Five Cyber Predictions for 2026

As lines blur between human error and machine intelligence, defense has never been more personal

What if we told you the biggest known vulnerability of 2026 isn’t your tech, but your trust?
Welcome to the next era of cyber risk in all its genre-bending, chaotic glory. 

  • People remain the easiest way in for malicious attackers, and AI just made social engineering nearly impossible to stop.
  • Quantum and cloud threats are coming in a lot faster than we can prepare, and old playbooks just aren’t going to cut it.
  • In 2026, resilience won’t depend on having the most tools or protections, but rather on confidently knowing what (and who) you can actually trust. 

What sets these trends apart is they’re set to converge across the upcoming year. And in a future that’s sure to test every layer of defense you thought was secure, next year’s threats have gotten personal. 

Read ahead to learn five emerging trends the Symantec and Carbon Black Threat Hunter team are tracking in 2026.

5 Trends redefining everyone’s security risk

1. People are the key to unlocking a company’s secrets

A trend we have seen in multiple attacks this year is attackers gaining access to victim networks not by leveraging zero-day vulnerabilities or using sophisticated software supply chain attacks, but rather by taking advantage of organizations’ biggest weakness—the people who work there.

The breach of the Salesforce instances of multiple companies and organizations worldwide by the Shiny Hunters extortion group in mid-2025 was a prime example of this. The wave of attacks impacted numerous well-known companies. Shiny Hunters targeted Salesforce customers with vishing (voice phishing) attacks to compromise credentials or to trick employees into authorizing a malicious OAuth app in order to gain access to companies’ Salesforce portals—no malware or fancy tactics needed. The attackers would then steal data and attempt to extract a ransom from the affected company. These attacks echo similar attacks we saw being carried out by the Scattered Spider attack group, which is also known to primarily gain access to victim networks by carrying out sophisticated social engineering attacks. Scattered Spider compromised numerous casinos in Las Vegas in 2023, while in 2025, it deployed the DragonForce ransomware onto the networks of multiple well-known UK retailers.

The success of these groups using tactics like these means it is highly likely we will see further attacks of a similar nature in 2026. Artificial intelligence—which can be used to spoof voices and make scam emails appear more authentic—also presents attackers with the opportunity to make social engineering attacks appear even more believable, and makes them an even greater danger for organizations.

2. Russia and Iran may make a cyber reply to real-world pressures

Ongoing geopolitical pressures on Russia and Iran could provoke threat actors in those countries to initiate disruptive or aggravating cyberattacks on their adversaries, such as Ukraine, Israel, the E.U. and the U.S. If they are unable to establish military dominance over their rivals, then they may use cyberspace to make a point. Attackers from these countries may in some cases lack the skills and resources to perpetrate truly destructive attacks against their foes, but distributed denial-of-service (DDoS) attacks, the spreading of disinformation, and other disruptive activity could be deployed against entities that cyber attackers in those countries perceive to be acting in opposition to the country’s regime.

Recently, drone incursions in EU airspace have caused issues for multiple airports, with drones that were operating in Polish airspace shot down, while other European airports, including in Copenhagen, were also disrupted by drone activity in their airspace. The finger of blame for these incidents has been pointed at Russia, though it has denied any involvement in the activity.

A ransomware attack against Collins Aerospace also severely disrupted operations at multiple European airports in September 2025. The ransomware impacted the Muse software used by Collins Aerospace, which is described as a “next-generation common-use passenger processing system solution that allows multiple airlines to share check-in desks and boarding gate positions at an airport rather than having their own dedicated infrastructure.” The incident meant that multiple airlines were impacted and only manual check-in was available for passengers, which caused major delays. While this incident isn’t believed to be linked to nation-state activity, it does underline the kind of chaos nation-state actors could potentially cause with a similar attack.

With the global geopolitical situation likely to remain unstable for some time to come, disruption and aggravation may be the name of the game for cyber attackers in 2026.

3. Agentic AI will change the threat landscape (but not in the way you think)

There is absolutely no doubt that Agentic AI will become a potent tool in the hands of attackers and this could happen as early as 2026.

When people think of AI in the hands of malicious actors, it naturally raises fears of it being used to create novel threats with unprecedented levels of sophistication. What is far more likely is that Agentic AI will affect the quantity of attacks more than the quality. In short, it has the potential to radically lower the barrier to entry for attackers.

Currently, a successful attack requires an investment of time and a minimum level of technical expertise. Agentic AI could obliterate these prerequisites. Where attackers previously needed to be able to write or acquire code, identify infection vectors, build out attack toolkits, stand up infrastructure and, in many cases, layer in some level of phishing or social engineering, autonomous agents could potentially handle these complexities, with minimal interaction or instruction from the attacker.

The outcome could be a significant uptick in automated attacks launched by opportunists with limited skills.

4. Breaking the unbreakable: The looming quantum computing challenge

Quantum computing is coming and, while it will be a transformational technology, it also poses a serious challenge to today’s security infrastructure. Simply put, quantum computers pose an existential risk to the current encryption standards that protect everything from financial transactions to secure communications.

Current encryption methods rely on mathematical problems that are computationally impossible for the current generation of computers to solve. However, quantum computers could break these systems within minutes.

Adversaries are already implementing "harvest now, decrypt later" (HNDL) attacks, systematically collecting encrypted data with the intention of decrypting it once quantum computing becomes viable. This strategy is a clear threat, as attackers don't need current decryption capabilities—they simply store encrypted communications, financial records, and sensitive data until quantum computers can break the encryption.

The process of transitioning to post-quantum encryption is not without its challenges. Decades of work have gone into refining and protecting the implementation of existing encryption methods, and we now face the task of revising and rewriting code using new, post-quantum standards. This will inevitably introduce a new generation of bugs, but we will have the benefit of AI to mitigate them.

5. Gathering clouds on the horizon

There are some signs that 2026 could be the year a critical mass of attackers turns its attention to attacks against enterprise cloud environments.

To date, attacks against the cloud have amounted to a small subset of malicious activity. While most cloud services are undoubtedly robust, two other factors limited the number of attacks: malicious actors were still profiting handsomely from attacks on conventional networks, and there was no depth of knowledge on how cloud services could be breached.

There is evidence that a growing number of attackers are now deepening their understanding of cloud platforms and beginning to identify viable attack strategies. It is only a matter of time before that knowledge spreads.

Identity and Access Management (IAM) exploitation is already bearing fruit. Attackers are now combing code repositories to find forgotten access keys. Using these, they can create new IAM users and attach elevated policies, establishing persistent access to cloud environments.
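For defenders, the sequence described above can be hunted for in audit logs. The following is an added example, not code from the original article or from the Threat Hunter team: it walks records that use AWS CloudTrail field names and flags a long-term access key that creates an IAM user and then attaches an elevated policy to it. The sample events, user names, key IDs and the list of "elevated" policies are constructed assumptions.

```python
from datetime import datetime

ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Assumed starter list of "elevated" AWS managed policies; extend for your estate.
ELEVATED = {ADMIN, "arn:aws:iam::aws:policy/IAMFullAccess"}

def ev(time, key, name, **params):
    """Build a constructed record that uses CloudTrail's field names."""
    kind = "IAMUser" if key.startswith("AKIA") else "AssumedRole"
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"type": kind, "accessKeyId": key},
            "sourceIPAddress": "203.0.113.10", "requestParameters": params}

# Constructed sample, not real telemetry; key IDs are placeholders
# (AKIAIOSFODNN7EXAMPLE is the example value from AWS documentation).
LEAKED = "AKIAIOSFODNN7EXAMPLE"
SAMPLE = [
    ev("2026-01-10T10:00:00Z", LEAKED, "CreateUser", userName="svc-backup2"),
    ev("2026-01-10T10:02:10Z", LEAKED, "AttachUserPolicy", userName="svc-backup2", policyArn=ADMIN),
    ev("2026-01-10T10:02:40Z", LEAKED, "CreateAccessKey", userName="svc-backup2"),
    ev("2026-01-10T11:00:00Z", "ASIAEXAMPLESESSION01", "CreateUser", userName="ci-deployer"),
    ev("2026-01-10T11:01:00Z", "ASIAEXAMPLESESSION01", "AttachUserPolicy",
       userName="ci-deployer", policyArn=ADMIN),
    ev("2026-01-10T12:00:00Z", "AKIAEXAMPLEOTHERKEY2", "AttachUserPolicy",
       userName="analyst", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
]

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_iam_persistence(events):
    """Flag a long-term key that creates a user, then elevates (and keys) that user."""
    created, hits = set(), {}
    for e in sorted(events, key=_ts):
        key = e.get("userIdentity", {}).get("accessKeyId", "")
        params = e.get("requestParameters") or {}
        pair, name = (key, params.get("userName")), e.get("eventName")
        # Long-term keys (AKIA prefix) are the kind left behind in repositories;
        # temporary role credentials (ASIA prefix) are out of scope for this check.
        if e.get("eventSource") != "iam.amazonaws.com" or not key.startswith("AKIA"):
            continue
        if name == "CreateUser":
            created.add(pair)
        elif pair in created and (name == "CreateAccessKey" or (
                name == "AttachUserPolicy" and params.get("policyArn") in ELEVATED)):
            hit = hits.setdefault(pair, {"caller_key": key, "new_user": pair[1],
                                         "steps": ["CreateUser"]})
            hit["steps"].append(name)
    return [h for h in hits.values() if "AttachUserPolicy" in h["steps"]]
```

Running `find_iam_persistence(SAMPLE)` returns one finding for `svc-backup2`; the role-session activity and the read-only attachment are not flagged.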

Infrastructure-as-Code (IaC) has made it easier for organizations to quickly and automatically spin up new infrastructure as needed. However, attackers are already beginning to probe for weaknesses such as hardcoded secrets in IaC templates or misconfigurations that lead to publicly exposed resources.
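The weaknesses named above can be caught before a template is committed. This is an added example, not code from the original article: a small line-based check over a constructed Terraform snippet that reports hardcoded credentials and settings that expose resources publicly. The rule names and the sample template are assumptions made for illustration, and the patterns are a starting point rather than a complete policy.

```python
import re

# Constructed Terraform snippet; the key ID is the example value from AWS documentation.
SAMPLE_TF = """\
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = var.aws_secret_key
}
resource "aws_s3_bucket_acl" "reports" {
  bucket = "example-reports"
  acl    = "public-read"
}
resource "aws_security_group_rule" "ssh" {
  type        = "ingress"
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_db_instance" "app" {
  username = "app"
  password = "constructed-pw-123"
}
"""

# (rule name, pattern). Literal values only: variable references and
# "${...}" interpolations are not treated as hardcoded secrets.
RULES = [
    ("hardcoded-access-key-id", re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')),
    ("hardcoded-secret", re.compile(r'^\s*(?:secret_key|password|token)\s*=\s*"[^"$]+"', re.I)),
    ("public-acl", re.compile(r'^\s*acl\s*=\s*"public-read(?:-write)?"')),
    # Matches egress rules too, so treat this one as "review", not "always wrong".
    ("world-open-cidr", re.compile(r'cidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0/0"')),
]

def scan_template(text):
    """Return (line number, rule name) for every rule hit, skipping comment lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings
```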

As attackers broaden their knowledge of the cloud attack surface, organizations need to keep pace, identifying potential vulnerabilities and implementing zero-trust architectures.

The best strategy won’t just fall into your lap

If 2025 taught us anything, it’s that complexity breeds opportunity for attackers and defenders alike. But protected under tried, trusted, and true layers of security, our machines (and people) can become a source of strength and lasting resilience. 

Join our next global webinar this 17-18 December, 2026’s Biggest Cyber Threats, for more Threat Hunter insight on effective strategies for next year’s security playbook. 
