10 cybersecurity trends to watch in 2026

1. Attackers harness the power of AI

In the past few years, malicious actors have ramped up their use of AI to craft more potent attacks -- and it has CISOs worried. A 2025 Boston Consulting Group survey found 80% of CISOs list AI-powered cyberattacks as a top concern.

They have good reason to be concerned, said Damon McDougald, global security services lead at Accenture. While AI-powered and AI-augmented cyberattacks have been present for the past few years, he said 2026 will see such attacks proliferate.

"The bad actors are using this technology to scale to get more done in less time," McDougald said.

They're also using AI to automate attacks. In November 2025, Anthropic announced it had disrupted a large-scale cyberespionage campaign that had been significantly automated by AI.

Kris Lovejoy, global head of strategy at IT infrastructure services provider Kyndryl, said fully autonomous cyberattacks are on the way and will redefine cybersecurity.

"By 2027, fully autonomous, AI-driven cyberattacks will be successfully executed against enterprises, achieving the objective from initial penetration to data exfiltration without any direct human command," she said. "This event will render traditional, human-in-the-loop incident response timelines obsolete and prove that machine-speed defense is the only viable path forward."

2. Defenders hone their use of AI

CISOs and their teams are likewise adopting AI to work at a volume and speed that humans cannot, said Paddy Harrington, analyst at Forrester Research.

"In the security tools themselves, there are a lot more AI components coming in," he said.

Indeed, AI is aiding security teams in multiple core tasks, from threat detection and response to threat intelligence analysis and event summarization.

According to the World Economic Forum's Global Cybersecurity Outlook 2026 report, 77% of surveyed organizations have adopted AI for cybersecurity, primarily to enhance phishing detection (52%), intrusion and anomaly response (46%), and user behavior analytics (40%).

3. Securing enterprise AI deployments becomes a higher priority

In his security predictions for 2026, Harrington forecasted that an agentic AI deployment will cause a public breach and lead to employee dismissals.

"As companies begin building agentic AI workflows, these issues will only become more prevalent. Without the right guardrails, systems of autonomous AI agents may sacrifice accuracy for speed of delivery, especially when interacting directly with customers. When these failures occur, some treat AI agents as their own entities while others point fingers at individual employees, but breaches like these are due to a cascade of failures, not a single individual," he wrote.

To best guard against such an incident, Harrington told SearchSecurity that CISOs must do a better job securing their AI agents. He suggested following the AEGIS framework, ensuring appropriate identity and access management controls, and implementing other guardrails.

Tony Velleca, CISO of UST, a digital technology and transformation services provider, said he expects more organizations to place greater emphasis on securing AI deployments of all types in 2026. He said most organizations have spent the past several years racing to deploy AI, thinking that they could go back and strengthen security later. Now, as attacks on AI systems are happening, organizations are prioritizing security in a way they hadn't before.

4. Attacks on OT ramp up

Security experts said that malicious actors will ramp up attacks on operational technology this year.

"In 2026, we anticipate the primary disruptive threat to industrial control systems and OT will remain cybercrime," researchers wrote in Google Cloud Security's "Cybersecurity Forecast 2026." "We expect to see ransomware operations specifically designed to impact critical enterprise software, such as ERP systems, severely disrupting the supply chain of data essential for OT operations. This vector is effective because compromising the business layer cripples the industrial environment, forcing quick payments. Meanwhile, poor hygiene, like insecure remote access, will continue to allow common Windows malware to breach OT networks. Targeted nation-state attacks, though less frequent, will remain highly sophisticated and tied directly to specific geopolitical conflicts."

Harrington offered similar warnings, noting that many organizations with OT systems had introduced internet connections into their OT environments over the years, creating vulnerabilities that attackers are eager to exploit. And while many of those organizations are focused on strengthening their security, they're still extremely vulnerable to attacks that could shut down their operations.

5. Adoption of continuous threat exposure management grows

Continuous threat exposure management (CTEM) is a security strategy that centers on continuously monitoring an organization's digital environment for potential threats.

Some security experts view this as an essential discipline for modern security operations because malicious hackers can breach and launch attacks at an ever-increasing pace, making point-in-time penetration testing and traditional vulnerability management approaches less effective.

According to the "2025 State of Exposure Management" from tech company Brinqa, 93% of security leaders now view exposure management as a top business priority, and 82% want to take a more proactive approach.

UST's Velleca said CTEM helps security chiefs take a more proactive approach, correctly configure security platforms and ultimately better protect their organizations. He said progressive CISOs have already adopted CTEM, "and the rest will follow suit in 2026. It will be a fast-moving trend."

6. Current geopolitical environment ups cyber-risk

The authors of the World Economic Forum's "Global Cybersecurity Outlook 2026" said deepening geopolitical fragmentation is accelerating cyber-risk in 2026.

The report also noted that 64% of surveyed organizations said they were accounting for geopolitically motivated cyberattacks, such as disruption of critical infrastructure or espionage. And 91% of the largest organizations have adjusted their cybersecurity strategies in response to geopolitical volatility.

Leading organizations are taking action. According to the report, "52% of CEOs of highly resilient organizations are prioritizing threat intelligence on nation-state actors, compared to 13% of CEOs of insufficiently resilient organizations. Similarly, 48% of CEOs of highly resilient organizations are increasing collaboration with government agencies and information sharing groups, whereas only 6% of CEOs of insufficiently resilient organizations report doing so."

Forrester's Harrington said geopolitically motivated attacks often target critical infrastructure, such as the electric grid, water supply facilities and transportation infrastructure, but they also go after private-sector entities, often with the aim of disrupting everyday life.

7. Ransomware remains a significant threat

AI and geopolitics are reshaping the risk landscape, but such emerging issues haven't displaced longstanding threats. As such, ransomware remains a significant risk for organizations of all kinds.

"For companies that are less mature from a cybersecurity perspective and that have glaring gaps in their security posture, they're going to be targeted. And for bigger, more mature companies, the message is, 'Ransomware is not going anywhere.' Ransomware has been a successful attack method for bad actors, so they're still going with this strategy," said Virginia Romero, global delivery lead of incident response at cybersecurity and intelligence firm S-RM.

Figures bear this out. For example, Verizon's "2025 Data Breach Investigations Report" found that ransomware was present in 44% of breaches, a 37% increase over the prior year's findings.

Although the risk of ransomware remains constant, its typical victim is changing, said Josh Schmidt, a partner in the advisory practice at professional services firm BPM. He said large organizations in recent years have reinforced their defenses against such attacks, but small and midsize firms have not had the same budget and skills to similarly mature, making them prime targets even if attackers ultimately get lower ransomware payments from SMBs.

Verizon's 2025 DBIR spoke to this trend, reporting that ransomware was a component of 39% of breaches in larger organizations compared to 88% for SMBs.

8. Deepfakes emerge as a significant threat

IBM's "Cost of a Data Breach Report 2025" revealed that, on average, 16% of data breaches involved attackers using AI. They most commonly use AI-generated phishing schemes (37%), but they're also using it for deepfake impersonation tactics (35%).

And just as attackers have learned to use generative AI to craft email messages that look and read like legitimate messages, they've learned to use GenAI to make convincing deepfakes, Romero said. Moreover, attackers have had success with these deepfakes, she added, giving them an incentive to keep using the tactic as part of their attack arsenal.

The National Cybersecurity Alliance warned of this in its 2026 cybersecurity predictions white paper. "Deepfakes will be impossible to spot," the NCA wrote. "This is essentially our AI-generated deepfake reality, and the technology is only going to get better. Anyone who tells you there are 'rules' for spotting AI photos, video, or text in 2026 (check the hands, bro) is, unfortunately, suffering from wishful thinking. There is just no easy way to spot AI deepfakes."

9. Harvest now, decrypt later makes quantum security an immediate concern

"Adversaries are actively collecting encrypted data with the expectation that future advances will enable decryption," said Katrina Rosseini, a cybersecurity expert whose professional roles include serving as executive board chair for the Civilian Reserve Information Sharing and Analysis Center.

Harvest now, decrypt later has organizations assessing their current data retention and data protection strategies, as well as their plans for implementing post-quantum encryption standards, Rosseini said, noting that leading CISOs are alerting their colleagues to the increasing risks of retaining unnecessary data, advocating for stronger data protection policies and practices, and fast-tracking the use of post-quantum cryptography standards.

"Enterprises should not wait for quantum breakthroughs to begin preparing," Lovejoy said. "Instead, they should treat quantum risk as a multiyear change program across networks [and] applications."

10. CISOs feel pressure to cut staff

Despite the increasing complexity and challenges that cybersecurity teams are facing, CISOs will likely contend with demands to trim staff, Harrington said.

CEOs and boards often see AI tools as not just augmenting staff members, but replacing them, so more of them will be asking CISOs to adjust their staffing needs accordingly, he explained, adding that "it's not a positive trend in my view, it's a negative trend."

As Harrington explained, AI automates tasks that have historically been handled by junior security professionals, so it's these junior analyst roles that are at risk of elimination. But junior roles are critical training grounds, he said, because they give early-career security pros the experience they need to hold senior analyst and other high-level security positions that won't be replaced by AI.

"As you peel off those junior analysts and then your senior analysts leave, you won't have anyone who has been gaining knowledge on staff to move up to the empty seat," Harrington said. "And the market won't have [that talent] either. This has already been happening."

Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.