% of organizations experienced an identity-related breach in the last three years, a 27-percentage-point increase since last year’s report. And given that we found that 90% of organizations still face challenges in implementing passwordless authentication, we expect that many of the same risks—including weak passwords, phishing, social engineering—will continue to put organizations in danger.
Organizations should resolve to change that pattern this year. Remove passwords, emphasize Zero Trust, and prioritize the identity security capabilities that will help you stay safe in 2026 and beyond.
A Blind Spot for CISCOs
Cyber Insurance
Layering Security
I think one of the big stories for 2026 will not be new threats but a frustrating persistence of old ones. Phishing, credential theft, and insider errors continue to dominate because too many organizations still depend on perimeter defense. The real progress in 2026 will come from strategic maturity, as layered security (encompassing layered encryption, layered antivirus, and access controls that protect against exfiltrated data exposure) becomes a de facto operating model rather than an aspiration. These same layers will also blunt the impact of ransomware 2.0 attacks that rely on data theft and extortion instead of just encryption.
Compliance frameworks, which strengthened considerably in 2025 and will continue to do so next year, are reinforcing this approach by requiring proof of resilience instead of prevention alone. Good security is good security, and we expect to see more regulated and unregulated businesses alike required to maintain a documentable, measurable, and standardized security posture. The organizations that succeed will need to think several moves ahead. They will expect breaches, contain them, and keep operating while attackers waste time searching for another opening (or, more likely, move on to an easier target).
A Rise in Social Engineering Attacks
Social engineering already is, and has been, a leading cause of modern cyberattacks. While we may like to think otherwise, people are the weakest link when it comes to an organization’s overall security posture. However, with advancements in AI, it’s become far too easy to attack people.
I recently spoke to over seventy CISOs at the Paris KKR CISO Summit, and a key issue on everyone’s mind was the blurring line between what is real and what is fake. When it comes to cases like believing an AI-generated video of bunnies jumping on a trampoline is real, while not ideal, the resulting “harm” is minimal. But what about when a CEO deepfake videocalls an employee and instructs them to move large sums of money in real time? Or think of those AI-generated images of the Pentagon under attack that quickly went viral in 2023. They caused an actual dip in the stock market. When cases of AI-powered misinformation and disinformation play out in higher stakes environments, internal and external trust can easily drop, and financial losses can become frequent and significant, impacting revenue and even potentially company valuations.
In the coming year, we can expect to see a rise in social engineering attacks. For the security community-at-large, there will be a greater focus on how to manage the amount of misleading AI-generated content, including how to protect employees so they don’t fall for it and, more importantly, don’t act on it.
Nabil Hannan, Field CISO, NetSPI
The Year of Agentic and Machine Identity Sprawl
If 2025 was the year of AI, 2026 will be the year of agentic and machine identity sprawl. Machine identities – from workloads and service accounts to IoT devices – now vastly outnumber human identities in the enterprise. Further, most operate unseen and overprivileged. Machine identities are already the primary source of privilege misuse, creating an urgent need to expand threat identification coverage to non-human accounts. The rapid growth of AI-driven systems and the explosion of connected IoT ecosystems will push organizations beyond their ability to track and manage machine identities effectively, creating prime opportunities for attackers to exploit unmanaged or forgotten identities. 2026 will force security teams to confront the reality that identity-first security can’t stop with humans.
Phil Calvin, Chief Product Officer, Delinea
Enterprises Will Need to Adopt Nation-state-grade Defenses
Nation-state operations will expand to target commercial enterprises. Advanced persistent threat actors will increasingly target private-sector companies for economic disruption, IP theft, and espionage aligned with geopolitical goals. Enterprises must adopt nation-state-grade defenses and treat geopolitical risk as part of their cyber threat model.
Josh Taylor, lead security analyst, Fortra
Postmortems of Project Failures and L&D in the Boardroom
Leaders are under pressure to implement AI, and IT wants to say “yes” as much as they can, but organizations that move too far and too fast with AI risk getting in over their head and drowning. When that happens, it’s not pretty for the organization. We’re going to see more signs of fallout from such events throughout 2026, including where blame will be placed, whether that is on the technology itself or on individuals tasked with building or leading it. This is a breaking point for AI strategy to become a boardroom conversation and the focus needs to be “Are we ready to do this right now and do we have checks and balances to determine if we are ready?” Organizations that are more mature will be better positioned to weather these challenges than younger businesses and startups that aren’t yet firmly established but still are still trying to harness AI. To some degree, leaders will need to have something akin to a postmortem to identify problems that they should have discovered sooner, before the situation got out of hand. By establishing stronger foundations, readiness assessments, and shifting away from L&D consumption metrics, organizations can better determine how ready or not ready they are to effectively implement AI tools into their processes.”
Drew Firment, Vice President of Enterprise Strategy, Pluralsight
Identity-first Defense Is No Longer Optional
Visibility has become the single most critical factor in cybersecurity resilience—and the shift to an identity-first defense is no longer optional. As Gartner predicts, ‘By 2028, 70% of CISOs will leverage an Identity-Verification and Intelligence Platform (IVIP) to reduce their IAM attack surface.’
The real threat isn’t the breach itself–it’s the invisible sprawl of permissions lurking inside systems like SharePoint.
Continuous visibility across every identity—human and machine—is essential to enforce least privilege and stop credential-based intrusions before attackers gain persistence.
Identity security is no longer an IT task—it’s a core security discipline demanding full-spectrum visibility, privilege control, and behavioral monitoring. The path of least resistance is no longer the network–it’s identity.
Ransomware and Extortion Groups as Evolving Businesses
Keep Your Eye on Browsers
Keep your eye on browsers, which is where the cybersecurity spotlight continues to shift. Traditional perimeter/server defenses typically get the most attention and resources, and attackers have been pivoting to the user’s browser in response. The strategy has been paying off, since security and visibility have historically been weaker there. With hundreds of thousands of websites already compromised this year, the threat vector is getting even more challenging to defend as generative AI automates phishing, SEO poisoning, and fake content delivery networks.
WordPress and mobile browsers will remain prime targets next year, but every organization that relies on embedded third-party JavaScript (from myriad web scripts running everything from chatbots to payment portals) will face elevated risk. Security teams will need to treat every script as untrusted, monitor real-time browser behavior, and expand compliance programs to include client-side telemetry.
