State of Security | January 2026
MustardTree Partners Monthly Cybersecurity Report
The cybersecurity landscape entering 2026 is nothing short of transformational. We’ve moved beyond the era of human-speed cyber operations into something fundamentally different: machine-speed warfare driven by autonomous AI agents, executed against a backdrop of intensifying geopolitical fractures. This month’s report examines the convergence of these forces and what they mean for organisations navigating the year ahead.
The Poly-Crisis Reality
January 2026 marks a watershed moment. Organisations globally now face an average of nearly 2,000 cyber attacks per week—a staggering 70% increase since 2023. But this isn’t merely about volume. The mechanics of cyber warfare have fundamentally shifted. The window between initial compromise and lateral movement has shrunk to under 60 minutes in advanced campaigns. When your adversary operates at machine speed, your defences must match that pace.
The World Economic Forum’s latest cybersecurity outlook confirms what many practitioners have suspected: we’re operating in a “poly-crisis” where hyper-accelerated AI threats, geopolitical fragmentation, and structural shifts in cybercrime economics converge simultaneously. The old playbooks aren’t just outdated—they’re dangerous.
The Agentic Shift: AI Moves From Assistant to Adversary
The defining characteristic of the 2026 threat landscape is the transition from generative AI as a content creation tool to agentic AI as an operational execution engine. Adversaries are no longer simply using large language models to craft phishing emails. They’re deploying autonomous agents capable of navigating networks, identifying high-value data, and executing exfiltration protocols without human intervention.
These “shadow agents” operate continuously, process vast amounts of network telemetry, and find subtle vulnerabilities that human operators miss. The industrialisation of social engineering has reached unprecedented sophistication—Check Point Software reports a 500% surge in “ClickFix” techniques, where AI generates context-aware lures in real-time based on individual user behaviour and role-specific context.
The emergence of autonomous malware that rewrites its own code to evade signature-based detection represents a fundamental escalation. Capabilities once exclusive to elite nation-state actors are now accessible to criminal groups. The “AI Arms Race” described by Google Cloud isn’t a prediction—it’s our current operational reality.
Deepfake weaponisation has moved from theoretical risk to potent operational tool. The Arup incident earlier this year—where AI-generated video facilitated a $25 million theft by impersonating a CFO during a video conference—demonstrates that traditional human verification methods are now obsolete for high-stakes transactions.
Identity: The New Battlefield
With traditional network perimeters dissolved by cloud adoption and remote work, identity has become the primary control point—and the primary target. Reports indicate 97% of identity-based attacks involve credential abuse rather than vulnerability exploitation. Adversaries don’t need to hack in; they simply log in.
The volume of stolen credentials available on dark web marketplaces has reached critical mass, with 149 million passwords exposed in a single late-January leak. Multi-factor authentication bypasses have been industrialised—token theft, session hijacking, and “quishing” (QR code phishing) are now standard tradecraft. The FBI has issued specific warnings about North Korean groups using embedded malicious QR codes to force victims from secured corporate devices to less-secure mobile devices, effectively bypassing endpoint protection entirely.
A critical new category has emerged: non-human identity risk. As organisations deploy authorised AI agents for productivity, these entities receive permissions to access sensitive data and execute actions. Adversaries are now targeting these “silicon employees,” exploiting their entitlements to gain access that would otherwise trigger anomalies if attempted by human users.
The Typhoon Strategy: Nation-State Operations Intensify
Chinese state-sponsored cyber activity remains the most persistent and sophisticated threat to Western infrastructure. The Salt Typhoon campaign has become a central geopolitical crisis, with systematic infiltration of global telecommunications networks—including confirmation of a ninth US telecom firm compromised this month.
The strategic objective is clear: counterintelligence and monitoring of high-value targets. By compromising core switching and routing infrastructure, Salt Typhoon can intercept communications metadata and content, effectively wiretapping the wiretappers. Data exfiltrated includes call records, text messages, and geolocation data from senior government officials and prominent political figures.
Volt Typhoon continues targeting US critical infrastructure—energy, water, transportation—for “pre-positioning.” The strategic intent is maintaining persistent access that could be leveraged to disrupt communications and logistics in the event of kinetic conflict in the Indo-Pacific. Throughout January, Volt Typhoon has been observed attempting to re-establish access to networks from which they were previously evicted.
Meanwhile, Russian operations under Midnight Blizzard continue exploiting information from previous high-profile breaches to target downstream customers. Their tradecraft has evolved to focus on identity providers and cloud trust relationships, making detection extraordinarily difficult.
The Ransomware Economy Restructures
The ransomware ecosystem has undergone structural transformation. While attack frequency has increased, ransom payments have declined 50% compared to last year—driven by improved backup resilience and a cultural shift toward refusal. Sixty-four percent of victims now refuse payment on principle.
In response, attackers have pivoted to pure data extortion. Encryption is frequently skipped entirely; instead, actors exfiltrate sensitive data and threaten public release. This reduces technical overhead while maintaining leverage over victims who fear reputational damage and regulatory fines more than operational downtime.
The monolithic ransomware cartels have fragmented into a decentralised ecosystem of smaller, specialised groups. The collapse of Black Basta following the “ExploitWhispers Leak” validates the strategy of psychological warfare against ransomware groups—sowing distrust among criminals can be as effective as technical takedowns.
The Agentic SOC Emerges
To counter machine-speed attacks, the industry has moved decisively toward the “Agentic SOC.” Major vendors including CrowdStrike, Microsoft, and Google have rolled out autonomous capabilities that independently triage alerts, correlate telemetry across disparate tools, and execute remediation playbooks without human approval for routine incidents.
Early adopters report a 90% reduction in mean time to conclusion for routine investigations. Human analysts are transitioning from “alert factory workers” to AI supervisors and strategic threat hunters. The AI handles the noise; the human handles the nuance.
However, deployment challenges remain significant. The “black box” trust issue persists—security leaders remain wary of granting autonomous write-access to AI agents due to hallucination risks that could cause business disruption. Data sovereignty concerns complicate cloud-based LLM processing of sensitive security telemetry, particularly under GDPR and DORA.
Critical Vulnerabilities Demand Immediate Attention
January has been punctuated by high-severity zero-days requiring emergency response. The Fortinet FortiCloud SSO bypass (CVE-2026-24858) was so severe that Fortinet temporarily disabled the service globally to stop exploitation—an unprecedented step highlighting systemic risk in centralised cloud management planes.
The Cisco Unified Communications Manager vulnerability (CVE-2026-20045) has been heavily targeted by state-sponsored actors seeking to intercept communications. Microsoft’s January Patch Tuesday addressed 114 vulnerabilities including three actively exploited zero-days affecting Desktop Window Manager, Office security features, and Secure Boot.
Ivanti Connect Secure remains a recurring weak point in edge device security, with new vulnerabilities being exploited by Chinese nexus groups to deploy web shells on VPN gateways.
Regulatory Landscape Tightens
The EU’s Digital Operational Resilience Act (DORA) has entered its first full year of enforcement, with the Article 58 Review determining whether requirements will extend to statutory auditors. Financial entities are scrambling to complete third-party registers and prepare for threat-led penetration testing.
The UK’s Cyber Security and Resilience Bill has passed its second reading, expanding scope to include managed service providers and data centres while introducing mandatory incident reporting for ransomware.
In India, friction mounts over accelerated timelines for the Digital Personal Data Protection Act, with the proposed 12-month compliance window threatening smaller organisations’ viability.
Strategic Imperatives for 2026
The poly-crisis demands a fundamental shift in how organisations approach security:
Assume compromise. The perimeter is gone. Resilience must be built on the assumption that adversaries are already inside. Zero trust isn’t a product—it’s an operating philosophy.
Embrace agentic defence. Manual security operations cannot scale to meet machine-speed attacks. Supervised autonomous security agents are no longer optional—they’re a necessity for survival.
Decouple from centralised failures. Over-reliance on single points of failure is systemic risk. The Fortinet SSO crisis demonstrates how a single vulnerability in a cloud provider can compromise thousands of downstream devices. Diversification and break-glass continuity plans are essential.
Prioritise identity fabric. With 97% of attacks involving credential abuse, identity security isn’t just an IT concern—it’s the cornerstone of organisational resilience. Phishing-resistant MFA, identity threat detection, and non-human identity management must be priority investments.
Prepare for the quantum transition. While Q-Day remains years away, the “harvest now, decrypt later” threat means organisations handling long-lived secrets must begin crypto-agility planning now. The 2035 deadline for US federal quantum-safe migration should guide private sector timelines.
Looking Ahead
The year 2026 will not be defined by prevention of attacks but by the speed and intelligence of response. Navigating the poly-crisis requires a fusion of advanced technology, rigorous compliance, and geopolitical awareness. The decisions made by security leaders this year will define organisational resilience for the decade to come.
Samuel Odekunle is Managing Partner at MustardTree Partners, specialising in cybersecurity strategy, identity and access management, and digital transformation.
State of Security is published monthly. Subscribe for the latest analysis on the evolving threat landscape.
© 2026 MustardTree Partners (Part of the MustardTree Group). All rights reserved.