Sophos, the firm specialized in computer security, has analyzed the cyber-threat ecosystem over the past year to offer its vision of the main cyber risks for 2026 that will affect organizations.
According to Sophos analysis, the threat ecosystem in 2025 has shown a simultaneous expansion of risksdriven by both criminal and state actors, who are rapidly adapting their tactics to exploit digital identities, supply chains and artificial intelligence technologies.
Top cyber risks for 2026
In this context, ransomware continues to be one of the main drivers of cybercrime. Western groups like Scattered Spider They are intensifying campaigns that often begin with stolen credentials and identity abuse. At the same time, attacks on the digital supply chain are growing from a still limited base, but with a clear goal of scale.
The social engineering remains one of the most effective entry vectors. Techniques such as fake support calls, MFA fatigue, malicious QR codes or click-fix scams continue to offer good results to attackers. In parallel, China maintains persistent campaigns ranging from edge devices to highly centralized cloud environments, while North Korea continues to infiltrate organizations through fake IT workers posing as freelance developers to steal code, credentials and currency.
AI accelerates the pace of cybercrime
Although the use of artificial intelligence by attackers has not yet led to major technological breaches, Its adoption is already generating incremental improvements in phishing, automation, malware and deepfakes. These capabilities are laying the foundation for more credible and scalable attacks.
Looking ahead to 2026, Sophos anticipates a high-impact cyber incident whose root cause will be poor digital hygiene and which, despite its consequences, would be completely avoidable. Additionally, voice deepfake fraud is expected to reach an enterprise scale, allowing identity checks to be bypassed in critical processes such as financial approvals, password resets, or supplier onboarding.
The evolution of CEO fraud will mark a new turning point. The combination of generative AI and agentic models will allow the creation of highly personalized campaigns with fake videos and messages from managers capable of interacting through messaging applications, significantly increasing the credibility of the deception.
Insider risk and the new AI attack surface
Internal risk will also be amplified. Not only by malicious employees, but by mistakes made by workers who use AI tools to improve their productivity without proper governance, exposing sensitive information through uncontrolled integrations, prompt leaks or misconfigured connectors.
Added to this is the rapid proliferation of AI applications accessible from the internet, many of them without strong authentication and connected to data that organizations consider critical. Sophos warns that prompt injection attacks could lead to significant breaches in the short term if this new attack surface is not properly evaluated.
Ransomware, crypto assets and state actors
Ransomware will continue to be the main form of high-impact cybercrime, with an increasingly fragmented market and greater participation by English- and Chinese-speaking groups. In parallel, cryptocurrency theft could reach unprecedented figures, exceeding the $1.5 billion stolen in the case of ByBit, with North Korea as a possible main actor.
North Korean IT workers will expand their use of AI to bolster the credibility and persistence of their fake identities, improving their ability to respond to remote requests and execute tasks more effectively within compromised organizations.
dMDR, MSP and cyber insurance: an ecosystem in transformation
The managed detection and response (MDR) market will reach a tipping point in 2026. The line between managed services and AI-powered tools will become increasingly blurred, forcing providers to transparently demonstrate where human judgment is involved and who takes responsibility during an incident.
At the same time, MSPas will evolve towards “AI-first” models, acting as virtual CISOs for organizations with less security maturity. The channel will be divided between suppliers focused on operational efficiency and those that differentiate themselves by measurable business results, such as risk reduction or remediation times.
In the cyber insurance space, insurers are moving towards models based on continuous telemetry. Subscription will no longer rely on annual questionnaires and will rely on real-time technical data, rewarding organizations that can objectively demonstrate the effectiveness of their security controls.
“We are entering a stage in which risk is no longer defined solely by the volume of attacks, but for speed, credibility and abuse of identity and artificial intelligence”afirma Rafe Pilling, Director of Threat Intelligence en Sophos X-Ops. “Many of the most serious disruptions we will see in 2026 will not be the result of sophisticated techniques, but of basic security hygiene failures. The difference will be in who achieves continuous visibility, identity control and real governance of the use of AI”.
Regulatory pressure that reaches the mid-market
Regulatory pressure will extend decisively to the mid-market, forcing companies of all sizes to demonstrate governance, continuous oversight and effective control of the use of artificial intelligence. Security will no longer be an annual compliance exercise but will become a permanent operational responsibility, driving dependence on external partners and managed services.
According to Sophos, the future of cybersecurity will not depend solely on new tools, but on the quality of data, the integration of intelligence into decision making and the ability to offer strategic judgment at scale. In an environment where identity, AI and automation redefine risk, organizations that manage to balance innovation, visibility and control They will be better prepared to face the challenges of the coming years.
