What will the cybersecurity landscape look like next year?

Rather than speculation, these cybersecurity predictions represent logical progressions of current attack methodologies and threat actor behaviors already evident in today’s landscape. Our Vice President of Security Intelligence, Rik Ferguson, and Vice President of Research, Daniel dos Santos, weigh in on the top challenges and new trends you are likely to see soon enough.

Take these predictions as helpful tips to prepare your defenses in advance.

1. Threat Actors Will Exploit SaaS App Permissions Instead of Passwords

Attackers are shifting focus from stolen passwords to the permissions granted to connected apps. By abusing OAuth consents and refresh tokens issued to legitimate integrations in platforms such as Microsoft 365, Salesforce, and Slack, they can quietly move between tenants and keep access even after passwords are reset.

In 2026, these ‘token-hopping’ campaigns will rival traditional phishing as the most effective path to compromise. With passwordless authentication gaining ground, the day OAuth abuse surpasses phishing is getting ever closer. Defenders should build an inventory of authorized apps, limit what each can do, and regularly revoke unused or suspicious tokens.
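As an added illustration of the inventory-and-revoke hygiene described above (example code, not from the original post), this script triages a constructed export of OAuth app consents and lists the grants that deserve review or revocation. The record fields, scope names and the 90-day threshold are assumptions chosen for the example, not any specific platform's schema.

```python
# Added example: triage an exported inventory of OAuth app consents and flag
# grants to review or revoke. Records, fields and thresholds are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that let an app act broadly or keep access after a password reset
# (offline_access is the scope that yields a long-lived refresh token).
HIGH_RISK_SCOPES = {"offline_access", "Mail.ReadWrite", "Files.ReadWrite.All", "channels:history"}
STALE_AFTER = timedelta(days=90)  # assumed cut-off for unused refresh tokens

@dataclass
class Grant:
    app_name: str
    publisher_verified: bool
    scopes: set
    last_token_use: datetime  # last time a refresh token was redeemed
    granted_by: str           # "admin" or "user" consent

def triage(grant: Grant, now: datetime) -> list:
    """Return the reasons a grant needs review; empty means it looks fine."""
    reasons = []
    broad = (grant.scopes & HIGH_RISK_SCOPES) - {"offline_access"}
    if "offline_access" in grant.scopes:
        reasons.append("refresh token survives password resets")
    if broad:
        reasons.append("broad scopes: " + ", ".join(sorted(broad)))
    if not grant.publisher_verified:
        reasons.append("unverified publisher")
    if grant.granted_by == "user" and grant.scopes & HIGH_RISK_SCOPES:
        reasons.append("high-risk scope granted by user consent, not admin")
    idle = now - grant.last_token_use
    if idle > STALE_AFTER:
        reasons.append(f"no token use for {idle.days} days")
    return reasons

def revocation_candidates(grants, now):
    """Grants that are stale, or that stack two or more risk indicators."""
    flagged = []
    for g in grants:
        r = triage(g, now)
        if len(r) >= 2 or any(x.startswith("no token use") for x in r):
            flagged.append((g.app_name, r))
    return flagged

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_GRANTS = [  # constructed inventory, not real tenant data
    Grant("Calendar Sync", True, {"Calendars.Read"}, NOW - timedelta(days=2), "admin"),
    Grant("Mailbox Helper", False, {"offline_access", "Mail.ReadWrite"}, NOW - timedelta(days=1), "user"),
    Grant("Old Reporting Bot", True, {"offline_access", "Files.ReadWrite.All"}, NOW - timedelta(days=200), "admin"),
]
```

Running `revocation_candidates(SAMPLE_GRANTS, NOW)` flags the unverified user-consented mailbox app and the reporting bot whose refresh token has sat unused for 200 days, while the narrowly scoped calendar integration passes.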


2. Attackers Won’t Just Use AI for Social Engineering—They’ll Sell It As a Service

In 2026, SEaaS—“Social-Engineering-as-a-Service”—will become the criminal world’s hottest subscription model. We’ll see SEaaS take off, with ready-made, buyable kits that bundle AI voice cloning, scripted call flows, and fake ‘authorize app’ links. ‘Premium’ options will offer the services of experienced social engineers who want to distance themselves from subsequent incidents and from the interest of law enforcement.

These turnkey packages will let even inexperienced attackers impersonate employees and bypass multifactor authentication through convincing helpdesk or chat interactions. As voice and chat automation proliferate, defenders must treat every conversation as untrusted input and bake verification into every workflow.

3. Quantum Readiness Will (Finally) Move to the Forefront

Quantum risk is no longer theoretical, and anyone treating it as such is in for a big wake-up call. Next year is the year that forward-leaning organizations will finally realize that every unmanaged device they deploy today is a future emergency waiting to happen.

Networks whose hardware has a lifespan of five years or more must begin planning their cryptographic migration now: mapping which assets can’t support post-quantum algorithms, isolating crypto-fragile systems, and discussing PQC-ready roadmaps with vendors.

Go deeper: See our research on Post-Quantum Cryptography adoption and see which kinds of unmanaged devices are unsafe.

4. Ransomware Will Target Supply Chains for Maximum Leverage

Attackers are learning that the fastest way to make money isn’t necessarily encrypting or leaking files; it’s holding supply chains hostage. In 2026, we’ll see the birth of ‘reverse ransom’ campaigns that disrupt smaller upstream manufacturers, logistics providers, or service hubs, then pressure downstream partners to pay to keep operations moving. This tactic lets the attacker target smaller organizations, where security may be weaker, while demanding money from the organization most able to pay.

This tactic could exploit the financial and functional interdependence between companies, turning one breach into an industry-wide crisis. Protecting your partners is now part of protecting yourself.

Here’s a fake, made-up example of a ransom note as an email to illustrate how this might work:

Go deeper: Watch Rik Ferguson examine ransomware trends, including the U.K. government’s policy to ban ransom payments.


5. Attackers Will Accelerate the Exploitation of Edge Devices and IoT

Expect routers, firewalls, VPN appliances, and other edge devices, as well as IP cameras, hypervisors, NAS, and VoIP systems on the internal network—all outside the reach of endpoint detection and response—to become even more prominent targets. Custom malware for network and edge devices is on the rise, frequently abusing legitimate admin tools for stealthy command-and-control.

In 2025, over 20% of newly exploited vulnerabilities targeted network infrastructure devices. In 2026, that number could grow to over 30% as the exploitation of unmanaged assets provides the perfect foothold for initial access and lateral movement. Extending inventory and enforcement to every device, agented or not, will define the next phase of exposure management.

Go deeper: See the riskiest devices of 2025 in a webinar with Daniel dos Santos, Vice President of Research.

6. Cybercrime Will Further Fragment Into Specialists—But Rely on Shared Toolkits

Next year will see cybercrime continue to splinter into an industry of specialists, with initial access brokers, data launderers, and extortion operators dividing the work and trading access with one another. As foreshadowed by the LockBit leak, many of the groups that make headlines will fragment into franchise-style brands rather than unified organizations. Yet, under all that variety, most groups will still depend on heavy reuse of the same small set of frameworks, toolchains, and exploits.

In 2026, this mix of specialization and shared tools will blur the lines between threat groups, making shared behaviors, not brand names, the best indicator of who’s behind an attack.

7. Hacktivists Will Turn Confusion Into a Weapon

Hacktivist campaigns have learned that sowing doubt can be just as disruptive as causing downtime. Recently, our research honeypot caught a hacktivist claiming to have disrupted a Dutch water utility. See what we discovered in “Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS”.

In 2026, hacktivists, faketivists, and state-aligned actors will increasingly pair public claims with light hands-on interference in OT systems, forcing operators into precautionary shutdowns even when no actual damage occurs. This will affect critical infrastructure sectors, including water, energy, and healthcare.

Many of these ‘announce-first, prove-later’ operations will exaggerate their impact to pressure operators into shutting systems down voluntarily. The only defense is clear visibility, threat detection, and segmentation that separate rumor from reality.

Want to stay on top of the latest threats? Sign up for the Vedere Labs Threat Feed and get the full context of these threats in our monthly newsletter.