Conventional wisdom says that in the ever-evolving cybersecurity landscape, attackers and defenders are locked in a perennial, never-ending death match: increasing threat sophistication battling it out with corresponding shifts in corporate and governmental responses. The showdown rages on in 2026, made all the more interesting by the rise of AI-augmented everything.
But what don’t we expect? Dark Reading canvassed a range of industry-watchers and threat-intelligence specialists about the more cutting-edge happenings for security teams to pay attention to. This includes garage APTs, ransomware becoming less lucrative, data embassies, corporate accountability, and CEOs in South Korea taking responsibility for major data breaches.
Read on for our full compilation of these forward-thinking responses.
Garage APTs
Sophisticated cyberattacks will emerge from small groups and nations with minimal resources, enabled by AI-driven tools. Already, vibe-coded malware is emerging, albeit with mixed efficacy.
“Open source models like Llama, Mistral, and their derivatives have eliminated the technical barrier — you no longer need state-sponsored research labs to access frontier capabilities.”
— Christine Gadsby, Vice President of Product Security, BlackBerry
Data Embassies Go Mainstream
Sovereign-hosted data banks will replace cloud-based trust as governments prioritize control over infrastructure and data.
“In the public sector, AI governance isn’t just a compliance checkbox; it’s a matter of sovereignty. Governments around the world are realizing they can’t outsource accountability to algorithms. When AI makes or influences a decision that impacts a citizen, there needs to be full traceability — from the model’s provenance to every prompt and output. That means data loss prevention on inputs and outputs, human adjudication for determinations, and transparent disclosure whenever someone interacts with AI. True sovereignty means knowing not just where your data resides, but who holds the keys to it.”
— Bill Church, CTO at F5
Ransomware Loses Its Luster
Ransomware is becoming less lucrative for attackers as enterprises increasingly refuse to pay ransoms.
“Ransomware is becoming more dangerous and less lucrative for threat actors, and I think next year we will see many of the key indicators definitively suggest that the defenders are actually winning. Per Coveware’s Q3 ransomware report, big enterprises are paying the ransom less, and ransom payment success rates overall are plummeting. This suggests that something is working, be it the sanctions or the police action or the insurance premiums. I predict next year’s ransomware stats will be even more dramatic (in a good way).”
— Alex Culafi, Senior News Reporter, Dark Reading
Cyber Resilience in Startup Valuation
Investors will prioritize cyber-resilience as a key factor in startup valuation, alongside growth metrics.
“Investors are expected to treat cyber-risk as a core factor in startup valuation, alongside revenue growth and market potential. Predictions highlight that AI-driven threats, identity risk, and regulatory requirements will reshape how startups are assessed, with cyber resilience becoming a differentiator for funding and long-term viability.
“Startups will no longer be valued solely on growth metrics. Cyber resilience will be a boardroom-level differentiator. Investors are expected to apply a ‘cyber-risk discount’ to startups lacking strong defenses, while rewarding those that integrate AI-native security, compliance frameworks, and identity-first strategies into their operating model.”
— Melina Scotto, Veteran CISO & Executive Vice President/Founder at Mastin & Associates
Physical Security Weaknesses
Physical security vulnerabilities in accredited environments will remain a critical challenge without mandated threat-led simulations.
“Organizations will be caught off guard when they realize the access-control systems they paid for and installed can be trivially cloned using public tools and information.”
— Mark Frost, Principal Security Consultant at NCC Group
Industrial Network Vulnerabilities
Ransomware targeting ICS controllers and safety systems will increase, requiring OT segmentation and anomaly detection.
“In October, the pressured the company to pay while production lines remained idle. This highlighted the vulnerability of industrial networks and the cascading impact on suppliers and logistics.”
— Floris Dankaart, Lead Product Manager, Managed Extended Detection & Response at NCC Group
Developer Role Evolution
Developers will shift from “move fast and break things” to becoming precision experts at ensuring AI-generated code security.
“The role [of developers] is at a pivot point with the introduction of AI code, but humans still have a crucial role to play in ensuring the code is secure.”
— Becky Bracken, Senior Editor, Dark Reading
Hybrid Work in the Doghouse
Hybrid work will lose favor as security concerns drive a return to office-based strategies.
“Hybrid work will become a security hazard. Hybrid work, once seen as a productivity booster, will lose its halo as security, not convenience, drives a return to the office. The cost of remote breaches and unmanaged devices will force CEOs and boards to rethink flexibility. My advice: start planning for a security-first workplace strategy today. Lock down endpoints, enforce managed devices, and prepare for cultural pushback because this shift will come from the top.”
— John DiLullo, CEO at Deepwatch
Israeli Cybersecurity Investments
Geopolitical tensions will drive increased investment in cybersecurity, especially in Israeli technologies.
“As a VC that primarily focuses on the Israeli cyber market, it has been quite interesting to see the desire of many countries, in all regions of the world, to overlook past (and even present) geopolitical tensions to gain access to the cybersecurity technologies coming out of Israel. In the year ahead, I expect that continued investment in cybersecurity, especially in Israeli cybersecurity companies, will be one of the hottest topics in the industry.”
— Seth Spergel, Managing Partner at Merlin Ventures
Post-Quantum Cryptography (PQC)
Enterprises will focus on cryptographic asset discovery and automation as PQC standards and certificate deadlines approach.
“2024 marked the industry’s awakening to post-quantum cryptography (PQC), as NIST locked in core standards and initial protections surfaced in platforms like Apple iMessage, Cloudflare, and Google Chrome. Enterprises spent 2025 catching up, confronting dual pressures from PQC migration and shrinking certificate validity periods, prompting 90% to budget for cryptographic inventories and assessments. In 2026, action takes center stage; with funding secured and March’s key certificate deadline approaching, companies will shift to hands-on cryptographic asset discovery, PQC pilots, and full automation for true agility.”
— Tim Callan, Chief Compliance Officer at Sectigo
“The biggest security failure for tomorrow isn’t ‘weak cryptography,’ it’s the lack of crypto-agility. Systems being deployed now will still be running when quantum-era attacks arrive, yet most are built on fixed-function security that cannot evolve.”
— Seth Reinhart, Security Market Lead at Altera
“In 2026, control will become the new foundation of trust. Governments and critical-infrastructure operators will favor platforms built for autonomy—where infrastructure, keys, and data remain fully within their own authority.”
— Christine Gadsby, Vice President of Product Security, BlackBerry
Modern SOC Evolution: Shattered Glass Replaces Single Pane
Security operations centers (SOCs) will transform into distributed, API-driven environments leveraging AI for real-time security telemetry.
“By 2026, the SOC is no longer a physical room of screens and browser tabs, but a distributed mesh of portable code, data pipelines, autonomous agents and humans building all of the above and checking on how it runs. This ‘shattered glass’ architecture replaces the ‘single pane’ lie (that frankly never existed) with a knowledge graph that connects identity, asset, and security telemetry in real-time, moving us away from ‘grab a coffee and wait’ log searches to ‘down a 5-Hour Energy’ and immediately dive into high-context results that machines can act on.
“The primary interface becomes a virtual ‘workbench’ — a headless, API-driven (and MCP!) environment that runs on cloud and uses AI heavily. Ultimately, the modern SOC functions as an engineering factory, where the ‘product’ is resilient, vendor-agnostic detection logic that lives in a pipeline rather than a proprietary vendor database.”
— Anton Chuvakin, Senior Staff Security Consultant at Google Cloud
AI Bubble Set to Burst — Then Recover
The AI market will experience a correction, but AI will continue to penetrate cybersecurity and other industries.
“The AI bubble will indeed burst, not because AI itself is a bad idea or a pipe dream, but rather because unfounded exuberance in the markets always precedes a moment of correction in prices, valuations, etc. However, just as the Internet survived and thrived after the dot-com crash, AI will go on, emerging from the trough of disillusionment/despondency to penetrate ever more areas of the economy, including of course cybersecurity.
“The first and most obvious area for ‘AI-ification’ in cyber is SecOps, and fortunes will be spent adding AI capabilities to SOC environments. It will in no way reduce the number or the gravity of cyber incidents, however. Most exploits will continue to take advantage of vulnerabilities that are years if not decades old, and have simply gone unpatched.”
— Rik Turner, Chief Analyst for Cybersecurity at Omdia
South Korea as a Cyber Canary
South Korea’s CEOs are taking responsibility for major data breaches, signaling a global shift in accountability for cyber health.
“In 2025, three Korean CEOs have accepted responsibility due to large data breaches, representing an unacceptably large loss of data and an existential threat to their business (at Korea Telecom, South Korea Telecom, and e-commerce giant Coupang). Each CEO took ultimate responsibility for the loss of data and trust. The fate of telecom giant LG Uplus’ CEO remains uncertain after they were victims of a recent cyberattack.”
— John Hughes, Head of Network Security at Enea
Related: CISOs will face career consequences for failures, with cybersecurity becoming a shared responsibility across the C-suite.
“Historically, CISOs who experienced breaches often became more desirable candidates for battle-tested leaders. In late 2026, this narrative will shift: Breaches tied to poor decisions or underinvestment will no longer be forgiven. Accountability will extend beyond technical competence to strategic foresight and governance.
“CISOs will face real consequences for failures, including stalled career progression. Organizations will demand transparency, proactive risk management, and demonstrable outcomes, not just reactive heroics. What does this mean for organizations? Cybersecurity will become a shared responsibility across the C-suite. Expect stronger regulatory frameworks and personal liability for executives in certain jurisdictions. The CISO role will evolve from ‘technical guardian’ to ‘business risk leader.’”
— Gary Cannon, Transport Practice Lead at NCC Group

