Out-of-the-Box Expectations for 2026 Reveal a Grab Bag of Risk - Dark Reading
Security teams need to be thinking about this list of emerging cybersecurity realities to avoid rolling the dice on enterprise security risks (and opportunities).

Tara Seals, Managing Editor, News, Dark Reading
January 30, 2026

Conventional wisdom says that in the ever-evolving cybersecurity landscape, attackers and defenders are locked in a perennial, never-ending death match: increasing threat sophistication battling it out with corresponding shifts in corporate and governmental responses. The showdown rages on in 2026, made all the more interesting by the rise of AI-augmented everything.

But what do we not expect? Dark Reading canvassed a range of industry-watchers and threat-intelligence specialists about the more cutting-edge happenings for security teams to pay attention to. This includes garage APTs, ransomware becoming less lucrative, data embassies, corporate accountability, and CEOs in South Korea taking responsibility for major data breaches.

Read on for our full compilation of these forward-thinking responses.

Garage APTs

Sophisticated cyberattacks will emerge from small groups and nations with minimal resources, enabled by AI-driven tools. Already, vibe-coded malware is emerging, albeit with mixed efficacy.

Open source models like Llama, Mistral, and their derivatives have eliminated the technical barrier—you no longer need state-sponsored research labs to access frontier capabilities. You need a laptop and a VPN.

By 2027, we'll see the first documented cyberattacks attributed to nations that have never appeared on a threat intelligence radar—countries with minimal GDP and no historical cyber capability suddenly executing campaigns that would have required nation-state resources two years ago.
We'll also see the emergence of what I'd call "garage APTs"—small ideological groups, regional separatist movements, extremist factions—running sophisticated operations that previously required government backing.

— Alan LeFort, CEO & Co-Founder, StrongestLayer

Data Embassies Go Mainstream

Sovereign-hosted data banks will replace cloud-based trust as governments prioritize control over infrastructure and data.

“In the public sector, AI governance isn't just a compliance checkbox; it’s a matter of sovereignty. Governments around the world are realizing they can't outsource accountability to algorithms. When AI makes or influences a decision that impacts a citizen, there needs to be full traceability — from the model's provenance to every prompt and output. That means data loss prevention on inputs and outputs, human adjudication for determinations, and transparent disclosure whenever someone interacts with AI. True sovereignty means knowing not just where your data resides, but who holds the keys to it.”

— Bill Church, Chief Technology Officer (CTO) at F5

Ransomware Loses Its Luster

Ransomware is becoming less lucrative for attackers as enterprises increasingly refuse to pay ransoms.

“Ransomware is becoming more dangerous and less lucrative for threat actors, and I think next year we will see many of the key indicators definitively suggest that the defenders are actually winning. Per Coveware's Q3 ransomware report, big enterprises are paying the ransom less, and ransom payment success rates overall are plummeting. This suggests that something is working, be it the sanctions or the police action or the insurance premiums.
I predict next year's ransomware stats will be even more dramatic (in a good way).”

— Alex Culafi, Senior News Reporter, Dark Reading

Cyber Resilience in Startup Valuation

Investors will prioritize cyber resilience as a key factor in startup valuation, alongside growth metrics.

“Investors are expected to treat cyber-risk as a core factor in startup valuation, alongside revenue growth and market potential. Predictions highlight that AI-driven threats, identity risk, and regulatory requirements will reshape how startups are assessed, with cyber resilience becoming a differentiator for funding and long-term viability.

“Startups will no longer be valued solely on growth metrics. Cyber resilience will be a boardroom-level differentiator. Investors are expected to apply a “cyber-risk discount” to startups lacking strong defenses, while rewarding those that integrate AI-native security, compliance frameworks, and identity-first strategies into their operating model.”

— Melina Scotto, Veteran CISO & Executive Vice President/Founder at Mastin & Associates

Physical Security Weaknesses

Physical security vulnerabilities in accredited environments will remain a critical challenge without mandated threat-led simulations.

"Organizations will be caught off guard when they realize the access-control systems they paid for and installed can be trivially cloned using public tools and information."

— Mark Frost, Principal Security Consultant at NCC Group

Industrial Network Vulnerabilities

Ransomware targeting ICS controllers and safety systems will increase, requiring OT segmentation and anomaly detection.

"In October, the Jaguar Land Rover ransomware attackers pressured the company to pay while production lines remained idle.
This highlighted the vulnerability of industrial networks and the cascading impact on suppliers and logistics."

— Floris Dankaart, Lead Product Manager, Managed Extended Detection & Response at NCC Group

Developer Role Evolution

Developers will shift from "move fast and break things" to becoming precision experts at ensuring AI-generated code security.

"The role [of developers] is at a pivot point with the introduction of AI code, but humans still have a crucial role to play in ensuring the code is secure."

— Becky Bracken, Senior Editor, Dark Reading

Hybrid Work in the Doghouse

Hybrid work will lose favor as security concerns drive a return to office-based strategies.

“Hybrid work will become a security hazard. Hybrid work, once seen as a productivity booster, will lose its halo as security, not convenience, drives a return to the office. The cost of remote breaches and unmanaged devices will force CEOs and boards to rethink flexibility. My advice: start planning for a security-first workplace strategy today. Lock down endpoints, enforce managed devices, and prepare for cultural pushback, because this shift will come from the top.”

— John DiLullo, CEO at Deepwatch

Israeli Cybersecurity Investments

Geopolitical tensions will drive increased investment in cybersecurity, especially in Israeli technologies.

"As a VC that primarily focuses on the Israeli cyber market, it has been quite interesting to see the desire of many countries, in all regions of the world, to overlook past (and even present) geopolitical tensions to gain access to the cybersecurity technologies coming out of Israel.
In the year ahead, I expect that continued investment in cybersecurity, especially in Israeli cybersecurity companies, will be one of the hottest topics in the industry.”

— Seth Spergel, Managing Partner at Merlin Ventures

Post-Quantum Cryptography (PQC)

Enterprises will focus on cryptographic asset discovery and automation as PQC standards and certificate deadlines approach.

“2024 marked the industry's awakening to post-quantum cryptography (PQC), as NIST locked in core standards and initial protections surfaced in platforms like Apple iMessage, Cloudflare, and Google Chrome. Enterprises spent 2025 catching up, confronting dual pressures from PQC migration and shrinking certificate validity periods, prompting 90% to budget for cryptographic inventories and assessments. In 2026, action takes center stage, with funding secured and March's key certificate deadline approaching, companies will shift to hands-on cryptographic asset discovery, PQC pilots, and full automation for true agility.”

— Tim Callan, Chief Compliance Officer at Sectigo

"The biggest security failure for tomorrow isn’t 'weak cryptography,' it’s the lack of crypto agility. Systems being deployed now will still be running when quantum-era attacks arrive, yet most are built on fixed-function security that cannot evolve."

— Seth Reinhart, Security Market Lead at Altera

"Driven by national-security imperatives, jurisdictional control concerns and regulatory mandates about where data is processed and who can access it, 2026 will see the accelerated migration toward sovereign-hosted communications and cloud infrastructure. In 2026, control will become the new foundation of trust.
Governments and critical-infrastructure operators will favor platforms built for autonomy—where infrastructure, keys, and data remain fully within their own authority."

— Christine Gadsby, Vice President & Chief Security Advisor, BlackBerry Secure Communications

Modern SOC Evolution: Shattered Glass Replaces Single Pane

Security operations centers (SOCs) will transform into distributed, API-driven environments leveraging AI for real-time security telemetry.

"By 2026, the SOC is no longer a physical room of screens and browser tabs, but a distributed mesh of portable code, data pipelines, autonomous agents, and humans building all of the above and checking on how it runs. This ‘shattered glass’ architecture replaces the ‘single pane’ lie (that frankly never existed) with a knowledge graph that connects identity, asset, and security telemetry in real-time, moving us away from ‘grab a coffee and wait’ log searches to ‘down a 5-Hour Energy’ and immediately dive into high-context results that machines can act on.

“The primary interface becomes a virtual ‘workbench’ — a headless, API-driven (and MCP!) environment that runs on cloud and uses AI heavily. Ultimately, the modern SOC functions as an engineering factory, where the 'product' is resilient, vendor-agnostic detection logic that lives in a pipeline rather than a proprietary vendor database.”

— Anton Chuvakin, Senior Staff Security Consultant at Google Cloud

AI Bubble Set to Burst — Then Recover

The AI market will experience a correction, but AI will continue to penetrate cybersecurity and other industries.

“The AI bubble will indeed burst, not because AI itself is a bad idea or a pipe dream, but rather because unfounded exuberance in the markets always precedes a moment of correction in prices, valuations, etc.
However, just as the Internet survived and thrived after the dot-com crash, AI will go on, emerging from the trough of disillusionment/despondency to penetrate ever more areas of the economy, including of course cybersecurity.

“The first and most obvious area for ‘AI-ification’ in cyber is SecOps, and fortunes will be spent adding AI capabilities to SOC environments. It will in no way reduce the number or the gravity of cyber incidents, however. Most exploits will continue to take advantage of vulnerabilities that are years if not decades old, and have simply gone unpatched."

— Rik Turner, Chief Analyst for Cybersecurity at Omdia

South Korea as a Cyber Canary

South Korea's CEOs are taking responsibility for major data breaches, signaling a global shift in accountability for cyber health.

"In 2025, three Korean CEOs have accepted responsibility due to large data breaches, representing an unacceptably large loss of data and an existential threat to their business (at Korea Telecom, South Korea Telecom, and e-commerce giant Coupang). Each CEO took ultimate responsibility for the loss of data and trust. The fate of telecom giant LG Uplus’ CEO remains uncertain after they were victims of a recent cyberattack."

— John Hughes, Head of Network Security at Enea

Related: CISOs will face career consequences for failures, with cybersecurity becoming a shared responsibility across the C-suite.

“Historically, CISOs who experienced breaches often became more desirable candidates for battle-tested leaders. In late 2026, this narrative will shift: Breaches tied to poor decisions or underinvestment will no longer be forgiven. Accountability will extend beyond technical competence to strategic foresight and governance.

“CISOs will face real consequences for failures, including stalled career progression. Organizations will demand transparency, proactive risk management, and demonstrable outcomes, not just reactive heroics. What does this mean for organizations?
Cybersecurity will become a shared responsibility across the C-suite. Expect stronger regulatory frameworks and personal liability for executives in certain jurisdictions. The CISO role will evolve from ‘technical guardian’ to ‘business risk leader.’”

— Gary Cannon, Transport Practice Lead at NCC Group

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.