As the global threat landscape accelerates its transformation, 2026 marks a turning point that requires a fundamental shift in defense strategies. The volatility observed in 2025 has paved the way for an era that will soon be characterized by AI-powered autonomy, information-stealing malware, systemic instability of public vulnerability systems, and the full convergence of digital and physical risks.
Flashpoint offers a unique insight into this complexity and gives companies the foresight to master the future. Based on Flashpoint's leading intelligence and primary source collections, we highlight five key trends shaping the threat landscape in 2026. These insights are intended to help organizations not only understand what comes next, but also build the resilience needed to withstand and adapt to emerging challenges.
Prediction 1: Agentic AI threats will weaponize autonomy and force a new standard of defense
In 2026, AI threats will continue to evolve, with future attacks focused on autonomy and integration. Across the Deep Web and Dark Web, Flashpoint sees threat actors moving beyond experimentation to operationally deploying illicit AI.
As attackers train custom fraud-tuned large language models (LLMs) and multilingual phishing tools directly on illegal data, these AI models become more powerful. The criminal intent underlying their abuse is also becoming more sophisticated. Additionally, in 2026 there will be a larger market for paid jailbreaking communities and synthetic media kits for KYC (Know Your Customer) bypassing.
These advances allow criminals to go beyond simple tools and conduct large-scale, autonomous fraud operations, resulting in two major changes:
- Agentic AI becomes the real focal point: Threat actors will use agentic systems to automate reconnaissance, generate synthetic identities, and cycle through fraud strategies in near real time. In this SaaS ecosystem, AI will help attackers exploit subscription tiers and customer feedback loops at scale.
- The attack surface will shift and focus on AI integrations: Companies are increasingly integrating LLMs into live data streams, internal tools, identity systems and autonomous agents. These integrations often lack the security checks, access controls, and monitoring applied to other enterprise systems. Attackers will therefore primarily target the integrations, such as APIs, plugins, and system connections, rather than the models themselves.
“Pervasive automation has dramatically increased the pace of attacks and left many security teams behind. While automation can replace repetitive tasks across the organization, companies must not make the critical mistake of replacing AI with human judgment at the intelligence level.
This is of utmost importance as a critical threat in 2026 is the autonomy of agent AI used against soft targets – API integrations and identity systems. The only effective defense will be human-led and AI-powered, prioritizing targeted engagement to protect organizations from this exponential risk.”
Josh Lefkowitz, CEO of Flashpoint
These evolving AI threats will force a fundamental shift in defense strategies. Defenders must move to deploying systems around AI rather than relying on them alone.
Prediction 2: Identity compromise by infostealers will become the basis of every attack
Infostealers become the entry point, the data broker, the intelligence layer, and the fuel for everything that happens after a cyberattack. This shift is already underway and accelerating rapidly: in the first half of 2025 alone, infostealers were responsible for 1.8 billion stolen credentials, an increase of 800% since the beginning of the year. However, in 2026, the role of malware will be redefined so that its most valuable impact will be access rather than disruption.
Infostealers become the upstream event that drives the rest of the attack chain. Identity and session data are increasingly targeted because they give attackers instant access to victims' environments. Ransomware, fraud, data theft and extortion will only be downstream opportunities for monetization.
This upstream approach defines the new reality of the attack chain, which is already operational. Nearly every major stealer strain that Flashpoint watches is now exfiltrating the following:
- Autofill PII (Personally Identifiable Information)
- Saved addresses
- Telephone numbers
- Internal URLs
- Browsing history
- Cloud app tokens
An organization's attack surface is no longer just its own networks. It is the entire digital identity of its employees and partners. This new reality requires a new approach from security teams. Instead of trying to block attacks, they must proactively detect compromised credentials before they are weaponized. This will make the difference between responding to a data breach and preventing one.
“The infostealer economy has completely industrialized the attack chain and made the initial compromise a low-cost commodity. Multiple security incidents in 2025 are related to credentials found in infostealer logs. This reality has underscored the critical importance of digital trust – particularly verifying who can access what resources. In 2026, identity is the area to monitor and security teams must proactively look for compromised credentials before they can be weaponized.”
Ian Gray, Vice President of Intelligence at Flashpoint
Prediction 3: CVE volatility will force redundancy in vulnerability intelligence
The CVE temporary funding crisis in April 2025 and the subsequent CISA extension of the stopgap measure through March 2026 have exposed the systemic fragility of a centralized vulnerability intelligence model. With the future of the CVE/NVD system at stake, 2026 will be marked by the urgent need for redundancy and diversification in vulnerability intelligence.
In today's vulnerability intelligence ecosystem, almost every organization's vulnerability management framework relies on CVE and NVD – including its “alternatives” such as the EUVD (European Union Vulnerability Database). The CVE system has become a key global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports. A complete shutdown of CVE would result in widespread loss of institutional infrastructure.
The next generation of security must be built on resilient, diverse and data-driven practices. The focus should be on providing insights that can be used to take action, such as threat actor behavior, likelihood of exploitation in the wild, relevance to ransomware campaigns, and business context. Security teams need to leverage a comprehensive source of vulnerability information like Flashpoint's VulnDB, which fully covers CVE while cataloging more than 100,000 vulnerabilities missed by CVE and NVD.
Prediction 4: Protecting executives will remain a critical challenge given the convergence of cyber-physical threats
The continued blurring of the lines between cyber, physical and geopolitical threats will increase risk to corporate leadership and make executive protection a holistic intelligence function in 2026. The rise of information warfare combined with physical world convergence means that the threat to key personnel is no longer purely digital.
Following the tragic assassination of the CEO of UnitedHealthcare in December 2024, Flashpoint has continued to observe the distribution and glorification of “wanted posters” of leaders in extremist communities. Additionally, Flashpoint has observed nation-state actors using espionage and influence to target high-ranking individuals.
Organizations must take an integrated approach that combines insights from threat actor chatter and a variety of other OSINT sources. This fusion of information is critical to applying frameworks to ensure the safety of executives and key personnel.
Prediction 5: Extortion will shift to identity-based supply chain risk
The year 2025 was marked by several large-scale extortion campaigns and demonstrated how quickly the threat landscape is evolving. Ransomware operations have evolved into a pure extortion game. Flashpoint has observed an increase in new entrants to the ransomware market, accompanied by a decline in the quality and integrity of ransomware groups.
Additionally, vishing campaigns attributed to “Scattered Spider” have exposed identity, trust, and verification vulnerabilities. Scattered LAPSUS$ Hunters campaigns have also uncovered vulnerabilities in third-party integrations. These attacks culminated in extortion and demonstrated that modern attacks target trusted users and trusted applications for initial access, using ransomware instead of data access.
As this shift continues into 2026, threat actors will increasingly focus their efforts on exploiting human behavior and identity systems. Rather than devoting resources to breaching network perimeters, attackers will use social engineering to gain access to corporate systems at scale. This change in TTPs will undoubtedly significantly increase risk in the supply chain, particularly for third parties.
Plan a path through an evolving threat landscape with Flashpoint Intelligence
These five predictions highlight the transformative trends shaping the future of cybersecurity and threat intelligence. Staying ahead of these challenges requires more than just reactive measures – it requires actionable intelligence, strategic foresight and cross-sector collaboration. By adopting these principles and investing in proactive security strategies, organizations can not only mitigate risks but also capitalize on opportunities to improve resilience.
As the threat landscape continues to rapidly evolve, staying informed and prepared is critical to mitigating risk. With the right tools, insights and partnerships, security teams can navigate the complexities ahead and protect what matters most.