If 2024 and 2025 were the years organisations felt the strain of tightening budgets, 2026 is the year those decisions will fully manifest in their cyber risk exposure. Across both the private and public sectors, years of belt-tightening have led to reduced headcount, ageing infrastructure and postponed modernisation. Analyst reports show growth in cyber security spending has slowed markedly and many security teams are operating with fewer specialists than they had three years ago. The cumulative effect of this means fewer defenders, slower detection and weakening resilience at a time when adversaries are escalating in both ambition and sophistication.

The past year has provided irrefutable proof of how these gaps translate directly into risk. A major supply-chain compromise of Oracle Cloud reportedly exposed millions of records and impacted more than 140,000 tenants. The Salesloft/Drift breach illustrated how attackers can exploit interconnected SaaS ecosystems to cascade access across multiple organisations. Meanwhile, Jaguar Land Rover’s cyber incident halted vehicle production and disrupted supply chains for weeks, demonstrating how even relatively mature, well-funded industries can be brought to a standstill by a single compromise. These incidents reveal a systemic weakening of defensive capacity and third-party oversight.

This is the backdrop against which 2026 begins, and the legacy of recent budget cuts will continue to degrade the defensive posture of many organisations. With smaller teams and constrained resources, adversaries will enjoy longer dwell times, greater freedom to move laterally and more opportunities to exploit unpatched systems. Supply-chain compromise and zero-day exploitation will remain primary attack vectors, especially in environments where patch cycles have slowed or asset inventories are incomplete. Compounding this is the fact that several national cyber bodies have themselves faced funding and workforce reductions, limiting their ability to coordinate incident response at scale. In short, the high-impact attacks of 2025 should not be viewed as peaks, unfortunately, but as early indicators of a worsening trend.

However, budget pressure is not the only factor reshaping the threat landscape. A parallel shift is emerging that is driven by a rise in what might be termed casual cyber aggression, outside the more predictable threats such as nation states or organised crime threat actors. Across the UK, several high-profile incidents in 2025 have been traced back to loosely affiliated individuals, often teenagers, wielding commodity hacking tools, rented botnets and downloadable exploit kits. These attackers are not motivated by complex financial schemes or geopolitical goals, instead drawn by curiosity, frustration, social validation or the mere thrill of notoriety.

This behaviour is being fuelled by two converging forces. First, the accessibility of attack tooling has increased dramatically. Automated scripts, ransomware-as-a-service platforms and AI-driven reconnaissance tools require minimal technical expertise, lowering the barrier to entry. Second, the volume of open source intelligence, from corporate data leaks to overshared social media profiles, has exploded. Executives, public figures and organisations leave digital footprints that can be assembled into highly persuasive social engineering campaigns. For would-be attackers, the pathway from idea to impact has never been shorter.

What appears to be eroding at the same time – maybe due to the frequency of attacks or complacency – is the perceived risk of consequence. Arrests and prosecutions for cyber offences remain rare relative to the scale of attacks; and within online communities where many of these individuals operate, reputation and bravado often outweigh caution. Combined with social disaffection and worsening economic pressures, hacking is becoming, for some, a form of digital expression by offering an accessible outlet with very real-world repercussions and very little perceived consequence.

In 2026 that will translate into an expectation of more erratic and attention-grabbing attacks by small groups or individuals using widely-available tools. While these incidents may lack technical sophistication, their public visibility and collateral impact, particularly when they target public services, transportation networks or major consumer brands, will make them strategically significant. They also risk eroding public trust in digital services at a moment when that trust is already fragile.

Of course, it wouldn’t be a look ahead without the mention of the rapid evolution of artificial intelligence in cyber security on top of everything. Back in 2020, predictions that AI would reshape defensive strategies seemed optimistic; today, they look understated. By 2025, an IBM report revealed more than two-thirds of organisations reported using AI in their cyber security programmes and nearly a third rely on it extensively. AI now underpins anomaly detection, automated response, threat-hunting and vulnerability management. But cyber criminals have adopted it just as aggressively. Research suggests that the majority of email-based attacks now incorporate AI, and AI-assisted ransomware campaigns are becoming the norm.

Generative AI has made it far easier to craft targeted phishing emails, credible social-engineering scripts and realistic deepfake impersonations. For high-value targets such as CEOs, the oversharing of personal and professional information online materially increases risk. And the growing maturity of agentic AI, those autonomous systems capable of multi-step tasks, introduces both powerful defensive opportunities and new avenues for attack.

Taking all of this into account, three trends stand out.

First, the knock-on effects of underinvestment will continue; i.e. fewer breaches overall, but those that do occur will be larger, more complex and more damaging due to longer dwell times and interconnected supply chains.

Second, casual cyber aggression will become more visible, testing societal resilience and challenging policymakers to rethink digital accountability.

Third, the AI arms race will accelerate on both sides, with defenders and attackers deploying increasingly autonomous systems, driving the next stage of the cat-and-mouse dynamic.

It’s fair to say that 2026 will not necessarily be the most catastrophic year in cybersecurity but it could be one of the most telling. The choices organisations make now, in restoring investment, rebuilding cyber skills and governing AI responsibly, will determine whether the curve bends towards resilience or further fragility.

Anthony Young is CEO at Bridewell, a managed security services provider working in the UK and US.