Once again, it’s predictions season. We spoke to experts from across the cybersecurity industry about what the future of cyber may look like as we head into 2026. From AI ethics and API governance to the UK’s Cyber Security and Resilience Bill and exponentially increasing threats, there’s set to be a big shake-up to the industry next year (again). What it means to be cyber resilient, against a tide of increased threats, is, once again, changing.
So, let’s hear what the experts think:
Rising Ransomware
Rebecca Moody, Head of Data Research at Comparitech:
“Even with a couple of weeks to go, ransomware attacks have increased significantly from 2024 to 2025. According to our statistics, 2024 saw 5,621 attacks, while 2025 has already seen 7,042 – a 25 percent year-on-year increase.
I expect the level of ransomware attacks to remain high throughout 2026 as hackers continue to exploit vulnerabilities, target key infrastructure, public services, and manufacturers, and seek to steal large quantities of data in the process.
If 2025 has taught us anything, it’s that hackers see third-party service providers as the perfect target because they not only give them potential access to hundreds of companies through one source but also enable large-scale data breaches. Key examples include the recent attack on Marquis Software Solutions which has seen one of the largest data breaches of 2025 (1.35 million and counting) and has affected hundreds of banks and credit unions, and Clop’s Oracle zero-day vulnerability exploit which has seen over 100 companies affected to date.
While companies are going to want to make sure they’re on top of all the key basics (carrying out regular backups, patching vulnerabilities as soon as they’re flagged, providing employees with regular training, and making sure systems are up to date), 2026 will hopefully bring increased awareness of the vulnerability companies face through the third party services they use. Although utilising third parties for various services is essential for a lot of organisations, it’s crucial these organisations are vetting and testing the software they’re using (where possible). Even with the most robust systems in place, this is irrelevant if the third parties they’re using aren’t adhering to the same standards.”
Compliance, Industry Guidance and Regulations
Jamie Akhtar, CEO and Co-Founder of CyberSmart:
“The cyber market and its regulatory landscape are shifting quickly and organisations are starting to feel the pressure of a more demanding regime. This will continue throughout 2026. As the Cyber Resilience Bill comes into force, it brings with it mandatory adoption of the Cyber Assessment Framework across critical sectors. The scope of regulation expands as the definition of Relevant Managed Service Providers is broadened, placing managed service providers (MSPs) directly in the regulatory spotlight. This change introduces new duties around incident reporting, baseline security controls and formal assurance, meaning that both service providers and their customers must operate with far greater transparency and discipline. The CyberSmart 2025 MSP survey saw that this was already starting to happen. 77% of MSPs reported that their businesses’ security capabilities were already coming under greater scrutiny by prospects and customers. This suggests that MSP customers are more aware than ever of the importance of good cyber credentials in a potential partner – and this will only continue.”
Bill Dunnion, CISO at Mitel, said:
“The future of cybersecurity lies in thinking like the adversary. Traditional defensive postures, firewalls, monitoring, and compliance checklists, are no longer sufficient against threats that move faster and learn continuously. Offensive security practices such as red teaming, threat hunting, and penetration testing will evolve from optional exercises to essential functions of risk management.
The guiding principle is simple: what you don’t know can hurt you. Proactively testing systems exposes blind spots before attackers do. The next generation of programs will combine structured frameworks, such as NIST and ISO, with continuous offensive assessments to create dynamic, adaptive defence ecosystems.
Mature organisations will recognise that compliance does not equal security. Instead, they will integrate continuous testing into their operations, utilising real-world attack simulations to enhance defences and quantify risk in business terms. The result is smarter, faster decision-making that results in better protection.”
Quantum Computing
Daniel dos Santos, Senior Director, Head of Research at Forescout:
“[I predict that there will be] escalating attacks on unmanaged devices. Edge devices such as routers and firewalls, as well as IoT in the internal network such as IP cameras and NAS are all becoming prime targets for initial access and lateral movement, with a growing number of zero-days and custom malware. These devices are usually unmanaged and unagentable, so organisations need to invest in other forms of visibility, threat detection and incident response based mainly on network signals. This will ensure they can proactively mitigate the growing risk from these devices, detect when attacks leverage them and respond to those quickly to prevent them from becoming major incidents.
Growing number of hacktivist attacks. Most organisations have a threat model based on defending against cybercriminals and state-sponsored actors. Hacktivists until recently were treated as a “nuisance” because of their focus on DDoS and simple defacements. Now these groups have been growing in number and sophistication – targeting critical infrastructure at alarming rates. This will extend into 2026 and organisations need to ensure their threat models include these groups too.
Starting the migration to post-quantum cryptography (PQC). 2025 was the year when commonly used technologies, from web browsers to SSH servers, started implementing post-quantum cryptography. 2026 will be the year when organisations will need to inventory their network assets and understand what is already supporting the technology, what isn’t and what are the timelines to migrate. Especially in government, financial services and critical infrastructure, the migration to PQC will soon move from “something we should think about” to “we need to act now”. Organisations will need tools that can automatically and continuously inventory their network assets, since it’s not realistic to expect hundreds of thousands of devices to be manually checked.”
Simon Pamplin, CTO – Certes:
“If we’re talking about cyber challenges for 2026, I think the thing businesses really need to get their heads around is the widening gap between the pace of quantum-age cryptography and the speed at which most organisations update their production systems. Attackers don’t need a working, large-scale quantum computer right now to cause trouble. Many of them are already quietly collecting encrypted data, sticking it in storage, and waiting for the day they can crack it. That turns anything with a long shelf life, financial records, personal data, IP, into a liability on a timer.
The problem is that too many organisations still behave as though the encryption they use today will protect them forever. It won’t. Shifting to post-quantum cryptography is potentially challenging and slow to deploy, and most businesses massively underestimate how many of their legacy systems, third-party integrations and data flows rely on algorithms that simply won’t stand up to what’s coming.
So, preparation has to begin before the threat is fully realised. Quantum computing isn’t some distant sci-fi concept anymore; it’s getting close enough that organisations can’t ignore it. Start by working out where your sensitive data actually goes, sort out the long-life data first, and separate out your truly critical data streams so one weak spot doesn’t bring the whole lot down. PQC isn’t something you bolt on, it’s a phased transition, and the ones who start early won’t be the ones panicking later.”
Darren Guccione, CEO and Co-Founder of Keeper Security:
“The quantum era will usher in extraordinary innovation and unprecedented risk. In 2026, business leaders will be faced with the reality that preparing for the post-quantum future can no longer wait.
“Harvest now, decrypt later” attacks are already underway as cybercriminals intercept and archive encrypted traffic for future decryption. Large-scale quantum computers running Shor’s algorithm will shatter existing encryption standards, unlocking a time capsule of sensitive data. From financial transactions and government operations to information stored in cloud platforms and healthcare systems, any data with long-term value is at risk.
While the timeline for practical use of quantum computers capable of breaking public-key cryptography remains uncertain, business leaders must take action now. Regulators worldwide are urging enterprises and public-sector organisations to inventory cryptographic systems, prepare for migration and adopt crypto-agile, quantum-resistant strategies.
In 2026, expect the conversation around quantum risk to shift from theoretical to tactical. Organisations will begin treating encryption not as a background control, but as a measurable component of operational resilience. Discussions once limited to cryptographers will move into boardrooms and procurement teams, as leaders demand visibility into how long their data can remain secure under existing models. The focus will broaden from purely technical readiness to governance, understanding where every key, certificate and encryption method is deployed across the enterprise and how quickly each can be replaced.
Forward-looking organisations will also start piloting hybrid cryptography that blends classical and post-quantum algorithms, testing performance, integration and cost. These early implementations will surface new challenges around key management, compatibility and standardisation, driving broader collaboration between governments, technology providers and enterprises.”
Experts at KnowBe4 said:
“Q-Day, the day when quantum computers become sufficiently capable of cracking most of today’s traditional asymmetric encryption, will likely happen in 2026. The security of these systems has never been more important. Organisations must strengthen human authentication through passkeys and device-bound credentials while applying the same governance rigor to non-human identities like service accounts, API keys and AI agent credentials.”
Agentic AI and Deepfakes
Ruth Azar-Knupffer, Founder at VerifyLabs.AI:
“By 2026, deepfakes will continue to be an accepted part of everyday life, like they are today. Not all of them will be harmful. Satire, memes and creative uses of AI will continue to entertain and even inform, but the real risk lies in how easily the same technology can be misused. We will see a sharp rise in deeply personal scams, impersonation and online abuse that feels more convincing than anything we have experienced before, because it looks and sounds real.
The impact will go far beyond financial loss. Deepfakes will increasingly damage relationships, reputations and mental well-being, eroding trust between people and in the information we consume. In an age where seeing is no longer believing, society will be forced to rethink what trust looks like online.
This shift will redefine digital literacy. It will no longer be enough to know how to use technology; people will need the confidence to question it. Verification, context and authenticity will become everyday considerations, not specialist concerns. Those who adapt will navigate AI with resilience, while those who don’t risk becoming overwhelmed by doubt and deception. Trust won’t disappear, but it will have to be rebuilt on new foundations, built on ones that recognise both the power and the limits of artificial intelligence.”
Eric Schwake, Director of Cybersecurity Strategy at Salt Security:
“Agentic AI will create a fundamental shift in how internal systems behave. As autonomous agents begin acting on behalf of users and applications, they will trigger a surge in internal API calls that far exceeds traditional human-driven traffic patterns. The impact will not be felt at the perimeter first. It will surface deep inside the stack, where shadow interfaces, legacy services, MCP servers and automation endpoints sit without the instrumentation needed to distinguish noise from legitimate business activity. Security teams will discover that their monitoring models, built for predictable and comparatively low-volume interactions, cannot interpret agent-generated activity. This will accelerate the move toward context-aware runtime protection and real-time behavioural baselining rather than static rules or credential checks.
As this shift unfolds, discovery will become the single most important capability in the API security budget. AI agents do not wait for formal onboarding processes before invoking new endpoints. They identify and call whatever interfaces appear relevant, whether sanctioned or not. In response, CISOs will transition from periodic inventory exercises to continuous, automated discovery across the entire API fabric. Visibility will need to extend into MCP infrastructures, internal endpoints and interfaces generated dynamically by agentic workflows. The guiding principle is straightforward: security cannot exist where visibility does not.”
James Moore, Founder & CEO of CultureAI:
“As we move into 2026, the biggest risk isn’t AI itself, rather it’s the blind spots organisations still have around how their people and their tools are actually using it. Almost everybody is now using AI platforms, often without knowing what data those tools retain or how it’s used. With an abundance of AI comes an abundance of data loss. I predict three major threat shifts that will define 2026:
- The rise of invisible AI usage, especially in everyday SaaS.
What people think of as ‘AI tools’ is too narrow. An AI app is any SaaS application that takes data and passes it into a model. Most organisations haven’t even scratched the surface of understanding that. I believe that embedded AI features within SaaS apps, beyond common AI tools like ChatGPT or Copilot, could contribute to enterprise data-loss incidents next year.
- Legacy controls will continue to fail, not because they’re bad, but because they weren’t built for this problem.
To solve AI data-loss, you have to understand the contents of every request going to an AI app. DLPs and CASBs simply weren’t built for that. You can’t just turn those apps off and block them all and hope for the best.
- Agentic AI will create a new class of blind spots.
I expect that we will see the emergence of AI agents that act, browse, and make API calls independently. When AI starts taking actions on your behalf, you move from securing human behaviour to securing autonomous behaviour. Most organisations aren’t remotely ready for that.
However, I also believe that 2026 will be the year that enterprises unlock AI at scale. This can only be done if they treat usage as a governance and enablement problem, not a blocking problem. Our job isn’t to scare people away from AI. It’s to give them the visibility and control to use it safely, at speed. The organisations that win in 2026 will be the ones that move to the top-right quadrant: high adoption and high security, not one or the other.”
Simon Gooch, Field CIO & SVP Expert Services at Saviynt:
“AI is forcing organisations to rethink what identities are critical to manage and if they have the right tools and approaches to ensure they are able to support their organisation’s AI and technology transformation priorities. Identity has always been central to protecting systems and data, but AI is altering how we think about this construct. There is a growing realisation that identity is the single most critical currency of all technology transactions and having an integrated technology, security and identity strategy that is designed to this reality is key. In the new reality of our evolving tech ecosystem we’re no longer solely dealing with employees, partners, providers, privileged users and non-human constructs; we’re entering a world where automated processes, bots and AI agents hold access, make decisions and interact across networks, systems, supply chains and organisations. The adoption of AI-powered capabilities is happening at a pace the reality and implications of which are still not well understood. Often, organisations are still in a phase of discovering and testing what they can deliver, yet each deployment introduces a new point of possible risk. The result is an expanding and increasingly complex set of identity security challenges.
This shift has pushed identity out of the back office and into the heart of business operations, risk management and long-term planning. The difficulty, of course, is that most organisations are still managing legacy systems, hybrid environments and thousands of human identities while preparing for an AI-driven future, not to mention the non-human identities they already rely on. Identity security must now not only protect AI agents, but also harness AI itself if it’s to keep pace.
Amid all this change, we’re watching identity security evolve from a compliance exercise to a core security discipline, and now into an essential enabler for business transformation and AI adoption. Security and business leaders alike are working at pace to manage and govern human, non-human and AI agent identities in a way that is both resilient and scalable.”
Dipto Chakravarty, Chief Technology Officer at Black Duck:
“The traditional approach to vulnerability management and security testing will certainly be disrupted, primarily driven by the increasing adoption of AI in cybersecurity. The old software world is gone, giving way to a new set of truths defined by AI. AI will significantly alter how organisations identify and mitigate vulnerabilities, becoming both a tool for attackers and defenders. Threat actors will leverage AI to automate and scale attacks, while defenders will use AI to enhance detection and response capabilities. Organisations will need to invest in AI-driven vulnerability scanning and predictive analytics to stay ahead of emerging threats. AI-powered security tools will enable security teams to analyse vast amounts of data, identify patterns, and predict potential threats before they materialise. The role of AI in AppSec will be transformative, and organisations that fail to adapt risk being left behind. As AI continues to evolve, it’s essential for security leaders to prioritise AI-driven security measures and invest in the necessary skills and technologies to stay ahead of the threats.”
Next Generation Hackers
Anthony Young, CEO at Bridewell, said:
“Unfortunately, it’s unlikely that 2025’s headline breaches are not the peak, they’re the warning signs. As we move into 2026, the legacy of these cuts will continue to degrade organisations’ defensive posture. We’ll likely see fewer, but far more impactful, attacks focused on shared platforms, third-party suppliers and critical infrastructure.
Cybersecurity is now facing the same kind of social and economic pressures that drive crime in the physical world. When times get tough and oversight weakens, the barrier to entry for malicious activity falls. If we continue underinvesting in resilience and accountability, we risk normalising cyber aggression as a form of expression or protest.
Many organisations have been forced to delay modernisation, freeze hiring and reduce investment in defensive capabilities. The result is fewer defenders, slower detection, and weakened resilience, just as adversaries become more aggressive and technologically advanced.
This new wave of attackers doesn’t always fit the traditional profile. We’re seeing a generation that grew up online, with access to open-source data, leaked credentials and automated tools that make disruption easy. What’s changed is the lack of deterrence. In online communities, the reputational rewards of causing chaos often outweigh the perceived risk by these individuals of getting caught.”
The post We Asked the Experts: 2026 Predictions appeared first on IT Security Guru.