
What is cyber risk and why your company cannot ignore it
11 December 2025
The concept of emerging threats is no longer a label; it is an operational fact. Organizations are facing attack vectors that operate in real time, adapt through artificial intelligence (AI), leverage legitimate identities, and exploit the convergence of IT, OT, and hybrid environments with extremely high effectiveness.
The most recent metrics from vendors, analysts, and specialized news sources show that these threats are already here. They are evolving and causing economic, operational, and reputational impact without precedent in the history of corporate cybersecurity.
This publication explores in depth what these threats are, how they work, why they are so effective, which real-world examples illustrate them, what their economic impact is, and what their predominant trends will be in 2026.
1) The end of the classic perimeter: the real attack surface
Less than a decade ago, CISOs were still talking about protecting a physical network perimeter. Today, that idea is completely obsolete. The real attack surface is defined by:
- Distributed human and non-human identities (remote users, API keys, service accounts, vendors).
- Hybrid multicloud infrastructure (public/private/edge).
- OT/IoT devices with extended connectivity.
With the massive adoption of hybrid and multicloud environments, attacks no longer “enter through the perimeter”; they reside within organizations’ trusted topology. This means attackers focus on:
- Stealing, cloning, or hijacking identities.
- Exploiting poorly managed cloud service configurations (misconfigured IAM, accounts with excessive privileges).
- Using legitimate access mechanisms to move laterally.
In this model, there is no “inside” or “outside”: there is distributed operational trust, and emerging threats exploit precisely that trust, not a traditional “technical breach.”
2) Identity: the epicenter of modern risk
One of the main conclusions of global reports from the past year is that compromised identities continue to be the primary entry point for high-impact cyberattacks:
- More than 61% of all documented breaches involve stolen or hijacked credentials.
- AI-powered phishing attacks have increased by more than 1,200%.
- Traditional MFA remains insufficient against MFA bypass attacks and active session hijacking.
Identity-based emerging threats include:
- Hyper-realistic AI-generated phishing, indistinguishable from legitimate communications.
- MFA bypass through sophisticated social engineering techniques.
- Abuse of valid tokens and sessions to move laterally without triggering alerts.
This risk approach is driving the adoption of Zero Trust Identity First architectures, where every interaction is continuously verified and logged, reducing the attack surface associated with users and services.
3) Offensive Artificial Intelligence: the industrialization of the attack
One of the most disruptive emerging threats is the use of general-purpose AI and autonomous agents (agentic AI) to automate complete attacks:
- AI agents can already execute phishing campaigns, reconnaissance, exploitation, and exfiltration with minimal human intervention.
- Offensive automation enables large-scale simultaneous attacks with very little human oversight.
- Advanced AI models can identify and exploit vulnerabilities in code or configurations without writing a single line of malware manually.
Reports suggest that this offensive AI has dramatically accelerated the attack cycle; for example, some attacks that previously took weeks are now executed in minutes with autonomous AI.
The direct consequence is that defense teams, if they do not use complementary defensive AI, will be under-equipped to respond in real time. This race between offensive and defensive AI is at the core of today’s emerging threats.
4) Silent persistence: attacks that do not make noise
Most real damage does not occur in a single explosive event. It happens when:
- The attacker establishes a silent presence in critical systems.
- They use “legitimate” tools to move laterally without triggering alarms.
- They implant persistence mechanisms that are difficult to detect.
This type of emerging threat feeds on two factors:
- Abuse of operational trust (identity, roles, permissions).
- Low visibility of relevant telemetry (critical events are not logged).
Silent persistence is one of the reasons why the “mean time to detection” (MTTD) remains unacceptably high in many organizations, even when advanced security tools are implemented.
5) Ransomware and double/triple extortion: emerging economic threats
Although ransomware is not new, its evolution in the latest phase turns it into an emerging economic and strategic threat:
- In 2025, approximately 43% of organizations were targeted by ransomware.
- The double extortion model (data theft + encryption) is already present in nearly 87% of attacks.
- Ransomware-as-a-Service (RaaS) platforms have democratized access to sophisticated attacks.
In addition, an evolution toward “triple extortion” is observed, where public threats, reputation manipulation, and legal pressure are added, increasing impact and complicating organizational response.
Projected damages are enormous: estimates of the global impact of ransomware and extortion exceed hundreds of billions of dollars per year, and these figures are expected to continue growing exponentially toward 2030.
6) OT & IoT: physical and operational risk is already digital
One of the most insidious emerging threats arises from the convergence of IT and OT:
- Industrial and manufacturing systems now share platforms with enterprise systems.
- IoT device botnets continue to grow, expanding the attack surface.
- The risk is not only digital: it can cause physical failures, production interruptions, or damage to critical infrastructure.
In response, leading organizations are adopting security architectures tailored for OT, including advanced segmentation, digital twins for attack simulation, and AI-driven adaptive controls to close the gaps between OT and IT.
7) Deepfakes and advanced social engineering
Social engineering is no longer a matter of simple, poorly written emails; today's techniques are sophisticated, AI-driven, and extremely realistic:
- Audio and video deepfakes have enabled impersonation fraud involving high-value fund transfers.
- “Vishing” attacks using voice cloning have multiplied more than fourfold in a short time.
- Real-time deepfake-based attacks can deceive biometric authentication systems.
These emerging threats directly attack human trust (the weakest link in any security chain) and require technical controls such as spoofing-resistant multifactor validation, combined with advanced organizational training.
8) Traditional vulnerabilities: they still account for large volumes
While emerging vectors capture headlines, traditional techniques continue to be exploited at scale:
- Phishing continues to increase year after year with more targeted and credible campaigns.
- Unpatched vulnerabilities in software, devices, or libraries (supply chain) remain a critical entry point.
- Misconfigurations in cloud environments (IAM, exposed storage) represent a significant proportion of breaches.
Attackers combine these traditional techniques with offensive AI to amplify them, creating more effective threats than ever before.
9) Compliance and regulation: NIS2 and the era of technical evidence
European and global regulations demand more than policies: they require continuous technical evidence:
- Incident reporting within strict timeframes.
- Periodic risk assessments with measurable metrics.
- Technical auditing of controls, not just documentation.
This transforms risk assessment from a static exercise into a continuous process of monitoring, analysis, and improvement, aligned with frameworks such as NIS2, DORA, and ENS.
10) Emerging threat predictions toward 2026
Based on data, observed trends, and current evolution:
- Offensive AI will continue to expand the volume and sophistication of attacks.
- Identity will remain the dominant vector, with attacks based on MFA bypass and session hijacking.
- Ransomware and multiple extortion will consolidate as critical economic vectors.
- OT/IoT will continue to absorb attacks with physical and operational impact.
- Deepfakes and social attacks will continue evolving toward hyper-realistic impersonations.
Artificial intelligence becomes both an emerging threat and an indispensable defensive tool.
Conclusion: emerging threats already operate and dominate the risk of 2026
The word “emerging” no longer indicates something future, but something active, adaptive, and constantly expanding. Successful organizations in 2026 will be those that:
- Apply Zero Trust Identity First as a standard.
- Integrate defensive AI with continuous monitoring.
- Visualize and manage the attack surface in real time.
- Demonstrate verifiable technical compliance with continuous evidence.
Cosmikal: hardened workspaces and multilayer security against emerging threats
In a landscape where emerging threats continuously evolve, Cosmikal offers comprehensive defense based on shielded workspaces and multilayer security, designed to protect both IT and OT environments. Its approach is based on a fundamental principle: every interaction with critical systems must pass through a controlled, monitored, and secure-by-design workspace.
Shielded workspaces
Cosmikal implements two protected workspace modalities:
- RSW (Remote Shielded Workspace): through Endurance, users interact with critical systems from a Shielded Remote Workspace, combining VDI, PAM, and continuous monitoring. Every action is logged, eliminating risks of lateral movement or data exfiltration, even if the user’s endpoint is compromised.
- LSW (Local Shielded Workspace): with Ranger, access is performed from centrally managed thin clients, restored at every startup. This ensures that only trusted devices can interact with critical assets, reducing exposure to malware, phishing, or insecure configurations.
Multilayer security
Cosmikal’s protection is structured across several mutually reinforcing layers:
- Access and credential control through PAM and encrypted vaults, ensuring that privileged identities are never an attack vector.
- A Connection Broker that limits communication between user and asset to essential events (keyboard, mouse, video, audio), preventing data exfiltration or system manipulation.
- Continuous monitoring and automatic auditing, providing verifiable evidence to facilitate compliance with regulations such as NIS2, ENS, or ISO.
- Hybrid IT/OT and multicloud integration, protecting critical assets regardless of their location or nature, and closing gaps between traditional and connected environments.
This approach combines shielded workspaces with multilayer security, ensuring that organizations can detect, contain, and mitigate emerging threats in real time, transforming the complexity of modern attacks into operational control and cyber resilience.
In summary, while emerging threats redefine modern security, Cosmikal guarantees a secure and controlled environment for users and assets, offering solutions that combine advanced technology, full visibility, and regulatory compliance, enabling CISOs and IT leaders to work with confidence and maximum security.




