The week’s defining cybersecurity event was Microsoft’s May Patch Tuesday, which addressed 137 vulnerabilities, 31 of which were marked critical, with none observed being actively exploited in the wild — the first such clean release in nearly two years. But the relief is fragile: Microsoft disclosed that 16 of the flaws fixed this month across the Windows networking and authentication stack were identified through its new multi-model AI-driven vulnerability discovery system, codenamed MDASH (multi-model agentic scanning harness), and Tenable’s Satnam Narang noted Microsoft has already patched over 500 CVEs five months into the year — a volume reflecting a broader trend where vulnerability discovery has scaled new highs via AI-powered approaches.

On the breach front, education technology giant Instructure suffered one of the year’s most consequential intrusions, ShinyHunters expanded its Salesforce-targeting rampage to Cushman & Wakefield, and Trellix — a cybersecurity vendor — disclosed its own source-code repository breach. Meanwhile, quantum computing’s timeline compression continues to validate NIST’s call for immediate post-quantum migration.

Key Developments

Microsoft’s “No-Zero-Day” Patch Tuesday Masks an AI-Driven Volume Surge

For the first time since June 2024, Microsoft shipped a monthly security update with zero actively exploited or publicly disclosed zero-day vulnerabilities. The headline number, however, obscures a structural shift.

Of 31 “critical” entries, 16 are remote code execution vulnerabilities spanning Microsoft Office, Word, Windows Native WiFi Miniport Driver, Azure, Dynamics 365, Windows GDI, SharePoint, Windows Graphics Component, Netlogon, and Windows DNS Client.

Among the most severe: CVE-2026-41096 (CVSS 9.8), a heap-based buffer overflow in Windows DNS that could allow an unauthorized attacker to execute code over a network, and CVE-2026-42898 (CVSS 9.9), a code injection vulnerability in Microsoft Dynamics 365 (on-premises) allowing an authorized attacker to execute code over a network.

Why it matters: The AI-discovery pipeline is now mainstream. Microsoft’s MDASH discovered 16 of the Patch Tuesday vulnerabilities, and Palo Alto used Mythos to find dozens of flaws.

Oracle has responded structurally: Oracle said it will supplement its quarterly Critical Patch Update fixes with monthly security releases focused on high-priority vulnerabilities, citing the increased pace of AI-assisted vulnerability disclosures stemming from adoption of AI models like Anthropic Mythos. The first monthly Critical Security Patch Updates will arrive on May 28, 2026.

Strategic implications: The cadence of enterprise patching is being forcibly compressed. CISOs should expect monthly fix volumes to roughly double over the next 12 months and reallocate vulnerability management budgets toward automated triage, runtime mitigation, and exposure-management tooling.

Instructure/Canvas Breach Hits 275 Million Education Users

Education technology giant Instructure, operator of the Canvas learning management system, suffered a significant data breach on May 7, 2026. The ShinyHunters cybercrime group claimed responsibility, gaining unauthorized access and causing widespread outages during the critical final exam period for schools and universities across the U.S. and internationally. The breach affected nearly 9,000 educational institutions, with the attackers claiming to have compromised data on up to 275 million users, including students, teachers, and staff. Exposed information includes names, email addresses, student ID numbers, and private messages between students and teachers.

The Committee on Homeland Security has requested to be briefed on the incident and Instructure’s remediation steps.

Why it matters: This is a top-tier SaaS-concentration risk event — a single platform compromise exposed data spanning thousands of K–12 districts and universities at exam time, with attackers defacing login pages to amplify pressure.

Strategic implications: Education-sector SaaS has joined healthcare and finance as Tier-1 ransomware/extortion targets. Boards should expect insurance carriers to retighten coverage for EdTech vendors and federal scrutiny of K–12 cyber resilience requirements to intensify.

ShinyHunters Salesforce Campaign Expands; Trellix Source Code Stolen

Global real estate services firm Cushman & Wakefield confirmed a vishing-related security breach after both the ShinyHunters and Qilin ransomware groups listed the company on their dark web leak sites. ShinyHunters claimed to have stolen over 500,000 Salesforce records containing personally identifiable information and internal corporate data. The company responded by activating incident response protocols and engaging third-party experts. The attackers issued a ransom demand with a deadline of May 6, threatening to leak the data if not paid.

Separately, cybersecurity firm Trellix disclosed a data breach after attackers gained access to “a portion” of its source code repository.

Why it matters: Vishing-driven Salesforce compromise has become ShinyHunters’ signature playbook, and Trellix’s source-code exposure raises supply-chain concerns mirroring the 2024 wave of vendor breaches.

Strategic implications: CRM platforms are now the highest-yield exfiltration target in the enterprise. Identity verification at the help-desk layer — not technical controls alone — is becoming the decisive control point.

Anthropic’s “Mythos” Vulnerability-Discovery AI Triggers Regulatory Response

Anthropic CEO Dario Amodei has warned that AI has created a narrow window of about six to 12 months for organizations across the world to fix tens of thousands of software vulnerabilities found by its AI model before Chinese AI catches up.

Regulators are responding. The Securities and Exchange Board of India (SEBI) has released an advisory stating that tools like Mythos “may give rise to heightened risk exposure by enabling identification and potential exploitation of existing vulnerabilities using speed and scale,” and that it may also introduce concerns relating to data confidentiality, application integrity, and reliability of outputs. SEBI is also establishing a cyber task force to examine cybersecurity risks posed by AI models and devise a mitigation strategy.

Why it matters: A new asymmetry has emerged: defenders using AI to find bugs are accelerating disclosure faster than enterprises can deploy patches. The “patch gap” is the new attack window.

Strategic implications: Expect AI-discovery-driven CVE volumes to become a permanent feature of the threat landscape. Organizations that haven’t automated their patch pipelines should treat 2026 as the year they must — virtual patching, runtime application self-protection (RASP), and compensating controls are no longer optional.

SAP, Fortinet, and Adobe Round Out a Heavy Patch Week

SAP released May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in the Commerce Cloud enterprise-grade e-commerce platform and the S/4HANA ERP suite.

Fortinet released security patches for two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code.

The supply-chain front remained active: hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers.

Quantum Computing Corner

This week’s quantum developments materially compress the timeline that underpins post-quantum migration planning.

JUPITER simulates 50 qubits — a new world record. Researchers at the Jülich Supercomputing Centre and NVIDIA achieved a major milestone in quantum computing by fully simulating a universal quantum computer with 50 qubits for the first time using Europe’s first exascale supercomputer.

The achievement surpasses the previous record of 48 qubits, also set by Jülich scientists in 2019 using Japan’s K computer. Beyond setting a new benchmark, the breakthrough highlights the enormous capabilities of JUPITER and could accelerate the development of future quantum algorithms.

Mobile qubits on silicon. In a development with major scalability implications, researchers have demonstrated that qubits can physically move across a silicon chip while preserving their fragile quantum states. The findings, published in Nature, show that electron spin qubits embedded in silicon can be shuttled across microscopic distances using precisely controlled electrostatic potentials without losing coherence or computational fidelity.

ETH Zurich stabilizes neutral-atom qubits. Researchers at ETH Zurich took a step closer to quantum supercomputers after achieving a major breakthrough with neutral-atom qubits, making them more stable during operation than ever before, while developing a new type of quantum operation.

Kyoto W-state breakthrough. Scientists in Japan have developed a new way to instantly detect elusive quantum “W states,” a major milestone for quantum technology. The breakthrough could help unlock faster quantum communication, teleportation, and powerful new computing systems.

Why this matters for security. Harvard’s quantum researchers reiterated earlier this month what the field is now openly acknowledging: “People initially thought that this sort of fault-tolerant, large-scale, quantum computers would be coming some time by the end of the next decade, and I think it’s quite likely that actually they will be here — at least in some form — by the end of this decade,” Lukin said. “So, we’re at least five, maybe 10 years ahead.”

The cryptographic implications are concrete. “Bitcoin could be vulnerable to a quantum computer with only about 25,000 or 30,000 [qubits],” Aaronson told Discover. “A year ago, the best estimate would have been in the millions.” He added that Google’s findings provide a strong incentive to upgrade to quantum-resistant encryption.

NIST PQC status check. NIST expects the two digital signature standards (ML-DSA and SLH-DSA) and the key-encapsulation mechanism standard (ML-KEM) to provide the foundation for most deployments of post-quantum cryptography. They can and should be put into use now. NIST has set a target of deprecating quantum-vulnerable algorithms by 2035, with high-risk systems expected to transition much earlier.

Enterprise adoption is uneven but accelerating: major cloud providers including Google, AWS, and Microsoft have implemented PQC in their services. Google has enabled ML-KEM in Chrome for connections to compatible servers. Microsoft has implemented PQC in Azure and Windows updates.

The harvest-now-decrypt-later threat remains the binding constraint. Sophisticated adversaries — including state-sponsored threat actors — are already collecting encrypted data today with the intent to decrypt it once quantum computers become available. Sensitive data captured in 2026 could remain encrypted for decades, meaning it will be exposed the moment a capable quantum computer exists.

What to Watch

• June 26, 2026 Secure Boot deadline. May 12 marked 45 days remaining until the June 26 Secure Boot certificate expiration; June 9 will be the final Patch Tuesday before expiration. The deadline is the absolute cutoff for the original 2011 certificates. Enterprises with large fleets of OEM hardware need to verify trust-anchor rotation now.

• Oracle’s first monthly CSPU (May 28). A real-time test of whether monthly cadence reduces or merely redistributes patch fatigue.

• PQC certificate availability. Cloudflare expects the first post-quantum certificates to be available in 2026, but not enabled by default. Organizations should prepare for a future flip-the-switch migration to post-quantum signatures.

• ShinyHunters follow-on extortion. Expect additional Salesforce-tenant victims to surface as the group monetizes its access pipeline.

• AI vulnerability discovery as regulatory category. SEBI’s task force is likely the first of several national regulators to formalize AI-discovery risk frameworks; expect parallel moves from ENISA and CISA over the summer.

• HQC standardization. The draft standard incorporating the HQC algorithm is expected in early 2026, with the final in 2027 — security architects designing crypto-agility frameworks should plan for multi-algorithm support.

Bottom Line

Security leaders are now managing two timelines that have begun to converge. The near-term timeline is dominated by AI-accelerated vulnerability disclosure: Microsoft, Oracle, and SAP are collectively pushing record patch volumes, and Amodei’s six-to-twelve-month warning suggests that vendor disclosure will keep outpacing enterprise remediation capacity throughout 2026.

The medium-term timeline — quantum cryptanalytic risk — has tightened materially this week. JUPITER’s 50-qubit simulation, mobile silicon qubits, and ETH Zurich’s stability gains each independently advance the date at which “cryptographically relevant” quantum computers become realistic. Harvard’s own researchers now openly say the field is five to ten years ahead of pre-2024 projections.

The practical takeaway for CISOs and boards is that crypto-agility and patch-pipeline automation are no longer two separate programs. Both demand the same underlying capabilities: a complete cryptographic and software inventory, automated deployment infrastructure, runtime compensating controls, and governance authority to act in days rather than quarters.

Organizations that have deferred PQC inventory work on the assumption of a 2030+ horizon should reassess this quarter. The week’s headline may have been a quiet Patch Tuesday — but the underlying signals point firmly toward a noisier, faster, and more cryptographically perilous second half of 2026.

By Samuel Odekunle, Managing Partner

April 2026 will be remembered as the month the cybersecurity industry crossed a Rubicon. Anthropic announced an AI model so capable at finding software vulnerabilities that the company refused to release it publicly. Iran-affiliated actors moved from rhetoric to demonstrable disruption of US critical infrastructure. RSA Conference 2026 confirmed that agentic AI security has become the dominant product category in enterprise security. And whilst the industry talked about machines, criminals continued to extract devastating losses from old-fashioned identity compromise.

The themes converging this month are not new—but the pace at which they are converging is unprecedented. For security leaders, April marks the point at which the question shifts from “is this happening?” to “are we keeping up?”

Project Glasswing: A Watershed Moment for Cybersecurity

On 7 April, Anthropic announced Claude Mythos Preview alongside Project Glasswing—a coalition of twelve major technology and finance companies including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, and Nvidia. The headline claim was extraordinary: Mythos has already identified thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. The oldest discovery was a 27-year-old bug in OpenBSD, an operating system widely regarded as among the world’s most secure. A 17-year-old remote code execution vulnerability in FreeBSD’s NFS implementation (CVE-2026-4747) was, according to Anthropic, fully autonomously identified and exploited by the model.

Anthropic’s decision not to release the model publicly is itself remarkable. The company committed $100 million in usage credits and an additional $4 million in donations to open-source security organisations, restricting access to a vetted group of partners and approximately forty additional organisations maintaining critical software.

The strategic reasoning is straightforward: AI capabilities have crossed a threshold where defenders need a head start. As Cisco noted in joining the project, “the old ways of hardening systems are no longer sufficient.” The question dominating boardroom conversations this month is what happens when these capabilities proliferate beyond actors committed to deploying them safely.

Three observations matter for security leaders. First, the gap between vulnerability discovery and exploitation has collapsed further—what once took months now happens in minutes when AI is involved. Second, this favours defenders if they act quickly; finding vulnerabilities for patching purposes is materially easier than chaining them into operational exploits. Third, the proliferation timeline is short. Within a week of Anthropic’s announcement, OpenAI announced a similarly capable model under similar restrictions. By 22 April, reports emerged that unauthorised users had reportedly gained access to Mythos through a third-party vendor environment.

The Mythos era has begun whether organisations are ready or not.

Iran’s Escalation: From Rhetoric to Industrial Control Systems

The Iran cyber campaign that dominated March’s report has matured significantly. On 7 April, CISA, FBI, NSA, EPA, DOE, and US Cyber Command issued a joint advisory warning that Iranian-affiliated APT actors have been actively disrupting programmable logic controllers across multiple US critical infrastructure sectors—including Government Services and Facilities, Water and Wastewater Systems, and Energy.

The targeting has focused on Rockwell Automation Allen-Bradley PLCs, with Unit 42 tracking the activity as CL-STA-1128 (also known as Cyber Av3ngers or Storm-0784). The attackers have moved beyond their historic focus on Unitronics PLCs—the same group responsible for the November 2023 attack on the Municipal Water Authority of Aliquippa, Pennsylvania—to Rockwell devices. This represents a deliberate expansion of capability, with attackers reportedly installing FactoryTalk software on virtual private server infrastructure to enable their exploitation efforts.

The pattern is clear. Iran lacks symmetric conventional response options against the United States and Israel, so cyberspace becomes the primary theatre of retaliation. The pro-Iranian hacking group Ababil of Minab claimed responsibility for a March hack on the Los Angeles County Metropolitan Transportation Authority, with the transit agency confirming unauthorised activity that forced network restrictions.

Perhaps most concerning is research from DomainTools Investigations describing activity attributed to Homeland Justice, Karma, and Handala Hack as a “single, coordinated cyber influence ecosystem” aligned with Iran’s Ministry of Intelligence and Security. These personas function as interchangeable operational veneers applied to a consistent underlying capability—deliberately complicating attribution while maintaining strategic coordination.

For organisations operating critical infrastructure, the implications are immediate. Internet-exposed PLCs remain a primary attack vector. The basic hygiene measures matter enormously: removing PLCs from direct internet exposure, changing default credentials, segmenting OT networks from IT networks, and implementing strong authentication for remote access. The advisory should be treated as operational guidance, not advisory reading.

Stryker’s Aftermath and the Endpoint Management Reckoning

The full scope of March’s Stryker incident became clearer in April. A single stolen credential, abused by the Iran-linked Handala group through Microsoft Intune, wiped approximately 80,000 devices across the company’s offices in seventy-nine countries. Hornetsecurity’s analysis notes that device management platforms are now a tier-one attack surface—a categorisation that would have seemed alarmist twelve months ago.

For any organisation running Microsoft Intune, Microsoft Endpoint Configuration Manager, or comparable mobile device management platforms, the questions are uncomfortable but unavoidable. Who holds administrative access? Are those accounts protected with phishing-resistant multi-factor authentication? Do device wipe commands require additional out-of-band authorisation before execution? The blast radius of a compromised MDM administrator account is no longer theoretical—it is documented across seventy-nine countries.

The Medusa ransomware compromise of the University of Mississippi Medical Center provides a parallel case study. The attack forced UMMC—the state’s only Level I trauma centre and only children’s hospital—to shut down 35 clinics, suspend elective surgeries, and lose access to its Epic electronic health records system for nine days. Healthcare remains a high-value target with real patient safety consequences.

The Supply Chain Battlefront

April brought stark reminders that the supply chain remains the soft underbelly of enterprise security. North Korean threat actors, attributed by Microsoft as Sapphire Sleet and by Google as UNC1069, published two malicious versions of the Axios npm package on 31 March. Axios is one of the most widely used JavaScript HTTP client libraries in existence, with over 70 million weekly downloads. The malicious versions contained an injected dependency that downloaded remote access trojan payloads from North Korean command-and-control infrastructure. The packages were live for approximately three hours before detection and removal—but the potential reach of even brief exposure in a library this ubiquitous is substantial.

Vercel disclosed on 19 April that it had identified a security incident involving unauthorised access to its systems, caused by the compromise of Context.ai, a third-party tool. Attackers claimed to have stolen access keys, source codes, API keys, credentials to internal deployments, and database data. By 23 April, Vercel had identified additional compromised customer accounts. The Bitwarden CLI npm package was also compromised in mid-April, with attackers leveraging a compromised GitHub Action in Bitwarden’s CI/CD pipeline to steal GitHub tokens, SSH keys, environment variables, shell history, and cloud secrets.

Most strikingly, malicious images were pushed to the official “checkmarx/kics” Docker Hub repository, with threat actors managing to overwrite existing tags. The bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version—creating serious risk for teams using KICS to scan infrastructure-as-code files containing credentials.

The pattern across these incidents is consistent: trusted distribution channels, automated update mechanisms, and CI/CD pipelines have become the preferred entry points. Software composition analysis and provenance verification are no longer optional capabilities.

RSA Conference 2026: Agentic AI Takes the Floor

RSA Conference 2026, held in late March, set the agenda for the year. The dominant product category was not endpoint detection, cloud security posture management, or traditional SIEM—it was AI agent security: the tools, frameworks, and identity systems needed to govern autonomous software acting on behalf of humans inside enterprise networks.

The vendor announcements clustered around three themes: identity (who is the agent?), runtime enforcement (what is it allowed to do?), and detection (when something goes wrong, how do we know?). Cisco extended Zero Trust Access to AI agents through Duo IAM, registering non-human identities and binding them to accountable human owners with time-bound permissions. Microsoft launched Microsoft 365 E7: The Frontier Suite, bundling Copilot, Entra identity services, and Agent 365—a governance platform for AI agents. CrowdStrike announced the Charlotte AI AgentWorks ecosystem with Anthropic, OpenAI, and others as launch partners.

The numbers tell the story. Cisco’s own survey found that 85% of large enterprises are experimenting with AI agents, but only 5% have moved them to production. Research suggests non-human identities already outnumber human users by a factor of seventeen. Gartner predicts 33% of enterprise applications will include agentic AI by 2028, up from less than 1% in 2024.

Mandiant’s M-Trends 2026 report, released alongside the conference, captured the operational reality: cybercriminals are increasingly operating like highly-efficient businesses, establishing partnerships that have collapsed the window for defenders to intervene from hours down to twenty-two seconds at initial access points.

For organisations, the message is unambiguous: identity governance must extend to non-human identities. The traditional model—where security focuses on human users and “service accounts” are an afterthought—cannot scale to environments where machines outnumber humans by an order of magnitude.

April Patch Tuesday and the Vulnerability Cadence

Microsoft’s April 2026 Patch Tuesday was the second-largest on record, addressing 167 vulnerabilities across Windows, Office, SharePoint, and related products. Notable highlights include CVE-2026-32201, a SharePoint Server zero-day actively exploited in the wild, allowing unauthenticated remote attackers to present falsified information within trusted SharePoint environments. CISA added it to the Known Exploited Vulnerabilities catalog and urged immediate patching.

SAP’s CVE-2026-27681 (CVSS 9.9) stood out among other vendor patches for its potential to allow arbitrary SQL command execution. Fortinet and Adobe also released critical patches.

The Zscaler ThreatLabz 2026 VPN Risk Report, released during RSA, found that 51% of organisations experienced a VPN-related security incident in the past twelve months. Only 5% trust their VPN infrastructure to detect and stop AI-enabled threats, and only 6% can deploy a critical VPN patch within twenty-four hours. The latter figure is particularly concerning given that the exploitation window for critical vulnerabilities is now measured in hours, not weeks.

Notable Incidents This Month

Drift Protocol lost over $280 million in user assets through an attack discovered on 1 April that had been planned at least six months in advance. The incident underscores how patient and well-resourced cryptocurrency-focused threat actors have become.

Booking.com confirmed unauthorised third-party access to reservation information including names, addresses, booking dates, and special requests. The data is now prime fuel for highly targeted phishing campaigns.

Basic-Fit, Europe’s largest gym chain, suffered a cyberattack compromising data of 200,000 members in the Netherlands and exposing bank details of one million members across multiple countries.

Signature Healthcare Brockton Hospital in Massachusetts experienced a ransomware attack by the Anubis group, forcing emergency room ambulance diversion and patient care delays.

Minot, North Dakota Water Treatment Plant suffered a ransomware attack that forced reversion to manual management processes—the kind of operational impact that turns cyber incidents into public safety incidents. The FBI launched Operation Winter Shield to combat rising ransomware attacks on public utilities.

Active ransomware groups this month have included Qilin, ShinyHunters, CoinbaseCartel, and TheGentlemen, with municipal governments, professional services, and manufacturing remaining the primary targets.

Strategic Imperatives for May 2026

The convergence of AI-augmented vulnerability discovery, geopolitical retaliation against critical infrastructure, and supply chain compromise demands recalibrated priorities:

Treat the Mythos era as an inflection point. The capabilities Anthropic has demonstrated will proliferate. Organisations need patch management programmes that can respond in days, not months. The 6% of organisations that can deploy a critical VPN patch within twenty-four hours represent the new minimum standard, not a stretch goal.

Audit non-human identities ruthlessly. If non-human identities outnumber human users by seventeen to one—and your governance focuses primarily on humans—you have an architectural problem, not a tooling gap. Service accounts, API keys, AI agents, and machine identities require the same lifecycle management as human accounts.

Disconnect operational technology from the public internet. The Iranian PLC campaign succeeds because internet-exposed industrial control systems remain depressingly common. This is not a sophisticated attack vector. It is a configuration failure that adversaries have industrialised.

Verify your software supply chain. Software composition analysis, package provenance verification, and CI/CD pipeline security are no longer mature-organisation luxuries. The Axios, Vercel, Bitwarden, and Checkmarx incidents this month demonstrate that any of these vectors can compromise downstream organisations regardless of their own security posture.

Test endpoint management blast radius. If a single compromised admin account can wipe 200,000 devices across seventy-nine countries, your incident response plan needs to address that scenario explicitly. Phishing-resistant MFA, just-in-time privilege elevation, and out-of-band authorisation for destructive actions are essential.

Looking Ahead

April 2026 demonstrated that the threat landscape and the defensive capability landscape are evolving at unprecedented pace—often in the same direction, but not always at the same speed. The same AI capabilities that enable Project Glasswing’s coalition to find decades-old vulnerabilities will inevitably enable adversaries to find and exploit similar flaws elsewhere. The window is narrow.

The Iran conflict shows that geopolitical events translate to cyberspace within hours, with consequences extending to organisations far from the kinetic theatre. Critical infrastructure operators—particularly water, energy, and transit—should assume targeting is ongoing.

The supply chain incidents reinforce that perimeters are increasingly meaningless. Your security posture is the product of every organisation that touches your software, your data, and your identity systems. Trust must be earned through verification, not extended by default.

Most importantly, the agentic AI era has arrived in production. Whether your organisation is prepared to govern autonomous systems is no longer a strategic question for 2027 planning—it is an operational question for May.

The defenders who thrive will be those who recognised these shifts early and acted with conviction. The clock is no longer ticking quietly.

Samuel Odekunle is Managing Partner at MustardTree Partners, specialising in cybersecurity strategy, identity and access management, and digital transformation.

State of Security is published monthly. Subscribe for the latest analysis on the evolving threat landscape.

By 2026, non-human identities — APIs, bots, service accounts, IoT devices, AI agents, CI/CD tokens, container workloads — outnumber human users in most enterprises by roughly three to one. In heavily automated environments, the ratio climbs to ten to one or higher. Every one of those identities has credentials, permissions, and access to something a person would need a manager’s sign-off to touch.

If you run a risk committee, an audit committee, or a board, the implication is uncomfortable: the majority of your organisation’s identity surface is not human, is not reviewed on a joiner-mover-leaver cycle, and is almost certainly not reflected in your cyber risk register.

Why the governance model breaks

Human identity governance is a broadly solved problem. We have decades of precedent. HR initiates an account when a person is hired. Access is reviewed quarterly. Permissions change when people move teams. Accounts are disabled on the last day of employment. Annual recertifications catch the drift. Auditors tick boxes. The board sees a dashboard.

Non-human identities fit none of this.

A service account is created by a developer, often in a rush, often with broader permissions than needed, often without a lifecycle owner. When the developer leaves, the account doesn’t. When the application it serves is decommissioned, the account rarely is. When a contractor spins up an integration for a six-week project, it lingers for six years. There is no HR system for machines. There is no quarterly access review. There is no joiner-mover-leaver workflow unless someone has built one deliberately.

The result is a population of credentials larger than your workforce, more privileged than most employees, and governed by approximately nobody.

How attackers are exploiting the gap

The attack chain I have seen most often this year goes roughly like this. An adversary targets a developer — increasingly through recruitment fraud, where a fake job posting or trojanised coding challenge delivers malware. The developer’s workstation yields their personal GitHub or GitLab token. That token grants access to internal code repositories. Inside those repositories are hardcoded credentials, API keys, and service account tokens — the machine identities. From there, the attacker moves laterally using those credentials, which typically have far more privilege than the compromised developer.

The developer is the foothold. The non-human identities are the payload.

This is not a theoretical threat model. Identity security researchers have documented the pattern through multiple incidents in the past twelve months. In most cases, the breached organisations had strong human IAM — MFA, SSO, conditional access — and catastrophic machine identity hygiene. The perimeter that mattered was the one they had not measured.

The disclosure question most boards haven’t asked

There is a second, quieter governance concern.

Since the SEC’s November 2025 decision to terminate its long-running SolarWinds CISO litigation, the Commission has refocused on material misrepresentations in cyber disclosures that harm investors. That is a narrower but sharper standard. The accuracy of your Form 8-K cyber disclosures — and what your audit committee knew when they approved them — is now a live legal question.

If a material breach originates from a machine identity your organisation cannot account for, and your public disclosure describes your identity posture in terms of your human workforce, you have a problem that a regulator can reach. The board cannot comfortably rely on “we didn’t know” if the inventory was never commissioned in the first place.

This is why I treat non-human identity governance as a board-level disclosure issue, not just an operational IAM issue.

Where governance needs to catch up

Three shifts are required, and the first two are structural rather than technical.

First, non-human identities need a named owner. Every service account, API key, and machine credential needs a named human accountable for its lifecycle — provisioning, permissions, rotation, and decommissioning. The failure mode I see repeatedly is “owned by the team”, which in practice means owned by nobody. Attach each identity to a person, and when that person leaves, reassign it explicitly. This is the single highest-leverage change available to most organisations, and it costs nothing but discipline.

Second, NHIs need to appear on the risk register in language the board understands. Not “we have 11,000 service accounts” but “42% of those accounts have privileged access, and 18% have not been authenticated in over 12 months.” The board’s job is to judge whether that level of unmeasured privilege is acceptable. They cannot do that with a headcount figure alone.

Third, the joiner-mover-leaver process needs a machine analogue. When an application is decommissioned, its identities should be decommissioned with it. When a developer leaves, the credentials they created should be reviewed, not only the ones assigned to them. This is dull, unglamorous governance work. It is also what the SEC, the ICO, and your cyber insurer will ask about after an incident.

Questions for your next risk committee

A handful of questions worth raising at your next risk or audit committee meeting.

Do we have an inventory of non-human identities, and when was it last verified independently? If the answer is “the identity team maintains one,” that is different from an audit.

Who owns the lifecycle of any given machine identity — is there a named person, or a team?

How many of our machine identities have privileged access, and how many have been dormant for more than 90 days?

If a breach originated from a service account tomorrow, could our disclosure accurately describe our identity governance posture?

When did the board last see an identity figure that included non-human identities?

The answer to that last question, in my experience, is almost always “never.”

That is the governance gap. Closing it does not require new technology. It requires the board to ask for a number it has not previously asked for, and to keep asking until someone owns it.

By Samuel Odekunle, Managing Partner

The cybersecurity landscape of March 2026 has been irrevocably shaped by kinetic conflict. On 28 February, the United States and Israel launched coordinated strikes against Iran—Operation Epic Fury and Operation Roaring Lion—and cyberspace became the parallel theatre of war. What has unfolded since represents the most intensive period of state-linked cyber warfare since the Russia-Ukraine conflict, with operations spanning critical infrastructure, financial systems, communications networks, and the cognitive domain itself.

For organisations operating in this environment, the implications extend far beyond geopolitics. The targeting patterns are broad and opportunistic. Sectors with no direct connection to the conflict are being hit simply because they present opportunity. The rules of engagement have shifted, and every security leader needs to understand what that means for their organisation.

The Four-Hour Cyber War

Before a single missile struck Iranian soil, cyber operations had already begun. General Dan Caine, Chairman of the Joint Chiefs of Staff, confirmed that US Cyber Command was among the “first movers” in Operation Epic Fury. Coordinated space and cyber operations disrupted Iranian communications and sensor networks, leaving the adversary “without the ability to see, coordinate, or respond effectively.”

The sophistication of the pre-kinetic cyber campaign was extraordinary. Israeli intelligence had spent years building what sources describe as a comprehensive intelligence architecture focused on Tehran. Real-time feeds from compromised traffic cameras provided pattern-of-life analysis. Mobile phone networks had been “deeply penetrated,” allowing targeting intelligence that pinpointed where senior officials’ protection details parked their vehicles. When the moment came, a cyber operation disrupted mobile communications near the Supreme Leader’s compound, preventing warnings from reaching his security team.

Perhaps most striking was the compromise of BadeSaba, a popular Iranian prayer app with over five million downloads. Users received push notifications reading “Help has arrived” and messages urging military personnel to defect. The app had been targeted not merely for psychological warfare, but for its intelligence value—the application requests location access for accurate prayer times, making its user data extraordinarily valuable for targeting.

Within four hours of strikes beginning, Iran imposed a near-total internet blackout. Connectivity dropped to between one and four percent, remaining degraded for over sixty hours. This was a combination of physical strikes on data centres and what Israeli sources described as “the largest cyberattack in history.”

Asymmetry in Cyberspace

The opening days revealed a stark disparity in cyber capabilities. Iran lacks symmetric conventional response options against the United States and Israel—which is precisely why the regime has historically relied on cyber operations and proxy actors as instruments of response.

The internet blackout, while limiting information flow out of Iran, also severely constrained Iranian state actors’ ability to coordinate sophisticated cyberattacks. Unit 42 at Palo Alto Networks initially assessed that threat activity from nation-state groups within Iran would be mitigated in the near term due to limited connectivity and degraded command structures.

That assessment proved optimistic. By early March, security researchers were tracking over sixty active threat groups aligned with this conflict—fifty-three operating on the pro-Iranian side. Activity accelerated sharply, and contrary to initial assessments that Iranian cyber capabilities had been degraded by kinetic strikes, adversary operations intensified rather than diminished.

The explanation lies in geography. Pro-Iranian groups operate from Southeast Asia, Pakistan, Iraq, and elsewhere in the Middle East. The Cyber Islamic Resistance claimed responsibility for over six hundred distinct attacks in the first two weeks, operating across more than one hundred Telegram channels. NoName057(16), a pro-Russian hacktivist group that previously targeted Ukraine, has teamed up with Iranian hacktivists to target Israeli defence and municipal organisations.

Stryker: The Canary in the Coal Mine

On 11 March, American medical technology company Stryker confirmed a cyberattack had disrupted its global network. Employees across the company’s offices found the logo of Handala, an Iran-linked hacking group, displayed on their login pages. The attack targeted Stryker’s Microsoft environment, and Handala claimed to have exploited Microsoft Intune to remotely wipe more than 200,000 devices across seventy-nine countries.

The group stated the operation was retaliation for a missile strike on a school in Minab, Iran. Stryker filed an 8-K with the SEC on 23 March confirming the incident was contained, but the implications are profound. This was not espionage. This was destructive retaliation against civilian infrastructure—a medical device company—executed through compromised enterprise management systems.

CISA has since flagged rising threats to endpoint management systems, urging organisations to recognise that the tools designed to defend networks are often their weakest link. Edge devices, routers, firewalls, VPN gateways—critical yet frequently neglected—have become prime targets.

The targeting patterns in this conflict are instructive for every organisation. Sectors facing elevated exposure include energy and utilities, financial services (particularly institutions with Middle Eastern operations), aerospace and defence, healthcare, cloud and telecommunications infrastructure, and critical national infrastructure broadly—including water utilities, where pro-Iranian groups have claimed access to operational control systems.

The Institutional Response

On 23 March, the State Department formally launched the Bureau of Emerging Threats, a unit designed to combat cyberattacks, AI weaponisation, space threats, and other advanced challenges from adversaries including Iran, China, Russia, and North Korea. The bureau comprises five divisions: the Office of Cybersecurity, the Office of Critical Infrastructure Security, the Office of Disruptive Technology, the Office of Space Security, and the Office of Threat Assessment.

The timing is significant. This represents a shift toward anticipatory rather than reactive diplomacy—recognition that emerging technologies are now central to the modern arms race. The bureau reports to the Under Secretary for Arms Control and International Security, signalling that bits, bytes, and orbital assets are now viewed as equivalent to conventional weapons in strategic importance.

However, the domestic cyber defence posture presents challenges. CISA has lost staffers focused on regional outreach, infrastructure security, and strategic planning. The Critical Infrastructure Partnership Advisory Council has been shuttered. Funding for the Multi-State Information Sharing and Analysis Center has been eliminated. Schools, hospitals, and state governments report a stark difference in the availability of CISA services.

The irony is acute: at the precise moment when state-aligned cyber threats are escalating, the mechanisms needed to support critical infrastructure partners have been hollowed out. The essential question for 2026 is whether institutional capacity can be rebuilt faster than threat actors can exploit the gaps.

Agentic AI: The Threat Multiplier Arrives

While the Iran conflict dominates headlines, a parallel transformation is reshaping the threat landscape at a structural level. Agentic AI—autonomous systems capable of planning, deciding, and executing multi-step actions toward specific goals—has moved from research prototype to operational deployment on both sides of the adversarial divide.

Unlike generative AI, which requires human prompting, agentic AI can orchestrate autonomous attack chains. It automates reconnaissance, phishing generation, credential testing, and infrastructure rotation without direct human control. This dramatically lowers the cost of experimentation and increases the speed of exploitation.

Barracuda Networks documented an agentic-style AI attack targeting FortiGate firewalls in February, where autonomous agents gained access and conducted reconnaissance on victim networks. Flashpoint’s 2026 Global Threat Intelligence Report identifies agentic AI operationalisation as one of four converging forces reshaping the global threat landscape, alongside identity as the primary exploit vector, compression of the exploitation window, and the continued blurring between cybercrime and nation-state operations.

For defenders, agentic AI represents both threat and opportunity. EY’s Cybersecurity Roadmap Study found that 96% of senior security leaders view AI-enabled attacks as a significant threat, with 48% estimating that AI-powered attacks accounted for incidents their organisation experienced in the past year. Yet 97% also agree their competitive advantage will be directly tied to the maturity of their agentic AI cybersecurity defences.

The number of security leaders expecting agentic AI to largely run key functions is set to double within two years: APT detection rising from 30% to 62%, real-time fraud detection from 32% to 58%, and identity and access management from 23% to 51%. The AI arms race has moved from prediction to operational reality.

The Ransomware Ecosystem Adapts

Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks. This declining profitability is driving tactical evolution that organisations should prepare for in 2026.

First, ransomware-as-a-service operations are bundling DDoS capabilities to increase pressure on victims. The newly formed Chaos ransomware group exemplifies this trend, providing DDoS capabilities to all affiliates. When encryption alone doesn’t yield payment, sustained service disruption becomes an additional lever.

Second, insider recruitment is accelerating. There has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders. If workforce reductions at major companies persist, this trend will intensify. The most public example came when a ransomware group attempted to recruit a BBC reporter, but this represents only the visible tip of a much larger phenomenon.

Third, the ransomware ecosystem is globalising. Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it. This doesn’t indicate a decline in Russian-based operations—it reflects how dramatically the global ecosystem has expanded.

March’s most active groups include DragonForce and World_Leaks, each responsible for multiple daily compromises, followed by Akira and Qilin. The primary targets remain Professional Services and Manufacturing sectors, with the United States experiencing the majority of reported compromises.

Critical Vulnerabilities: March 2026

The exploitation window continues to compress, with mass exploitation of zero-day vulnerabilities occurring in as little as twenty-four hours after disclosure. Key vulnerabilities demanding immediate attention this month include:

BeyondTrust Remote Support (CVE-2026-1731): A pre-authentication remote code execution flaw actively exploited in ransomware campaigns. The speed at which this vulnerability moved from disclosure to active exploitation—less than two weeks—demonstrates that patch windows are continuing to shrink. Organisations running self-hosted BeyondTrust deployments that didn’t act within days should treat this as a potential compromise scenario.

VMware Aria Operations (CVE-2026-22719): A command injection vulnerability rated CVSS 8.1, allowing unauthenticated attackers to execute arbitrary commands. CISA added this to the Known Exploited Vulnerabilities catalog and set a federal remediation deadline of 24 March.

Cisco Secure Firewall Management Center (CVE-2026-20131): A critical remote code execution flaw being actively exploited by the Interlock ransomware group since January. Amazon confirmed active exploitation on 18 March. This flaw allows unauthenticated attackers to execute arbitrary Java code with root privileges.

Microsoft SharePoint (CVE-2026-20963): A deserialization vulnerability allowing authorised attackers to execute code over a network. CISA set a remediation deadline of 21 March.

The Tycoon 2FA takedown in early March—a coordinated disruption involving Proofpoint, Microsoft, Europol, and international law enforcement that seized 330 control panel domains—represents positive momentum. However, adversary-in-the-middle phishing-as-a-service platforms remain prolific, and organisations should not assume the ecosystem has been permanently degraded.

Strategic Imperatives for Q2 2026

The convergence of kinetic conflict, agentic AI operationalisation, and persistent ransomware activity creates a threat environment that demands immediate executive attention:

Assume targeting is opportunistic, not strategic. Organisations with no direct connection to the Iran conflict are being hit simply because they present opportunity. Sector, geography, and political alignment matter less than vulnerability. If you’re accessible, you’re a target.

Audit endpoint management and edge infrastructure immediately. The Stryker incident demonstrates that enterprise management systems are now prime targets. Intune, SCCM, VPN concentrators, firewalls—these tools carry elevated privileges and wide network access. A single vulnerability hands attackers a skeleton key.

Compress patch cycles to days, not weeks. The exploitation window for critical vulnerabilities has collapsed to under two weeks in many cases. If your vulnerability management programme operates on monthly cycles, you are already behind adversary timelines.

Prepare for agentic threats. Traditional security tools were built to detect anomalies in human behaviour. An agent that executes perfectly ten thousand times in sequence looks normal to these systems—but that agent might be executing an attacker’s will. Behaviour-based detection and strong identity controls remain effective, but must be applied consistently.

Treat supply chain risk as operational risk. The more robust technical perimeters become, the more attractive human targets and third-party relationships become. Your security posture is ultimately defined by the weakest link in your supply chain.

Looking Ahead

March 2026 will be remembered as the month cyber warfare became inseparable from kinetic conflict at scale. The Iran campaign demonstrated capabilities that should concern every organisation: real-time intelligence from compromised civilian infrastructure, weaponised consumer applications, and destructive attacks against healthcare companies executed as retaliation for military strikes.

The State Department’s Bureau of Emerging Threats signals institutional recognition that emerging technologies are now weapons of statecraft. Whether that recognition translates to operational capability fast enough to counter accelerating threats remains an open question.

For security leaders, the imperative is clear: the threat environment has changed. Geopolitical conflict now directly affects organisations that considered themselves outside the blast radius. The defenders who thrive in 2026 will be those who recognise that assumption and act accordingly.

The parallel wars—kinetic and digital—are now one.

Samuel Odekunle is Managing Partner at MustardTree Partners, specialising in cybersecurity strategy, identity and access management, and digital transformation.

State of Security is published monthly. Subscribe for the latest analysis on the evolving threat landscape.

Let me start with a confession.

I have a law degree. Not computer science. Not software engineering. An LLB from the University of Buckingham, with modules in contract law, tort, and constitutional law. And yet here I am, over twenty years into a career in enterprise cybersecurity — leading identity and access management programmes for several both public and private sector clients, building SaaS products, advising on governance frameworks, and writing about emerging threats for an audience of CISOs and security architects.

Nobody handed me a technical certificate at the door.

I tell you that not to be self-promotional, but because the number one myth holding capable, intelligent people back from the technology sector is the belief that you need a technical background to get in. You don’t. What you need is clarity about where your existing skills are actually valuable — and the willingness to learn enough of the language to operate fluently in technical spaces.

In 2026, that opportunity has never been larger. And some of the most exciting doors are ones that barely existed five years ago.

Why the Tech Industry Needs People Who Aren’t Technologists

Here’s something the industry doesn’t say loudly enough: technology is increasingly failing because of problems that technology cannot solve.

Projects run over budget because no one translated the technical requirements into business language clearly enough. Products get built that nobody wants because the people who understand the users weren’t in the room when decisions were made. AI systems get deployed that no one can adequately govern or explain because the people who understand regulation, ethics, and accountability weren’t involved until it was too late. Security strategies get signed off that look impressive on paper but don’t reflect how the organisation actually works — because the people who wrote them didn’t understand the operational context.

These are people problems. Communication problems. Governance problems. Strategy problems.

Which means they are precisely the kinds of problems that people coming from law, finance, healthcare, teaching, communications, project management, social sciences, and a dozen other non-technical backgrounds are often uniquely positioned to solve.

The technology industry doesn’t just need more engineers. It needs more people who can sit between the technical and the human — and make sense of both.

The Roles That Don’t Require You to Write a Line of Code

Business Analysis

This is one of the most underrated entry points into tech, and one of the most natural pivots for people coming from operational, finance, or consultancy backgrounds. Business analysts are essentially translators — they sit between what a business needs and what a technical team builds, and they make sure those two things are actually aligned.

Strong analytical thinking, the ability to ask the right questions, document complex requirements clearly, and hold a room of stakeholders together — these are the skills. The technical vocabulary can be learned. The instinct for structured problem-solving usually can’t.

If you’ve managed projects, written reports, run process improvement initiatives, or spent time in a role where you had to take messy information and make it legible — business analysis will feel like home.

Product Management

Product management is arguably the most coveted non-technical role in tech, and for good reason. Product managers own the vision and direction of a product. They decide what gets built, in what order, and why. They speak to customers, interpret data, manage stakeholders, write roadmaps, and ultimately take accountability for whether a product succeeds or fails.

It’s one of the highest-leverage roles in any technology company — and some of the best product managers I’ve encountered came from backgrounds in education, journalism, healthcare, and the law. The common thread isn’t technical expertise; it’s the ability to hold complexity without collapsing it prematurely, and to make decisions with incomplete information.

Cybersecurity — Especially GRC

I’m going to spend a moment on this one because it’s close to my world, and the talent shortage here is genuinely acute.

Governance, Risk, and Compliance (GRC) within cybersecurity is a discipline that sits almost entirely in the intersection of regulation, policy, process, and human behaviour. You need to understand frameworks like ISO 27001, NIST, and the UK Cyber Essentials scheme. You need to be able to write risk assessments, conduct audits, manage policies, and translate regulatory obligations into operational controls. You need to be able to communicate risk clearly to boards who don’t understand technical jargon.

None of that requires you to configure a firewall or write a security script. It requires rigour, attention to detail, legal and regulatory literacy, and the ability to build governance structures that work in practice rather than just looking good in a document.

People with backgrounds in law, compliance, finance, and audit are natural fits. The technical fluency you need can be built incrementally — the conceptual foundation is already there.

Technical Writing and UX Writing

Every piece of software has documentation. Most of it is terrible. The people who can write clearly, empathetically, and precisely about technical subjects — translating complex functionality into language that real users can follow — are genuinely in demand across the technology sector, including in AI companies, developer tool companies, and large enterprise software vendors.

UX writing is the specific discipline of writing the microcopy inside products: the button labels, error messages, onboarding prompts, and instructional text that determine whether a user feels guided or lost. It sounds small. It’s actually the difference between a product people adopt and one they abandon.

If you have a background in communications, journalism, English, or any discipline that trained you to write with clarity and precision, these pathways are wide open.

Customer Success and Solutions Engineering

Enterprise technology is sold, implemented, and supported by people — not just code. Customer Success Managers work with enterprise clients to ensure they’re getting value from the products they’ve purchased. They need to understand the product deeply, understand the client’s business, and build relationships that prevent churn and enable expansion.

Solutions Engineers (sometimes called Pre-Sales or Sales Engineers) work at the intersection of sales and technical depth — they help prospective clients understand how a product would solve their specific problems. The best ones come from backgrounds where they’ve had to quickly understand complex domains and communicate them credibly under pressure.

These roles can pay extremely well in enterprise SaaS, and they reward people skills, business acumen, and domain expertise as much as — often more than — purely technical credentials.

The Emerging Spaces: Where the Next Wave of Opportunity Lives

AI — But Not the AI You’re Thinking Of

When most people hear “AI jobs,” they imagine machine learning engineers running neural networks. And yes, that market is competitive, technical, and requires specialist education.

But the AI economy is generating a much larger ecosystem of roles that don’t look like that at all.

AI Product Managers are needed to define what AI-powered products should do, who they serve, and how they should behave — including how to handle failure, bias, and edge cases. This is a deeply human and strategic role.

AI Trainers and Evaluators — sometimes called RLHF specialists or Red Teamers — are people who test AI systems, identify where they fail, and provide feedback that shapes their behaviour. Accuracy, critical thinking, and domain expertise matter far more than coding ability here.

AI Ethics and Governance Specialists are arguably the fastest-growing adjacent role category. The EU AI Act is now in force. The UK is developing its own regulatory framework. Every company deploying AI at scale needs people who can navigate the compliance obligations, define acceptable use policies, conduct impact assessments, and build accountability mechanisms around automated systems.

Lawyers. Policy analysts. Social scientists. Ethicists. Compliance professionals. The technology industry desperately needs your perspective here — and most of the people making decisions in this space right now are doing so without it.

Prompt Engineers and AI Workflow Designers — designing the way AI systems receive and process instructions, and how they’re integrated into organisational workflows — is a discipline that rewards clear thinking, an understanding of human communication, and a systematic approach to problem design. You don’t write the AI. You architect how people and teams interact with it.

Quantum Computing — The Long Game

Quantum is earlier stage than AI, and I want to be honest about that. Most quantum computing roles today are still heavily research-oriented and do require deep technical backgrounds. But the industry is maturing, and a new category of supporting roles is beginning to emerge that looks different from the research lab.

Quantum Strategy and Policy roles are being created by governments, financial institutions, and defence contractors who need people who can assess the strategic implications of quantum technology — for cryptography, for national security, for supply chain resilience — without necessarily being able to operate the hardware themselves. McKinsey projects that only half of the quantum jobs that will exist in the coming decade may be filled due to talent shortages. The people who position themselves now — building conceptual literacy in post-quantum cryptography, quantum risk, and quantum policy — will have a significant first-mover advantage.

Post-Quantum Cryptography (PQC) Transition is perhaps the most immediately relevant opportunity for people with cybersecurity governance and compliance backgrounds. Organisations across financial services, government, and critical infrastructure are beginning the process of migrating their cryptographic systems to quantum-resistant standards. This is a governance and programme management challenge as much as a technical one. NIST finalised its PQC standards in 2024. The migration timelines are being set now. The people who lead those programmes will need to understand the risk landscape, engage with regulators, manage vendor relationships, and communicate complex technical transitions to boards.

That is not a purely technical skill set. It’s a hybrid one. And the window to develop it is open right now, before everyone else arrives.

GRC for Emerging Technologies

Regulation is following technology at an unprecedented pace. The EU AI Act, the UK Cyber Resilience framework, DORA, NIS2, the Cyber Security and Resilience Bill — organisations across every regulated sector are navigating a landscape of compliance obligations that most of their internal teams are not equipped to interpret or implement.

People with legal training, financial services compliance experience, public policy backgrounds, or even theological ethics (the principles translate further than you’d think) can move into technology governance roles and immediately contribute in ways that pure technologists cannot.

This is a space where your existing expertise isn’t a liability you need to overcome. It’s the asset.

The Practical Question: How Do You Actually Make the Move?

A few things I’d say from experience, watching people make this transition well and watching others get stuck.

Stop waiting until you feel ready. The people who successfully move into tech don’t wait until they know enough. They move into adjacent roles that stretch them, learn on the job, and build technical vocabulary through proximity and practice. Readiness is a horizon — it keeps moving.

Get the certification, not the degree. For most non-technical routes into tech, professional certifications are worth more than a second degree. CompTIA Security+ for cybersecurity fundamentals. The BCS Business Analysis certificate. The IAPP certifications for privacy and AI governance. The CISMP for information security management. These are relatively accessible, widely recognised, and demonstrate intentional commitment to the field.

Learn the language without needing to speak it fluently. You don’t need to understand how OAuth 2.0 works mechanically. But you do need to understand what it does, why it matters, and how to have a conversation with a developer about it. Conceptual literacy — understanding enough to ask the right questions and contribute meaningfully to technical decisions — is a realistic and achievable goal.

Find the translation role. The most successful lateral movers into tech are the ones who don’t try to compete with career technologists on technical ground. They find the space where their background gives them an advantage — the boardroom, the client relationship, the regulatory conversation, the governance framework — and they become indispensable there.

Build in public. Write about what you’re learning. Comment thoughtfully in LinkedIn conversations about the topics you’re developing expertise in. Publish your thinking. The technology sector — especially in cybersecurity, AI governance, and product — is a space where public intellectual presence creates genuine opportunity. Recruiters find people this way. Collaborators find people this way. Clients find people this way.

A Word to Anyone Who Thinks It’s Too Late

I have met people who moved into cybersecurity governance in their forties after careers in policing. I know people who moved into product management after years in teaching. I’ve seen former journalists build entire careers in technical writing and UX. I’ve watched compliance professionals become the most valued people in AI risk conversations precisely because nobody else in the room understood the regulatory landscape they’d spent a decade navigating.

The technology sector is young enough, and moving fast enough, that experience from elsewhere is almost always relevant somewhere. The question is never whether your background has value. The question is where that value lands.

In 2026, the answer to that question is: more places than ever.

The doors are open. They just don’t always look like the ones you’ve been told to walk through.

Sam is a Senior Cybersecurity Consultant and IAM specialist, Founding Partner at MustardTree Group, and writer on technology, governance, and emerging cyber risk.

There’s a particular kind of security failure that keeps me up at night. Not the dramatic zero-day. Not the nation-state actor deploying exotic tooling. The one I’m talking about is quieter, more insidious, and in 2026, dramatically more common: the attacker who does everything right.

They authenticate. They send spec-compliant requests. They operate at volumes that look like legitimate integration traffic. They get what they came for — and they leave without triggering a single alert.

This is where API security currently lives, and it’s a governance nightmare masquerading as a technical problem.

The Number That Should End Every “We Have a WAF” Conversation

95% of API attacks in 2025 originated from authenticated sessions.

Let that land for a second. Not from unrecognised IPs. Not from known malicious signatures. From sessions your perimeter controls blessed as legitimate.

The Dell breach — 49 million customer records — followed this exact pattern. An attacker registered as a fake partner, hit a service tag lookup endpoint with zero entitlement checking, and ran 5,000 requests per minute for three weeks. Authenticated. Spec-compliant. Undetected.

Meanwhile, AI-adjacent API vulnerabilities grew by nearly 400% year-on-year (439 CVEs in 2024; 2,185 in 2025), and 57% of organisations have suffered an API-related breach in the past two years, with average losses north of $4 million per incident.

These aren’t edge cases. This is the normal operating environment.

The Governance Gap Is Worse Than the Security Gap

Here’s what I find more troubling than the breach statistics: only 10–14% of organisations have anything resembling an API posture governance strategy. Only 19% are “very confident” in their own API inventory. And 80% lack continuous real-time monitoring — which means most organisations are not watching their API estate at all.

At the same time, API estates grew by 41% last year alone.

We are running faster and seeing less. That’s not a risk posture — that’s a prayer.

From my work with public sector clients, I can tell you this gap is even wider in government and central departments. Legacy systems, fragmented ownership, under-resourced teams, and simultaneous compliance obligations across half a dozen regulatory frameworks. The API is the connective tissue of the modern digital estate, and in many organisations no one owns it end-to-end.

What the Regulatory Pile-On Actually Means

If you work in financial services, healthcare, or critical national infrastructure, you are now operating under a convergence of API-relevant obligations that most legal and compliance teams haven’t fully mapped yet.

DORA, mandatory since January 2025, imposes digital operational resilience testing with explicit third-party risk requirements. Your ICT provider’s API isn’t exempt just because it’s their infrastructure.

NIS2 expanded obligations to 18 sectors and roughly 300,000 entities, with incident reporting timelines of 24 hours and penalties up to €10 million or 2% of global turnover. Critically, it reaches into supply chain security — meaning the API integrations you manage indirectly are now in scope.

PCI DSS 4.0 Phase 2 controls, live since March 2025, contain the first explicit API mention in PCI history. They require automated, continuous detection and prevention of API-layer attacks. A WAF alone won’t get you there, and the QSA community is beginning to wake up to this.

The UK NCSC issued its first dedicated API security guidance in April 2025 — seven foundational pillars from design through to lifecycle management. Worth reading if you haven’t already.

None of these frameworks are fully aligned. There’s no universal API security standard, and that creates compliance overhead and leaves genuine gaps that each framework assumes another one fills. That’s a legal and governance problem as much as a technical one.

The New Attack Class: When the Agent Doesn’t Know It’s Being Manipulated

Here’s where I want to spend some time, because this is the part that most enterprise security teams haven’t operationalised yet — and the vendors haven’t fully solved.

Agentic AI has fundamentally changed what an API call means.

In 2020, an API call returned a payload. In 2026, an API call can instruct an autonomous agent to send emails, query databases, trigger financial transactions, and call other agents — all without a human in the loop. Gartner reports 35% of enterprises now use agents for business-critical workflows, up from 8% in 2023. 80% of IT professionals have already seen agents perform unauthorised or unexpected actions.

This creates three new attack classes that no current governance framework adequately addresses.

Indirect prompt injection is the most widely exploited. The attacker doesn’t attack the agent directly — they poison the content the agent retrieves. A malicious email sits in your inbox. A user asks your AI assistant a question. The assistant retrieves the email as context, activates the hidden instruction, and exfiltrates data via a rendering trick your Content Security Policy doesn’t catch. This is precisely what happened in the EchoLeak vulnerability (CVE-2025–32711) against Microsoft 365 Copilot. Zero clicks required. Zero visible trace. CVSS 9.3.

Agent-to-agent privilege escalation is even harder to defend against, because the attack doesn’t target your perimeter — it targets trust. A low-privilege agent convinces a high-privilege agent to act on its behalf. One researcher demonstrated this in a multi-agent smart home environment: a malicious agent broadcast a natural language request, a trusted lock agent interpreted it as authorised, and the door unlocked. In enterprise ServiceNow environments, low-privilege agents have been shown to coerce higher-privilege agents into exporting case files to external URLs through second-order injection. Your IAM controls validated every credential. The attack happened at the semantic layer.

Semantic privilege escalation may be the subtlest and most dangerous. The agent has exactly the permissions it should have. It performs an action those permissions technically allow. But the action violates the intent of the original task because a prompt injection in a document, ticket, or API response redirected its behaviour. Every policy check passes. The breach is invisible until the data shows up somewhere it shouldn’t.

OWASP released the Top 10 for Agentic Applications in December 2025. It’s the first systematic taxonomy of this attack class. If you’re deploying anything with agentic workflows and you haven’t read it, stop what you’re doing.

The Supply Chain Problem Isn’t Going Away

Approximately 30% of all data breaches now originate from third-party or supply chain compromise — doubled year-on-year. And annual vendor questionnaires are, frankly, inadequate.

The 700Credit breach is instructive. Attackers compromised one of 200 integration partners, obtained valid API tokens, and ran high-volume queries for months. 5.8 million Social Security numbers were exfiltrated. The partner never notified 700Credit. The questionnaire had presumably been completed.

The U.S. Treasury breach — Chinese state actors (Silk Typhoon), zero-day in BeyondTrust’s infrastructure, single API key enabling remote access to OFAC and the Treasury Secretary’s office — followed the same pattern. A trusted third party was the entry point.

This is why zero-trust API architecture isn’t a nice-to-have. Every integration partner is a potential attack vector. Every API key issued is a standing risk if it isn’t ephemeral, scoped, and monitored. The principle of least privilege doesn’t stop at your own estate.

What Good Looks Like in 2026

I want to be concrete here, because the analysis is only useful if it points somewhere actionable.

Continuous inventory, not periodic audits. You cannot govern what you cannot see. Shadow APIs, deprecated endpoints, and undocumented integrations are where attackers live. Runtime discovery — not scan-and-forget — is the baseline.

Behavioural monitoring from the inside. Signature-based detection misses business logic abuse from authenticated sessions by design. You need anomaly detection that understands what legitimate API traffic looks like for your environment and alerts on deviations from that baseline.

Ephemeral, scoped credentials for all agent interactions. Every agent-to-tool and agent-to-agent API call should use short-lived, narrowly scoped credentials. Persistent API keys in agentic workflows are a CISO incident waiting to happen.

API governance as an IAM problem. This is my lens, and I think it’s the right one. Who (or what) can call which endpoints, under what conditions, with what audit trail? That’s an identity and access question. It belongs in your IAM strategy alongside your human user lifecycle. JML processes that cover human accounts but not service accounts and agent identities are leaving the back door open.

Third-party API risk in your supply chain security programme. Not as a checkbox on a questionnaire — as a continuous monitoring obligation. What tokens does each integration partner hold? What’s the blast radius if they’re compromised?

The Market Signal

The API security market is growing at nearly 30% annually, and the vendor consolidation we’ve seen — Akamai absorbing Noname for $450 million, Traceable merging with Harness — tells you where enterprise budget is heading. Gartner’s 2025 Hype Cycle places API security testing at “High” benefit with under two years to plateau.

But the tooling for agentic AI API security is still genuinely early-stage. No vendor currently offers production-grade protection against semantic privilege escalation or cross-agent confused deputy attacks. The OWASP MCP Top 10 is under development. We are, as an industry, roughly where cloud IAM was in 2015: the threat is real, the frameworks are forming, and the organisations building governance frameworks now will be significantly ahead of those who wait for the standards to mature.

Closing Thoughts

There’s a line I keep returning to from OpenAI’s December 2025 security assessment: “Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully ‘solved.’”

That’s not defeatism. It’s an invitation to think differently about the problem. We don’t “solve” phishing — we build layered defences, educate users, implement technical controls, and accept residual risk with clear governance around it.

API security in 2026 needs the same maturity shift. The attack surface is too large, too dynamic, and too deeply embedded in agentic systems for any single technical control to contain it. What it requires is governance — continuous, cross-functional, identity-aware governance — treating every API call as a trust decision that needs to be made consciously, logged reliably, and reviewed regularly.

The organisations that get there first won’t just be more secure. They’ll be better positioned for every regulatory audit, every third-party risk assessment, and every boardroom conversation about whether their AI deployments are actually under control.

Which, in 2026, is the question everyone is being asked — and very few can answer with confidence.

February 2026 has been defined by convergence. The threats we’ve been tracking individually — AI-powered offensive operations, nation-state supply chain infiltration, ransomware fragmentation, and regulatory acceleration — are no longer operating in parallel. They’re colliding. The Milan-Cortina Winter Olympics provided a live demonstration of what happens when geopolitical tension meets digital infrastructure at scale. Meanwhile, an unprecedented wave of zero-day exploitation forced emergency responses across every major platform simultaneously, and the cybersecurity industry’s own structural transformation accelerated with the largest acquisition in its history. This month’s report examines the forces reshaping the threat landscape and what they demand of defenders.

The Olympics Under Siege: When Cyber Meets Geopolitics

The Milan-Cortina 2026 Winter Olympics became the most heavily targeted Games in history — and the most extensively defended. Italy’s National Cybersecurity Agency stood up a 24/7 command centre in Rome, deploying 6,000 security officers across venues spanning 22,000 square kilometres of northern Italy. They needed every one of them.

Pro-Russian hacktivist group NoName057(16) launched sustained DDoS campaigns against Olympic infrastructure, Italian government websites, and the diplomatic network — including the Italian embassy in Washington and consulates across four continents. The group framed the attacks as retaliation for Italy’s support of Ukraine, but the operational pattern reveals something more calculated. DDoS was the visible layer; the concern among security teams was that volumetric attacks served as cover for deeper intrusion attempts against operational technology: power grids in the Dolomites, snow-making systems, scoring networks, and ticketing platforms.

The threat landscape extended well beyond Russia. Palo Alto Networks’ Unit 42 identified APT28, China’s Mustang Panda, and North Korea’s Kimsuky as credible threats. The BD Anonymous group announced an #OpItaly campaign, while Z-Pentest Alliance and Server Killers claimed attacks against Italian industrial control systems. Russia’s exclusion from the Games — driven not by doping disputes but by the geopolitical fallout of the Ukraine invasion — removed a critical restraining influence. When marquee winter sports like ice hockey and figure skating are absent from the Russian national conversation, the calculus around offensive operations shifts.

The Milan-Cortina experience confirms what security strategists have long warned: major international events are no longer just physical security challenges. They are cyber battlegrounds where nation-state proxies, hacktivists, and opportunistic criminals converge simultaneously.

Zero-Day Avalanche: February’s Emergency Patching Crisis

February 2026 will be remembered as an emergency-level patching month. Microsoft’s Patch Tuesday addressed 58 vulnerabilities, including a staggering six actively exploited zero-days — an event that prompted CISA to add all six to its Known Exploited Vulnerabilities catalogue with a March 3rd remediation deadline for federal agencies.

The severity profile is alarming. CVE-2026-21510, a Windows Shell bypass rated CVSS 8.8, allows a single click on a malicious link to silently execute attacker-controlled content without any warning dialog. CVE-2026-21513 achieves similar results through the MSHTML Framework. CVE-2026-21533, discovered by CrowdStrike, revealed that threat actors had been exploiting a privilege escalation flaw to target organisations in the United States and Canada since at least December 2025 — meaning defenders were unknowingly exposed for months before the patch arrived.

But Microsoft wasn’t alone. Google patched CVE-2026-2441, the first actively exploited Chrome zero-day of the year — a use-after-free vulnerability in CSS that enables arbitrary code execution through a malicious website. Apple shipped emergency updates across its entire ecosystem for CVE-2026-20700, a flaw weaponised in what the company described as an “extremely sophisticated attack” targeting specific individuals. BeyondTrust disclosed CVE-2026-1731 with a CVSS score of 9.9, actively exploited in the wild. Dell’s RecoverPoint for Virtual Machines was found to contain hard-coded credentials enabling unauthenticated remote root access.

The simultaneous exploitation across Microsoft, Google, Apple, Dell, and BeyondTrust products represents a fundamental challenge: organisations cannot triage when everything is critical simultaneously. The traditional “patch by severity” approach collapses when every major vendor releases emergency fixes in the same window.

The Shadow Campaign and the Supply Chain Siege

Nation-state operations reached a new threshold of ambition in February. Palo Alto Networks disclosed what it calls the “Shadow Campaign” — a state-sponsored espionage operation that compromised at least 70 organisations across 37 countries. Tracked as TGR-STA-1030 and assessed with high confidence to be a Chinese nexus group, the campaign targeted government agencies and critical infrastructure with systematic precision.

The Notepad++ supply chain compromise may prove even more consequential. Between June and December 2025, the Lotus Blossom group — a known state-sponsored threat actor — infiltrated the official hosting infrastructure for Notepad++, one of the world’s most widely used text editors. They intercepted and redirected traffic destined for the update server, selectively targeting users in Southeast Asian government, telecommunications, and critical infrastructure sectors. The implications are stark: if a ubiquitous open-source tool’s update mechanism can be silently weaponised for six months, the entire software supply chain model requires re-examination.

Meanwhile, the FBI confirmed at CyberTalks that Salt Typhoon remains an active, ongoing threat. The Chinese espionage group’s infiltration of US telecommunications infrastructure — now confirmed at nine major carriers — continues to provide counterintelligence capabilities that effectively wiretap the wiretappers. Volt Typhoon’s pre-positioning in critical infrastructure for potential kinetic conflict scenarios persists, with renewed attempts to re-establish access to networks from which it was previously evicted. Ivanti vulnerabilities were exploited in targeted attacks against the European Commission and Dutch and Finnish government agencies.

The common thread across these operations is patience. These are not smash-and-grab campaigns. They are systematic, long-duration infiltrations designed to persist undetected while providing strategic advantage.AI Crosses the Rubicon: From Tool to Autonomous Attacker

The transition from AI-assisted to AI-driven offensive operations accelerated dramatically. A Russian-speaking threat actor leveraged commercial generative AI services to compromise over 600 FortiGate devices across 55 countries between January and February. The significance isn’t the scale alone — it’s that the attacker was assessed as unsophisticated. AI transformed weak credentials and exposed management ports into a global campaign that would previously have required nation-state resources.

The agentic AI threat moved from theoretical to operational. Anthropic reported an observed intrusion where AI executed 80–90% of the activity autonomously, with human operators intervening only at a handful of decision points. This represents a fundamental inflection: the adversary’s constraint is no longer technical skill but access to AI tooling.

On the defensive side, the enterprise rush to deploy AI agents created its own attack surface. A Dark Reading poll found 48% of cybersecurity professionals now identify agentic AI as the top attack vector heading into 2026. The WEF’s Global Cybersecurity Outlook reports 94% of respondents believe AI will be the single biggest driver of change in cybersecurity this year. The risks are specific and documented: prompt injection attacks achieving 92% success rates across open-weight models, agent-to-agent impersonation enabling unauthorised capability escalation, memory poisoning of long-term agent storage, and supply chain attacks through the rapidly adopted Model Context Protocol ecosystem.

NIST responded by launching its AI Agent Standards Initiative, acknowledging that more than 80% of Fortune 500 companies now deploy active AI agents. The gap between deployment speed and security maturity is widening — and adversaries are already exploiting it.

The Ransomware Metamorphosis

The ransomware ecosystem continued its structural transformation. Attack volume surged — publicly reported incidents rose 47% year-over-year to approximately 7,200 in 2025, with February showing no signs of deceleration. The FCC cited a fourfold increase in ransomware attacks since 2021 in urging telecommunications firms to strengthen defences.

But the economics are shifting beneath the surface. Ransom payments declined in both total volume and average size, as more organisations refuse to pay, invest in backup resilience, and engage law enforcement. Sixty-four percent of victims now refuse payment on principle. The response from threat actors has been predictable: the pivot to pure data extortion accelerated. Encryption is increasingly bypassed entirely in favour of exfiltrating sensitive data and threatening public release. This reduces technical overhead while maintaining leverage through regulatory exposure and reputational damage.

The ecosystem’s fragmentation intensified. Where 2025 still featured recognisable ransomware brands, February 2026 saw rapid rebranding, affiliate migration, and the emergence of new groups including CipherForce and NightSpire alongside established operators like Qilin and ShinyHunters. Attribution has become significantly harder. Recorded Future assessed that 2026 will be the first year the number of new ransomware operators outside Russia exceeds those emerging within it — reflecting global expansion rather than Russian decline.

The insider threat dimension grew more concerning. Ransomware operators are increasingly recruiting corporate insiders — specifically targeting native English speakers — to provide initial access. With credential-based intrusions already dominating the initial access landscape, the combination of purchased credentials, vulnerability exploitation, and recruited insiders creates a multi-vector entry problem that perimeter defences alone cannot address.

Google-Wiz: The $32 Billion Bet Reshapes the Industry

On February 10th, the European Commission granted unconditional approval for Google’s $32 billion acquisition of Wiz — the largest cybersecurity acquisition in history. With prior DOJ clearance, the deal is now positioned to close, fundamentally reshaping the competitive landscape.

The strategic logic is clear: the integration of Wiz’s cloud security scanning capabilities with Google’s Gemini AI models and Mandiant’s threat intelligence creates an end-to-end autonomous security platform. Google’s vision of AI-native security operations — where scanning, detection, and response happen at machine speed — moves from concept to operational capability.

The competitive implications are significant. While Google committed to maintaining Wiz’s cross-platform support for AWS, Azure, and Oracle Cloud, the potential for preferential integration with Google Cloud is the elephant in the room. For organisations building multi-cloud security architectures, the consolidation raises questions about vendor neutrality and long-term platform strategy. For the broader market, it signals that cybersecurity’s next phase will be defined by whoever best integrates AI, cloud infrastructure, and threat intelligence into a unified platform.

Regulatory Momentum Builds Across Jurisdictions

The regulatory landscape tightened on multiple fronts. The EU’s NIS2 Directive moved decisively from national transposition to active enforcement, significantly expanding the number of organisations in scope. The Cyber Resilience Act’s mandatory security requirements for connected products approach their 2026 compliance deadline. The European Cybersecurity Act’s proposed revision reflects a 150% increase in cyber-attacks since its original adoption, with expanded scope and strengthened requirements.

In the United States, the regulatory picture remained complex. The CISA incident reporting rule was delayed until May 2026 amid industry criticism that the proposed requirements are overly broad. CISA itself enters 2026 without a Senate-confirmed director, creating leadership uncertainty at a critical moment. At the state level, the patchwork expanded to 20 states enforcing consumer privacy statutes, with California continuing to refine requirements around automated decision-making and cybersecurity audits. New York’s Department of Financial Services began its first full examination cycle under amended cybersecurity regulations, with enforcement focus on governance, risk assessment, and multi-factor authentication.

The US House passed the PILLAR Act to renew cybersecurity grants for state and local governments — an acknowledgement that municipal and state-level organisations face nation-state calibre threats with significantly fewer resources. Smaller financial institutions face a June 3rd compliance deadline under amended Regulation S-P requirements, including new mandates for incident response programmes, customer notification, and service provider due diligence.

The overarching trend is regulatory convergence toward accountability: organisations must demonstrate not just compliance but active, measurable security posture improvements.

Strategic Imperatives

February’s events demand specific defensive responses:

Adopt crisis-speed patching protocols. The simultaneous exploitation across multiple vendors requires pre-approved emergency patching workflows that bypass standard change management timescales. Waiting for the next maintenance window is no longer viable when six zero-days are actively exploited.

Harden the software supply chain. The Notepad++ and AI model supply chain compromises demonstrate that trusted software distribution channels are now primary attack vectors. Implement integrity verification for all software updates, restrict auto-update mechanisms in sensitive environments, and maintain software bills of materials.

Secure AI agent deployments. The rush to deploy agentic AI is outpacing security controls. Every AI agent requires identity governance, privilege boundaries, output validation, and monitoring equivalent to a human employee with the same access. Memory persistence, tool access, and inter-agent communication are all attack surfaces that demand immediate attention.

Prepare for data-only extortion. Traditional ransomware defences focused on backup and recovery are insufficient when attackers skip encryption entirely. Data loss prevention, network segmentation, and exfiltration detection must be prioritised alongside — not behind — backup resilience.

Consolidate event-driven threat intelligence. Major international events are now predictable triggers for coordinated cyber campaigns. Organisations with any connection to host nations, participating organisations, or supporting infrastructure must integrate event calendars into their threat modelling.

Looking Ahead

March will bring the conclusion of the Milan-Cortina Games and a likely surge in post-event disclosure of attacks that were contained but not yet public. The CISA incident reporting rule’s progress toward its May deadline will shape US reporting obligations for years to come. The Google-Wiz integration will begin revealing whether the promise of AI-native security operations can be delivered at scale. And the ransomware ecosystem’s fragmentation will continue testing attribution capabilities and law enforcement coordination.

The thread connecting February’s events is acceleration. Threats are moving faster, exploits are being weaponised sooner, AI is lowering barriers more rapidly, and the regulatory response — while heading in the right direction — is struggling to keep pace. The organisations that thrive will be those that match this acceleration with their own: in detection, in patching, in adaptation, and in strategic foresight.

This report is produced by MustardTree Partners as part of our ongoing commitment to providing actionable cybersecurity intelligence for senior leadership and technology decision-makers

.

What began as a product update from a single AI company has erased over $1 trillion in market value, sent shockwaves from Wall Street to Mumbai, and forced investors to confront an uncomfortable truth: the AI disruption thesis is no longer theoretical. It’s repricing entire industries in real time.

The second week of February 2026 will be studied in business schools for years. A cascading series of AI-driven market shocks has fundamentally shifted investor psychology from “AI excitement” to what analysts are now calling “AI Darwinism” — a brutal, sector-by-sector repricing of companies deemed vulnerable to autonomous AI systems.

The trigger was deceptively modest. On 30 January, Anthropic released a set of industry-specific plugins for Claude Cowork, its AI-powered workplace assistant capable of authoring documents, organising files, and executing multi-step professional workflows. Plugins tailored for legal, finance, sales, and data marketing went live on Friday 31 January. By Tuesday, the market response was savage.

Thomson Reuters plunged 15.83% — its biggest single-day drop on record. LegalZoom sank 19.68%. The London Stock Exchange Group fell approximately 13%, while RELX, parent of LexisNexis, dropped 14%. FactSet Research Systems fell 10%, with S&P Global, Moody’s, and Nasdaq all seeing sharp declines. ServiceNow tumbled nearly 7%, pushing its year-to-date losses to 28%, while Salesforce dropped about 7%, bringing its 2026 decline to almost 26%.

Then came Thursday 6 February. Anthropic unveiled Claude Opus 4.6, an advanced model designed to coordinate teams of AI agents and perform sophisticated professional tasks — including financial analysis, due diligence, and market intelligence synthesis. The selloff deepened. Bloomberg calculated that roughly $1 trillion of market value evaporated within a week.

Jefferies traders coined the term that has since defined the moment. “We call it the ‘SaaSpocalypse,’ an apocalypse for software-as-a-service stocks,” said Jeffrey Favuzza from the firm’s equity trading desk. JPMorgan analyst Toby Ogg captured the depth of investor sentiment even more starkly, noting that the sector “isn’t just guilty until proven innocent but is now being sentenced before trial.”

Beyond Software: The Contagion Spreads

What makes this week’s events genuinely significant for technology analysts — and for anyone making investment decisions — is that the disruption narrative has broken containment. This is no longer a software sector story. AI-driven repricing is now hitting financial services, professional services, business process outsourcing, and global IT services with equal ferocity.

On 10 February, a new AI-powered tax planning tool from fintech platform Altruist triggered a separate wave of selling across wealth management stocks. LPL Financial closed 8.31% lower after tumbling 11% in midday trading, while Charles Schwab fell 7.42% and Raymond James Financial lost 8.75%. The tool demonstrated the ability to create fully personalised tax strategies for clients within minutes — work that currently sustains significant revenue streams for advisory firms.

The shockwaves reached Asia within days. India’s Nifty IT index shed over 4% to reach a four-month low on 12 February, wiping approximately ₹1.3 lakh crore from the combined market capitalisation of leading IT firms. TCS, Wipro, Cyient, and Hexaware Technologies all hit 52-week lows. Infosys fell 6%, and the Nifty IT index has now declined approximately 14% over the past seven trading days.

The Indian IT selloff is particularly telling because it exposes a structural vulnerability that extends across the entire global services economy. AI’s potential to automate tasks previously performed by human capital threatens the bedrock of the IT services business model. Analysts estimate the impact could translate to a 5–10% reduction in core coding demand and a 10–15% impact on operations including finance, procurement, and HR outsourcing.

For investors and business leaders, the message is clear: if your company’s value proposition relies on per-seat licensing, billable hours, or labour-intensive knowledge work, the market is now actively discounting your future.

Anthropic’s $30 Billion War Chest

Against this backdrop of market carnage, the company at the centre of the storm completed one of the largest private funding rounds in technology history.

Anthropic closed a $30 billion Series G funding round at a $380 billion post-money valuation — more than double what it was worth in September when it last raised money. The round was led by Singapore sovereign wealth fund GIC and Coatue Management, with co-leads including D.E. Shaw Ventures, Dragoneer, Peter Thiel’s Founders Fund, ICONIQ, and Abu Dhabi’s MGX. The round also includes portions of previously announced investments from Microsoft and Nvidia.

The numbers tell a story of exponential enterprise adoption. Anthropic’s annualised revenue has reached $14 billion, growing more than 10x annually over the past three years. Claude Code, its AI coding agent, now has run-rate revenue exceeding $2.5 billion — more than double its level at the start of the year. Enterprise customers spending over $100,000 annually have grown 7x in the past twelve months.

This is the second-largest private tech fundraising round on record, trailing only OpenAI’s $40 billion+ raise. And the arms race continues: OpenAI is reportedly assembling a new round that could close at around $100 billion.

The sheer scale of capital flowing into frontier AI labs — while the companies those labs are disrupting haemorrhage market value — crystallises the dual nature of this moment. We are witnessing both the greatest concentration of private capital formation and the fastest destruction of incumbent business models in recent market history, driven by the same underlying technology.

What This Means for Investment Strategy

Several structural shifts are now undeniable.

The “winners vs losers” framework is permanent.

The era of every tech stock benefiting from AI enthusiasm is over. Deutsche Bank’s Jim Reid noted that the market has shifted from an “every tech stock is a winner” mindset to a “true winners and losers landscape.” Capital is flowing aggressively toward AI infrastructure providers and frontier labs, and flowing out of companies whose business models AI can replicate or automate.

Per-seat and per-user pricing models are under existential threat.

The core concern is that AI tools will reduce the need for multiple software licences, weakening revenue growth across the entire SaaS sector. Companies that cannot transition to value-based or compute-based pricing will face sustained valuation compression.

The disruption radius is expanding faster than expected.

Six months ago, the AI disruption conversation centred on coding assistants and chatbots. Today it encompasses legal services, financial advisory, tax planning, data analytics, IT outsourcing, and enterprise software broadly. Private equity firms are reportedly hiring consultants to audit their portfolios for AI-vulnerable holdings.

Physical-world assets are emerging as a hedge.

Apollo’s chief economist Torsten Slok has urged investors to look past the tech volatility, arguing that the broader economy is positioned for a boom driven by reindustrialisation, infrastructure spending, and locked-in data centre capital expenditure. Google, Amazon, and Meta have announced a combined $660 billion in capital expenditure plans for 2026. AI capex is forecast to quadruple to $1.2 trillion by 2030.

Don’t confuse market panic with immediate obsolescence.

Gartner analysts have cautioned that predictions of the death of SaaS and enterprise applications are premature, arguing that tools like Claude Cowork are task-level automators rather than replacements for mission-critical business systems. The comparison to the displacement of BlackBerry is apt — the technology survived, but the stock lost 98% of its value. The question for every incumbent is not whether AI will make them obsolete overnight, but whether they can integrate fast enough to avoid terminal decline.

Our View

We are at an inflection point that mirrors the early internet era in its capacity to reshape entire industries — but is moving at a pace that makes the dotcom transition look leisurely by comparison. The SaaSpocalypse is not a one-week event. It is the opening chapter of a multi-year repricing that will reward companies with proprietary data, AI-native architecture, and physical-world moats, while punishing those whose value propositions can be replicated by an autonomous agent.

For enterprises, the strategic imperative is immediate: assess where your workflows are vulnerable to agentic AI, invest in the integrations that make AI a competitive advantage rather than a displacement threat, and recognise that the regulatory landscape — from the EU AI Act in August 2026 to the Colorado AI Act in June 2026 — will shape how quickly adoption accelerates.

For investors, the week was the market’s way of saying: the AI disruption thesis is no longer priced in as a future possibility. It is being priced in as a present reality.

In my previous piece on Harvest Now, Decrypt Later, I argued that senior leadership need to own the quantum cryptography conversation. Mosca’s Theorem gives us a clear framework: if the time your data needs protection plus your migration timeline exceeds the arrival of Q-Day, you’re already exposed.

The response I received was telling. Most readers agreed with the urgency. But the question that came back repeatedly was disarmingly simple: “Where do we actually start?”

The answer is equally simple, and brutally difficult: you start by finding out where cryptography lives in your organisation. All of it.

This is the cryptographic inventory—the foundation upon which every quantum readiness initiative must be built. Without it, you’re not doing post-quantum migration. You’re doing post-quantum guesswork.

Why This Is Harder Than It Sounds

Most organisations dramatically underestimate the scope of cryptographic discovery. When I ask security teams where their cryptography is, I typically get confident answers: TLS certificates, VPN configurations, maybe some database encryption. These are the visible tips of an enormous iceberg.

The reality is that cryptography has become so embedded in modern enterprise architecture that it’s effectively invisible. It’s in places your security team doesn’t manage, in systems your IT department didn’t build, and in dependencies your developers never consciously chose.

Consider a typical enterprise application. The code itself might use explicit encryption libraries. But it also inherits cryptography from the framework it’s built on, the runtime environment it executes in, the container it’s packaged in, the orchestration platform that deploys it, the service mesh that routes its traffic, the API gateway that exposes it, and the cloud platform that hosts it. Each layer brings its own cryptographic implementations, configurations, and vulnerabilities.

Multiply this by hundreds or thousands of applications, add in legacy systems, third-party integrations, IoT devices, and shadow IT, and you begin to appreciate the scale of the problem.

The Five Domains of Cryptographic Discovery

Through numerous discovery exercises, I’ve found it useful to think about cryptographic inventory across five distinct domains. Each requires different tools, different expertise, and different stakeholders.

Domain 1: Network and Transport Layer

This is where most organisations start, and for good reason—it’s the most visible. TLS/SSL certificates protecting web applications, API endpoints, and internal services. IPsec configurations for VPNs and site-to-site connections. SSH keys for administrative access. Load balancer and reverse proxy configurations.

The tools here are relatively mature. Certificate discovery scanners can enumerate your external attack surface. Internal network scanning can identify services using deprecated protocols or weak cipher suites. Most organisations have some visibility here, even if it’s incomplete.

But “some visibility” isn’t enough for quantum readiness. You need comprehensive coverage, including certificates issued by internal CAs, self-signed certificates in development environments, and machine identities that nobody remembers creating. The certificate you forgot about is the one that will still be using RSA-2048 when Q-Day arrives.

Domain 2: Application Layer

This is where discovery becomes significantly more complex. Applications use cryptography in ways that don’t traverse the network—encrypting data at rest, hashing passwords, generating signatures, protecting secrets in memory.

Discovery here requires a combination of approaches. Static code analysis can identify cryptographic library usage and flag deprecated algorithms. Software composition analysis reveals cryptographic dependencies in third-party components. Runtime analysis can detect cryptographic operations that static analysis misses—dynamically loaded libraries, reflection-based invocations, and configuration-driven algorithm selection.

The challenge is coverage. Most organisations have hundreds of applications, many without source code access (vendor packages, legacy systems, acquired companies). You’ll need to accept that application-layer discovery will be iterative and incomplete, prioritising based on data sensitivity.

Domain 3: Data Layer

Databases, file systems, backup systems, archives—anywhere data persists, cryptography may be protecting it. Transparent Data Encryption in your SQL Server instances. Encrypted columns in application databases. Encrypted backups sitting in cold storage. File-level encryption on endpoints.

This domain intersects directly with your data classification efforts. Remember Mosca’s X variable—how long does this data need to remain confidential? Your most sensitive, longest-lived data should be prioritised for quantum-safe migration. But first, you need to know how it’s currently protected.

Don’t forget data in transit between systems. ETL pipelines, replication streams, backup transfers—all may use cryptographic protection that needs to be catalogued.

Domain 4: Identity and Access Management

This is my home territory, and I can tell you it’s a minefield for cryptographic discovery. Identity systems are among the most cryptographically complex components in any enterprise, and among the hardest to migrate.

Consider what’s involved: certificate-based authentication for users and devices, Kerberos encryption in Active Directory environments, SAML and OAuth token signing, smart card and hardware token integrations, federation trust relationships with partners and cloud providers. Each of these involves cryptographic keys, algorithms, and protocols that need to be inventoried.

The interdependencies make this particularly challenging. Your identity provider’s signing keys are trusted by dozens of service providers. Your Active Directory’s Kerberos implementation touches every domain-joined system. Changing cryptography in identity systems isn’t just a technical migration—it’s an exercise in coordinating trust relationships across your entire ecosystem.

Domain 5: Hardware and Embedded Systems

The most overlooked domain, and often the hardest to address. Hardware Security Modules storing your most sensitive keys. Trusted Platform Modules in endpoints. Cryptographic implementations in network appliances, IoT devices, industrial control systems, building management systems.

Many of these systems have cryptography baked into firmware that can’t be easily updated. Some have cryptographic implementations that predate current best practices. And some are connected to operational technology environments where the very concept of “patching” is fraught with safety implications.

This domain requires close collaboration with operational technology teams, facilities management, and procurement. You need to understand not just what cryptography is in use today, but what the upgrade path looks like—and whether one exists at all.

Building Your Discovery Programme

Cryptographic inventory isn’t a project with a completion date. It’s an ongoing programme that needs to be embedded in your security operations. Here’s how to structure it:

Start with what you know. Don’t let the perfect be the enemy of the good. Begin with your certificate management system, your PKI infrastructure, your known encryption implementations. Build initial inventory from existing documentation, even if incomplete.

Layer in automated discovery. Deploy network scanning for certificate enumeration. Integrate software composition analysis into your CI/CD pipelines. Use cloud security posture management tools that identify cryptographic configurations in your cloud environments.

Engage application teams. Automated tools will only get you so far. Application owners know their systems better than any scanner. Create a structured questionnaire and work through your application portfolio systematically. Yes, this takes time. There’s no shortcut.

Don’t forget third parties. Your supply chain uses cryptography to protect data you’ve entrusted to them. SaaS providers, cloud platforms, managed service providers—all should be able to articulate their cryptographic posture and their quantum readiness roadmap. Add this to your vendor risk assessments.

Maintain continuously. New applications deploy. Configurations change. Certificates rotate (or don’t, which is its own problem). Your cryptographic inventory needs to be treated as a living document, updated through integration with change management processes and continuous discovery scanning.

Structuring the Output

A cryptographic inventory that lives in a spreadsheet and never gets used is worse than useless—it provides false confidence. The output of your discovery programme needs to be structured for action.

At minimum, each cryptographic asset should be catalogued with: the system or application it belongs to, the algorithm and key length in use, the data or function it protects, the sensitivity classification of that data, the Mosca X value (how long the data needs protection), the asset owner, and the feasibility of migration.

This allows you to prioritise. High-sensitivity data with long protection requirements, protected by vulnerable algorithms, in systems that can be migrated—these are your first targets. Low-sensitivity data in systems that will be decommissioned before Q-Day can wait.

The Uncomfortable Discoveries

I’ll warn you now: cryptographic discovery surfaces uncomfortable truths. You’ll find systems using MD5 for integrity checks. You’ll find certificates that expired years ago but somehow still work. You’ll find SSH keys that were generated in 2009 and have never been rotated. You’ll find encryption implementations where nobody knows who holds the keys.

This is normal. Every organisation I’ve worked with has cryptographic skeletons in the closet. The purpose of discovery isn’t to achieve some platonic ideal of cryptographic hygiene—it’s to understand your actual posture so you can make informed decisions about risk and prioritisation.

Don’t let the scale of the problem paralyse you. Document what you find, prioritise ruthlessly based on data sensitivity and exposure, and start the migration where it matters most.

What Comes Next

Cryptographic inventory is the foundation, not the destination. With a clear picture of where cryptography lives in your organisation, you can begin the harder work: developing crypto-agility so you can swap algorithms without rebuilding systems, testing NIST’s post-quantum standards in your environment, and building the business case for the multi-year migration programme that lies ahead.

In my next piece, I’ll explore what crypto-agility actually looks like in practice—particularly in identity systems, where the interdependencies make migration uniquely challenging.

For now, start finding your cryptography. All of it. The inventory you build today is the roadmap you’ll follow when Q-Day arrives.

The cybersecurity landscape entering 2026 is nothing short of transformational. We’ve moved beyond the era of human-speed cyber operations into something fundamentally different: machine-speed warfare driven by autonomous AI agents, executed against a backdrop of intensifying geopolitical fractures. This month’s report examines the convergence of these forces and what they mean for organisations navigating the year ahead.

The Poly-Crisis Reality

January 2026 marks a watershed moment. Organisations globally now face an average of nearly 2,000 cyber attacks per week—a staggering 70% increase since 2023. But this isn’t merely about volume. The mechanics of cyber warfare have fundamentally shifted. The window between initial compromise and lateral movement has shrunk to under 60 minutes in advanced campaigns. When your adversary operates at machine speed, your defences must match that pace.

The World Economic Forum’s latest cybersecurity outlook confirms what many practitioners have suspected: we’re operating in a “poly-crisis” where hyper-accelerated AI threats, geopolitical fragmentation, and structural shifts in cybercrime economics converge simultaneously. The old playbooks aren’t just outdated—they’re dangerous.

The Agentic Shift: AI Moves From Assistant to Adversary

The defining characteristic of the 2026 threat landscape is the transition from generative AI as a content creation tool to agentic AI as an operational execution engine. Adversaries are no longer simply using large language models to craft phishing emails. They’re deploying autonomous agents capable of navigating networks, identifying high-value data, and executing exfiltration protocols without human intervention.

These “shadow agents” operate continuously, process vast amounts of network telemetry, and find subtle vulnerabilities that human operators miss. The industrialisation of social engineering has reached unprecedented sophistication—Check Point Software reports a 500% surge in “ClickFix” techniques, where AI generates context-aware lures in real-time based on individual user behaviour and role-specific context.

The emergence of autonomous malware that rewrites its own code to evade signature-based detection represents a fundamental escalation. Capabilities once exclusive to elite nation-state actors are now accessible to criminal groups. The “AI Arms Race” described by Google Cloud isn’t a prediction—it’s our current operational reality.

Deepfake weaponization has moved from theoretical risk to potent operational tool. The Arup incident earlier this year—where AI-generated video facilitated a $25 million theft by impersonating a CFO during a video conference—demonstrates that traditional human verification methods are now obsolete for high-stakes transactions.

Identity: The New Battlefield

With traditional network perimeters dissolved by cloud adoption and remote work, identity has become the primary control point—and the primary target. Reports indicate 97% of identity-based attacks involve credential abuse rather than vulnerability exploitation. Adversaries don’t need to hack in; they simply log in.

The volume of stolen credentials available on dark web marketplaces has reached critical mass, with 149 million passwords exposed in a single late-January leak. Multi-factor authentication bypasses have been industrialised—token theft, session hijacking, and “quishing” (QR code phishing) are now standard tradecraft. The FBI has issued specific warnings about North Korean groups using embedded malicious QR codes to force victims from secured corporate devices to less-secure mobile devices, effectively bypassing endpoint protection entirely.

A critical new category has emerged: non-human identity risk. As organisations deploy authorised AI agents for productivity, these entities receive permissions to access sensitive data and execute actions. Adversaries are now targeting these “silicon employees,” exploiting their entitlements to gain access that would otherwise trigger anomalies if attempted by human users.

The Typhoon Strategy: Nation-State Operations Intensify

Chinese state-sponsored cyber activity remains the most persistent and sophisticated threat to Western infrastructure. The Salt Typhoon campaign has become a central geopolitical crisis, with systematic infiltration of global telecommunications networks—including confirmation of a ninth US telecom firm compromised this month.

The strategic objective is clear: counterintelligence and monitoring of high-value targets. By compromising core switching and routing infrastructure, Salt Typhoon can intercept communications metadata and content, effectively wiretapping the wiretappers. Data exfiltrated includes call records, text messages, and geolocation data from senior government officials and prominent political figures.

Volt Typhoon continues targeting US critical infrastructure—energy, water, transportation—for “pre-positioning.” The strategic intent is maintaining persistent access that could be leveraged to disrupt communications and logistics in the event of kinetic conflict in the Indo-Pacific. Throughout January, Volt Typhoon has been observed attempting to re-establish access to networks from which they were previously evicted.

Meanwhile, Russian operations under Midnight Blizzard continue exploiting information from previous high-profile breaches to target downstream customers. Their tradecraft has evolved to focus on identity providers and cloud trust relationships, making detection extraordinarily difficult.

The Ransomware Economy Restructures

The ransomware ecosystem has undergone structural transformation. While attack frequency has increased, ransom payments have declined 50% compared to last year—driven by improved backup resilience and a cultural shift toward refusal. Sixty-four percent of victims now refuse payment on principle.

In response, attackers have pivoted to pure data extortion. Encryption is frequently skipped entirely; instead, actors exfiltrate sensitive data and threaten public release. This reduces technical overhead while maintaining leverage over victims who fear reputational damage and regulatory fines more than operational downtime.

The monolithic ransomware cartels have fragmented into a decentralised ecosystem of smaller, specialised groups. The collapse of Black Basta following the “ExploitWhispers Leak” validates the strategy of psychological warfare against ransomware groups—sowing distrust among criminals can be as effective as technical takedowns.

The Agentic SOC Emerges

To counter machine-speed attacks, the industry has moved decisively toward the “Agentic SOC.” Major vendors including CrowdStrike, Microsoft, and Google have rolled out autonomous capabilities that independently triage alerts, correlate telemetry across disparate tools, and execute remediation playbooks without human approval for routine incidents.

Early adopters report 90% reduction in mean time to conclusion for routine investigations. Human analysts are transitioning from “alert factory workers” to AI supervisors and strategic threat hunters. The AI handles the noise; the human handles the nuance.

However, deployment challenges remain significant. The “black box” trust issue persists—security leaders remain wary of granting autonomous write-access to AI agents due to hallucination risks that could cause business disruption. Data sovereignty concerns complicate cloud-based LLM processing of sensitive security telemetry, particularly under GDPR and DORA.

Critical Vulnerabilities Demand Immediate Attention

January has been punctuated by high-severity zero-days requiring emergency response. The Fortinet FortiCloud SSO bypass (CVE-2026-24858) was so severe that Fortinet temporarily disabled the service globally to stop exploitation—an unprecedented step highlighting systemic risk in centralised cloud management planes.

The Cisco Unified Communications Manager vulnerability (CVE-2026-20045) has been heavily targeted by state-sponsored actors seeking to intercept communications. Microsoft’s January Patch Tuesday addressed 114 vulnerabilities including three actively exploited zero-days affecting Desktop Window Manager, Office security features, and Secure Boot.

Ivanti Connect Secure continues struggling with edge device security, with new vulnerabilities being exploited by Chinese nexus groups to deploy web shells on VPN gateways.

Regulatory Landscape Tightens

The EU’s Digital Operational Resilience Act (DORA) has entered its first full year of enforcement, with the Article 58 Review determining whether requirements will extend to statutory auditors. Financial entities are scrambling to complete third-party registers and prepare for threat-led penetration testing.

The UK’s Cyber Security and Resilience Bill has passed its second reading, expanding scope to include managed service providers and data centres while introducing mandatory incident reporting for ransomware.

In India, friction mounts over accelerated timelines for the Digital Personal Data Protection Act, with the proposed 12-month compliance window threatening smaller organisations’ viability.

Strategic Imperatives for 2026

The poly-crisis demands a fundamental shift in how organisations approach security:

Assume compromise. The perimeter is gone. Resilience must be built on the assumption that adversaries are already inside. Zero trust isn’t a product—it’s an operating philosophy.

Embrace agentic defence. Manual security operations cannot scale to meet machine-speed attacks. Supervised autonomous security agents are no longer optional—they’re a necessity for survival.

Decouple from centralised failures. Over-reliance on single points of failure is systemic risk. The Fortinet SSO crisis demonstrates how a single vulnerability in a cloud provider can compromise thousands of downstream devices. Diversification and break-glass continuity plans are essential.

Prioritise identity fabric. With 97% of attacks involving credential abuse, identity security isn’t just an IT concern—it’s the cornerstone of organisational resilience. Phishing-resistant MFA, identity threat detection, and non-human identity management must be priority investments.

Prepare for the quantum transition. While Q-Day remains years away, the “harvest now, decrypt later” threat means organisations handling long-lived secrets must begin crypto-agility planning now. The 2035 deadline for US federal quantum-safe migration should guide private sector timelines.

Looking Ahead

The year 2026 will not be defined by prevention of attacks but by the speed and intelligence of response. Navigating the poly-crisis requires a fusion of advanced technology, rigorous compliance, and geopolitical awareness. The decisions made by security leaders this year will define organisational resilience for the decade to come.

Samuel Odekunle is Managing Partner at MustardTree Partners, specialising in cybersecurity strategy, identity and access management, and digital transformation.

State of Security is published monthly. Subscribe for the latest analysis on the evolving threat landscape.

© 2026 MustardTree Partners (Part of the MustardTree Group). All rights reserved.

Somewhere, right now, a state-sponsored actor is quietly siphoning encrypted traffic from major financial institutions, government networks, and healthcare systems. They can’t read any of it. Not yet. But they’re not trying to. They’re waiting.

This is the world of Harvest Now, Decrypt Later (HNDL), a cybersecurity threat that’s already happening but won’t hurt you until it does. It’s the ultimate long game, and if you’re not already thinking about it, you’re already behind.

What is HNDL? (And Why Should You Care?)

HNDL is elegantly simple and terrifyingly patient. Adversaries intercept and store encrypted data today, knowing that quantum computers will eventually be powerful enough to crack today’s encryption algorithms. Your RSA-2048 keys? Your elliptic curve cryptography? Once a sufficiently powerful quantum computer running Shor’s algorithm comes online, those mathematical safeguards become little more than a polite suggestion.

Elliptic Curve Cryptography (ECC) is an asymmetric encryption algorithm that leverages the algebraic structure of elliptic curves over finite fields. It is used for public-key encryption, providing the same level of security as RSA but with significantly smaller key sizes.

The kicker? The data doesn’t need to be valuable right now. It needs to be valuable when it’s decrypted. Think about it: personnel records, medical histories, national security communications, financial transactions, trade secrets, merger and acquisition details. These don’t become less sensitive with age. A 15-year-old government communication about intelligence operations is still classified. Medical records remain sensitive for a lifetime. And that brilliant innovation your R&D team is working on? Your competitors would still love to know about it in a decade.

Enter Mosca’s Theorem: Your New Best Friend

Dr. Michele Mosca, a cryptography expert and co-founder of the Institute for Quantum Computing at the University of Waterloo, gave us a beautifully simple framework for understanding why we can’t afford to wait. It’s called Mosca’s Theorem, and it boils down to an inequality that should keep every CISO up at night:

If X + Y > Z, you have a problem.

Where:

X = How long your data needs to remain confidential (the shelf life of your secrets)

Y = How long it will take to migrate your systems to quantum-resistant cryptography (your migration time)

Z = How long until a cryptographically relevant quantum computer arrives (Q-Day)

Let’s make this painfully real. You’re a financial services firm with customer data that needs to remain confidential for, say, 20 years (regulatory requirements, customer relationships, the works). Your IT team estimates a full cryptographic migration will take 5 years. That’s X + Y = 25 years.

Now, expert consensus is coalescing around Q-Day occurring somewhere in the early-to-mid 2030s — let’s be generous and say 2035. That’s roughly 10 years from now (Z = 10).

25 > 10. Houston, we have a problem.

And here’s the uncomfortable truth that Mosca’s Theorem reveals: by the time Q-Day arrives, your data has already been harvested. The breach happened years ago — you just haven’t felt it yet.

Why Senior Leadership Need to Lead This Conversation

I’ve seen it too often: quantum computing gets treated as a “future problem” or, worse, dismissed as science fiction. “We’ll deal with it when it’s real,” they say, while conveniently ignoring that adversaries are harvesting encrypted traffic right now.

This isn’t a junior analyst problem. This isn’t something you can delegate to the next security committee. The HNDL threat requires senior leadership because:

1. The timelines are measured in years, not sprints. NIST has set 2035 as the deadline for federal systems to complete their migration to post-quantum cryptography (PQC). The EU is even more aggressive, requiring critical infrastructure to be quantum-safe by 2030. These aren’t aspirational targets — they’re regulatory expectations.

2. Migration is complex. This isn’t a patch Tuesday fix. We’re talking about discovering every cryptographic dependency in your enterprise, prioritizing assets based on data sensitivity and exposure, testing new algorithms for compatibility and performance, and deploying across potentially thousands of systems and devices. Some organisations took years just to deprecate SHA-1. PQC migration makes that look like changing a password.

3. The business case is counterintuitive. You’re asking executives to invest significant resources to protect against a threat that hasn’t materialized yet, to prevent a breach that may have already happened, resulting in damage that won’t be visible for years. That’s a difficult conversation that requires credibility and influence.

What Can You Do Today?

• Conduct a Cryptographic Inventory. You can’t protect what you don’t know about. Map every system, application, and data flow that uses public-key cryptography. Yes, this is tedious. Yes, it’s essential.

• Classify Data by Sensitivity Lifespan. Not all data is created equal. Personnel records have different longevity requirements than marketing materials. Apply Mosca’s X variable to your data classification scheme.

• Develop Crypto-Agility. Build systems that can swap cryptographic algorithms without wholesale replacement. This isn’t just about quantum — it’s good security hygiene that will serve you well regardless of how the threat landscape evolves.

• Start Testing NIST-Approved PQC Algorithms. NIST finalized its first set of post-quantum cryptography standards in August 2024 (FIPS 203, 204, and 205). These aren’t theoretical — they’re ready for piloting. Major players like Apple, Google, and Cloudflare are already deploying hybrid quantum-safe encryption.

• Educate Your Leadership. Use Mosca’s Theorem as a communication tool. Its simplicity makes the quantum threat tangible: “Here’s how long our data needs protection. Here’s how long migration takes. Here’s when the threat arrives. Do the maths.”

As senior IT professionals, we have a choice: we can wait for Q-Day to arrive and scramble to respond, or we can start the migration now and be ready when the storm hits. The cost of preparation is measured in budget and effort. The cost of being late is measured in data breaches, regulatory penalties, reputational damage, and the uncomfortable knowledge that we saw this coming and chose to look the other way.

The quantum clock is ticking.

Sam Odekunle is a Cybersecurity Consultant specialising in Identity and Access Management, currently leading enterprise IDAM transformation programmes. He writes about the intersection of cybersecurity, governance, and emerging threats.

Microservices architectures promise scalability and flexibility, but they transform security from a single perimeter problem into a distributed trust challenge. When your application becomes dozens of services communicating across network boundaries, every inter-service call becomes a potential attack vector.

Unlike monolithic applications where components communicate through in-memory calls or local databases, microservices must authenticate each request over the network. A compromised service can potentially impersonate others, access unauthorised data, or pivot through your entire system. Traditional approaches like shared secrets or IP-based trust fall apart at scale.

The stakes are higher than inconvenience — service identity failures can lead to data breaches, privilege escalation, and compliance violations. Consider an e-commerce platform where the recommendation service gains unauthorised access to payment processing, or a healthcare system where diagnostic services can access patient records beyond their authorisation scope.

This article examines three battle-tested patterns for securing service-to-service communication: mutual TLS (mTLS) for cryptographic identity verification, Service Mesh Identity for infrastructure-managed authentication, and Token Relay patterns for propagating user context through service chains. Each approach addresses different architectural needs and operational constraints.

Identity in Microservices: Service-to-Service Authentication Patterns

Microservices architectures promise scalability and flexibility, but they transform security from a single perimeter problem into a distributed trust challenge. When your application becomes dozens of services communicating across network boundaries, every inter-service call becomes a potential attack vector.

Unlike monolithic applications where components communicate through in-memory calls or local databases, microservices must authenticate each request over the network. A compromised service can potentially impersonate others, access unauthorised data, or pivot through your entire system. Traditional approaches like shared secrets or IP-based trust fall apart at scale.

The stakes are higher than inconvenience — service identity failures can lead to data breaches, privilege escalation, and compliance violations. Consider an e-commerce platform where the recommendation service gains unauthorised access to payment processing, or a healthcare system where diagnostic services can access patient records beyond their authorisation scope.

This article examines three battle-tested patterns for securing service-to-service communication: mutual TLS (mTLS) for cryptographic identity verification, Service Mesh Identity for infrastructure-managed authentication, and Token Relay patterns for propagating user context through service chains.

Mutual TLS (mTLS): Cryptographic Service Identity

Mutual TLS extends standard TLS by requiring both client and server to present valid certificates, creating bidirectional authentication. In microservices architectures, this means every service acts as both client and server, presenting its identity certificate for each connection.

mTLS Implementation Architecture

# Certificate Authority Structure
Root CA
├── Intermediate CA (Infrastructure)
│   ├── Service A Certificate
│   ├── Service B Certificate
│   └── API Gateway Certificate
└── Intermediate CA (External)
    └── Client Certificates

The mTLS handshake process involves six distinct steps:

1. Client initiates connection with ClientHello message

2. Server presents certificate containing its public key and identity claims

3. Client verifies server certificate against trusted CA bundle

4. Server requests client certificate via CertificateRequest message

5. Client presents certificate and signs a challenge with its private key

6. Server verifies client certificate and establishes encrypted channel

Practical mTLS Implementation

Here’s how to implement mTLS in a Go microservice:

package main

import (
    "crypto/tls"
    "crypto/x509"
    "fmt"
    "io/ioutil"
    "net/http"
)

func setupMTLSServer() *http.Server {
    // Load server certificate and key
    serverCert, err := tls.LoadX509KeyPair("server.crt", "server.key")
    if err != nil {
        panic(err)
    }
    
    // Load CA certificate for client verification
    caCert, err := ioutil.ReadFile("ca.crt")
    if err != nil {
        panic(err)
    }
    
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)
    
    tlsConfig := &tls.Config{
        Certificates: []tls.Certificate{serverCert},
        ClientAuth:   tls.RequireAndVerifyClientCert,
        ClientCAs:    caCertPool,
        MinVersion:   tls.VersionTLS12,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
        },
    }
    
    return &http.Server{
        Addr:      ":8443",
        TLSConfig: tlsConfig,
    }
}

func setupMTLSClient() *http.Client {
    clientCert, err := tls.LoadX509KeyPair("client.crt", "client.key")
    if err != nil {
        panic(err)
    }
    
    caCert, err := ioutil.ReadFile("ca.crt")
    if err != nil {
        panic(err)
    }
    
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)
    
    tlsConfig := &tls.Config{
        Certificates: []tls.Certificate{clientCert},
        RootCAs:      caCertPool,
        MinVersion:   tls.VersionTLS12,
    }
    
    return &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: tlsConfig,
        },
    }
}

Certificate Lifecycle Management

The biggest operational challenge with mTLS is certificate management at scale. Consider these automation strategies:

Automated Certificate Provisioning:

# cert-manager Kubernetes integration
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: service-a-cert
  namespace: production
spec:
  secretName: service-a-tls
  issuerRef:
    name: internal-ca-issuer
    kind: ClusterIssuer
  commonName: service-a.production.svc.cluster.local
  dnsNames:
  - service-a.production.svc.cluster.local
  duration: 720h # 30 days
  renewBefore: 240h # Renew 10 days before expiry

Certificate Rotation Strategy:

• Implement overlapping validity periods (old and new certificates valid simultaneously)

• Use certificate serial numbers or thumbprints for cache invalidation

• Monitor certificate expiry across all services with alerting

mTLS Performance Considerations

mTLS introduces latency overhead, particularly during the initial handshake:

Typical mTLS Handshake Overhead:
- Additional RTT for certificate exchange: 1-2ms
- Certificate validation: 0.5-1ms  
- Cryptographic operations: 0.1-0.5ms
Total: ~2-4ms per new connection

Mitigation strategies include:

• Connection pooling to amortise handshake costs

• Session resumption using TLS session tickets

• Certificate caching to avoid repeated validation

• Hardware acceleration for cryptographic operations

When to Choose mTLS

Ideal scenarios:

• High-security environments (financial services, healthcare)

• Compliance requirements mandating cryptographic authentication

• Services with predictable, long-lived connections

• Infrastructure you fully control (no third-party dependencies)

Avoid mTLS when:

• Rapid service deployment cycles make certificate management burdensome

• Performance requirements are extremely stringent

• Third-party services don’t support client certificates

• Development teams lack PKI expertise

Service Mesh Identity: Infrastructure-Managed Security

Service meshes abstract away the complexity of mTLS by handling certificate provisioning, rotation, and policy enforcement at the infrastructure layer. Popular implementations include Istio, Linkerd, and Consul Connect.

SPIFFE/SPIRE Identity Framework

Most service meshes implement the SPIFFE (Secure Production Identity Framework for Everyone) specification:

# SPIFFE Identity Document (SVID)
{
  "sub": "spiffe://example.com/payment-service",
  "aud": ["spiffe://example.com/api-gateway"],
  "exp": 1640995200,
  "iat": 1640908800,
  "spiffe_id": "spiffe://example.com/payment-service",
  "workload_selectors": {
    "k8s:deployment": "payment-service",
    "k8s:namespace": "production"
  }
}

Istio Service Mesh Implementation

Here’s how Istio handles service identity and mTLS:

# Automatic mTLS enforcement
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
---
# Fine-grained authorization policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payment-service-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: payment-service
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/api-gateway"]
  - to:
    - operation:
        methods: ["POST"]
        paths: ["/payments/*"]
    when:
    - key: request.headers[user-role]
      values: ["admin", "payment-processor"]

Sidecar Proxy Architecture

Service meshes deploy sidecar proxies (typically Envoy) alongside each service:

┌─────────────────┐    ┌─────────────────┐
│   Service A     │    │   Service B     │
│                 │    │                 │
│ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │ App Process │ │    │ │ App Process │ │
│ └─────────────┘ │    │ └─────────────┘ │
│ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │Envoy Sidecar│◄┼────┼►│Envoy Sidecar│ │
│ └─────────────┘ │    │ └─────────────┘ │
└─────────────────┘    └─────────────────┘
        │                        │
        └────── mTLS Tunnel ──────┘

The sidecar handles:

• Certificate management: Automatic provisioning and rotation

• Traffic interception: Transparent proxy for all network communications

• Policy enforcement: Authorization rules and traffic routing

• Observability: Metrics, tracing, and access logs

Service Mesh Performance Impact

Sidecar proxies introduce resource overhead:

Typical Resource Overhead:
- Memory: 50-100MB per sidecar
- CPU: 0.1-0.2 cores per sidecar
- Network latency: 0.5-2ms additional hop
- Throughput impact: 5-15% reduction

Optimisation strategies:

• Resource limits tuned to workload requirements

• Proxy configuration optimised for specific traffic patterns

• Selective deployment only for services requiring mesh features

• Hardware acceleration for cryptographic operations

Service Mesh Decision Matrix

Choose service mesh when:

• Operating at significant scale (50+ services)

• Requiring consistent security policies across services

• Teams lack deep networking/security expertise

• Compliance requires comprehensive audit trails

• Need advanced traffic management (canary deployments, circuit breaking)

Avoid service mesh when:

• Simple architectures with few services

• Extremely latency-sensitive applications

• Limited operational resources for mesh management

• Services primarily communicate with external systems

Token Relay Pattern: Propagating User Context

Token relay patterns maintain user context across service boundaries by forwarding authentication tokens through the service call chain. This approach combines service authentication with user authorisation.

JWT-Based Implementation

// API Gateway - Initial token validation and relay
const jwt = require('jsonwebtoken');
const axios = require('axios');

class APIGateway {
    async authenticateAndRelay(req, res) {
        try {
            // Validate incoming JWT
            const token = req.headers.authorization?.replace('Bearer ', '');
            const decoded = jwt.verify(token, process.env.JWT_SECRET);
            
            // Enrich token with service-specific claims
            const serviceToken = jwt.sign({
                ...decoded,
                iss: 'api-gateway',
                aud: 'internal-services',
                service_chain: ['api-gateway'],
                request_id: req.headers['x-request-id']
            }, process.env.SERVICE_JWT_SECRET, {
                expiresIn: '5m' // Short-lived for internal use
            });
            
            // Forward to downstream service
            const response = await axios.post(
                'https://payment-service/process',
                req.body,
                {
                    headers: {
                        'Authorization': `Bearer ${serviceToken}`,
                        'X-Original-Token': token,
                        'X-Request-ID': req.headers['x-request-id']
                    }
                }
            );
            
            res.json(response.data);
        } catch (error) {
            res.status(401).json({ error: 'Authentication failed' });
        }
    }
}

Service-to-Service Token Validation

package main

import (
    "context"
    "fmt"
    "net/http"
    "strings"
    "time"
    
    "github.com/golang-jwt/jwt/v4"
)

type ServiceClaims struct {
    UserID       string   `json:"user_id"`
    Roles        []string `json:"roles"`
    ServiceChain []string `json:"service_chain"`
    RequestID    string   `json:"request_id"`
    jwt.RegisteredClaims
}

func validateServiceToken(tokenString string) (*ServiceClaims, error) {
    token, err := jwt.ParseWithClaims(tokenString, &ServiceClaims{}, func(token *jwt.Token) (interface{}, error) {
        if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
            return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
        }
        return []byte(os.Getenv("SERVICE_JWT_SECRET")), nil
    })
    
    if err != nil {
        return nil, err
    }
    
    if claims, ok := token.Claims.(*ServiceClaims); ok && token.Valid {
        // Validate audience and issuer
        if !claims.VerifyAudience("internal-services", true) {
            return nil, fmt.Errorf("invalid audience")
        }
        
        // Check service chain for loop detection
        if contains(claims.ServiceChain, "payment-service") {
            return nil, fmt.Errorf("circular service call detected")
        }
        
        return claims, nil
    }
    
    return nil, fmt.Errorf("invalid token")
}

func authMiddleware(next http.HandlerFunc) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        authHeader := r.Header.Get("Authorization")
        if authHeader == "" {
            http.Error(w, "Missing authorization header", http.StatusUnauthorized)
            return
        }
        
        tokenString := strings.TrimPrefix(authHeader, "Bearer ")
        claims, err := validateServiceToken(tokenString)
        if err != nil {
            http.Error(w, "Invalid token: "+err.Error(), http.StatusUnauthorized)
            return
        }
        
        // Add claims to request context
        ctx := context.WithValue(r.Context(), "claims", claims)
        next.ServeHTTP(w, r.WithContext(ctx))
    }
}

Token Security Considerations

Token Scoping: Implement different token types for different contexts:

{
  "user_token": {
    "sub": "user123",
    "aud": ["web-app"],
    "scope": "read:profile write:profile",
    "exp": 3600
  },
  "service_token": {
    "sub": "service:api-gateway", 
    "aud": ["internal-services"],
    "scope": "service:call",
    "exp": 300,
    "service_chain": ["api-gateway"]
  }
}

Token Refresh Strategy: Implement sliding window refresh for long-running operations:

class TokenManager:
    def __init__(self, refresh_threshold=300):  # 5 minutes
        self.refresh_threshold = refresh_threshold
        
    async def get_valid_token(self, current_token):
        try:
            payload = jwt.decode(current_token, verify=False)
            exp = payload.get('exp', 0)
            
            # Refresh if token expires within threshold
            if exp - time.time() < self.refresh_threshold:
                return await self.refresh_token(current_token)
                
            return current_token
        except:
            # Token invalid, request new one
            return await self.authenticate()

Token Relay Performance Optimization

Token Caching Strategy:

import redis
from datetime import timedelta

class TokenCache:
    def __init__(self):
        self.redis_client = redis.Redis(host='localhost', port=6379, db=0)
        
    def cache_token(self, user_id, token, expiry):
        # Cache with 90% of actual expiry to ensure validity
        cache_expiry = int(expiry * 0.9)
        self.redis_client.setex(
            f"token:{user_id}", 
            cache_expiry, 
            token
        )
        
    def get_cached_token(self, user_id):
        cached_token = self.redis_client.get(f"token:{user_id}")
        if cached_token:
            # Validate token is still usable
            if self.validate_token_locally(cached_token):
                return cached_token.decode('utf-8')
        return None

When to Use Token Relay

Ideal scenarios:

• Need to maintain user context across service boundaries

• Implementing fine-grained, user-specific authorization

• Services require different permissions based on user roles

• Audit trails must track user actions across services

Avoid token relay when:

• Service-to-service calls don’t require user context

• Extremely high-throughput scenarios where token overhead matters

• Services are purely internal with no user-facing authorization requirements

Hybrid Approaches and Decision Framework

Real-world systems often combine multiple patterns. Consider this hybrid architecture:

Internet → [API Gateway] → [Service Mesh] → [Internal Services]
           ↓               ↓                 ↓
       JWT Validation   mTLS + Identity    Token + mTLS
       Token Relay      Service Policies   Authorization

Decision Matrix

Implementation Roadmap

Phase 1: Foundation (Months 1–2)

• Implement token relay for user-facing services

• Establish certificate authority for internal services

• Deploy basic mTLS between critical services

Phase 2: Scale (Months 3–4)

• Evaluate service mesh for complex deployments

• Implement automated certificate management

• Add comprehensive monitoring and alerting

Phase 3: Optimization (Months 5–6)

• Fine-tune performance based on production metrics

• Implement advanced authorization policies

• Establish security incident response procedures

Monitoring and Observability

Effective monitoring is crucial for service identity systems:

# Key metrics to track
authentication_requests_total: 
  - Counter of authentication attempts by service, method, result
  
authentication_duration_seconds:
  - Histogram of authentication latency by method
  
certificate_expiry_days:
  - Gauge of days until certificate expiry by service
  
token_validation_errors_total:
  - Counter of token validation failures by error type
  
service_mesh_connection_failures_total:  
  - Counter of mTLS connection failures by source/destination

TLDR;

Service-to-service authentication in microservices requires careful consideration of security requirements, operational complexity, and performance constraints. mTLS provides the strongest cryptographic guarantees but demands sophisticated certificate management. Service meshes simplify operations while introducing infrastructure complexity. Token relay patterns excel at maintaining user context but require careful token lifecycle management.

The most successful implementations combine multiple patterns strategically: using service meshes for infrastructure security, token relay for user context, and selective mTLS for high-security communications. Start with simpler approaches and evolve toward more sophisticated patterns as your architecture and operational capabilities mature.

Remember that security is not a one-time implementation but an ongoing process. Regular security reviews, certificate rotation, policy updates, and incident response procedures are essential for maintaining secure service-to-service communication at scale.

Passwords are fundamentally broken. They’re weak, reused, stolen, and forgotten — yet they remain the backbone of authentication for most applications. The average user juggles over 100 password-protected accounts, leading to predictable behaviours: simple passwords, password reuse, and storage in insecure locations.

Passwordless authentication promises to solve these problems whilst improving user experience. But implementing passwordless systems requires careful consideration of security trade-offs, user experience design, and technical complexity. This guide explores three primary passwordless approaches: WebAuthn, magic links, and biometric authentication.

The Password Problem: Why Change Matters

Traditional password-based authentication faces several insurmountable challenges:

Security vulnerabilities plague password systems. Data breaches expose billions of credentials annually, and users’ tendency to reuse passwords amplifies the impact. Credential stuffing attacks succeed because users employ the same password across multiple services.

Usability friction drives poor security practices. Complex password requirements lead users to append numbers or symbols to familiar passwords rather than creating truly random credentials. Password reset flows interrupt user journeys and create support overhead.

Maintenance overhead burdens both users and organisations. Password policies require enforcement, storage demands secure hashing, and forgotten passwords generate support tickets.

WebAuthn: The Standards-Based Approach

Web Authentication (WebAuthn) represents the most robust passwordless solution, providing cryptographic security through public key authentication. Users register authenticators — hardware tokens, platform authenticators, or mobile devices — that generate cryptographic key pairs.

WebAuthn Architecture

WebAuthn operates through a challenge-response protocol between three entities:

• Relying Party (RP): Your web application

• Client: The user’s browser or mobile app

• Authenticator: Hardware token, phone, or built-in biometrics

// Registration flow
async function registerWebAuthn(username) {
    const publicKeyCredentialCreationOptions = {
        challenge: new Uint8Array(32), // Server-generated random bytes
        rp: {
            name: "Your App",
            id: "yourapp.co.uk",
        },
        user: {
            id: new TextEncoder().encode(username),
            name: username,
            displayName: username,
        },
        pubKeyCredParams: [{alg: -7, type: "public-key"}], // ES256
        authenticatorSelection: {
            authenticatorAttachment: "cross-platform", // Allow external authenticators
            userVerification: "preferred"
        },
        timeout: 60000,
        attestation: "direct"
    };

    const credential = await navigator.credentials.create({
        publicKey: publicKeyCredentialCreationOptions
    });
    
    // Send credential to server for verification and storage
    return await fetch('/webauthn/register', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
            id: credential.id,
            rawId: Array.from(new Uint8Array(credential.rawId)),
            response: {
                attestationObject: Array.from(new Uint8Array(credential.response.attestationObject)),
                clientDataJSON: Array.from(new Uint8Array(credential.response.clientDataJSON))
            }
        })
    });
}

Server-Side WebAuthn Implementation

The server must validate registrations and authentication attempts whilst storing public keys securely:

from webauthn import generate_registration_options, verify_registration_response
from webauthn.helpers import structs

class WebAuthnManager:
    def __init__(self, rp_id, rp_name, origin):
        self.rp_id = rp_id
        self.rp_name = rp_name  
        self.origin = origin
        
    def generate_registration_challenge(self, user_id, username):
        options = generate_registration_options(
            rp_id=self.rp_id,
            rp_name=self.rp_name,
            user_id=user_id.encode(),
            user_name=username,
            user_display_name=username
        )
        
        # Store challenge in session or database
        session['challenge'] = options.challenge
        return options
        
    def verify_registration(self, credential_data, expected_challenge):
        verification = verify_registration_response(
            credential=credential_data,
            expected_challenge=expected_challenge,
            expected_origin=self.origin,
            expected_rp_id=self.rp_id
        )
        
        if verification.verified:
            # Store credential public key and metadata
            self.store_credential(
                credential_id=verification.credential_id,
                public_key=verification.credential_public_key,
                sign_count=verification.sign_count
            )
            
        return verification.verified

WebAuthn User Experience Considerations

Progressive enhancement works best for WebAuthn adoption. Implement it as an optional enhancement rather than a replacement, allowing users to choose their preferred authentication method.

Clear communication helps users understand the process. Terms like “passkey” or “security key” resonate better than technical jargon. Provide visual guidance for hardware token interactions and biometric prompts.

Fallback mechanisms remain essential. Network issues, device incompatibility, or lost authenticators require alternative authentication paths.

Magic Links: Simplicity with Trade-offs

Magic links deliver passwordless authentication through email-based tokens. Users request access, receive a unique link via email, and clicking the link authenticates them. This approach eliminates passwords whilst leveraging existing email infrastructure.

Magic Link Implementation

import secrets
import jwt
from datetime import datetime, timedelta

class MagicLinkManager:
    def __init__(self, secret_key, email_service):
        self.secret_key = secret_key
        self.email_service = email_service
        
    def generate_magic_link(self, email, redirect_url=None):
        # Generate cryptographically secure token
        token_data = {
            'email': email,
            'iat': datetime.utcnow(),
            'exp': datetime.utcnow() + timedelta(minutes=15),
            'purpose': 'authentication',
            'nonce': secrets.token_hex(16)  # Prevent token reuse
        }
        
        token = jwt.encode(token_data, self.secret_key, algorithm='HS256')
        magic_link = f"https://yourapp.co.uk/auth/verify?token={token}"
        
        if redirect_url:
            magic_link += f"&redirect={redirect_url}"
            
        return magic_link
        
    def send_magic_link(self, email):
        if not self.is_valid_email(email):
            raise ValueError("Invalid email address")
            
        # Rate limiting to prevent abuse
        if self.is_rate_limited(email):
            raise RateLimitError("Too many requests")
            
        magic_link = self.generate_magic_link(email)
        
        self.email_service.send_email(
            to=email,
            subject="Sign in to Your App",
            template="magic_link",
            context={'magic_link': magic_link}
        )
        
    def verify_magic_link(self, token):
        try:
            payload = jwt.decode(token, self.secret_key, algorithms=['HS256'])
            
            # Check if token has been used (implement token blacklist)
            if self.is_token_used(payload['nonce']):
                raise ValueError("Token already used")
                
            # Mark token as used
            self.mark_token_used(payload['nonce'])
            
            return payload['email']
            
        except jwt.ExpiredSignatureError:
            raise ValueError("Token expired")
        except jwt.InvalidTokenError:
            raise ValueError("Invalid token")

Magic Link Security Considerations

Email security becomes critical in magic link systems. Email interception, forwarding rules, and shared inboxes can compromise authentication. Consider implementing additional verification for sensitive operations.

Token lifecycle management prevents replay attacks. Single-use tokens with short expiration windows (5–15 minutes) limit exposure. Implement token revocation for active sessions when new magic links are requested.

Rate limiting prevents abuse whilst maintaining usability. Allow 3–5 requests per hour per email address, with exponential backoff for repeated requests.

Biometric Authentication: Platform Integration

Biometric authentication leverages device capabilities — fingerprints, face recognition, or voice patterns — for user verification. This approach provides excellent user experience on supported devices whilst maintaining strong security.

Platform-Specific Implementation

// iOS/Safari Touch ID/Face ID integration
async function authenticateWithBiometrics() {
    if (!window.PublicKeyCredential) {
        throw new Error('WebAuthn not supported');
    }
    
    // Check for platform authenticator
    const available = await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
    if (!available) {
        throw new Error('Biometric authentication not available');
    }
    
    const publicKeyCredentialRequestOptions = {
        challenge: new Uint8Array(32),
        allowCredentials: [{
            id: stored_credential_id,
            type: 'public-key',
            transports: ['internal']
        }],
        userVerification: 'required',
        timeout: 30000
    };
    
    const assertion = await navigator.credentials.get({
        publicKey: publicKeyCredentialRequestOptions
    });
    
    return assertion;
}

// Android biometric prompt integration
function initAndroidBiometrics() {
    if ('credentials' in navigator) {
        // Use WebAuthn with platform authenticator
        return authenticateWithBiometrics();
    } else if (window.Android && window.Android.showBiometricPrompt) {
        // Fallback to native Android integration
        return new Promise((resolve, reject) => {
            window.Android.showBiometricPrompt(
                'Authenticate to continue',
                resolve,
                reject
            );
        });
    }
    
    throw new Error('Biometric authentication not available');
}

Biometric UX Best Practices

Graceful degradation handles device limitations. Not all devices support biometrics, and users may disable these features for privacy reasons. Provide alternative authentication methods without friction.

Clear privacy communication addresses user concerns about biometric data. Emphasise that biometric templates remain on-device and aren’t transmitted to servers. Local processing and cryptographic signatures maintain privacy.

Accessibility considerations ensure inclusive design. Some users cannot use certain biometric modalities due to physical limitations. Multiple biometric options and alternative authentication methods maintain accessibility.

Implementation Strategy: Progressive Rollout

Phase 1: Foundation

Start with magic links as the simplest passwordless option. This requires minimal client-side complexity whilst providing immediate user experience improvements. Implement robust email security and rate limiting.

Phase 2: Enhanced Security

Add WebAuthn support for security-conscious users. Begin with optional enrollment, allowing users to register security keys or platform authenticators alongside existing authentication methods.

Phase 3: Biometric Integration

Integrate platform-specific biometric authentication where available. Focus on mobile applications first, as mobile biometric adoption exceeds desktop usage.

Security Considerations Across Methods

Account recovery becomes more complex in passwordless systems. Users may lose devices, change email addresses, or disable biometrics. Implement secure account recovery flows that balance security with usability.

Session management requires careful consideration. Passwordless authentication often provides stronger initial authentication, but session security remains important. Implement appropriate session timeouts and reauthentication for sensitive operations.

Monitoring and anomaly detection help identify potential security issues. Track authentication patterns, device changes, and geographic anomalies. Unusual authentication attempts may indicate compromise.

User Experience Design Principles

Contextual prompts improve adoption rates. Introduce passwordless options after users experience password friction — failed login attempts or password reset flows create natural opportunities.

Clear value proposition helps users understand benefits. Emphasise convenience, security, and time savings rather than technical implementation details.

Seamless fallbacks maintain user trust. When passwordless methods fail, provide clear paths to alternative authentication without abandoning the user journey.

Measuring Success

Track key metrics to evaluate passwordless implementation effectiveness:

• Authentication success rates: Compare completion rates across methods

• Time to authenticate: Measure user journey duration

• Support ticket volume: Monitor authentication-related support requests

• User adoption: Track voluntary enrollment in passwordless methods

• Security incidents: Monitor authentication-related security events

Looking Forward

Passwordless authentication adoption continues accelerating. Apple’s Passkeys initiative, Google’s WebAuthn implementation, and Microsoft’s Windows Hello drive consumer familiarity. Enterprise adoption follows consumer trends, making now an ideal time to implement passwordless systems.

The future points towards seamless, contextual authentication that adapts to user behaviour and risk profiles. Combining multiple passwordless methods with adaptive risk assessment creates robust, user-friendly authentication systems.

The transition to passwordless authentication isn’t just a technical upgrade — it’s a fundamental improvement in how users interact with digital systems. By eliminating passwords, we remove a significant source of security vulnerabilities whilst creating more intuitive, accessible authentication experiences.

The transformation of Identity and Access Management (IAM) from a simple authentication mechanism to the central nervous system of modern security represents one of the most profound shifts in cybersecurity history. As organizations grapple with dissolved network perimeters, exponential growth in machine identities, and the double-edged sword of artificial intelligence, IAM has evolved beyond its traditional boundaries to become inseparable from governance, risk management, and business strategy itself.

This convergence is not merely technological—it reflects a fundamental reimagining of trust in the digital age. Where once we trusted locations and networks, we now must verify every identity, every transaction, and every moment. The emergence of AI systems that can make thousands of decisions per second while exhibiting unpredictable behaviors challenges our very conception of access control. Meanwhile, regulatory frameworks struggle to keep pace, creating a complex landscape where security leaders must balance innovation with compliance, automation with control, and accessibility with zero trust principles.

The stakes could not be higher. Identity-related breaches now account for 79% of security incidents, while non-human identities outnumber human ones by ratios exceeding 40:1. Organizations that master this new identity fabric will thrive in the AI-accelerated economy; those that fail to adapt face not just security breaches but existential threats to their ability to operate in an increasingly regulated, automated world.

The Dissolution of the Perimeter and the Ascent of Identity

The death of the network perimeter wasn't sudden—it was a gradual dissolution that accelerated into an avalanche. Traditional security operated like a medieval castle, with thick walls separating the trusted interior from the hostile outside world. This model worked when organizations controlled their infrastructure, applications lived in data centers, and employees worked from offices. But the digital transformation shattered these assumptions so thoroughly that the entire foundation of enterprise security had to be reconsidered.

Cloud adoption served as the primary catalyst, with 94% of enterprises now operating in multi-cloud environments where data and applications exist far beyond any controllable perimeter. The pandemic-driven shift to remote work merely accelerated what was already inevitable: the complete untethering of productivity from location. When employees access corporate resources from coffee shops, contractors connect from different continents, and applications communicate across multiple cloud providers, the very concept of an "inside" and "outside" becomes meaningless. In this new reality, identity emerges not as a replacement for the perimeter but as the only consistent element in an otherwise fluid architecture.

This transformation required new technological foundations. The evolution from LDAP's centralized directories through SAML's federated authentication to OAuth and OpenID Connect's API-driven world tells the story of increasing complexity and sophistication. Each standard addressed the limitations of its predecessors while enabling new possibilities. Modern cloud-native IAM platforms have capitalized on these standards to deliver remarkable improvements: organizations report 67.4% fewer identity-related incidents and 41.8% lower operational overhead after migration. But perhaps most tellingly, the time to onboard new applications has dropped from nearly a month to less than a week, demonstrating that proper identity architecture accelerates rather than impedes business velocity.

The Convergence of IAM and GRC

The integration of Identity and Access Management with Governance, Risk, and Compliance represents a maturation of organizational thinking about security. No longer can these disciplines operate in silos—they have become so intertwined that attempting to separate them creates dangerous gaps and inefficiencies. This convergence reflects a deeper truth: in a world where identity is the primary security control, managing identities IS governance, and governing access IS risk management.

Modern IAM platforms have evolved to encompass both operational access management—the real-time authentication, authorization, and session management that enables daily work—and strategic identity governance—the policy definition, access certification, and compliance reporting that ensures appropriate oversight. This dual nature transforms IAM from a technical utility into a business-critical platform that directly supports regulatory compliance, risk reduction, and operational efficiency. The shift from periodic access reviews to continuous compliance monitoring exemplifies this evolution, as organizations can now detect and remediate inappropriate access in real-time rather than discovering problems months later during audits.

The regulatory landscape has become increasingly prescriptive about identity and access controls. The SEC's cybersecurity disclosure rule requires public companies to report material incidents within four business days, making rapid detection and response essential. The EU AI Act introduces entirely new categories of compliance requirements for organizations deploying AI systems, with potential fines reaching 7% of global revenue. GDPR, CCPA, HIPAA, SOX, and PCI-DSS each bring specific mandates around access control, audit trails, and data governance. Policy-as-code has emerged as the only scalable approach to managing this complexity, enabling organizations to codify compliance requirements directly into their IAM systems and automatically generate evidence for auditors.

Zero Trust Architecture Implementation

Zero Trust represents a philosophical revolution in security thinking, rejecting the fundamental assumption that anything should be trusted by default. The principle of "never trust, always verify" sounds simple but implementing it requires a complete reimagining of enterprise architecture. Every user, device, application, and network flow must be treated as potentially hostile until proven otherwise—not just once at login, but continuously throughout every session.

The three pillars of Zero Trust work synergistically to create defense in depth. Explicit verification goes beyond simple authentication to evaluate multiple contextual factors: who is requesting access, from what device, at what location, exhibiting what behavior patterns, to access what resource, for what stated purpose? This multidimensional analysis enables nuanced decisions that balance security with usability. Least privilege access ensures that even verified entities receive only the minimum permissions required for their immediate task, while temporal controls ensure these permissions expire automatically. The assumption of breach drives architectural decisions toward resilience: when attackers inevitably gain some level of access, microsegmentation and encryption limit their ability to move laterally or exfiltrate data.

The NIST Zero Trust Architecture provides a conceptual framework rather than a prescriptive implementation, recognizing that each organization's journey will be unique. The Policy Engine serves as the brain, continuously evaluating requests against policies and real-time threat intelligence. The Policy Administrator acts as the nervous system, communicating decisions throughout the infrastructure. Policy Enforcement Points serve as the muscles, actually granting or denying access at each resource. But the real challenge lies not in deploying these components but in feeding them the continuous stream of contextual data required for intelligent decisions. Success requires breaking down silos between identity, network, endpoint, and application security to create a unified fabric of observable, controllable, and auditable access decisions.

Enterprise vs SME Strategies

The divergent paths of large enterprises and small-to-medium businesses in IAM implementation reflect not just differences in resources but fundamental differences in complexity, risk tolerance, and operational requirements. Understanding these differences is crucial for vendors, consultants, and security leaders who must navigate both worlds.

Large enterprises face staggering complexity: hundreds of thousands of identities spread across legacy systems, cloud platforms, and SaaS applications, often complicated by mergers and acquisitions that create identity silos. Their regulatory obligations span multiple jurisdictions and frameworks, requiring sophisticated governance capabilities. These organizations typically invest in comprehensive Identity Governance and Administration (IGA) platforms from vendors like SailPoint, Saviynt, or Oracle, which provide the deep functionality required for role mining, separation of duties enforcement, and complex approval workflows. The focus is on centralized governance with federated execution—maintaining consistent policies while allowing business units flexibility in implementation.

Small and medium enterprises operate under different constraints but face many of the same risks. With limited budgets and IT staff who wear multiple hats, SMEs cannot afford the complexity and overhead of enterprise IGA platforms. Cloud-native Identity-as-a-Service (IDaaS) solutions from vendors like Okta, JumpCloud, or OneLogin provide these organizations with enterprise-grade capabilities in a consumable package. The emphasis shifts from customization to standardization, from on-premises control to cloud-based simplicity. Yet this creates a dangerous governance gap: as SMEs adopt sophisticated technologies like multi-cloud infrastructure and AI tools, they face enterprise-level identity risks without enterprise-grade governance capabilities. The market desperately needs a new category of "IGA-lite" solutions that provide automated, AI-driven governance without the cost and complexity of traditional platforms.

The Non-Human Identity Crisis

The explosion of non-human identities represents perhaps the most underappreciated security challenge facing modern organizations. While security teams have spent decades refining controls for human users, the proliferation of service accounts, API keys, OAuth tokens, and AI agents has created a vast, largely ungoverned attack surface. These machine identities now outnumber human identities by ratios of 40:1 or higher, and unlike human identities that remain relatively stable, machine identities multiply exponentially with every new microservice, automation workflow, or AI deployment.

The risks are not theoretical. The 2023 discovery of 12.8 million exposed secrets on GitHub alone demonstrates the scale of the problem. Non-human identities suffer from unique vulnerabilities: they're often created ad-hoc by developers seeking to solve immediate problems, lack clear ownership or lifecycle management, rely on static credentials that may be hardcoded in source code, and receive excessive permissions to avoid potential disruptions. Traditional security controls like multi-factor authentication and behavioral analytics, designed for human users, simply don't apply to entities that never sleep, never change their behavior, and can operate from multiple locations simultaneously.

Securing this explosion requires a fundamental shift in thinking. Organizations must treat non-human identities as first-class citizens in their IAM programs, subject to the same governance, monitoring, and lifecycle management as human users. This means implementing continuous discovery to find shadow service accounts, assigning clear ownership with accountability for each identity's existence and permissions, enforcing least privilege with the same rigor applied to human users, automating the entire lifecycle from provisioning to deprovisioning, modernizing credential management with dynamic secrets and automated rotation, and integrating machine identity governance into central IAM platforms rather than treating it as a separate problem. The organizations that master non-human identity governance will have a significant security advantage; those that ignore it face inevitable compromise.

The AI Paradox

Artificial Intelligence presents the ultimate paradox for security teams: it is simultaneously the most powerful tool for enhancing security and the most challenging threat to traditional security models. This duality creates a complex landscape where security leaders must harness AI's capabilities while defending against its risks, often within the same systems and sometimes within the same transactions.

On the positive side, AI transforms security operations from reactive to predictive. Machine learning models can analyze vast datasets to identify subtle anomalies that would escape human analysts, enabling detection of zero-day attacks and insider threats. Behavioral analytics continuously evaluate user actions against established baselines, triggering adaptive authentication when anomalies arise. Security Orchestration, Automation, and Response (SOAR) platforms use AI to coordinate responses across multiple tools, reducing response times from hours to seconds. AI even enhances governance through automated role mining and access optimization, helping organizations achieve least privilege at scale.

Yet AI simultaneously undermines traditional security assumptions. Data poisoning attacks can corrupt training datasets, causing models to make incorrect decisions that attackers can later exploit. Adversarial inputs can trick production models into misclassifications, potentially granting unauthorized access. The vast data requirements of AI systems pressure organizations to break down silos and grant broad access, directly conflicting with least privilege principles. The black-box nature of many AI models makes it impossible to audit or explain their decisions, complicating compliance and forensics. Most fundamentally, AI shifts security from deterministic to probabilistic models: instead of binary allow/deny decisions based on clear rules, we now have risk scores and confidence intervals that must be interpreted and acted upon. This recursive challenge—using AI to govern AI while ensuring the governance AI itself remains trustworthy—represents one of the most complex problems in modern security.

Reconciling AI with Zero Trust

The collision between AI's operational requirements and Zero Trust's security principles creates friction that threatens to derail digital transformation initiatives. AI systems need broad data access to learn effectively, but Zero Trust demands minimal privileges. Automation requires speed, but Just-in-Time access introduces friction. AI behavior is often non-deterministic and unpredictable, but Zero Trust requires explicit verification of known patterns. Resolving these conflicts requires evolving our security models to accommodate a new class of intelligent, autonomous entities that don't fit traditional identity categories.

The path forward requires adaptive, context-aware governance that can distinguish between different types of AI activities. A machine learning model training on anonymized historical data presents different risks than a production AI agent accessing live customer information. Policies must become dynamic, adjusting based on the AI system's purpose, behavior patterns, and risk profile. This necessitates using AI to govern AI—deploying machine learning within Policy Engines to evaluate and respond to requests from other AI systems at machine speed. It's an arms race of sorts, but one where both sides work for the same organization.

Technical solutions include provisioning AI agents with strong cryptographic identities through frameworks like SPIFFE, enabling verification without relying on static credentials. Data-centric security controls become paramount, with classification, encryption, and loss prevention applied at the data level rather than just at access points. The future points toward multi-modal Zero Trust architectures with distinct policy sets for different identity classes: traditional rules for human users, streamlined policies for simple service accounts, and adaptive, AI-driven policies for autonomous agents. This isn't just an evolution of Zero Trust—it's a fundamental reimagining of how we establish and maintain trust in an era of machine intelligence.

Strategic Recommendations

Building a resilient IAM program for the AI era requires both immediate tactical actions and long-term strategic transformation. Organizations must move beyond viewing these as technical projects to recognize them as fundamental business enablers that determine competitive advantage in an increasingly automated economy.

In the immediate term, organizations must gain visibility into their complete identity landscape. This means discovering not just user accounts but every service account, API key, and automated process that has access to resources. Implementing phishing-resistant multi-factor authentication for all privileged accounts is no longer optional—it's the minimum bar for credibility. Audit logs must be immutable and tamper-evident, capable of supporting both security investigations and regulatory inquiries. Most urgently, organizations need AI-specific access controls that recognize the unique requirements and risks of these systems.

The medium-term focus shifts to eliminating standing privileges through Just-in-Time access controls, particularly for administrative accounts where the risk is highest. Policy-as-code initiatives should codify compliance requirements directly into IAM systems, enabling automatic enforcement and evidence generation. Organizations must deploy AI governance frameworks that can manage the lifecycle of AI systems from development through decommissioning, including specialized gateways that can inspect and control AI behavior. This period also demands serious investment in DevSecOps practices that embed security into development workflows, making the secure path the easiest path for developers.

Long-term transformation aims to create a unified identity fabric spanning all environments—cloud, on-premises, SaaS, and edge. Access decisions must become truly risk-adaptive, continuously adjusting based on real-time signals rather than static rules. Organizations should align their AI deployments with emerging frameworks like ISO 42001 or the NIST AI Risk Management Framework, not just for compliance but as a competitive differentiator. The ultimate goal is a multi-modal Zero Trust architecture sophisticated enough to handle the full spectrum of identities from humans to simple services to autonomous AI agents, each with appropriate governance models.

Forward View

The journey from network perimeters to identity fabrics, from static access controls to adaptive Zero Trust, from human-centric IAM to AI-inclusive governance, represents more than technological evolution—it's a fundamental reimagining of digital trust. Organizations standing at this crossroads face choices that will determine their security posture, regulatory compliance, and competitive position for years to come.

Success requires more than deploying new technologies or updating policies. It demands a cultural transformation that breaks down silos between security, development, and business teams. It requires investment in new skills that bridge traditional security expertise with AI and automation knowledge. Most critically, it needs leadership that understands identity not as a technical detail but as the foundation upon which all digital business rests.

The organizations that master this complexity—that build adaptive, intelligent identity fabrics capable of governing humans and machines alike—will thrive in an AI-accelerated future. They will move faster while remaining secure, innovate freely while maintaining compliance, and harness automation while preserving control. Those that fail to evolve, that cling to outdated perimeter-based thinking or treat AI as just another user type, face not just increased breach risk but fundamental inability to compete in an automated economy.

The European Union Agency for Cybersecurity (ENISA) has officially launched the European Vulnerability Database (EUVD), representing a significant shift in the global vulnerability management landscape. This system offers both strategic opportunities and implementation challenges for organisations. Key takeaway: Don't view it as "yet another system to monitor" but as a strategic redundancy that strengthens your security posture while aligning with EU regulatory requirements.

Why This Matters Now

On 13 May 2025, ENISA officially launched the European Vulnerability Database (EUVD), a significant development in the EU's cybersecurity infrastructure. This system, mandated by the NIS2 Directive, represents Europe's move toward greater technological sovereignty in vulnerability management whilst maintaining coordination with existing global systems.

The timing couldn't be more critical. Just last month, the U.S. government nearly discontinued funding for MITRE's Common Vulnerabilities and Exposures (CVE) programme—a cornerstone of global vulnerability tracking for 25 years—before CISA intervened with last-minute emergency funding for 11 months. This near-miss exposed a dangerous dependency on single-nation infrastructure for critical cybersecurity functions.

ENISA began developing the EUVD in June 2024 and has been operating a limited-access beta version since early 2025. The system is now fully operational and publicly accessible.

What Technical Leaders Need to Know

The Architecture: More Than Just Another Database

The EUVD isn't merely duplicating existing systems but offers enhanced functionality through:

• Specialised dashboard views for critical vulnerabilities, actively exploited vulnerabilities, and EU-coordinated vulnerabilities

• Multi-source intelligence aggregation from open-source databases, national CSIRTs, vendor advisories, and exploitation data

• Near real-time updates rather than the delayed processing that has plagued other vulnerability databases

• Machine-readable security advisories through Common Security Advisory Framework (CSAF) support

Identification and Interoperability: Playing Nice with Others

The EUVD employs its own identification format (EUVD-year-designation) whilst maintaining interoperability with existing systems through:

• Cross-referencing with CVE IDs

• Supporting multiple vulnerability tracking systems

• Integration with open-source correlation tools

• Compatibility with global security standards

This hybrid approach demonstrates the EU's commitment to both sovereignty and collaboration—creating independence without isolation.

Strategic Implications for Your Organisation

1. Sovereignty and Resilience

The EUVD represents a strategic move toward European digital sovereignty. By establishing a complementary vulnerability tracking system, the EU reduces dependency on U.S.-controlled infrastructure whilst maintaining compatibility with global standards.

For multinational organisations, this signals a need to develop regionally-aware security strategies that acknowledge the growing diversification of cybersecurity infrastructure.

2. Operational Redundancy

The near-collapse of CVE funding demonstrated the risk of single-point failures in critical cybersecurity infrastructure. The EUVD provides valuable redundancy, ensuring continuity even if disruptions occur elsewhere.

This is particularly significant for organisations operating in regulated EU sectors where continuous vulnerability awareness is not just good practice but a compliance requirement.

3. Regulatory Alignment

The EUVD is directly connected to the EU's regulatory framework, specifically the NIS2 Directive and the Cyber Resilience Act (CRA). Organisations operating in EU jurisdictions should view EUVD integration as a component of regulatory compliance strategy, particularly those in critical infrastructure sectors.

Strengths vs Challenges: A Balanced Assessment

What Works Well

• Real-time updates: Unlike the U.S. National Vulnerability Database (NVD), which has experienced submission backlogs, the EUVD aims to provide near real-time updates

• Enhanced visualisation: Prioritisation of critical and exploited vulnerabilities with improved interfaces

• EU-specific focus: Special attention to vulnerabilities affecting European critical infrastructure

• Multinational sponsorship: Reduced political volatility compared to single-nation funded alternatives

Implementation Hurdles

• Maturity: As a new system, the EUVD will require time to reach full operational effectiveness

• Integration complexity: Organisations will need to incorporate another vulnerability tracking system into existing security operations

• Potential divergence: Despite commitment to interoperability, regional differences in vulnerability classification could emerge over time

Implementation Roadmap: From Strategy to Action

First 90 Days

1. Establish EUVD monitoring: Configure vulnerability management platforms to incorporate EUVD data feeds alongside existing CVE monitoring

2. Update security policies: Revise vulnerability management documentation to reference EUVD identifiers

3. Vendor assessment: Evaluate how security vendors and partners plan to integrate EUVD into their workflows

Medium-term Strategy (3-12 months)

1. Automation integration: Develop workflows that incorporate EUVD data for vulnerability prioritisation, particularly for EU-based assets

2. Training and awareness: Educate security teams on EUVD's structure and capabilities

3. Feedback participation: Contribute to ENISA's EUVD feedback programme to shape the platform's development

Long-term Positioning (12+ months)

1. Regional risk assessment: Develop region-specific vulnerability management approaches

2. Regulatory alignment: Position vulnerability management practices within the broader context of evolving EU cybersecurity regulations

3. Resilience planning: Design processes that remain effective regardless of potential disruptions to any single vulnerability tracking system

How EUVD Compares to Existing Systems

The Balanced Approach Forward

The European Vulnerability Database represents both a strategic opportunity and an operational challenge. While adding complexity to vulnerability management processes, it provides valuable redundancy and potentially enhanced visibility into critical vulnerabilities, particularly those affecting European assets.

The most prudent approach is neither over-reliance on EUVD nor dismissal of its significance, but rather thoughtful integration into existing security operations. Organisations should position themselves to benefit from multiple, complementary sources of vulnerability intelligence while maintaining efficiency in remediation workflows.

ENISA has explicitly stated that 2025 will be dedicated to further improving the EUVD based on stakeholder feedback. Technical decision makers should actively participate in this process to ensure the system evolves to meet organisational needs.

As the complexity and frequency of cyber attacks continue to escalate, traditional security methodologies such as point-in-time penetration testing are increasingly insufficient to address modern threats. The recent breaches at major UK retailers Harrods, Marks & Spencer, and Co-op illustrate that even organizations with substantial security investments remain vulnerable to sophisticated attacks. This article examines whether point-in-time security testing has become obsolete, evaluates the critical role of human-centric security ("the human firewall"), and assesses if we are approaching a paradigm shift in cybersecurity—possibly precipitated by a catastrophic "big one" event that would fundamentally alter security culture.

The Limitations of Point-in-Time Penetration Testing

Traditional penetration testing provides a valuable but inherently limited snapshot of an organization's security posture. As cyber threats evolve at unprecedented speeds, the fundamental limitations of this approach have become increasingly apparent:

Static Assessment in a Dynamic Threat Landscape

Point-in-time penetration testing represents a moment-in-time assessment of security vulnerabilities, but the cyber threat landscape is continuously evolving. As organizations build and improve their security postures, they often continue to rely on these periodic assessments despite their limitations. Security vulnerabilities can emerge at any moment between scheduled tests, leaving critical systems exposed for months until the next assessment cycle.

According to Security Scorecard, "Point-in-time IT security risk assessments can find vulnerabilities at a single moment, but they fail to monitor activity between the assessments. These assessments quickly go out of date and depending on the form, can be very subjective." Organizations often engage in "security theatre" before scheduled assessments, temporarily strengthening systems to meet compliance requirements rather than maintaining consistent security postures.

Delayed Response to Emerging Threats

The gap between traditional penetration test schedules creates dangerous windows of vulnerability. SynerComm highlights that "without continuous testing, your security posture can quickly become outdated, leaving your systems exposed to the latest attack vectors." This delay in identifying and addressing vulnerabilities provides ample opportunity for threat actors to exploit weaknesses.

The recent attacks on UK retailers underscore this risk. In April and May 2025, Marks & Spencer, Co-op, and Harrods all suffered significant cyber attacks within a short timeframe. M&S was particularly affected, with its online services disrupted for weeks and customer data compromised. According to Reuters, the company lost approximately £3.5 million in daily revenue and saw around £700 million wiped from its market value.

Incomplete Coverage

Traditional penetration testing typically focuses on specific systems or applications, potentially overlooking vulnerabilities in other parts of the organization's infrastructure. This siloed approach creates blind spots that sophisticated attackers can exploit, particularly in complex, interconnected environments.

The cyber attacks on M&S, Harrods, and Co-op demonstrate the complexity of modern threats. These attacks have been linked to a group called Scattered Spider (also known as Octo Tempest), which reportedly used the DragonForce ransomware on M&S's VMware ESXi hosts to encrypt virtual machines. Their methods included sophisticated social engineering techniques to convince IT help desks to reset passwords, highlighting how attackers exploit both technical vulnerabilities and human factors.

The Rise of Continuous Security Testing

As limitations of traditional penetration testing become more apparent, organizations are shifting toward continuous security approaches:

Continuous Penetration Testing

Continuous penetration testing represents an evolution of traditional methods, involving frequent and iterative testing to identify vulnerabilities as they emerge. According to Evolve Security, this approach "allows security teams to catch vulnerabilities as they arise and effectively seal gaps before they are exploited." By combining automated tools with regular human expertise, continuous testing provides ongoing visibility into an organization's security posture.

Benefits of Continuous Monitoring

A continuous approach offers significant advantages:

1. Real-time threat detection: Continuous monitoring enables organizations to identify and respond to emerging threats immediately, dramatically reducing the window of exposure.

2. Adaptation to evolving threats: Regular testing allows security teams to adjust their strategies based on the latest attack vectors and techniques.

3. Comprehensive coverage: Continuous approaches can cover a broader range of systems and applications, reducing blind spots.

4. Integration with development cycles: Continuous security testing aligns with modern DevOps practices, enabling security to be integrated into the development process.

The MITRE ATT&CK framework has become an invaluable resource for implementing comprehensive security strategies. As described by MITRE, it's "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations." By mapping attacks using this framework, organizations can better understand threat actors' behaviours and implement appropriate countermeasures.

The Human Firewall: The Critical Element in Modern Cybersecurity

While technological solutions are essential, the human element remains both the greatest vulnerability and potential strength in cybersecurity defences.

The Human Factor in Cybersecurity Breaches

Human error continues to be a primary factor in security breaches. According to current statistics:

• 82% of data breaches have been linked to human-related security weaknesses

• The human element is the common root cause of 68% of data breaches

• 95% of cybersecurity incidents happen because of human mistakes

The M&S and Co-op breaches exemplify how sophisticated attackers target the human element. Scattered Spider reportedly initiated these attacks by impersonating employees and convincing IT help desks to reset passwords. This social engineering tactic bypassed technical controls by exploiting human vulnerabilities.

Building an Effective Human Firewall

Transforming employees from security liabilities into security assets requires comprehensive education and cultural change:

Cybersecurity Awareness Training Evolution

Traditional security awareness programs are evolving into more sophisticated approaches focused on behaviour change rather than just knowledge transfer. IBM notes that "Nearly 95% of human thinking and decision making is controlled by System 1, which is our habitual way of thinking." Effective training must address this by creating security-conscious habits rather than merely providing information.

Modern training approaches include:

1. Personalized, role-specific training: Tailoring content to specific job functions and risk profiles.

2. Simulated attacks: Conducting realistic phishing, vishing, and smishing simulations to build practical skills.

3. Continuous reinforcement: Providing regular, bite-sized training modules rather than annual compliance exercises.

4. Gamification and engagement: Using competition and rewards to motivate ongoing participation.

5. Behavioural analytics: Employing AI to analyse employee behaviour and deliver targeted interventions.

Despite these advances, there are still significant gaps in implementation. As of 2024, 45% of employees report receiving no security training from their employers, and 62% of companies do not conduct sufficient security awareness training to see significant benefits.

From Awareness to Culture

Building a robust security culture goes beyond training to create an environment where security becomes part of everyday decision-making. This requires:

1. Leadership commitment: Visible support from executives and managers for security initiatives.

2. Positive reinforcement: Recognizing and rewarding security-conscious behaviours rather than punishing mistakes.

3. Clear expectations: Establishing and communicating security responsibilities for all roles.

4. Empowerment: Giving employees the tools and authority to report and address security concerns.

5. Continuous improvement: Regularly evaluating and enhancing security culture initiatives.

Organizations that successfully implement these strategies can expect significant benefits. Properly implemented cybersecurity awareness training can lead to a 70% reduction in security-related risks, and users who have undergone phishing awareness training are 30% less likely to click on phishing links.

The Current State: Retail Sector Under Siege

The recent spate of attacks on UK retailers provides a revealing case study of current cybersecurity challenges:

The M&S, Harrods, and Co-op Attacks

In April and May 2025, three major UK retailers experienced significant cyber attacks:

1. Marks & Spencer: The attack began around April 21, with customers reporting issues with contactless payments and click-and-collect services. By April 25, M&S suspended all online orders and removed job listings from its website. Weeks later, the company was still unable to process online sales and acknowledged that customer data had been stolen. The attack has cost M&S millions in lost revenue and wiped approximately £700 million from its market value.

2. Co-op Group: Shortly after the M&S attack, Co-op revealed it had also been targeted. The company shut down parts of its IT system, affecting back-office and call centre functions. It later acknowledged that data from a significant number of current and past members had been stolen, including personal information such as names, contact details, and dates of birth.

3. Harrods: On May 1, the luxury retailer confirmed it had experienced unauthorized access attempts to its systems. While Harrods managed to contain the breach more effectively than M&S, internal files, including employee data, were reportedly accessed.

Attack Vectors and Techniques

These attacks demonstrate the sophistication of modern threat actors:

• Social engineering: The attackers reportedly used sophisticated social engineering techniques, including impersonating employees to convince IT help desks to reset passwords.

• Ransomware deployment: In the case of M&S, attackers reportedly used the DragonForce ransomware to encrypt virtual machines.

• Identity-based attacks: The attackers targeted credentials and access controls rather than attempting to directly breach perimeter defences.

The attacks have been attributed to DragonForce affiliates, with evidence suggesting involvement from the Scattered Spider/Octo Tempest group. This group has demonstrated a pattern of targeting prominent brands in specific sectors to generate media attention before moving on to other targets.

Sectoral Vulnerabilities

These incidents highlight specific vulnerabilities in the retail sector:

1. Underinvestment in security: Retail organizations often prioritize customer experience and operational efficiency over security investments.

2. Complex digital infrastructure: Modern retailers operate complex, interconnected systems spanning physical stores, e-commerce platforms, and supply chains.

3. Valuable data assets: Retailers process and store significant volumes of customer and payment data, making them attractive targets.

4. Skill shortages: According to recent research, 83% of UK organizations are grappling with a shortage of skilled cybersecurity professionals.

Cabinet Office minister Pat McFadden described the wave of attacks on UK businesses as a "wake-up call" for the industry, highlighting the need for organizations to reassess their security strategies.

Are We Approaching "The Big One"?

The concept of "the big one"—a catastrophic cyber event that fundamentally changes security culture and practice—looms large in cybersecurity discussions. Are we approaching such an event?

Signs of Growing Risk

Several factors suggest the potential for a major, paradigm-shifting cyber event:

1. Increasing attack sophistication: Threat actors are employing increasingly advanced techniques, including AI-enhanced attacks and deepfakes. According to Gartner, around 50% of executives believe Generative AI will advance adversarial capabilities such as phishing, malware, and deepfakes.

2. Critical infrastructure targeting: Attacks are increasingly targeting essential services and infrastructure, with the potential for significant real-world impacts.

3. Supply chain vulnerabilities: In 2024, 183,000 customers were affected by supply chain cyber attacks, an increase of 33% from the previous year.

4. Ransomware evolution: Ransomware operators are moving to subscription models, enabling even low-skilled criminals to launch sophisticated attacks.

5. Geopolitical tensions: Rising international conflicts are accompanied by increased state-sponsored cyber activities.

The potential impact of a major cyber event could be catastrophic. The reported costs of cyber attacks are projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures, while another forecast places the cost of cybercrime at $23 trillion by 2027.

Evaluating Readiness

Despite growing awareness of cyber risks, organizational readiness remains concerning:

1. The resilience gap: The divide between resilient organizations and those struggling has become stark, with the number of organizations maintaining minimum viable cyber resilience declining by 30% in 2024.

2. Resource constraints: A lack of resources and skills is the biggest challenge for 52% of organizations in designing cyber resilience.

3. Legacy technology: Transforming legacy technology and processes remains a significant barrier to improved security.

4. Human factors: Despite their critical role, human-centric security measures remain underdeveloped in many organizations.

These factors suggest that while a catastrophic cyber event is increasingly possible, many organizations remain unprepared to prevent or respond effectively to such an event.

The Path Forward: Integrated, Continuous Security

As we consider the future of cybersecurity, several key principles emerge for building more resilient organizations:

Embracing the MITRE ATT&CK Framework

The MITRE ATT&CK framework provides a valuable foundation for modern security strategies. By categorizing and mapping adversary tactics, techniques, and procedures, it enables organizations to develop specific threat models and implement appropriate countermeasures.

For 2025, the MITRE ATT&CK Evaluations are focusing on cloud-based attacks, response and containment strategies, and post-incident analysis, reflecting the evolving threat landscape. Organizations can use this framework to enhance threat intelligence, detection capabilities, and incident response procedures.

Implementing Continuous Security Approaches

Moving beyond point-in-time assessments to continuous security monitoring provides several advantages:

1. Reduced exposure window: Continuous testing dramatically reduces the time between vulnerability creation and detection.

2. Adaptive defence: Organizations can quickly adjust their security posture in response to emerging threats.

3. Comprehensive coverage: Continuous approaches can cover a broader range of systems and attack vectors.

4. Improved resource allocation: Organizations can prioritize remediation efforts based on real-time risk assessments.

Strengthening the Human Firewall

Enhancing human-centric security measures is essential for addressing the root causes of many breaches:

1. Behavioural security: Focus on changing behaviours rather than just increasing awareness.

2. Personalized training: Tailor security education to specific roles, risks, and learning styles.

3. Positive security culture: Build an environment where security is valued and rewarded rather than seen as an obstacle.

4. Leadership engagement: Ensure visible support from executives and managers for security initiatives.

Preparing for "The Big One"

Organizations should take proactive steps to prepare for potentially catastrophic cyber events:

1. Scenario planning: Develop and test response plans for various high-impact cyber scenarios.

2. Resilience investments: Focus on building systems and processes that can withstand and recover from major attacks.

3. Collaborative defence: Participate in industry information sharing and collective defence initiatives.

4. Supply chain security: Implement robust third-party risk management processes.

No Silver Bullet, but a Way Forward

The question of whether we'll ever find a "silver bullet" for cybersecurity has a clear answer: no. The complexity and dynamism of the threat landscape, combined with the inherent vulnerabilities of human-computer interaction, mean that perfect security will remain elusive.

However, by moving beyond point-in-time testing to continuous, integrated security approaches that address both technical and human factors, organizations can significantly improve their ability to prevent, detect, and respond to cyber threats. The MITRE ATT&CK framework provides a valuable foundation for these efforts, enabling organizations to understand and counter adversary tactics and techniques.

As for "the big one"—a catastrophic cyber event that forces a paradigm shift in security practice—the signs suggest that the risk is growing. The increasing sophistication of attacks, the expanding attack surface, and the critical nature of digital systems in modern society all point to the potential for a major cyber event with far-reaching consequences.

The clock may indeed be ticking toward midnight for such an event. However, by implementing the principles outlined in this article, organizations can improve their readiness and resilience, potentially mitigating the impact of even the most severe cyber attacks.

In the end, effective cybersecurity is not about finding a single solution, but about building a comprehensive, adaptive defence that evolves alongside the threat landscape. By embracing continuous security approaches, strengthening the human firewall, and leveraging frameworks like MITRE ATT&CK, organizations can navigate the challenging cybersecurity landscape of 2025 and beyond.

One month after President Trump’s tariffs on imported semiconductors and key technology components took effect, the U.S. tech sector is showing early signs of adaptation — even as uncertainty lingers. While short-term disruptions remain evident, major firms are beginning to implement strategic pivots to blunt the impact of higher costs and shifting supply dynamics.

Market Reaction Stabilizes — but Divergence Emerges

The initial selloff in tech stocks has plateaued, with the Nasdaq 100 recovering 2.5% in April after a steep early-month dip. However, investor behavior remains cautious. AI hardware firms such as Nvidia and AMD have stabilized but continue to trade below pre-tariff valuations. Meanwhile, companies with diversified manufacturing bases, like Apple and Intel, have outperformed sector averages, suggesting that markets are beginning to reward supply chain agility.

Supply Chain Reconfiguration Underway

According to a mid-April report by Deloitte, over 40% of U.S. tech firms are actively evaluating alternate suppliers outside traditional hubs like Taiwan and China. Countries such as Vietnam, Malaysia, and India are seeing increased interest. While full relocation remains costly, incremental outsourcing and risk distribution are becoming the norm.

Domestically, chipmakers are accelerating partnerships with U.S.-based fabrication startups, some of which have received increased attention — and investment — due to federal incentives quietly expanded alongside the tariffs.

Infrastructure and Cost Pressures Persist

CBRE has revised its earlier estimate, now projecting that construction costs for data centers and related infrastructure could rise by as much as 7% by Q3 2025, as materials subject to tariffs become scarcer and more expensive. Some projects in early development stages have already been paused or re-scoped.

Policy and Corporate Strategy Align

There’s a notable trend of alignment between corporate strategy and federal policy objectives. Apple has broken ground on its Houston expansion and confirmed that a portion of its MacBook production will begin stateside by late 2025. TSMC’s Arizona project, while still in early phases, received expedited permitting support — suggesting stronger collaboration between public and private stakeholders.

Looking Ahead

Though the full implications of the tariffs are still unfolding, the technology sector is gradually absorbing the shock and beginning to pivot. The winners in this new environment will likely be those who act swiftly to localize production, hedge supply risks, and build strategic partnerships within the U.S. manufacturing ecosystem.

For now, the question remains: can domestic production scale fast enough to offset the pressures — and will the political calculus behind these tariffs ultimately prove beneficial?

Context and Background

The release of Qwen 3 arrives amid intensifying competition within China's AI sector. DeepSeek's R1, launched earlier in 2025, received considerable acclaim for its performance across mathematical and reasoning benchmarks, quickly establishing itself as a benchmark-setter. Alibaba's earlier iteration, Qwen 2.5-Max, already showed signs of competitive parity, outperforming DeepSeek V3 in several evaluation frameworks such as Arena-Hard and LiveBench.

Meanwhile, Baidu continues to push its Ernie series models, including the newly launched Ernie 4.5 Turbo and Ernie X1 Turbo. These rapid developments mirror China's broader AI strategy: driving homegrown innovation to reduce dependence on Western technology and foster domestic ecosystems of applied AI solutions.

With regulatory frameworks becoming more accommodating and capital continuing to flow into foundational model R&D, Alibaba’s Qwen 3 is the company's most aggressive move yet to claim a stake in this evolving frontier.

Core Analysis

Model Architecture and Performance

Qwen 3 is available in various model sizes, including the flagship Qwen3-235B-A22B, and features significant architectural upgrades. These include hybrid reasoning capabilities that combine symbolic and neural processing pathways to enhance decision-making depth and precision. Notably, Qwen 3 supports extended context lengths of up to 131,072 tokens for models at 4B size and above, positioning it for more complex, multi-turn interactions and long-form content synthesis.

Performance benchmarks indicate that Qwen 3 has outperformed notable competitors across several fronts:

• On Codeforces, it surpasses OpenAI's o3-mini and Google’s Gemini 2.5 Pro.

• On reasoning-centric tests such as AIME and BFCL, it has shown higher consistency in accuracy and interpretability.

• In multilingual evaluations, Qwen 3 demonstrates competitive proficiency across Chinese, English, and mixed-language inputs.

Open-Source Availability

Perhaps the most strategically significant aspect of the launch is Qwen 3's open-source availability. Hosted across platforms including Hugging Face and GitHub, the models come with a permissive license that enables research and commercial use. This contrasts sharply with many U.S.-based counterparts which often restrict model weights or impose usage limitations.

By opening the architecture, Alibaba is not only inviting global collaboration but also contributing to the maturation of the Chinese open-source AI community—an essential component in reducing foreign dependency.

Strategic Implications

Domestic AI Ecosystem Strengthening

The release reinforces Alibaba’s role as a core AI innovator within China. By competing head-to-head with DeepSeek and Baidu, Alibaba is catalysing a virtuous cycle of innovation. The availability of a top-tier open-source model could drive faster iteration cycles, as startups, academic labs, and enterprises integrate and adapt Qwen 3 for localized needs.

Geopolitical and Industrial Positioning

At a geopolitical level, Qwen 3 exemplifies China's strategic pivot toward technological self-sufficiency. The capabilities it introduces also have direct implications for sectors like defence, cybersecurity, and language processing across Chinese dialects, which have historically lacked sufficient NLP support.

For industries, the implications are equally expansive:

• Enterprise Software: Integration into vertical SaaS platforms for legal, finance, and HR analytics.

• Manufacturing & Logistics: Enhanced digital twins, predictive maintenance, and AI-driven optimization.

• Healthcare: Advanced biomedical literature synthesis and diagnostic support tools.

Competitive Pressures on Western Firms

Alibaba's aggressive open-sourcing strategy places pressure on Western AI developers to reconsider closed-model frameworks. It introduces a credible alternative to OpenAI's GPT and Google's Gemini series, especially for organizations prioritizing cost-efficiency, local data sovereignty, and customizable AI stacks.

Forward Outlook

The launch of Qwen 3 marks not only a technical leap but a strategic recalibration. Alibaba is signalling that it aims to be a foundational actor in shaping the future of global AI infrastructure. The company's emphasis on open development, hybrid reasoning, and performance transparency sets new precedents in both China and abroad.

Looking forward, three critical scenarios merit attention:

1. Ecosystem Acceleration: An uptick in AI-native applications leveraging Qwen 3 in both Chinese and international markets.

2. Policy Interventions: Chinese regulators may introduce frameworks to favour open-source model adoption, catalysing broader systemic shifts.

3. Cross-border Collaborations: With open access, Alibaba may attract Western and Global South developers, forging a more multipolar AI ecosystem.

Qwen 3 is more than an engineering achievement; it is a strategic instrument in China's evolving AI doctrine. For executives, policymakers, and technologists alike, the model's release demands close scrutiny and calibrated engagement.

Lgger Analytics | Date: April 29, 2025

West Africa has emerged as one of the most vibrant and rapidly evolving fintech ecosystems in Africa. Driven by mobile-first innovation, increasing financial inclusion needs, and a young, tech-savvy population, fintech startups have become a transformative force across the region. Nigeria, Ghana, Senegal, and Côte d’Ivoire are at the forefront of this evolution, with each country contributing to a growing web of digital financial services that now stretch beyond borders.

Yet, while financial inclusion and innovation remain top priorities, there's a growing conversation around Environmental, Social, and Governance (ESG) responsibility in the fintech sector. As global and local investors begin to demand greater accountability and transparency, the intersection of fintech and ESG is becoming more important than ever.

This report dives into the fintech landscape in West Africa, exploring key players, investment flows, and the budding but crucial role ESG is beginning to play.

The State of Fintech in West Africa

West African fintech has experienced explosive growth in the last decade. The region’s fintech startups raised hundreds of millions in funding in 2024 alone, with Nigeria reclaiming its position as the top destination for venture capital on the continent, drawing over $520 million in equity funding across 103 deals.

The main drivers of this boom include:

• High mobile penetration: Mobile phone usage across West Africa has soared in the past decade. With smartphones becoming more affordable and mobile networks expanding into rural regions, the majority of the population—especially the youth—now has access to digital tools. This high level of mobile adoption provides the essential infrastructure for mobile banking, mobile payments, and financial apps to thrive.

• A large unbanked population: A significant portion of West Africans still lack access to formal banking services. In Nigeria, for instance, more than 60 million adults are unbanked. Fintechs are seizing this opportunity to introduce digital wallets, agent banking, and other solutions that bypass traditional banks and deliver financial services directly via mobile phones.

• Underdeveloped traditional banking systems: In many areas, brick-and-mortar banks are either non-existent or difficult to access. Bureaucracy, high fees, and documentation requirements have also deterred many from engaging with traditional banks. Fintech startups are filling this vacuum with agile, customer-centric alternatives that prioritize accessibility and ease of use.

• A youthful, entrepreneurial demographic: West Africa has one of the youngest populations globally. With growing internet literacy, digital fluency, and a hunger for innovation, young people are both consumers and creators in the fintech space. Many of the region's fintech founders are under 35, building products tailored to the needs of their peers and leveraging mobile-first platforms to scale quickly.

These conditions have fostered innovation in mobile payments, digital banking, micro-lending, savings platforms, and cross-border transactions.

Top Fintech Startups by Country

Nigeria:

• Flutterwave: Payments infrastructure powerhouse valued over $3B.

• Paystack: Online payments giant, acquired by Stripe in 2020.

• Kuda: A leading digital bank with over $90M in funding.

• PiggyVest & Cowrywise: Digital savings and investment platforms.

• Moniepoint: Agent banking and SME-focused digital services.

Ghana:

• Zeepay: Mobile money and remittance services.

• Dash: Cross-border wallet interoperability.

• BezoMoney: Social savings for underserved communities.

Senegal:

• Wave: No-fee mobile money disrupting telco-led models.

• PayDunya: Payment gateway for Francophone markets.

• MaTontine: Digitizing group savings and micro-lending.

Côte d’Ivoire:

• Julaya: B2B digital payment and payroll solutions.

• CinetPay: Secure payments for e-commerce.

• Djamo: Neobank offering cards and financial literacy.

Investment Flows and Key Investors

West African fintech continues to attract global capital at impressive rates. In 2024, fintech startups across Africa secured roughly $1.4 billion, and West Africa claimed a large share of that, especially in Nigeria.

Notable investment highlights:

• Moniepoint (Nigeria) raised $110M, reaching unicorn status.

• Flutterwave continues to expand after a $250M Series D.

• Kuda, FairMoney, and Chipper Cash also received multimillion-dollar funding rounds.

Key investors fueling this growth include:

• Development Partners International (DPI)

• Google Africa Investment Fund

• Partech Africa (launched a $300M Africa-focused fund)

• TLcom Capital and Norrsken22

• IFC and FMO, development finance institutions pushing impact-oriented investments

These investors are not only injecting capital but also introducing governance frameworks, ESG reporting requirements, and long-term scaling strategies.

The ESG Conversation: Early but Growing

While fintech is primarily seen as a tool for financial access and innovation, its potential as an ESG-aligned sector is becoming clearer. Here’s how ESG factors are starting to influence fintech in West Africa:

Environmental (E)

• Fintech platforms inherently reduce the carbon footprint by digitizing previously paper-heavy, in-person banking.

• Emerging interest in climate-linked financial products, such as green loans and climate insurance.

• Agricultural fintechs are beginning to integrate weather and sustainability data into their credit models.

Social (S)

• The strongest ESG alignment exists here:

  • Platforms like Moniepoint, Opay, Paga, and Wave bring banking services to remote, underbanked areas.

  • BezoMoney and MaTontine empower women and informal entrepreneurs.

  • Products promote financial literacy, savings culture, and economic inclusion.

Governance (G)

• As startups mature, there's a visible push toward:

  • Stronger AML/KYC protocols

  • Responsible lending standards

  • Transparent data privacy and protection measures

• Investors are requiring ESG reporting as a precondition for funding.

Challenges in ESG Integration

Despite progress, several challenges remain:

• Limited environmental focus compared to social goals: While fintech platforms often create indirect environmental benefits by digitizing services and reducing the need for physical infrastructure, very few have direct strategies aimed at environmental sustainability. There's a noticeable absence of green financial products, carbon footprint tracking, or support for eco-friendly sectors like renewable energy or sustainable agriculture. This leaves a gap where fintech could play a greater role in environmental stewardship.

• Lack of standardized ESG metrics among startups: Most early- and even mid-stage fintechs do not yet report on ESG indicators in a structured or consistent way. Metrics such as gender inclusion, carbon savings, or data transparency are rarely tracked or shared publicly. This makes it difficult for investors and stakeholders to evaluate the impact or sustainability of these businesses, and it hampers efforts to benchmark or scale ESG initiatives across the industry.

• Governance practices vary widely, especially in early-stage companies: While some well-funded fintechs adopt strong internal governance practices, others—especially startups in early growth phases—lack formal boards, risk management protocols, or compliance departments. This inconsistency can lead to poor decision-making, vulnerabilities in cybersecurity, or difficulty in scaling operations responsibly. As regulatory scrutiny increases, governance will become a make-or-break factor.

• Some startups face criticism over aggressive lending and debt recovery tactics: In the race for market share, some digital lenders have been accused of high-interest rates, predatory lending models, and invasive debt collection practices. This undermines the trust they seek to build with users and can contradict the broader ESG objective of promoting fair and inclusive finance. Addressing this issue requires a balance between innovation, profitability, and consumer protection.

Still, there's clear momentum. ESG is no longer a Western buzzword—it’s becoming an operational lens for long-term success in West African fintech.

What’s Next? Opportunities Ahead

The intersection of ESG and fintech is full of opportunity:

• Green lending models for agriculture and clean energy financing: These models enable fintech platforms to offer loans specifically tied to eco-conscious initiatives. For agriculture, this may include credit to farmers who adopt sustainable farming practices, such as water-efficient irrigation or organic inputs. In clean energy, it supports consumers and SMEs who invest in solar systems, biodigesters, or electric mobility solutions. By tying financial support to environmental impact, fintechs create incentives for sustainable behavior while opening new markets.

• Digital identity and inclusive KYC solutions: Traditional Know Your Customer (KYC) protocols often exclude individuals lacking formal ID documentation, a common barrier in many West African regions. Inclusive digital identity solutions—such as biometric verification, mobile-based ID registration, and blockchain-backed credentials—are allowing more people to access financial services securely and conveniently. Fintechs that adopt such systems are helping bridge the identity gap and reduce exclusion from the formal financial system.

• ESG analytics-as-a-service platforms for African startups: These are emerging tools or service providers that help startups track, report, and improve their ESG metrics. They might offer dashboards that monitor carbon savings, social impact (like gender inclusion), or governance risks. This is especially helpful for early-stage fintechs seeking to attract institutional capital or development finance, as it aligns them with international reporting standards without requiring large in-house compliance teams.

• Ethical AI and data governance embedded in credit scoring and risk systems: As AI becomes central to credit decisions, ethical considerations are paramount. Ethical AI ensures models are free from biases that might marginalize vulnerable groups. Coupled with data governance practices that prioritize consent, transparency, and privacy, fintechs can build trust and avoid regulatory backlash. In credit scoring, this means using explainable algorithms and allowing users insight into how their financial behavior influences their eligibility.

As investors continue to demand impact metrics and regulators sharpen oversight, the fintechs that proactively embed ESG will be the ones best positioned for scale, resilience, and global partnerships.

West African fintech is in a golden age of expansion, powered by innovation and a hunger to solve local financial challenges. The ESG wave is still gathering force, but early adopters are already laying the foundation for sustainable, inclusive growth.

As fintech startups in the region continue to scale across borders and verticals, those who align profits with purpose—especially in financial inclusion, good governance, and environmental stewardship—will lead the way into a future where tech does more than disrupt: it empowers.