2026 security predictions
Ah, the lull... That glorious stretch between Festive Season chaos and the clock ticking over into a new year.
I've had an unusually quiet run-up to 2026, and this combined with a chunk of time spent in an investor and advisory capacity this year has given me space to think about what's coming around the next few corners—in 2026 and beyond.
Core Ingredients
At a high-level, I see the main players as:
- The acceleration of technology itself: building it, attacking it, and defending it. I'm not talking about technology getting faster, but about the increasing rate at which it's getting faster. Commoditized GenAI is at the center of driving most of this, but I still see it as a speed issue, not an issue constrained to a particular type of technology.
- The legacy infrastructure that powers the Internet, and the commercial and technical issues involved in securing it. See also: Critical Infrastructure.
- Increasing global instability, unstable alliances, and a general trend toward a "war footing". Related to this, a general trend toward "sovereign capability" at the national, state, and even personal level.
- Macro-economic instability, especially around the touch points between the USD and the global economy.
- A Western cyber-industrial complex that has, at this point, largely and fairly obviously conflated shareholder value with solution value, and in many places abandoned its core mission as a result.
You might notice a lack of reference to "the crowd" and predictions relating to the role of security research in here... That's because from my perspective, it's a given. The specifics will probably surface in other posts over the coming months.
Predictions
So, here we go... Most of these are targeted in the 2026 timeframe, but all of them have implications beyond that:
- The centenary of China's People's Liberation Army (PLA) looms large: August 1st, 2027, the hundredth anniversary of the PLA's founding, is a date President Xi has tied to a mandate for modernizing Chinese military capability, including in cyberspace. Whether the CCP takes specific action on or before this date is outside this article's scope, but the buildup is clearly making competitor nations nervous and heightening geopolitical tension. 2026 brings us within 12 months of that deadline, and we can reasonably expect an increase in cyber skirmishes, whether through deliberate strategic action or as a byproduct of rising tension. This will include nation-targeted mis- and disinformation, prepositioning activity, more overt reconnaissance, and other generalized ruckus on the internet. We've already seen this with Salt Typhoon, Volt Typhoon, and Flax Typhoon, and watched the U.S. respond with both rhetoric and legislation aimed at building offensive cyber capability and shifting toward a "defend forward" active security posture.
- Shift left might actually start working… If we're being honest about it, earlier iterations of shift left were pretty limited, mostly because they foisted the security team's burden onto an already overburdened development team. With GenAI and fresh momentum from innovators in the space, 2026 may be the year the industry finally succeeds in making security easy and insecurity hard for engineering.
- …while we continue to forget that the internet is still basically a pile of turtles: If that's the good news, the bad news is that it only applies to modern code, meaning CI/CD-native and cloud-native companies and products. The vast majority of systems comprising the Internet's attack surface won't benefit from these solutions in 2026, and will remain targetable through aged vulnerabilities, trivial exploits, and n-days against unpatched systems.
- The tale of two internets: The "two internets" contrast is a well-established issue of internet physics, but 2026 will make the dual nature of the global attack surface more apparent. On one side: the newer, more dynamic, maintainable attack surface, currently threatened by reckless vibe-coding and the focus of defensive innovators leveraging AI to shift left and prevent vulnerabilities at the source. On the other: the older, static attack surface powering the rest of the internet, steadily accumulating technical debt (essentially any company founded before 2008 or so, plus the vast majority of underlying infrastructure). Nation-states and state-adjacent actors will target the old stuff; initial access brokers (IABs) and cybercriminals will focus on the new.
- AI-enabled attacks (more vibecrime-y than Skynet-y): AI has put software development in the hands of just about anyone. Given that malware is basically just spicy software, this democratized capability combined with growing economic pressure will trigger a new wave of "garden-variety" malware creation: folks vibecoding together crimeware tools like malicious browser extensions. I expect AI-powered active offense to feature more heavily in 2026, but I believe we've already seen a lot of it in 2024 and 2025 without recognizing it; at least crimeware allows for effective attribution.
- AI-induced job scarcity will trigger a rise in freelancing and crowdsourcing: We've seen this movie before: we worked with university researchers after COVID-19 to study the effects of external shocks on crowdsourcing ecosystems. While AI-driven disruption to knowledge workers differs from the pandemic, there are similarities, and I expect a fresh influx of folks wanting to turn security research and bug hunting into a full-time gig. The challenge, of course, is that as AI and automation reduce discovery costs for certain vulnerability classes (and grow more effective over time), available liquidity for bug hunters will shift, pivoting the REAL question back to "what is a bug actually worth?"
- …and crime too: Two big factors to call out: necessity, and the blurring of ethical lines. The first is job scarcity and increasing economic pressure, now a global phenomenon. When survival is at stake and opportunity presents itself, people will choose crime. The second, more nuanced dynamic is how rising geopolitical tensions are blurring the definition of "bad guy." For overt cybercriminal work, that distinction is probably clear to someone applying for the job, but their ethical threshold may have shifted from where it once was. A good "gray" example is the IT Army of Ukraine operating against Russia. In many jurisdictions, participants' actions are legally gray if not outright illegal, yet people engage anyway because they believe in the cause.
- Triage, anti-fragility, and defense-in-depth will (re)surface as cybersecurity's biggest challenges: More attack surface, easier attacks, more builders on the playing field, more attackers, increased detection capabilities, the ability to dress up reports and alerts with generated content... All of this nets out to more data to wade through, the absolute last thing defenders need. The optimist in me would like to think this drives the market toward anti-fragility and defense-in-depth (some of that shift-left progress will help), but realistically we're headed for a triage trash fire in 2026 across all blue-team disciplines, and no, I'm not just talking about vulnerability management.

I know, I know... This is a pretty pessimistic assessment.
That said, the opportunities to innovate and make a dent on the problem are most present in the gaps—and if you're reading this, that's probably pretty motivating for you. As for me, these areas are definitely going to inform my focus as we round the corner into 2026.
Happy New Year to you and yours, and to all those around you that you love. I hope you get a good break, and I'm looking forward to seeing you in the trenches next year!