Cyberthreat Predictions for 2026: Industrialized Cybercrime & Acceleration in Attack Life Cycle

Fortinet's prediction for 2026: a shift toward automated, AI-assisted cybercrime will drive an explosion in attack capacity.

Entry-level criminals will be able to manage complex campaigns, while experienced actors will scale operations across thousands of targets. Automation will continue to lower costs while amplifying both reach and frequency.
The AI arms race: AI is accelerating the tempo of cyber conflict. Offensive models are already identifying and exploiting weaknesses in defensive systems faster than human analysts can respond. The result is a continuous feedback loop of adaptation between attack and defense.

Detection, containment, and mitigation must increasingly be automated, as a human-led response alone cannot match the speed of machines.

GenAI will accelerate data monetization and extortion: GenAI will become more central to post-compromise operations. Once attackers gain access to large datasets (through infiltration or by purchasing access on the dark web), AI tools will analyze and correlate massive volumes of data in minutes, pinpointing the most valuable assets for extortion or resale.
These capabilities will enable adversaries to identify critical data, prioritize victims, and generate tailored extortion messages at scale. By automating these steps, attackers can quickly transform stolen data into actionable intelligence, increasing efficiency and profitability.
For defenders, this trend underscores the importance of integrating SecOps capabilities, such as NDR, EDR, and CTEM, to detect unusual data movement and flag early signs of AI-assisted extortion before damage escalates.
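"Unusual data movement" is concrete enough to detect with a per-host egress baseline: a host that suddenly pushes orders of magnitude more data than its own history, or pushes data to a destination it has never used, is the early signal of bulk theft that precedes AI-assisted triage and extortion. The following is an added example, not code from the Fortinet report; the flow records are constructed to resemble hourly NDR or firewall egress summaries, and the field layout, the 10x ratio threshold and the four-hour warm-up are assumptions chosen for illustration.

```python
"""Flag hosts whose outbound transfer volume deviates sharply from their own baseline.

Added example, not code from the Fortinet report. The flow records below are
constructed to resemble NDR/firewall egress summaries; the field layout and the
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: "hour src_host dst_ip bytes_out", one line per host/hour/destination.
# wks-17 behaves normally for six hours, then ships ~2 GB to a never-seen external host;
# fs-01 is a file server that legitimately moves ~60 MB every hour to the same place.
SAMPLE_FLOWS = """\
2026-01-12T00:00 wks-17 203.0.113.10 4200000
2026-01-12T01:00 wks-17 203.0.113.10 3900000
2026-01-12T02:00 wks-17 203.0.113.10 4500000
2026-01-12T03:00 wks-17 203.0.113.10 4100000
2026-01-12T04:00 wks-17 203.0.113.10 3800000
2026-01-12T05:00 wks-17 203.0.113.10 4400000
2026-01-12T06:00 wks-17 198.51.100.77 2100000000
2026-01-12T00:00 fs-01 203.0.113.10 60000000
2026-01-12T01:00 fs-01 203.0.113.10 58000000
2026-01-12T02:00 fs-01 203.0.113.10 61000000
2026-01-12T03:00 fs-01 203.0.113.10 59000000
2026-01-12T04:00 fs-01 203.0.113.10 62000000
2026-01-12T05:00 fs-01 203.0.113.10 60000000
2026-01-12T06:00 fs-01 203.0.113.10 63000000
"""


def parse_flows(text):
    """Parse the constructed flow lines into (hour, host, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hour, host, dst, nbytes = line.split()
        records.append((hour, host, dst, int(nbytes)))
    return records


def hourly_egress(records):
    """Sum bytes out per (host, hour) and collect the destinations used in that hour."""
    volume = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for hour, host, dst, nbytes in records:
        volume[host][hour] += nbytes
        dests[host][hour].add(dst)
    return volume, dests


def flag_data_movement(records, ratio_threshold=10.0, min_baseline_hours=4):
    """Return one alert per (host, hour) where egress exceeds ratio_threshold times the
    host's own baseline (median of its earlier hours) or goes to a never-seen destination.
    The host is compared only against itself, so a busy file server is not an anomaly."""
    volume, dests = hourly_egress(records)
    alerts = []
    for host in volume:
        hours = sorted(volume[host])
        seen_dsts = set()
        for i, hour in enumerate(hours):
            prior = [volume[host][h] for h in hours[:i]]
            new_dsts = dests[host][hour] - seen_dsts
            seen_dsts |= dests[host][hour]
            if len(prior) < min_baseline_hours:
                continue  # not enough history yet; warm-up hours only build the baseline
            baseline = median(prior)
            ratio = volume[host][hour] / baseline if baseline else float("inf")
            if ratio > ratio_threshold or new_dsts:
                alerts.append({
                    "host": host,
                    "hour": hour,
                    "bytes_out": volume[host][hour],
                    "baseline": baseline,
                    "ratio": round(ratio, 1),
                    "new_destinations": sorted(new_dsts),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_data_movement(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Two design choices matter in practice: the baseline is per host, so a backup server's normal volume never masks a workstation's spike, and the destination check is independent of volume, so a slow trickle to a fresh external IP still raises an alert even before the ratio trips.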
Critical infrastructure in the crosshairs: Attackers are expected to increasingly focus on high-impact sectors, such as manufacturing, healthcare, and utilities. The Ransomware-as-a-Service (RaaS) model is already expanding into OT environments, where data theft, extortion, and service disruption now converge in a single playbook, and this trend will continue.
Destructive payload development: Techniques once limited to military or nation-state use, such as firmware corruption and device bricking, will increasingly be repurposed by criminal syndicates for financial leverage. Industrial IoT environments are especially vulnerable as Sat-to-Cell infrastructure expands, providing new vectors for remote disruption.
Shifts in the cybercriminal ecosystem
The fourth generation of cybercrime: Cybercrime is entering its fourth industrial phase, blending automation, integration, and specialization. Credential dumps will continue to evolve into curated "intelligent combo lists" enriched with metadata and behavioral analytics. Dark web marketplaces already operate like legitimate e-commerce platforms, complete with customer service, reputation systems, and escrow services powered by AI, and these systems will become more refined.
The human supply chain: By compromising trust within the organization, attackers gain persistence that technology alone cannot easily detect. As a result, insider recruitment will intensify, and ransomware operators will increasingly target employees through coercion, blackmail, or financial incentive.
Converged crime: Fraud, trafficking, and money laundering networks now overlap, creating resilient, hybrid enterprises that diversify risk and profit streams while complicating enforcement efforts. To capitalize on this, traditional organized crime and cybercrime will continue to merge.
Botnets as the hidden infrastructure of industrialized cybercrime: Botnets will remain the backbone of cybercrime. Pre-infected endpoints and IoT devices traded as ready-made access kits accelerate the rapid deployment of ransomware or data exfiltration. As this underground economy expands, it will enable attackers to integrate services, such as credential theft, botnet rental, and data extortion, into scalable business models.
Integrated SecOps capabilities, including NDR, EDR, and CTEM, will be crucial in providing continuous visibility into lateral movement, command-and-control activity, and exposure posture, enabling defenders to disrupt attacks before they escalate.
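The command-and-control traffic that ties a rented bot back to its operator has one property that survives encryption: it is scheduled. Implants check in on a fixed period with a little jitter, which makes the inter-arrival times of a host's connections to one destination far more regular than human-driven traffic. The following is an added example, not code from the Fortinet report, of scoring that regularity over connection logs; the records are constructed, and the 0.15 coefficient-of-variation cut-off and the minimum event counts are assumptions to be tuned against your own traffic.

```python
"""Spot beacon-like periodicity in outbound connection logs.

Added example, not code from the Fortinet report. The connection records are
constructed; the regularity thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "epoch_seconds src_host dst". wks-23 calls the same host every
# ~60 s with small jitter (a beacon); wks-08 reaches its destination in irregular
# bursts, the way a browser or an interactive user does.
SAMPLE_CONNS = """\
1000 wks-23 198.51.100.5:443
1061 wks-23 198.51.100.5:443
1119 wks-23 198.51.100.5:443
1180 wks-23 198.51.100.5:443
1241 wks-23 198.51.100.5:443
1299 wks-23 198.51.100.5:443
1360 wks-23 198.51.100.5:443
1421 wks-23 198.51.100.5:443
1003 wks-08 203.0.113.20:443
1009 wks-08 203.0.113.20:443
1145 wks-08 203.0.113.20:443
1150 wks-08 203.0.113.20:443
1400 wks-08 203.0.113.20:443
1402 wks-08 203.0.113.20:443
1690 wks-08 203.0.113.20:443
1701 wks-08 203.0.113.20:443
"""


def parse_conns(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        conns[(host, dst)].append(int(ts))
    return conns


def beacon_score(timestamps, min_gaps=5):
    """Return (mean_period_seconds, coefficient_of_variation) for the inter-arrival
    times, or None when there are too few samples. A low CV means regular timing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_gaps:
        return None
    period = mean(gaps)
    if period <= 0:
        return None
    return period, pstdev(gaps) / period


def find_beacons(conns, max_cv=0.15, min_events=6):
    """Return (host, dst, period, cv) for host/destination pairs whose timing is
    beacon-like. Real implants add deliberate jitter, so max_cv must tolerate some
    spread; 0.15 accepts roughly +/-10% jitter around the period."""
    hits = []
    for (host, dst), stamps in conns.items():
        if len(stamps) < min_events:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        period, cv = score
        if cv <= max_cv:
            hits.append((host, dst, round(period, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_conns(SAMPLE_CONNS)):
        print("possible beacon:", hit)
```

On real telemetry, restrict the candidate pairs first (external destinations, long-lived pairs, few distinct destinations per host), because legitimate software updaters and monitoring agents also beacon; the regularity score ranks candidates, it does not convict them on its own.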
The expanding cybercrime economy: According to the World Economic Forum, the average annual cost of cybercrime is expected to increase to more than $23 trillion by 2027. Industrialized ransomware, automated fraud networks, and converged crime models will drive this growth. Over time, however, sustained international cooperation and targeted disruption campaigns may begin to constrain this expansion.
Cyberthreat Predictions for 2026: Industrialized Cybercrime and the Acceleration of the Attack Life Cycle REPORT
Offensive Capabilities Overview
Adversaries in 2026 will operate as integrated industries, scaling attacks through automation, shared infrastructure, and AI-augmented decision-making. The key shift is not in how they will attack but in how efficiently they execute. Success will now be determined by operational throughput: the speed at which intelligence can be monetized.
The most capable threat groups will function as semi-autonomous enterprises, supported by AI agents, access brokers, and botnet operators who provide services on demand. Their advantage lies in their ability to continue to industrialize every stage of the attack chain, from reconnaissance and intrusion to extortion and laundering.
In this environment, the distinction between advanced persistent threat and organized cybercrime will continue to blur. The same automation pipelines, machine learning models, and infrastructure can serve espionage or financial objectives interchangeably. Attackers will continue to refine their efficiency by reusing proven playbooks and layering AI-driven adaptations on top.
For defenders, understanding these industrial dynamics is essential. The adversary's edge will increasingly be measured in velocity and scale, not ingenuity. Countering that advantage will require visibility into how these ecosystems operate and disruption of the automation supply chains that sustain them.
Defending at Machine Speed: 2026 Defensive Capabilities Predictions
Adversaries now operate as industries. Standardized playbooks, automation pipelines, and AI augmentation will continue to define their advantage. As a result, the defining variable for cyber defenders in 2026 will not be sophistication, but throughput. Because attackers will continue to exploit the same AI and cloud platforms that defenders rely on, capabilities diffuse quickly. Productivity, not innovation, will determine impact. The key risk metric for defenders will be velocity. Adversaries will continue to accelerate their ability to quickly move from reconnaissance to ransom. Defensive strategies must be calibrated to interrupt that cycle before it completes.
Adopting a threat-informed defense strategy
As adversaries automate, defenders must do the same. Resilience will depend on a threat-informed defense model that connects intelligence, exposure management, and incident response within a unified operational framework.
Operationalizing SecOps to machine speeds: Defending at the velocity of today's threats requires more than automation. It requires context. Threat-informed defense must leverage real-world intelligence to anticipate attacker behavior and guide decisions across every stage of operations.
FortiGuard Labs intelligence enables defenders to map active threats using frameworks such as MITRE ATT&CK and CTEM. Through continuous validation and simulation, defenders will need to measure how their controls perform against observed tactics and techniques.
At the same time, incident response must evolve from a standalone function to a coordinated capability. Unified visibility across endpoints, networks, and clouds, combined with external attack surface intelligence, will enable faster containment and more comprehensive situational awareness.
Identity Will Become the Core of Security Operations in 2026: In 2026, identity will shift from a supporting control to the operational backbone of security. As organizations adopt more automation, AI-driven workflows, and autonomous decision-making systems, security teams will need to manage not only human identities but a rapidly expanding range of non-human identities across their environments.
These include automation agents, ephemeral identities created during CI/CD or cloud deployments, AI-powered processes executing SecOps tasks, and machine-to-machine workflows that require authentication, authorization, and auditing, just like human users.
Two critical realities will shape this evolution:
1. Every automated action will require its own identity. Agents, scripts, and AI processes will need unique credentials, policies, and behavioral baselines to ensure accountability and prevent cross-contamination between systems.
2. Identity will become a primary attack surface. The compromise of a single automated identity could enable large-scale lateral movement, privilege escalation, or data exposure in seconds.
To counter these risks, security operations must integrate identity across every detection and response layer by:
• Applying strict least-privilege and time-bound access controls for both human and non-human identities.
• Monitoring identity behavior across EDR, NDR, SIEM, SOAR, and CNAPP platforms to detect deviations, not only anomalies from endpoints or networks.
• Enforcing strong governance, auditing, and privacy controls as automated identities interact with sensitive or regulated data.
Identity, human and machine, will become the central control point for trust, accountability, and automation in 2026. Organizations that operationalize identity within their security operations will be better prepared for the next wave of industrialized, AI-driven threats.
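The three controls above (one credential per automated identity, time-bound least-privilege scope, and a behavioral baseline the identity is checked against) fit in a single authorization path. The following is an added example, not code from the Fortinet report or from any Fortinet product, that mints a short-lived scoped token for a CI deployer identity and then decides each action against the token's scope and the identity's baseline. The HMAC-signed JSON token stands in for whatever your workload identity provider actually issues, and the signing key, the `ci-deployer` identity, its scopes and its baseline are assumptions chosen for illustration.

```python
"""Per-agent, time-bound, least-privilege credentials checked against a behavioral baseline.

Added example, not code from the Fortinet report. The token format (HMAC-signed JSON),
the signing key, the identity names, scopes and baseline rules are all assumptions.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Assumption: in production this comes from a secret store and is 32+ random bytes.
SIGNING_KEY = b"replace-with-a-key-from-your-secret-store"

# Behavioral baseline per non-human identity: what it normally does and from where.
# Constructed for the example; a real baseline is learned from audit logs.
BASELINES = {
    "ci-deployer": {
        "actions": {"deploy:staging", "read:artifacts"},
        "sources": {"10.0.5.0/24"},  # the CI runner subnet
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(identity, scopes, ttl_seconds, now=None):
    """Issue a token bound to exactly one automated identity, its scopes, and a short TTL.
    Each agent or pipeline run gets its own token, so actions are attributable to it."""
    now = time.time() if now is None else now
    claims = {"sub": identity, "scp": sorted(scopes), "iat": int(now), "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token has not expired, else None.
    The signature is checked before the body is parsed, so a tampered body is never trusted."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None
    return claims


def authorize(token, action, source_ip, now=None):
    """Decide one action for a non-human identity. Returns (allowed, reason).
    Order: valid token -> action within token scope -> consistent with the identity's baseline.
    A valid, in-scope request from an unexpected network still fails: that is the
    'compromised automated identity' case the baseline exists to catch."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token"
    if action not in claims["scp"]:
        return False, f"action {action} outside token scope"
    baseline = BASELINES.get(claims["sub"])
    if baseline is None:
        return False, f"no baseline for identity {claims['sub']}"
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(cidr) for cidr in baseline["sources"]):
        return False, f"source {source_ip} deviates from baseline for {claims['sub']}"
    if action not in baseline["actions"]:
        return False, f"action {action} deviates from baseline for {claims['sub']}"
    return True, "ok"


if __name__ == "__main__":
    tok = mint_token("ci-deployer", {"deploy:staging", "read:artifacts"}, ttl_seconds=300)
    print(authorize(tok, "deploy:staging", "10.0.5.12"))   # (True, 'ok')
    print(authorize(tok, "deploy:prod", "10.0.5.12"))      # denied: outside scope
    print(authorize(tok, "deploy:staging", "198.51.100.9"))  # denied: source deviates
```

The denial reasons are the audit trail the third bullet asks for: each one names the identity, the action and what deviated, which is what a SIEM or SOAR rule needs to distinguish a misconfigured pipeline from a stolen credential being replayed from outside the runner subnet.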
Next-generation threat intelligence models: Predictive intelligence will become foundational to effective defense. Frameworks such as MITRE CTID and Attack Flow extend beyond mapping known tactics to modeling adversary intent. By combining global telemetry with AI-driven analytics, defenders can anticipate attacker movement and allocate resources accordingly.
Accelerated operational cycles: Speed is the other critical element of threat-informed defense. CTEM will need to play a more central role in supporting continuous discovery, validation, and remediation to link exposure data directly to operational workflows. Integrated SecOps capabilities must enable detection and containment to occur in minutes, transforming readiness from a reactive to an anticipatory process.
