Current events · 7 MIN READ · SCOUT SCHOLES · DEC 31, 2025 · TAGS: leadership & management
TL;DR
- We’ve consulted our internal experts and leaders to ask them for predictions for 2026
- These predictions cross oceans, and include hot takes from our European Field CISO, Pierre Noel
- What they agree on? AI isn’t going anywhere; if anything, it’s bringing new capabilities, and naturally, new threats into the new year
2026 is almost here, and what better way to start the new year than with some predictions?! We asked our leaders and experts what they’re expecting to see in 2026, and we’re sharing that guidance with you–take it or leave it (but honestly, they know what they’re talking about).
On federal and regulatory changes
Spoiler alert: Wait and see.
“Chaos. The administration has dismantled a lot of cyber capability that faces the public markets (CISA, most notably) and is [strange] when it comes to foreign policy related to our most aggressive nation-state adversaries (notably North Korea, China, and Russia; on, Iran we’ve been more consistent). As for regulation, I’d say that’s not something this admin, or this Supreme Court, does. At all.”
– Dave Merkel, CEO
“NIS2 has the potential to significantly improve the way most organizations with business in Europe, small or big, will approach their cybersecurity programs.
“However, the jury is very much out at this stage. At the moment, only 15 EU countries (out of 27) have transposed the NIS2 directive into a law, and several big ones are missing (Germany, Poland, France, Spain, Netherlands, Ireland, and Portugal, for example).
“Similar to what happened initially with GDPR, companies have adopted a “wait and see” attitude towards NIS2. It’s only once some companies are significantly fined for non-compliance that the rest will suddenly deem NIS2 an important budget item. The coming 12 months should clarify the situation.”
– Pierre Noel, Field CISO
On if AI will remain the number one buzzword (and what it will and won’t do)
AI isn’t going anywhere. If anything, its presence (and capabilities) are expanding.
“I don’t think we’ll see AI eliminating existing cyber jobs. We may see fewer open positions as companies navigate AI usage for efficiency, but you can bet those open positions will be filled by people that have cyber and AI skillsets.
“The adversary is still a human being. That human being will figure out how defenders are using AI, and exploit those behaviors to their advantage. That will require a human defender to identify and counter.”
– Dave Merkel, CEO
“We need to avoid falling into the trap of thinking that 2026 will be the year AI is battling AI. The current battle for defenders is getting the security basics right because offensive-focused AI will look for every misconfiguration, amplifying their risk. There are far too many companies that will continue to struggle to quickly patch an external device while attackers further automate existing attack playbooks to take advantage of that gap.
“Defenders need to focus on automating the boring, mundane security tasks that are hard for humans to manage at scale. These foundational security areas, like securing identities, patching applications, and monitoring systems are ripe for innovation and will pay dividends for companies in the long run.
“In 2026, we won’t have more front doors to our systems and data. We just have more attackers who can jiggle the handle to see if it’s unlocked faster than we’ve seen in the past.”
– Jason Rebholz, Advisory CISO
“AI strategy and how to protect it is the topic for every board, and this is only the beginning. Similar to the public cloud explosion a few years ago, embedding AI into the organization is now inevitable. Some will do it by themselves, requiring in-house AI cyber expertise. Some will use existing solutions, but will need assurance on the protection of their crown jewels once in the hands of third-party suppliers.
“As for buzzwords that will be retired, I anticipate that technical cyber terms will not find their way to the board anymore, as they don’t serve CISOs in building a trusted relationship with the board and other leadership.”
– Pierre Noel, Field CISO
“Organizations’ own AI tools will be used against them. We’ve seen this a few times already in 2025, but it will accelerate in 2026 as more organizations have AI tools in all stages of their infrastructure: built into user workflows, integrated into individual tools, and installed on end-user devices. Each instance is implemented with varying quality of security, giving many opportunities for attackers to leverage them for themselves.”
– Aaron Walton, Threat Analyst
Thoughts on cyberattackers and their tactics in the new year
The gist? AI creates a new way to access attack surfaces, but attackers are lazy and won’t fix what’s not broken.
“Well, AI remains a trend, whether for defense or efficiency. Attackers will do what they always do: go for the weak spots. AI in your browser? That’s a target. Have a bunch of sensitive stuff in OpenAI or Gemini? Attackers will try to get to it either directly or via their favorite mechanism—end users (i.e., your employees). The attack surface is getting bigger all the time, and the ways you can exploit it are myriad.”
– Dave Merkel, CEO
“The attackers have the easier part of the game, always have, always will. It’s asymmetrical warfare with no reasonable path in the private sector for attribution or enforcement of consequences on threat actors. I don’t think 2026 will be any different from previous years.
“I actually don’t buy the thesis that there aren’t enough available defenders. There are, it’s just that businesses and other entities are either unwilling or unable to make the investments required. AI won’t fix this. It might make parts of the security pie more economical to implement, but it will come at a different cost (i.e. the expertise to properly implement it).
“AI will enable scale for attackers but its sophistication isn’t necessary in many cases because very simple technical and human-based threats still work. Why use an expensive AI agent when you can just bribe a low-level employee for access or send the CFO a phishing email?”
– Greg Notch, CSO
“Why change what’s working? Threat actors are going to broadly continue the lines of effort that are delivering results to them. That’s going to be the undercurrent of 2026: more of the same.
“Threat actors will develop new AI-driven threats and continue to exploit the weak state of identity verification and access controls. For targeted and high profile attacks, threat actors are going to see a similar benefit from using AI as legitimate companies: a human-in-the-loop implementation where outputs are reviewed. For commodity attacks, AI for code and technique obfuscation may become more prevalent. While there are better tools available for these functions, AI lowers the barrier to entry and allows for cheaper implementation than the previously existing techniques, further driving adoption.
“AI in attackers’ hands also makes it easier to develop exploits. In 2026, we’ll see increasing exploit-based compromise continue. With this lowered barrier to entry, we could also see an increase in damaging attacks by skids, activists, and terrorist-aligned groups. These groups have a latent desire to cause damage and mayhem but generally lack the capabilities. If AI makes it easier, 2026 may see a surge in destructive attacks.”
– James Shank, Director, Threat Operations
“Agentic red-teaming and automated attacks will become more prevalent. Anthropic’s recent report on AI-orchestrated cyber espionage is an early picture of what these agentic AI-powered attacks can look like and as AI continues to accelerate at a fast pace, so will the capabilities of these types of intrusions. Some in the community down-played the report, but to me, it represents the surface of what is possible.”
– Aaron Walton, Threat Analyst
Predicted trends for cybersecurity in 2026
If you guessed we’d be discussing AI and geopolitics, you get a gold star!
“I still think that identity, particularly machine (NHI) or API key identity security is going to be one of the biggest headaches for security teams going forward. The proliferation of interoperability, driven by AI, MCP servers, agentic tooling, and the like will only exacerbate this trend. These are difficult to govern, difficult to build detection capabilities around, and contain long-living credentials with access to critical systems.
“Looking further out, and at the higher end of attacker behavior, I believe we’ll start to see automated weaponization of so-called “one day” or patch diffing vulnerability exploitation. A bunch of promising (and scary) research around AI-driven development of PoC code from patch diffs means we’ll soon see attackers building software exploits faster than companies can apply patches. This research also significantly lowers the expertise needed to build the exploits. The bad news is that even if AI is used to find bugs and build patches faster, most enterprises will struggle to match attackers’ tempo to deploy patches in their environments.”
– Greg Notch, CSO
“As the AI agent mania continues, organizations will find the right design patterns to unlock ROI. These agents will present the next major visibility gap for security teams. We will start to see companies grant agents greater access, which will slowly expand the attack surface. What will start off as a slow but steady drip of agents has the potential to grow into a firehose, reshaping how security teams need to rethink their threat profile in the age of AI agents.”
– Jason Rebholz, Advisory CISO
“The current geopolitical dynamic is having a significant impact across Europe (including the UK). Trusted cybersecurity solution providers are being re-evaluated under the lens of a new threat landscape prism. Who to trust in the medium- to long-term? Friend or foe? But, more importantly, what are the alternatives? The internet is becoming incredibly segmented. There is a growing desire to ‘buy local’ cybersecurity solutions, even though effective European-made options are scarce. Consequently, geopolitics and cybersecurity strategy are now mandatory discussion topics at the executive board level.”
– Pierre Noel, Field CISO
“The biggest trend I’m seeing is increased pressure to prove ROI in cybersecurity. Companies are looking to further optimize their spend. This might be driven in part by attempts to offload some risk management to cybersecurity insurance, but it most likely will be driven by pressure to innovate and adopt AI into other areas within the business.
“Attackers are continuing to see success with old techniques, with simple techniques, and with identity based/human interaction techniques. This low tech focus by attackers flies in the face of the high tech focus of security vendors. This is going to stay steady or increase as we move into 2026. It may increase precisely because defenders take their eyes off the ball and overfocus on AI.”
– James Shank, Director, Threat Operations
“In 2025, attackers started targeting developers more directly. We saw this through targeted phishing, supply-chain attacks targeting package managers, and the distribution of malicious development environment extensions. This attack surface is only growing, with very little attention given to it over the past few decades. Many security tools are coming to market to solve this, but the problem puts the supply-chain at risk: even if one’s own organization implements these tools, third-party risk can’t be fully mitigated. These threats will continue to grow into 2026.”
– Aaron Walton, Threat Analyst
