Full Report
This week, Joe laments 2025 and considers what we can expect in 2026 in the wild world of cybersecurity.
Analysis Summary
# Main Topic
Forecasting and Analysis of Key Cybersecurity Threats Expected in 2026, based on trends and incidents observed throughout 2025.
## Key Points
- Ransomware activity is predicted to remain extremely high in 2026 due to its high profitability, compounded by global macroeconomic instability and geopolitical tensions.
- Attackers are increasingly targeting the Operational Technology (OT)/Industrial Control System (ICS) sector, exemplified by the significant financial impact a cyber attack had on Jaguar Land Rover.
- The threat landscape is seeing increased sophistication, with blurring lines between state-sponsored actors and Advanced Persistent Threats (APTs) due to professionalization (e.g., Ransomware-as-a-Service).
- While AI-orchestrated espionage campaigns are being reported (e.g., a state-sponsored actor using Claude), analysts cautioned that some of these reports lack substantive evidence; even so, the potential for highly advanced AI-driven attacks in 2026 remains a serious concern.
- Defensive focus in 2026 should prioritize strengthening fundamentals, particularly Identity and Access Management (IAM) and securing proliferating service accounts.
## Threat Actors
- **Qilin:** Identified as an aggressive ransomware cartel with a very active dark web presence in 2025, and potentially topping the lists of most lucrative criminal operations in 2025 year-end reports.
- **State-sponsored Adversaries:** Implicated in the first reported AI-orchestrated cyber espionage campaign, though details surrounding this specific activity lack full transparency.
## TTPs
- **Ransomware Extortion:** Continuing high-tempo deployment facilitated by the "as-a-service" model, making operations more organized and efficient.
- **Industrial Disruption:** Targeted attacks against manufacturing sectors where IT and OT environments converge, leading to costly operational disruptions.
- **AI Integration (Emerging):** Use of large language models (LLMs) such as Claude to orchestrate portions of the cyber kill chain, indicating the potential for more sophisticated, automated attacks in 2026.
## Affected Systems
- **Manufacturing/Industrial Control Systems (ICS):** Critical infrastructure and physical production environments are becoming prime targets because disrupting physical operations gives attackers significant financial leverage.
- **General IT Infrastructure:** Standard business enterprise systems remain vulnerable to ransomware, with a specific emphasis on defending identity infrastructure.
## Mitigations
- **Strengthen Identity and Access Management (IAM):** This is highlighted as a core defensive area requiring renewed focus.
- **Service Account Management:** Implement strict controls and regular auditing for multiplying service accounts.
- **Team Support and Training:** Ensure security personnel are trained, supported, and encouraged to take breaks ("step away from the keyboard") to combat burnout.
- **Focus on Fundamentals:** Resist distraction from hype (such as over-relying on AI as a sole defense) and double down on proven security basics.
## Conclusion
The outlook for 2026 suggests a continuation of aggressive ransomware campaigns and increased convergence of cyber attacks targeting physical operations. Defenders must maintain grounding in core security principles (especially identity), manage team well-being, and prepare for rapidly evolving threat technologies, including increased automation driven by AI tools. Staying grounded, curious, and human will be essential for readiness.