Four Threat Shifts That Will Define the 2026 Security Landscape

Updated January 2025

Third-party breaches now account for 30% of all data breaches, a 100% increase from prior levels (Verizon DBIR 2025). As we closed out 2025, the data reveals something security leaders suspected but couldn't quite quantify: the fundamental assumptions underlying traditional security architectures are obsolete. There were four distinct threat shifts which have accelerated simultaneously, knowing these will help organisations identify blind spots and use this information to stay ahead of the curve.

Use this article to navigate the shifts which are likely to continue into 2026, I linked to lots of other useful articles that expand on the threat landscape so you have a comprehensive and updated view and not just another commentary that lacks evidence.

1. Supply Chain Attacks Became Industrialised Operations

What began as sophisticated nation-state tactics has transformed into commoditised, automated operations. Supply chain attacks doubled beginning in April 2025, averaging 26 incidents per month compared to 13 per month in the prior period (Cyble). This wasn't gradual escalation it was systematic industrialisation.

The Shai-Hulud worm targeting the npm ecosystem demonstrates this evolution. The attack automatically harvests credentials, publishes malicious versions of other packages, and creates persistent GitHub Actions workflows all without human intervention. The worm compromised 500+ npm packages in the first successful autonomous attack on the JavaScript ecosystem (Unit 42).

Attackers employed "typosquatting" and "slopsquatting" registering malicious packages with plausible names that AI coding assistants might suggest combined with remote dynamic dependencies designed specifically to bypass static analysis tools. Nation-state actors compromised F5's source code, creating a blueprint for zero-day exploits against 600,000+ internet-exposed devices (CISA Emergency Directive ED 26-01).

The financial impact validates the severity. Supply chain breaches cost an average of $4.91 million globally, with U.S. organisations facing $10.22 million per incident (IBM Cost of a Data Breach Report 2025). These breaches cost 17 times more to remediate than direct attacks.

If you have in house capabilities around software development and managing code then its worth paying close attention to the risks, of course this is just one type of supply chain attack but an important one.

2. Cloud Identity Replaced Network Perimeter as Primary Target

The traditional network perimeter evaporated in 2025, this will continue into 2026 as more organisation move away from traditional networks, the concept of the office being a "coffee shop" that provides internet access to cloud and SaaS based applications is the new reality. Adversaries systematically prioritise compromising cloud identities over network breaches, exploiting the concentration of high-value assets within cloud IAM frameworks.

Threat actors use legitimate penetration testing tools like AzureHound for rapid reconnaissance of Microsoft Entra ID environments, mapping privilege escalation paths in minutes. This discovery phase directly precedes campaigns that achieve persistence by registering rogue devices or deploying malicious OAuth applications.

These "Stealthware" apps trick users into granting persistent, broad access through permissions requests users have been conditioned to approve without scrutiny. The technique worked so well because organisations haven't adapted security controls to cloud identity models they're still thinking about network segmentation while attackers are exploiting OAuth scopes.

The October 2025 CISA emergency directive regarding the F5 breach underscores this reality: when nation-state actors steal source code and vulnerability information, traditional patch management becomes reactive damage control rather than proactive defence. Cloud infrastructure requires identity-centric security models, not retrofitted perimeter controls.

3. Social Engineering Professionalised Into Automated Services

Social engineering evolved from rudimentary phishing into professionalised services delivering sophisticated, automated campaigns at scale. The commoditisation of tools like the IUAM ClickFix Generator has made nation-state-level tactics accessible to ransomware groups and cybercriminal syndicates.

These automated phishing kits create cross-platform lures that manipulate users into executing malicious commands in their own terminals bypassing email security controls entirely by exploiting the trust users place in legitimate-looking technical support workflows.

North Korean groups like BlueNoroff deploy modular information stealer suites using multiple coordinated techniques: fake software updates, trojanised legitimate applications, and supply chain compromises delivered through social engineering precursors.

The Microsoft WSUS vulnerability (CVE-2025-59287) exploitation demonstrates how quickly professional threat actors operationalise new attack vectors. Attackers were probing exposed endpoints within hours of the proof-of-concept release (Huntress) a timeline that renders traditional monthly patch cycles inadequate.

The sophistication extends to data theft operations. Bling Libra claimed theft of over 1 billion Salesforce records (Unit 42), demonstrating how attackers combine social engineering, cloud access exploitation, and automated data exfiltration into integrated campaigns.

I would recommend a read of Why Conventional Training Programs Fail if you wish to dive deeper into this topic.

4. AI Adoption Created New Attack Surfaces Faster Than Defenses

Enterprise AI adoption in 2025 created attack surfaces that existing security stacks weren't designed to address. Organisations deployed AI-powered tools without governance frameworks, creating vectors that bypass traditional controls.

Research into prompt injection demonstrated these attacks can manipulate an agent's persistent memory, turning AI tools into espionage assets. The fundamental challenge: large language models lack reliable mechanisms to differentiate trusted instructions from malicious input embedded in processed data.

But AI represents a dual threat. Threat actors leverage AI to accelerate their operations from generating convincing phishing content to automating reconnaissance and vulnerability analysis. The asymmetry is stark: attackers need only automate one successful technique, while defenders must secure every possible attack vector.

The Salesforce breach illustrates how attackers exploit AI-powered platforms for data exfiltration at scale, using the same API integrations and automation capabilities that make these platforms valuable to legitimate users.

How These Shifts Work Together

These four threat shifts aren't isolated trends they're interconnected attack vectors that compound each other's effectiveness. Consider a typical 2025 breach chain:

1. Social engineering gains initial access through automated phishing
2. Compromised cloud identity provides lateral movement and persistence
3. AI-powered tools accelerate data discovery and exfiltration
4. Supply chain access enables second-stage payload delivery through trusted channels

Traditional security models assumed a defensible perimeter, trusted internal resources, and human-operated attacks requiring sequential execution. Modern threats assume none of these constraints. Attackers operate simultaneously across all four vectors, automatically adapting when one path encounters resistance.

The Career Roadmap is where I discuss exactly what to align on with the shifting trends in cybersecurity

Threat Landscape In 2026

The data from 2025 validates what security practitioners suspected: 75% of organisations experienced supply chain attacks (BlackBerry), far exceeding earlier predictions. Only 1 in 3 organisations feel prepared to protect themselves from these threats (Ivanti).

This preparedness gap explains why threat actors succeeded despite widespread awareness. Organisations implemented point solutions; EDR for endpoints, CASB for cloud, email security for phishing without addressing the integrated nature of modern attacks.

Summary

Effective security in 2026 requires a holistic or multi-faceted approach that I like to breakdown into four domains that makes sense to me, and a good way to frame success for any security programme.

1. Governance & Policy - Formal frameworks for AI usage, supply chain vetting, cloud access management, and third-party risk assessment
2. Technical Controls - Runtime monitoring for dependencies, prompt injection prevention, IAM governance, DLP enforcement, and continuous authentication
3. Data Security - Classification systems and access controls that follow data across all environments, including AI training data and cloud storage
4. People & Awareness - Continuous training that evolves with threat tradecraft, covering social engineering, cloud security, and AI risks

Your security posture is only as strong as your weakest domain. Supply chain monitoring doesn't protect you if users fall for automated social engineering. Cloud identity governance fails if AI systems bypass access controls.

Ready to identify where your defenses have gaps? Take the free AI Security Maturity Assessment to evaluate your organisation's readiness across all four domains and get prioritised recommendations for closing critical vulnerabilities.

I will continue to monitor trends going into 2026 and as shifts happen expect to see updates to this article, subscribe below to get notified when that happens.

Key Resources:

• Understanding Supply Chain Security in Modern Development
• AI Security Best Practices for Enterprise Deployment
• Cloud Identity Security Framework

References:

• Verizon (2025). "Data Breach Investigations Report (DBIR)." Analysis showing third-party breaches doubled to 30% of all data breaches.
• Cyble (2025). "Supply Chain Attack Trend Analysis." Documentation showing attacks doubled beginning April 2025, averaging 26 incidents per month.
• Unit 42, Palo Alto Networks (2025). "Shai-Hulud Worm Compromises npm Ecosystem." Analysis of self-propagating supply chain attack affecting 500+ packages.
• IBM (2025). "Cost of a Data Breach Report." Showing average supply chain breach costs of $4.91 million globally and $10.22 million in the U.S.
• CISA (2025). "Emergency Directive ED 26-01: Mitigate Vulnerabilities in F5 Devices." Response to nation-state breach affecting 600,000+ devices.
• Unit 42, Palo Alto Networks (2025). "The Golden Scale: Bling Libra and the Evolving Extortion Economy." Report on theft of 1+ billion Salesforce records.
• Huntress (2025). "Exploitation of Windows Server Update Services CVE-2025-59287." Documentation of active exploitation within hours of PoC release.
• BlackBerry (2024). "Software Supply Chain Security Survey." Survey revealing 75% of organizations experienced supply chain attacks.
• Ivanti (2025). "State of Cybersecurity Report." Survey showing only 1 in 3 organizations feel prepared for supply chain threats.