Full Report
In this week’s newsletter, Martin examines the evolving landscape for 2026, highlighting key threats, emerging trends like AI-driven risks, and the continued importance of addressing familiar vulnerabilities.
Analysis Summary
# Main Topic
Forecasting the 2026 Cybersecurity Threat Landscape: Evolving Risks including AI-driven threats alongside persistent traditional vulnerabilities.
## Key Points
- **AI-Driven Risks:** The adoption of generative AI systems with increased autonomy and broader internal system access is predicted to introduce new breach vectors.
- **AI Incident Vectors:** Breaches may occur via poorly constrained or insufficiently governed AI agents, potentially through flawed design, unintended behavior, or deliberate prompt manipulation.
- **Geopolitical Drivers:** Continued use of infostealer malware and phishing campaigns is expected as adversaries map supply chains amidst a tense geopolitical environment.
- **Proxy Actor Activity:** Expect continued destructive attacks orchestrated by proxy actors who finance activities through extortion.
- **Familiar Threats Persist:** Unpatched systems, leaked credentials, lack of MFA, and poor network visibility will continue to be foundational elements in successful attacks.
- **Emerging/Exotic Threats:** Less sophisticated groups will likely engage in website defacements or deploy disruptive malware for ideological visibility.
## Threat Actors
- **China-Nexus APT (UAT-8837):** High-confidence monitoring of an APT actor actively targeting North American critical infrastructure since at least 2025.
- **Proxy Actors:** Involved in destructive attacks and extortion-based financing.
- **Less Sophisticated Groups:** Motivated by political visibility or ideology, engaging in defacements or deploying disruptive malware.
## TTPs
- **UAT-8837 Methods:** Gaining access via vulnerability exploitation or stolen credentials; employing a mix of open-source tools for data exfiltration; maintaining persistent backdoors; and rapidly adapting tools to evade detection.
- **General Cybercrime:** Continued use of infostealer malware and phishing campaigns to gather intelligence on supply chains.
- **Destructive Attacks:** Conducted by certain proxy groups.
- **Insider/Autonomous Risk:** AI systems posing risks via excessive permissions or unfettered access, mimicking insider threats.
## Affected Systems
- **Critical Infrastructure:** Specific focus area for the UAT-8837 threat actor in North America.
- **Generative AI Systems:** Systems where autonomy and internal access are granted without sufficient governance.
- **General Enterprise:** Any system suffering from unpatched vulnerabilities, leaked credentials, or missing Multi-Factor Authentication (MFA).
## Mitigations
- **AI Governance:** Implement stringent governance and constraints on AI agents given high levels of access to prevent accidental or malicious incidents.
- **Vulnerability Management:** Maintain vigilance by ensuring all systems are kept patched.
- **Credential Security:** Enforce strong credential management and ensure all accounts utilize Multi-Factor Authentication (MFA).
- **Visibility:** Improve network visibility to detect anomalous activity.
- **Threat Hunting:** Proactively hunt for IoCs and unusual user/account activity, especially related to known APT behaviors (relevant to UAT-8837).
## Conclusion
The 2026 threat landscape will be defined by a duality: the rise of complex, autonomous AI-driven risks coupled with the predictable exploitation of common, foundational security weaknesses. Organizations must prioritize locking down basic hygiene (patching, MFA) while simultaneously developing robust governance frameworks for emerging AI integrations. The current geopolitical instability suggests heightened activity from state-aligned actors targeting critical infrastructure.