7 CIS Experts' 2026 Cybersecurity Predictions

Elimination of federal funding for the Multi-State Information Sharing and Analysis Center^® (MS-ISAC^®) ... cyber threat actors (CTAs') ongoing use of artificial intelligence (AI) ... the AWS outage in October ... these and similar developments created new risks for organizations like yours in 2025. In doing so, they shifted the conversation around your cybersecurity and compliance priorities going forward.

There's so much change to decipher. Where do you focus your efforts?

To put next year into context, we spoke to seven experts at the Center for Internet Security^® (CIS^®) about their 2026 cybersecurity predictions. Here's what they had to say.

Sean Atkinson | CISO

AI Continues to Dominate the Headlines and Security Landscape. We will require contextualization of specific AI applications and use cases, including Model Context Protocol (MCP), Agentic AI, and Large Language Models (LLMs), and we will need to consider each in its own right. As more decision-making is placed on these technologies, organizations will need to assess them as tools, technologies, and personas within their environments — each with its own risk profile.

Focused and Specific Threats to Critical Infrastructure and U.S. State, Local, Tribal, and Territorial (SLTT) Entities. Threats and risks facing these organizations continue to grow and become more sophisticated. Organizations need assistance in the way of preparation, training, and support to confront talent shortages — all while navigating a lack of funding.

Quantum Creep. We will start thinking more about the risk and implications of quantum technologies. This will start with quantum-safe algorithms, and we will continue to see if the technology becomes commercialized. It will start to encroach into strategic risk assessment for 2026 and beyond.

Don Freeley | VP of IT Services

In 2026, IT organizations will need to refocus on operational security fundamentals, such as least privileged access policies, minimizing attack vectors, and vulnerability and patch management. Adversaries are using AI to shorten the time from the publication of a security bulletin to an attack in the wild dramatically. Research has shown the ability to reverse engineer vendor security update notices into exploitable code within hours. This means IT organizations must continuously revisit what can be reached by attackers, including by minimizing the exposure and surface areas available to exploitation by employing zero trust principles. Security update processes must evolve from scheduled patching windows to a CI/CD approach for higher severity vulnerabilities.

Lee Noriega | Executive Director of CSO

Operationalization of AI in Cybersecurity Operations. In 2026, AI will shift from experimental deployments to fully operationalized components within Security Operations Centers (SOCs). AI will no longer be limited to anomaly detection or log analysis; instead, it will be embedded across the entire incident lifecycle — from threat identification and prioritization to automated containment and remediation. This evolution will be driven by the need to scale defenses against increasingly sophisticated and fast-moving threats, especially in resource-constrained environments like state and local agencies. For those who advocate for scalable and mission-aligned cybersecurity services, this marks a turning point. AI will enable service providers to deliver Cybersecurity as a Service with greater precision, speed, and cost-efficiency. It will also support law enforcement by automating the correlation of threat actor behaviors and accelerating evidence collection. However, operationalizing AI will require robust governance frameworks to ensure transparency, accountability, and alignment with public trust — areas where CIS can lead by example.

Law Enforcement-Centric Threat Intelligence Platforms. In 2026, the cybersecurity landscape will demand more specialized platforms that enable real-time, actionable threat intelligence sharing between cybersecurity teams and law enforcement agencies. These platforms will go beyond traditional Information Sharing and Analysis Center (ISAC) models, integrating forensic data, behavioral analytics, and legal workflows to support investigations, prosecutions, and coordinated response efforts. As cybercrime becomes more transnational and technically complex, U.S. SLTT agencies and law enforcement will need tools that not only detect threats but also translate technical indicators into investigative leads. These platforms will likely include features such as:

• Chain-of-custody tracking for digital evidence
• Automated correlation of threat actor tactics, techniques, and procedures (TTPs) with known criminal profiles
• Secure channels for cross-jurisdictional collaboration
• Integration with national and international watchlists

Zero Trust Becomes a Compliance Mandate. Beginning in 2026, zero trust architecture (ZTA) will transition from a best practice to a regulatory requirement for public sector organizations. Federal agencies are already under executive mandates to implement zero trust, and this pressure will cascade down to U.S. SLTTs through compliance frameworks, procurement requirements, and cybersecurity grant conditions. The shift will be driven by the need to reduce systemic risk, especially in environments where legacy infrastructure and decentralized access models have left agencies vulnerable to lateral movement and identity-based attacks. However, the challenge will be ensuring that zero trust doesn’t become a check-the-box exercise and that adoption of zero trust proceeds in a way that’s practical, scalable, and aligned with their agency’s operational realities. Compliance will likely be measured through updated National Institute of Standards and Technology (NIST) frameworks, state-level mandates, and integration into procurement and audit processes.

Privacy and Cybersecurity Will Converge in Governance Models. In 2026, organizations, especially in the public sector, will increasingly integrate privacy and cybersecurity into unified governance frameworks. Historically treated as separate domains, privacy and cybersecurity are now recognized as interdependent; protecting sensitive data requires both technical safeguards and policy-driven controls that respect legal, ethical, and societal expectations. This convergence will be driven by several factors:

• Regulatory pressure from laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and emerging state-level privacy statutes
• Public trust concerns, especially in law enforcement and government services
• Operational efficiency as agencies seek to streamline oversight and reduce silos between IT security, legal, and compliance teams

Randy Rose | VP of Security Operations & Intelligence

This year, I reached out to our analyst teams and got some great insight into what they’re expecting in the coming year(s). The credit for these ideas belongs to Josh P., Kyle L., Casey C., and Matt N. from our Security Operations and Intelligence division.

Cross-Platform Campaigns Become the Norm. Cyber threat actors (CTAs) are increasingly designing payloads that can execute across Windows, Linux, and even macOS, reducing the need for separate codebases and increasing their reach. We’ll likely see more unified frameworks capable of compromising mixed environments with a single campaign. The malware itself will likely be more of the same — we’ll still be talking about infostealers, loaders, ransomware, and spyware — and much of it will come from familiar families. But what will change is how adaptable and efficient these threats become.

The Rise of Semi-Autonomous Malware. We’re seeing glimpses of automation already, such as credential theft, worm-like propagation, and automated payload delivery. For example, QakBot used automated techniques for lateral movement throughout a compromised network, while Lumma Stealer automated data harvesting. While efficient and effective, neither of these threats nor any other current malware are fully autonomous … yet. Instead, they’re modular, scripted routines that are an early and important step in the move toward malware capable of chaining those processes together with minimal, if any, human direction. That evolution could dramatically shorten the time between initial access and full compromise.

Crimeware as a Service and AI-Assisted Malware. CTAs will experiment with generative AI (GenAI) and code-assist tools to speed up malware development, improve obfuscation, or create polymorphic variants on demand. We’ll likely see limited case-by-case examples of this rather than widespread adoption in 2026, as advances in development will still fall short of consistent operational use. While not truly “AI-driven malware,” these early collaborations between human operators and AI tools could make the threat landscape slightly more adaptive and unpredictable in select campaigns. GenAI has also become the great equalizer for many cybercriminals. What used to take specialty skills and hours of intense effort can now be handled in a matter of minutes leveraging tools anyone can access. From automating analysis of stolen data to profiling targets to creating false identities to leveraging GenAI’s capacity for natural language, cybercrime has become more accessible to a wider audience of potential threat actors than ever before, and we’re likely to see increased use of GenAI for Crimeware as a Service.

Increased Malicious Use of Trusted Infrastructure to Thwart Cyber Defense. Threat actors are increasingly abusing trusted cloud and web service infrastructure to host malicious resources, effectively blending into legitimate traffic and undermining defenders’ ability to identify and block their activity. Rather than relying on easily flagged IPs or domains that create bottlenecks for detection, adversaries are turning to reputable platforms — such as content delivery networks and SaaS providers — to host credential harvesting pages and other malicious content. Fake login pages hosted on legitimate domains may be taken down quickly, so attackers are seeking opportunities to simply spin up new subdomains at speed and scale to maintain persistence. This constant churn, combined with the use of trusted domains, will continue to grow in frequency and complexity, forcing defenders to rely more on behavioral indicators and content analysis rather than indicators alone.

Increased Focus on Supply Chain Attacks and Other Single Points of Failure. We’ve seen a clear shift in how adversaries think about impact. They’re no longer content with hitting one organization at a time. Instead, they’re targeting the connective tissue of our digital ecosystem: software suppliers, managed service providers, and other single points of failure. These types of security incidents underscore how a single compromise can cascade across sectors and have global impact for hours or even days. Expect to see more pre-positioning aimed at these and other massively integrated environments that are quiet, deliberate intrusions aimed at ensuring attackers are already in place before the next opportunity for widescale disruption presents itself when the attacker determines the time is right.

Continued Loss of Federal Support for State and Local Government Increases Cyber and Physical Risks. With federal funding for cybersecurity being reduced and many services pared back, including the cancellation of the Cooperative Agreement to fund operational services through the MS-ISAC, state and local governments are increasingly exposed just as adversaries are ramping up operations against them. Multiple incidents of foreign state intrusions into municipal utilities and other critical infrastructure networks underscore how global geopolitical tension is spilling into America’s hometowns. Reduced support and coordination with the federal government will likely create more opportunities for foreign adversaries to gain footholds into our most important networks. Municipal networks are tempting targets because they are viewed as less defended, full of rich data, and critical to the fabric of our society. 2026 could see a dangerous convergence of rising attack focus and diminishing protective capacity, with the MS-ISAC being one of the few organizations positioned to help reduce the risk at scale.

Shift in GenAI LLMs from Trained Data Only to Retrieval-Augmented Generation (RAG) Models. RAG-based LLMs are already gaining in popularity. While the latest open LLMs are not proper RAGs, there is likely to be a shift in 2026 toward RAG models. These models combine trained data with external sources to produce more timely and relevant responses than a model could generate on its own. From a threat perspective, this could introduce new risks in the form of model poisoning, sensitive data leakage, and exposure of proprietary data if not implemented carefully and if those external knowledge sources are not carefully controlled.

Marcus Sachs | SVP, Chief Engineer

Offensive autonomous and Agentic AI will emerge as a mainstream threat, with attackers unleashing fully automated phishing, lateral movement, and exploit-chain engines that require little or no human operator engagement.

2026 is an election year, meaning that deepfake fraud and cognitive attacks will surge.

Operational Technology (OT) and critical infrastructure will experience a high-impact cyber incident, likely tied to a geopolitical conflict, which will finally trigger mandatory federal cybersecurity standards for water, communications, agriculture, and transportation sectors.

Cloud service prioritization and resilience will become a national policy topic after another major SaaS outage disrupts emergency or public services, accelerating multi-cloud and “cloud failover” architectures.

Karen Sorady | VP of MS-ISAC Strategy & Plans

U.S. SLTTs will continue to grapple with persistent funding constraints — even as they are increasingly called upon to shoulder greater responsibility in defending their jurisdictions and critical infrastructure against a growing wave of sophisticated cyber threats. In this evolving threat landscape, it is clear that no single jurisdiction can stand alone. The path forward demands deeper coordination and collaboration within states, across sectors, and among peers nationwide.

The MS-ISAC is uniquely positioned to serve as a trusted partner and facilitator, helping U.S. SLTTs navigate these complex challenges and strengthen their collective cyber resilience during these demanding times.

Valecia Stocchetti | Sr. Cybersecurity Engineer, CIS Critical Security Controls

A Rapidly Growing and Complex Threat Landscape. With the rapid advancement of AI and convergence of sophisticated threat groups, today’s cyber threat landscape is more complex than ever before. Attackers now have unprecedented access to tools and resources, making it easier to launch high-volume, high-impact campaigns. For instance, Denial of Service (DoS) attacks and social engineering are proliferating globally, as highlighted in Verizon's 2025 Data Breach Investigations Report and the ENISA Threat Landscape 2025 report.

Unlike a decade ago, organizations are no longer unaware of the need for cyber defense. Many are responding — some proactively, others reactively — by implementing security measures. Yet it is clear that these efforts often fall short. To defend against modern threats, organizations must move faster than ever, which can be exhausting and psychologically taxing for security teams. Nonetheless, these attacks aren’t going anywhere anytime soon.

The Microsoft Digital Defense Report 2025 emphasizes this shift, noting that threat actor campaigns have evolved from single-stage to multi-stage attacks. That’s a problem for organizations. Security programs must anticipate and adapt to meet the complexity of the threats they are facing.

While I don’t have a crystal ball to predict what next year will bring, I do know this: as a Senior Cybersecurity Engineer for the CIS Critical Security Controls^® (CIS Controls^®), my role is to listen, learn, and continuously evolve our CIS Controls to help organizations defend against this ever-changing threat landscape.

Regulations and Compliance (and Security). As the threat landscape continues to evolve, so too does the wave of regulations and compliance requirements. In many ways, this is a positive development. Think of it like the automotive industry. If safety standards were suddenly lowered, most of us would feel anxious about getting behind the wheel. The same principle applies to cybersecurity. Regulations help raise the bar and encourage organizations to implement foundational controls.

However, compliance alone is not enough, and meeting regulatory requirements is just the beginning. To build a resilient cybersecurity posture, organizations need a comprehensive security framework that fills in the gaps left by compliance checklists. More importantly, these controls must be actively managed.

That means conducting regular audits, managing changes in the environment, and treating cybersecurity as a continuous, evolving process — not a one-time task. This requires significant resources: time, leadership buy-in, tools, skilled personnel, and ongoing assessments. And as regulations increase, so does the demand for all of these resources. I believe that organizations will be left with no choice but to combine security and compliance into a single pane of glass.

Ultimately, a strong culture of security across the organization is essential to drive a program forward. It’s not just about checking the box; it’s about embedding security into the heart of the business.

Keep up with Multidimensional Threats in 2026 and Beyond

The 2026 cybersecurity predictions above are what stand out to us. They're not all-inclusive of everything that's changing in cybersecurity and compliance. If you think we missed something, let us know on X, LinkedIn, or Facebook.

Once you've done that, you need to think about how to keep up with all the changes we discussed in this blog post. One of the ways you can do this is by taking a proactive approach to defending against multidimensional threats. ThreatWA™ can help you do just that. It leverages the expertise of law enforcement, cybersecurity, and physical security analysts to not only highlight multidimensional threats that matter to your organization but also provide actionable steps you can take to defend yourself.

Ready to enhance your multidimensional threat defense posture for 2026?