Every new year brings apocalyptic predictions about the future of cybersecurity: AI will win the offensive arms race; quantum computers will reveal all of our secrets; the Cloud will fail and bring down the global economy with it.
2026 is no different.
Having worked at the sharp end of security, Cloud and enterprise technology, I don’t believe this year will be defined by a single catastrophic event or breakthrough.
Instead, I think it will be the year in which many comfortable assumptions are finally exposed. This is healthy.
AI isn’t the Supervillain — but it is Changing the Game
Let’s start with AI, because that’s where most of the noise is.
There have been recent claims — and even academic papers — suggesting we’ve already seen fully autonomous, end-to-end cyberattacks conducted entirely by AI. Those claims have been hotly debated, and in many cases heavily criticised, by people who actually work in security.
The truth, as usual, sits somewhere in the middle.
AI does make certain things much easier for both attackers and defenders. It’s very good at doing basic work at huge scale, which includes finding anomalous behaviour in large data volumes, analysing codebases for vulnerabilities, finding valuable information in gigabytes of stolen data, and generating well-targeted and convincing phishing lures.
What it can’t yet replace is the deep human expertise of an attacker or pentester.
Today’s high-end, sophisticated attacks still require nuance, context, and judgement: the ability to handle edge cases and adapt when things don’t go to plan. Large Language Models can be a powerful accelerator for sophisticated humans – in exactly the way top programmers use AI coding assistants – but when attackers have tried to hand too much control to large language models, the output has often been clumsy, noisy, and easy to detect.
AI is often described as “an infinite number of interns”: industrious, fast, tireless – but requiring careful instruction, oversight and management.
That will change one day – but we’re not quite there yet.
The same logic applies to quantum computing. Yes, it will eventually force a rethink of classical encryption. No, it’s not about to trigger Armageddon. The value of any secret is time-limited and organisations should be planning for, and transitioning to, quantum-resistant approaches like double-encryption that can be expected to protect those secrets for as long as they have value. This is pragmatic planning, not a cause for panic.
The first practical quantum computers will be rare and expensive and, in the offensive role, will consequently be targeted at the most-valuable national and commercial secrets. It will be some time before quantum computing becomes commoditised to the point where most organizations are at risk.
In the meantime – as ever – the most important thing a company can do to keep itself safe is getting the basics right: applying least privilege principles, segregation, managing vulnerabilities, and so on. This will go a long way to protecting them from the majority of attackers - human or otherwise.
Cybercrime is Becoming Quieter — and More Sustainable
One interesting shift I expect to continue into 2026 is how cybercriminals operate.
For a long time, ransomware followed a familiar pattern: break in, encrypt systems, demand payment. Then came double extortion: encrypt the systems and steal the data for a further ransom.
Now we’re seeing more-mature criminal groups drop the encryption part altogether.
Instead, they just steal data and threaten to release it.
The reason is quite simple: disruption attracts a significant response.
When systems go down, production stops. Headlines follow, and governments get involved. The Jaguar Land Rover attack is a good example: the impact was so significant it reportedly showed up in national productivity figures. That kind of attack triggers law enforcement action, the involvement of intelligence agencies, and international scrutiny.
From a criminal’s point of view, that’s bad for business.
Data extortion, on the other hand, is discreet. A CEO receives a message. The attacker has probably stolen a copy of the company’s cyber insurance policy and carefully calibrated the ransom to match its level of cover. A small group of executives handles it quietly. No outage. No press. No national response.
It’s efficient, repeatable, and it’s hard for us to measure: how do we quantify this threat if few of these attacks are even reported?
In 2026 I expect fewer noisy ransomware attacks from organised crime groups, and more “hack and leak” incidents that never make the news. The disruptive attacks won’t disappear, but they’ll increasingly come from immature threat actors chasing notoriety, or from nation states with strategic motives.
The Cloud Has Changed Expectations — and Now Those Expectations Are Changing Again
The final shift I’m watching closely is around resilience and accountability.
For years, organisations were told that moving to the Cloud meant availability guaranteed – or at least that it was someone else’s problem. If it was SaaS, or hosted across multiple hyperscaler regions, it would “just work”.
Recent outages have challenged that assumption. In 2025 we saw exactly how this approach has engineered shared dependencies into our global economy. When one of these systems fails – often one critical system in a single region – it can knock out thousands of unrelated services across the globe, from large enterprise platforms to cheap consumer devices. People outside our industry are now asking reasonable questions about these single-points-of-failure.
Furthermore, the rush to AI has often overridden hard-won security wisdom.
AI-driven tools that promise to connect everything together certainly deliver convenience, but at what cost? Giving them broad system access across trust boundaries has resulted in attackers gaining levels of access we thought we’d long since engineered away.
In 2026, “trust us” won’t wash.
Customers will expect providers to explain how they’ve engineered for resilience, how they manage security, and what happens when something fails. Availability – long treated as the poor relation of the “CIA triad” – is moving back to center stage.
What 2026 will really expose
So What’s My Prediction For 2026?
Not collapse – but increasing expectations, and the exposure of weaknesses.
The organisations that succeed won’t be the ones reacting to headlines. They’ll be the ones that have already reframed their decisions around risk, resilience, and accountability.
The question isn’t whether technology will fail – it’s who has planned for when it does.
