Forecasting the Threat Landscape in 2026: Did We Get Last Year’s Predictions Right?

Written by Hornetsecurity / 18.02.2026

Almost all the predictions made by the Hornetsecurity Security Lab in its 2025 report on cybersecurity have now become reality. Ideas that seemed forward-thinking 12 months ago, such as AI-assisted phishing, automated reconnaissance and deepfake-driven social engineering, are now part of the everyday threat landscape.  

This article compares the 2026 predictions from our latest Cybersecurity Report with what actually happened in 2025. Rather than listing abstract trends, we focus on how attackers have operationalized AI and broader artificial intelligence tooling on a large scale, how Ransomware 3.0 and identity-centric attacks are evolving, and the areas in which SaaS, browser and supply-chain weaknesses are already being exploited. 

For IT leaders, CISOs and Microsoft 365 administrators, the message is clear: you can no longer treat a forecast as a thought experiment. Modern threat actors are reading the same research, weaponizing it, and turning yesterday’s cybersecurity predictions into today’s playbooks. The sooner you implement controls, cultural changes and training, the better your chances of staying ahead of the next wave of cyber threats. 

AI Misuse Evolved Faster Than Expected 

Novel uses include Claude Code being used to automate reconnaissance, credential harvesting and network penetration. The exfiltrated financial data was also analyzed by AI to decide on ransom amounts. North Korean IT workers are now a widespread threat, and they used both Claude and ChatGPT to create fake personas, automate resume generation, complete technical and coding assessments during the hiring process, and deliver work once employed.

Whilst this was an easy prediction, and we got it right, it’s interesting to see how attackers experiment with different uses of AI during various phases of their attacks.

Deepfakes and Influence Operations Accelerated 

We also predicted the use of more convincing deepfakes for spear-phishing and influence operations (IO), and again this has been borne out over the last 12 months. New releases of video creation tools have brought a deluge of AI “slop” that’s blurring ordinary users’ ability to separate fact from fiction, a reality that societies (and businesses) around the world are already struggling with.

What’s most concerning is how quickly attackers adapted. Deepfake videos once required specialized skills. Now they can be produced in minutes, giving threat actors a powerful psychological weapon. 

Last year’s report also predicted legal cases around AI, and again we were spot on, including the $1.5 billion class action lawsuit against Anthropic. Due to changing political winds, the US is unlikely to rein in the worst excesses of AI companies there, but the EU has passed the AI Act.

The relentless march of new and updated regulatory frameworks continues across most of the world, and our prediction that this would increase the workload and challenges for businesses (and their suppliers) was also accurate: the NIS2 Directive is taking budget from recruitment and emergency reserves, whereas compliance with the Digital Operational Resilience Act (DORA) and the UK’s Prudential Regulation Authority (PRA) costs businesses over €1 million.

Open-Source Supply Chain Risks Intensified 

Our look at the free and open-source software (FOSS) ecosystem was also quite prescient, with regular reports over the last year of hundreds or thousands of malicious packages across NuGet, PyPI, RubyGems and npm (35,000 malicious packages in npm in August 2025 taking the top spot). This seems to be a worsening trend, and if your business develops software in-house, you must track these malicious packages before they are included in your applications. The days of nerds worldwide voluntarily contributing code to FOSS for the benefit of humanity at large may be coming to an end.

This shift signals a turning point: attackers now view open-source ecosystems as high-yield infiltration points rather than opportunistic targets. 

Memory-Safe Language Adoption Happened, Slowly but Surely

Our final prediction, around the adoption of memory-safe languages (Rust / Swift), also appears to be accurate, although it’s slower going. Rust is appearing in Windows third-party drivers, in the OS kernel (where about 70% of all CVEs come from memory safety issues), as well as Hyper-V, Azure and Microsoft 365. Linux is also incorporating Rust, as is Android, where it’s led to a 52% reduction in memory vulnerabilities over the last six years. Apple, meanwhile, is charting a slightly different route with its Memory Integrity Enforcement, as it has control over all of the hardware and software, but the result is the same: avoid exploitable memory issues.

Overall, all of our predictions have materialized, which says more about the predictability of cybercriminals than our power to prophesy.


Strengthen Your First Line of Defense – Your People 

Would you like to transform cybersecurity predictions into practical risk reduction measures rather than just another slide in a yearly strategy presentation? Hornetsecurity’s Security Awareness Service helps your users identify AI-assisted phishing, deepfakes, and social engineering lures before they click, through short, ongoing training that fits around how people actually work. 

Combine the Security Awareness Service with Hornetsecurity’s email and collaboration security solutions to create a robust defense for your identities and data.  



Conclusion 

In retrospect, it’s striking how many of last year’s cybersecurity predictions have already materialized, often at a greater scale and speed than most teams anticipated. AI-enhanced phishing, agentic automation, the erosion of legacy multi-factor authentication (MFA) and the evolution of ransomware into ‘Ransomware 3.0’ are no longer niche phenomena; they’re shaping the day-to-day threat landscape in which your organization operates.

This is why it is risky to treat cybersecurity predictions as an annual curiosity. They act as early warning signals, enabling you to strengthen identity management, revisit email and SaaS controls, improve data governance, and reconsider how you foster human resilience before attackers fully exploit new techniques. In other words, anticipating attacker evolution has become a core pillar of modern cyber defense.

Hornetsecurity’s Security Awareness Service, together with our broader protection stack, is designed to turn those warnings into concrete defensive measures, particularly against human-targeted attacks. If you base your 2026 strategy on the insights gained from this forecast and our ongoing prediction work, you won’t just be reacting to the next wave of threats; you’ll be making your people, processes, and platforms much harder to exploit.

FAQ

How accurate were Hornetsecurity’s predictions for 2025? 

Our predictions have largely been validated by what we observed in the real world. The goal of highlighting this is not to say “we were right” but to show that using research-driven cybersecurity predictions as part of planning genuinely helps organizations prepare for shifts in the threat landscape.

Which AI-driven attack trends matter most for 2026? 

The most important AI-driven attack trends for 2026 build directly on what we saw in 2025: large-scale, AI-crafted phishing and business email compromise, agentic AI automating reconnaissance and exploitation steps, deepfake-driven social engineering, and more targeted abuse of SaaS and browser-based sessions. Rather than completely new attack types, you should expect existing threat patterns to become more efficient, more personalized and harder for untrained users to recognize.

How should IT leaders use cybersecurity predictions in their 2026 planning?

Treat predictions as an operational planning tool, not just an annual report. Map each major prediction to concrete controls – for example, upgrading from legacy MFA to phishing-resistant options, tightening SaaS and browser session protection, and preparing for Ransomware 3.0 with strong backup and recovery. Then layer on user-focused controls and training so that your people can recognize the new attack patterns before they succeed.

Why is forecasting the threat landscape still useful if attackers keep evolving?

Attackers will always adapt, but accurate predictions narrow the range of surprises. By understanding how AI tools are likely to be operationalized, which ransomware models are emerging, and where identity and SaaS weaknesses are heading, you can prioritize investments before issues become headline incidents. Forecasting doesn’t eliminate uncertainty, but it lets you move first instead of reacting after attackers define the rules of the game.
