2026 and the Changing Threat Landscape: ExtraHop Predictions to Strengthen Your Cybersecurity Posture
December 22, 2025
This coming year will test every layer of enterprise defense.
In 2025, adversaries reshaped the threat landscape significantly: Supply chain exploitation became routine, nation-state operations grew stealthier, and ransomware groups shifted from smash-and-grab tactics to deliberate, strategic campaigns.
For 2026, the ExtraHop team is spotlighting priority focus areas based on emerging threats.
Identity: The Gateway to Supply Chain Compromise
Credential theft has become both pervasive and easy for attackers, requiring little more than the low-effort work of deceiving their victims. “Even with perfect patching and verification tools, a single convincing phishing attack can undo everything,” warns Jamie Moles, Senior Manager.
As the number of stolen credentials multiplies, “Scattered Spider type attacks will become the norm,” predicts Heath Mullins, Sr. Principal.
Once threat actors compromise credentials, they’re able to pivot to connected systems, turning a single breach into a supply chain event.
Says CISO Chad LeMaire, “Rather than having to [gradually and manually] gain access to hundreds of organizations, threat actors can get immediate access to hundreds or even thousands of organizations.”
Ransomware: The Shift From Opportunism to Strategy
The sophistication of ransomware attacks reached new heights in 2025, causing supply chain chaos for Marks & Spencer, major operational disruption at Jaguar Land Rover, and significant data theft at Qantas Airways.
Amid these high-profile, high-impact incidents, LeMaire anticipates a strategic shift in 2026, predicting a decline in quick, opportunistic "smash-and-grab" ransomware attacks as adversaries increasingly prioritize calculated, strategic operations.
The industry is already seeing a move towards this trend. According to the 2025 Global Threat Landscape Report, organizations experienced 5-6 ransomware incidents on average in 2025, down from 8 the previous year.
Says LeMaire, “While the overall number of incidents may be decreasing, the sophistication and financial impact of each attack are rising sharply.”
Data shows that ransom payments are up: enterprises paid an average of more than $3.6 million in ransom per incident, up $1 million from the prior year.
VP of Product Marketing, Anthony James, agrees that we will see “more targeted ransomware seeking large rewards,” as attackers launch more customized campaigns.
LeMaire emphasizes that nation states, in particular, are pursuing this approach, dwelling quietly inside systems and waiting for the most advantageous moment to strike – often combining data theft, extortion, and operational disruption.
We can expect to see this specifically within the critical infrastructure sector. Mullins confirms the enduring appeal of select targets: “Critical infrastructure has long been a favorite of nation state attacks.” He expects focus on this vertical to continue in light of the current trade wars between the U.S. and China.
“Proactive threat hunting and intelligence-driven defense will be essential to counter the next wave of ransomware campaigns,” says LeMaire.
AI & Agentic Operations: Risk vs. Reward
The shift from isolated use of AI to enterprise-wide integration is redefining how security teams approach exposure. AI adoption across departments creates new operational dependencies, where a single model’s failure or drift can cascade across business functions.
“With new standards like ISO 42001 emerging, it’s clear that AI must be treated as part of overall cyber risk, not a standalone innovation. Every AI system interacts with your network, your data, and your people, which means it falls squarely within the CISO’s domain,” says LeMaire.
AI as an Attack Multiplier
Security leaders warn that artificial intelligence is rapidly reshaping the offensive playbook for adversaries. AI will “supercharge the attackers’ ability to pivot their attacks and develop at an alarming rate,” predicts James. “The technology enables threat actors to scale operations with unprecedented speed and sophistication.”
“Our opponents are smart, well-financed, and motivated. Worst of all, they are ahead of us in the use of generative AI,” says Director of Engineering, Todd Kemmerling. Concerns include AI-driven social engineering and attack orchestration, potentially increasing the attack tempo anywhere between 10X and 100X.
This acceleration is even more dangerous when adversaries weaponize the enterprise’s own AI tools. “AI agents are increasingly being integrated into business workflows and already becoming a new attack surface, as most organizations still have no idea how to govern them,” says Moles. “If an attacker compromises one, they’ll get all the access without any of the scrutiny.”
Ken Chen, ExtraHop’s VP of Sales for the APAC region, reinforces the severity of this internal threat, noting, “We just saw with Anthropic how their agentic AI was used to carry out an attack. Deployed AI agents can quickly understand internal network architecture and give threats intel to evade detections, resulting in rapid escalation of threat campaigns. We will see more attacks next year that rely on AI agents or tools to carry out the majority of an attack, whether from misuse of legitimate services or built by attackers.”
The Defender’s Dilemma
AI introduces additional challenges for defenders. “An attacker loses nothing by relying on agentic AI to complete large campaigns with a high rate of failure, whereas the defender must be plugged in to ensure that nothing slips by,” says Mullins.
This shift means security operators will spend more time training and validating AI results than investigating threats, says James – a fundamental change in how SOC teams allocate resources.
Successful deployments will require teams to schedule time to learn and train alongside their new AI and agentic systems. It will not be a "lightswitch" moment, but the dedicated work will yield the most impactful long-term results.
AI-Driven SOC Transformation
Despite initial challenges, 2026 is poised to mark significant acceleration towards AI-driven security operations. “I predict that a majority of security triage will be managed by self-governing AI agents, freeing up human analysts to focus on complex, high-impact threat hunting and governance,” says Chen.
This will enable defenders to “cover a dramatically larger volume of alerts” that currently go uninvestigated, says James. SOC teams presently investigate only a small fraction of alerts due to resource limitations, a factor that attackers account for and abuse when designing attacks.
Strengthening investigation capacity can also bring other meaningful organizational benefits. From a cost perspective, Kemmerling identifies increased automation and AI adoption as the highest-impact action for sustainable cost reduction in 2026.
SOC Modernization: The Legacy Challenge
Given the confluence of external risk factors, internal pressures, and new technology adoption, modernization is a key directive for reducing organizational risk in 2026.
“Legacy systems are becoming signposts for attackers. Everyone knows they’re fragile, everyone’s scared to touch them, and that hesitation is exactly what criminals exploit,” says Moles. “Modernization is now imperative to risk reduction; it’s not just a nice-to-have. The systems you’re too nervous to change are the ones threat actors will target first.”
To meet this challenge, security leaders will need to take a comprehensive approach to security operations, ensuring that systems and capabilities work together to provide a holistic picture of threat activity.
The urgency here is evident in two ways: in what customers are demanding from security solutions, and in how the market itself is evolving to meet the demands.
“Expect to see NDR or XDR vendors partnering (up to and including via acquisition) in 2026,” predicts Mullins.
For 2026’s Expanding Threat Landscape: Adaptive Defense
If 2025 taught us anything, it’s that adversaries – from supply chain attackers to nation-state groups – inflict maximum damage when they operate undetected across environments. That insight now frames how leaders need to prepare for 2026.
For deeper context around these predictions and 2026 strategy inspiration, explore ExtraHop’s 2025 Global Threat Landscape Report.