HarfangLab, the European cybersecurity provider, introduces its yearly ThreatScape report, which predicts trends and analyzes 2026’s most impactful cyberthreats. This report highlights the key evolutions and emerging risks set to reshape the threat landscape this year and beyond. The full detailed report offers examples and detailed explanations on which predictions made by HarfangLab’s CTR team last year came to fruition.
Pierre Delcher, Head of the CTR Team at HarfangLab, explains: “Our predictions are intended to help our readers anticipate developments in cyberspace. Although it is becoming increasingly difficult every year to imagine plausible trends that we have not already forecast, we are committed to providing decision-makers and cybersecurity professionals with opportunities to tackle uncertainty.”
He adds: “We are entering 2026 with a new military operation, resulting in the abduction of the president of Venezuela. During a press conference on January 3, the US Chairman of the Joint Chiefs of Staff and the President of the US suggested that the operation may have been supported by cyberattacks against critical infrastructure and foreign defense systems. Our predictions already stated in 2024 that ‘critical global infrastructures – most notably energy – were exposed to global disruptions as conflicts erupt’.”
Key trends and predictions for 2026
In 2026, our team predicts the following trends will likely shape the cyber threat landscape:
- Towards further erosion of states’ power in cyberspace: state authority in cyberspace will erode further as democratic oversight is replaced with a business oligarchy and a professionalized criminal economy. Current observations tend to show that the imbalance between states and the “digital giants” is growing, especially with the rapid development of AI integrations and the dependency of critical infrastructures on private IT assets. Recent public decisions made by governments, including the USA, also tend to illustrate an increasing preference for corporate “tech dominance” over public oversight. The growing demand for intrusion tools from intelligence agencies, security services, and military forces also drives the global agreement on maintaining a deregulated “grey zone” market for offensive capacities – further exacerbating regulators’ loss of power over private actors.
- Continued efforts by the commercial cyber intrusion industry to shape regulations: the commercial cyber intrusion industry will continue to expand through investment and state adoption, leading firms to intensify lobbying efforts to weaken future oversight and protect their interests. We can look to the example of mobile spyware, increasingly acquired by countries, despite the attempts to limit the proliferation of such tools.
- More direct state responses to cyberattacks: states will try to implement a more direct posture against cyber threats by increasing criminal prosecutions, publicly attributing attacks, and disrupting actors through exposure and offensive operations. As part of a stronger response to cyberattacks from foreign adversaries, we also expect that existing cooperation between states will intensify in the near future. As the fight against cyberthreats is not limited to cyberspace itself, states will respond with greater firmness.
- Forced pivot to an “assume leak” strategy: as organizations face ever-increasing data breaches and data processing delegation, they may reduce their protection efforts in favor of attempts to make accessed data more difficult to use. “Assume leak” refers to a mindset where defenders operate under the premise that an adversary has already bypassed the perimeter and obtained sensitive data. The goal therefore shifts to making that stolen data impossible to use or monetize. Some possible recent breakthroughs in the field of anamorphic cryptography give hope that, ultimately, exposure could be drastically reduced, as data would remain encrypted while computations are performed.
- AI-driven acceleration of fraud and cyber-extortion: the proliferation of generative AI will further lower the entry barrier for low-skilled actors and enable hyper-personalized, automated, and convincing deception campaigns, at a pace and scale that will increasingly outmatch the organizations fighting such threats.
- First physical damage or disruption resulting from AI exploitation: integration of autonomous agents into industrial processes and physical operations will enable exploitation of traditional AI vulnerabilities to achieve first “real-world” damage, error, or disruption. This risk may escalate as the gap between digital instructions and the physical world narrows. Consequently, we may begin seeing kinetic manipulation enabled from cyberattacks with effects such as misdirection of freight or localized physical damage to infrastructures.
- Development of systemic vulnerabilities in cyber detection and response processes: the delegation of critical cybersecurity tasks to autonomous agents will create systemic risks and vulnerabilities which will negatively alter detection and response. Among those issues, HarfangLab’s threat researchers anticipate a rise in low-quality threat intelligence flooding the market.
- Reaching maturity: systematic and automated “advanced” attacks (also known as “more of the same”): as threat actors industrialize “advanced” attacks by automating vulnerability exploitation, scaling mobile and supply-chain compromises, and intensifying data poisoning operations, they will achieve unprecedented speed and reach. Their experience in conducting cyberattacks, as well as their use of AI, may help malicious actors scale their attacks for a lower human cost. What was already considered “advanced” malicious activity in cyberspace will be industrialized and accelerated.
  - For instance, the time between the disclosure of a vulnerability and its exploitation has collapsed from weeks to hours.
  - Exploitation of vulnerabilities against mobile phones is expected to grow significantly.
  - Growing exploitation of supply-chain compromise opportunities, including attacks affecting cloud-based provision and SaaS.
  - Significant acceleration of data poisoning and information influence operations.
- Making “Advanced” Great Again: state organizations have had the time and opportunities to develop and test cyberattacks. This long-term maturation of government-backed cyber capabilities is expected to culminate in the discovery of a highly sophisticated and synchronized cyber operation. As tensions have intensified and conflicts have emerged across much of the globe since 2022, these actors have strong motives to leverage even dormant capabilities.
In conclusion, the tense global geopolitical climate, accelerated by the continued adoption of AI capacities, is expected to have a strong negative impact on this year’s threat landscape. Armed with vast experience and driven by their states’ growing interest, many infamous malicious actors may intensify their activities, resulting in more cyberattacks shifting from “digital only” to the physical world. Anticipating such threats and being aware of the risks should help organizations prepare accordingly and remain one step ahead of adversaries. The good news, should there be any, is that maturity is also growing in the defense sector, and the tools used by one side, including AI, can also become an asset for the other.
You can read the full report on Inside the Lab.
You can also read last year’s predictions here.
About HarfangLab
HarfangLab is a global cybersecurity provider specialized in endpoint protection against known and unknown threats. Founded in 2018, HarfangLab detects 100% of attacks and neutralizes them on workstations and servers, all while providing a comprehensive mapping of your IT infrastructure. Its EDR was the first to be certified by the French National Cybersecurity Agency (ANSSI) and by the German Federal Office for Information Security (BSI). Together with its EPP and ASM solutions, HarfangLab protects hundreds of customers worldwide, including public administrations, companies of all sizes, and international organizations across highly sensitive sectors.
Your security, your choice. Deploy via the Cloud, Hybrid, or On-Prem. The HarfangLab platform integrates natively with industry-leading security tools, leverages in-house AI technology, is fully operable via API, and ensures complete transparency into data and detection rules – delivering strategic autonomy for SOC and VOC teams and the organizations they defend.
More information on https://harfanglab.io/