
2026 Defense Predictions: The Rise of Machine-Speed Protection

Adversaries now operate as industries. Standardized playbooks, automation pipelines, and AI augmentation will continue to define their advantage. As a result, the defining variable for cyber defenders in 2026 will not be sophistication, but throughput. Because attackers will continue to exploit the same AI and cloud platforms that defenders rely on, capabilities diffuse quickly.


Productivity, not innovation, will determine impact. The key risk metric for defenders will be velocity. Adversaries will continue to accelerate their ability to quickly move from reconnaissance to ransom. Defensive strategies must be calibrated to interrupt that cycle before it completes.


Adopting a threat-informed defense strategy


As adversaries automate, defenders must do the same. Resilience will depend on a threat-informed defense model that connects intelligence, exposure management, and incident response within a unified operational framework.


Operationalizing SecOps to machine speeds: Defending at the velocity of today’s threats requires more than automation. It requires context. Threat-informed defense must leverage real-world intelligence to anticipate attacker behavior and guide decisions across every stage of operations.


FortiGuard Labs intelligence enables defenders to map active threats using frameworks such as MITRE ATT&CK and CTEM. Through continuous validation and simulation, defenders will need to measure how their controls perform against observed tactics and techniques.


At the same time, incident response must evolve from a standalone function to a coordinated capability. Unified visibility across endpoints, networks, and clouds, combined with external attack surface intelligence, will enable faster containment and more comprehensive situational awareness.


Identity Will Become the Core of Security Operations in 2026: In 2026, identity will shift from a supporting control to the operational backbone of security. As organizations adopt more automation, AI-driven workflows, and autonomous decision-making systems, security teams will need to manage not only human identities but a rapidly expanding range of non-human identities across their environments. These include automation agents, ephemeral identities created during CI/CD or cloud deployments, AI-powered processes executing SecOps tasks, and machine-to-machine workflows that require authentication, authorization, and auditing—just like human users.


Two critical realities will shape this evolution:
1. Every automated action will require its own identity. Agents, scripts, and AI processes will need unique credentials, policies, and behavioral baselines to ensure accountability and prevent cross-contamination between systems.


2. Identity will become a primary attack surface. The compromise of a single automated identity could enable large-scale lateral movement, privilege escalation, or data exposure in seconds.


To counter these risks, security operations must integrate identity across every detection and response layer by:


• Applying strict least-privilege and time-bound access controls for both human and non-human identities.


• Monitoring identity behavior across EDR, NDR, SIEM, SOAR, and CNAPP platforms to detect deviations—not only anomalies from endpoints or networks.


• Enforcing strong governance, auditing, and privacy controls as automated identities interact with sensitive or regulated data.
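As an added illustration (not Fortinet's or this article's own code), the following Python sketch applies the first two points above to a non-human identity: it builds a per-identity behavioural baseline from a known-good period, checks a time-bound access window taken from policy, and flags deviations over constructed log lines. The identity names, log format, and allowed hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime

def parse(line):
    """Constructed log format (not any product's): ts identity action resource source."""
    ts, ident, action, resource, source = line.split()
    return (datetime.fromisoformat(ts), ident, action, resource, source)

def build_baseline(events):
    """Per-identity baseline: (action, resource) pairs and sources seen in a known-good period."""
    base = defaultdict(lambda: {"ops": set(), "sources": set()})
    for _ts, ident, action, resource, source in events:
        base[ident]["ops"].add((action, resource))
        base[ident]["sources"].add(source)
    return base

def detect(events, baseline, policy):
    """Flag actions outside an identity's baseline, from a new source, or outside its allowed hours (UTC)."""
    findings = []
    for ts, ident, action, resource, source in events:
        reasons = []
        if ident not in baseline:
            reasons.append("unknown identity")
        else:
            if (action, resource) not in baseline[ident]["ops"]:
                reasons.append("action/resource outside baseline")
            if source not in baseline[ident]["sources"]:
                reasons.append("new source address")
        lo, hi = policy.get(ident, (0, 24))  # no policy entry: any hour allowed
        if not (lo <= ts.hour < hi):
            reasons.append("outside time-bound access window")
        if reasons:
            findings.append((ident, ts.isoformat(), reasons))
    return findings

# Constructed sample events: a nightly CI deploy account in a known-good period, then a day with deviations.
LEARNING = [
    "2026-01-05T02:10:00 ci-deploy-sa repo:read repo/app 10.0.1.5",
    "2026-01-05T02:12:00 ci-deploy-sa image:push registry/app 10.0.1.5",
]
NEW = [
    "2026-01-07T02:11:00 ci-deploy-sa repo:read repo/app 10.0.1.5",
    "2026-01-07T14:30:00 ci-deploy-sa secret:read vault/prod-db 203.0.113.9",
    "2026-01-07T03:00:00 triage-agent ticket:update siem/alerts 10.0.2.7",
]
POLICY = {"ci-deploy-sa": (1, 4)}  # deploy job may only act between 01:00 and 04:00 UTC

def run():
    baseline = build_baseline([parse(l) for l in LEARNING])
    return detect([parse(l) for l in NEW], baseline, POLICY)
```

The normal nightly action produces no finding; the daytime secret read from a new address trips all three checks, and the agent with no registered baseline is flagged as an unknown identity.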


Identity—human and machine—will become the central control point for trust, accountability, and automation in 2026. Organizations that operationalize identity within their security operations will be better prepared for the next wave of industrialized, AI-driven threats.


Next-generation threat intelligence models: Predictive intelligence will become foundational to effective defense. Frameworks such as MITRE CTID and Attack Flow extend beyond mapping known tactics to modeling adversary intent. By combining global telemetry with AI-driven analytics, defenders can anticipate attacker movement and allocate resources accordingly.


Accelerated operational cycles: Speed is the other critical element of threat-informed defense. CTEM will need to play a more central role in supporting continuous discovery, validation, and remediation to link exposure data directly to operational workflows. Integrated SecOps capabilities must enable detection and containment to occur in minutes, transforming readiness from a reactive to an anticipatory process.


Industry disruption and collaboration


Incentivizing the disruption of cybercrime: Innovation in defense should not be limited to technology. More incentive-based models are expected to emerge that align private-sector efforts with public enforcement. Cybercrime bounty programs that reward infrastructure takedowns and intelligence sharing will continue to narrow the gap between private and public missions.


Holding threat actors accountable: Attribution and disruption efforts will gain further traction. Operations such as Serengeti 2.0 (an INTERPOL-led anti-crime campaign in Africa supported by partners including Fortinet) will continue to demonstrate how coordinated international action can dismantle criminal infrastructure and enable high-impact arrests.


Such operations have already marked a turning point. Law enforcement and private-sector collaboration are becoming more synchronized, combining intelligence, technical expertise, and legal authority to disrupt cybercrime ecosystems from within. We expect this trend to continue.


Enhancing resilience


Strengthening deterrence and prevention: To effectively combat cybercrime, prevention must begin long before the first compromise. To that end, FortiGuard Labs anticipates the expansion of education and deterrence programs targeting youth and at-risk populations, especially those drawn into online crime ecosystems. The goal is not punitive but preventive, redirecting potential offenders before they enter the cybercrime economy.


Preventive deterrence will also gain traction as part of a broader strategy to erode the recruitment pipelines that sustain organized cybercrime. Many entry-level offenders are motivated by opportunity rather than ideology. Providing legitimate pathways, such as education, training, and early intervention, can transform potential offenders into future defenders.


Fortinet actively participates in such efforts through partnerships with law enforcement, academic institutions, and nonprofit organizations. Such partnerships are expected to continue expanding across the industry. By broadening access to training, contributing intelligence to disruption campaigns, and strengthening local capacity, such private-public collaborations will help reduce both the supply of new cybercriminals and the conditions that enable recruitment. To be effective, the evolution of deterrence must mirror that of defense itself: proactive, intelligence-driven, and focused on long-term resilience.


Evolving cybersecurity expertise: Education and training are not only central to prevention but also crucial in closing the cybersecurity skills gap that continues to challenge both the public and private sectors. The conversation around the “cybersecurity skills gap” often oversimplifies what is, in reality, a structural evolution. The challenge facing organizations today is not simply a lack of professionals but a shift in specialization. For years, cybersecurity was managed by capable IT generalists.


Modern environments will increasingly require a combination of specialized skills that blend cybersecurity expertise, cloud incident response, identity and detection engineering, and AI-assisted operations.


This evolution reflects progress, as more organizations come to understand that operating in today’s digital economy requires specialized skills. To that end, universities and training programs will produce more qualified cybersecurity graduates than ever, while private-sector teams must invest in continual learning and certification. The friction arises because the threat landscape—and the assurance bar for effective defense—has been changing faster than many organizations can adapt. New attack surfaces, such as cloud identity, Infrastructure-as-Code, and SaaS governance, demand skills that simply didn’t exist in traditional IT security. In this sense, today’s “skills gap” is less about scarcity and more about alignment: matching specialized expertise to the reality of machine-speed, data-driven operations will become increasingly crucial.


AI will continue to play a decisive role in this transition. As security operations become more integrated and data-centric, AI will increasingly act as the connective tissue between disciplines, connecting events, surfacing anomalies, enriching context, and identifying what humans might otherwise miss. The next generation of cybersecurity professionals will need to operate in partnership with AI-enhanced systems that augment rather than replace human expertise.