Tara Seals , Managing Editor, News , Dark Reading January 30, 2026 9 Min Read Source: Dennis Hallinan via Alamy Stock Photo Conventional wisdom says that in the ever-evolving cybersecurity landscape, attackers and defenders are locked in a perennial, never-ending death match: increasing threat sophistication battling it out with corresponding shifts in corporate and governmental responses. The showdown rages on in 2026, made all the more interesting by the rise of AI-augmented everything. But what do we not expect? Dark Reading canvassed a range of industry-watchers and threat-intelligence specialists about the more cutting-edge happenings for security teams to pay attention to. This includes garage APTs, ransomware becoming less lucrative, data embassies, corporate accountability, and CEOs in South Korea taking responsibility for major data breaches. Read on for our full compilation of these forward-thinking responses. Garage APTs Sophisticated cyberattacks will emerge from small groups and nations with minimal resources, enabled by AI-driven tools. Already, vibe-coded malware is emerging , albeit with mixed efficacy. Open source models like Llama, Mistral, and their derivatives have eliminated the technical barrier—you no longer need state-sponsored research labs to access frontier capabilities. You need a laptop and a VPN. By 2027, we'll see the first documented cyberattacks attributed to nations that have never appeared on a threat intelligence radar—countries with minimal GDP and no historical cyber capability suddenly executing campaigns that would have required nation-state resources two years ago. We'll also see the emergence of what I'd call "garage APTs"—small ideological groups, regional separatist movements, extremist factions—running sophisticated operations that previously required government backing. — Alan LeFort, CEO & Co-Founder, StrongestLayer Data Embassies Go Mainstream Sovereign-hosted data banks will replace cloud-based trust as governments prioritize control over infrastructure and data. “In the public sector, AI governance isn't just a compliance checkbox; it’s a matter of sovereignty. Governments around the world are realizing they can't outsource accountability to algorithms. When AI makes or influences a decision that impacts a citizen, there needs to be full traceability — from the model's provenance to every prompt and output. That means data loss prevention on inputs and outputs, human adjudication for determinations, and transparent disclosure whenever someone interacts with AI. True sovereignty means knowing not just where your data resides, but who holds the keys to it.” — Bill Church, Chief Technology Officer (CTO) at F5 Ransomware Loses Its Luster Ransomware is becoming less lucrative for attackers as enterprises increasingly refuse to pay ransoms. “Ransomware is becoming more dangerous and less lucrative for threat actors, and I think next year we will see many of the key indicators definitively suggest that the defenders are actually winning. Per Coveware's Q3 ransomware report , big enterprises are paying the ransom less, and ransom payment success rates overall are plummeting. This suggests that something is working, be it the sanctions or the police action or the insurance premiums. I predict next year's ransomware stats will be even more dramatic (in a good way).” — Alex Culafi, Senior News Reporter, Dark Reading Cyber Resilience in Startup Valuation Investors will prioritize cyber resilience as a key factor in startup valuation, alongside growth metrics. “Investors are expected to treat cyber-risk as a core factor in startup valuation, alongside revenue growth and market potential. Predictions highlight that AI-driven threats, identity risk, and regulatory requirements will reshape how startups are assessed, with cyber resilience becoming a differentiator for funding and long-term viability. “Startups will no longer be valued solely on growth metrics. Cyber resilience will be a boardroom-level differentiator. Investors are expected to apply a “cyber-risk discount” to startups lacking strong defenses, while rewarding those that integrate AI-native security, compliance frameworks, and identity-first strategies into their operating model. — Melina Scotto, Veteran CISO & Executive Vice President/Founder at Mastin & Associates Physical Security Weaknesses Physical security vulnerabilities in accredited environments will remain a critical challenge without mandated threat-led simulations. "Organizations will be caught off guard when they realize the access-control systems they paid for and installed can be trivially cloned using public tools and information." — Mark Frost, Principal Security Consultant at NCC Group Industrial Network Vulnerabilities Ransomware targeting ICS controllers and safety systems will increase, requiring OT segmentation and anomaly detection. "In October, the Jaguar Land Rover ransomware attackers pressured the company to pay while production lines remained idle. This highlighted the vulnerability of industrial networks and the cascading impact on suppliers and logistics." — Floris Dankaart, Lead Product Manager, Managed Extended Detection & Response at NCC Group Developer Role Evolution Developers will shift from "move fast and break things" to becoming precision experts at ensuring AI-generated code security . "The role [of developers] is at a pivot point with the introduction of AI code, but humans still have a crucial role to play in ensuring the code is secure." — Becky Bracken, Senior Editor, Dark Reading Hybrid Work in the Doghouse Hybrid work will lose favor as security concerns drive a return to office-based strategies. Hybrid work will become a security hazard. Hybrid work, once seen as a productivity booster, will lose its halo as security, not convenience, drives a return to the office. The cost of remote breaches and unmanaged devices will force CEOs and boards to rethink flexibility. My advice: start planning for a security-first workplace strategy today. Lock down endpoints, enforce managed devices, and prepare for cultural pushback, because this shift will come from the top.” — John DiLullo, CEO at Deepwatch Israeli Cybersecurity Investments Geopolitical tensions will drive increased investment in cybersecurity, especially in Israeli technologies. "As a VC that primarily focuses on the Israeli cyber market, it has been quite interesting to see the desire of many countries, in all regions of the world, to overlook past (and even present) geopolitical tensions to gain access to the cybersecurity technologies coming out of Israel. In the year ahead, I expect that continued investment in cybersecurity, especially in Israeli cybersecurity companies, will be one of the hottest topics in the industry.” — Seth Spergel, Managing Partner at Merlin Ventures Post-Quantum Cryptography (PQC) Enterprises will focus on cryptographic asset discovery and automation as PQC standards and certificate deadlines approach. “2024 marked the industry's awakening to post-quantum cryptography (PQC), as NIST locked in core standards and initial protections surfaced in platforms like Apple iMessage, Cloudflare, and Google Chrome. Enterprises spent 2025 catching up, confronting dual pressures from PQC migration and shrinking certificate validity periods, prompting 90% to budget for cryptographic inventories and assessments . In 2026, action takes center stage, with funding secured and March's key certificate deadline approaching, companies will shift to hands-on cryptographic asset discovery, PQC pilots, and full automation for true agility.” — Tim Callan, Chief Compliance Officer at Sectigo "The biggest security failure for tomorrow isn’t 'weak cryptography,' it’s the lack of crypto agility. Systems being deployed now will still be running when quantum-era attacks arrive, yet most are built on fixed-function security that cannot evolve." — Seth Reinhart, Security Market Lead at Altera "Driven by national-security imperatives, jurisdictional control concerns and regulatory mandates about where data is processed and who can access it, 2026 will see the accelerated migration toward sovereign-hosted communications and cloud infrastructure. In 2026, control will become the new foundation of trust. Governments and critical-infrastructure operators will favor platforms built for autonomy—where infrastructure, keys, and data remain fully within their own authority." — Christine Gadsby, Vice President & Chief Security Advisor, BlackBerry Secure Communications Modern SOC Evolution: Shattered Glass Replaces Single Pane Security operations centers (SOCs) will transform into distributed, API-driven environments leveraging AI for real-time security telemetry. "By 2026, the SOC is no longer a physical room of screens and browser tabs, but a distributed mesh of portable code, data pipelines, autonomous agents, and humans building all of the above and checking on how it runs. This ‘shattered glass’ architecture replaces the ‘single pane’ lie (that frankly never existed) with a knowledge graph that connects identity, asset, and security telemetry in real-time, moving us away from ‘grab a coffee and wait’ log searches to ‘down a 5-Hour Energy’ and immediately dive into high-context results that machines can act on. “The primary interface becomes a virtual ‘workbench’ — a headless, API-driven (and MCP!) environment that runs on cloud and uses AI heavily. Ultimately, the modern SOC functions as an engineering factory, where the 'product' is resilient, vendor-agnostic detection logic that lives in a pipeline rather than a proprietary vendor database.” — Anton Chuvakin, Senior Staff Security Consultant at Google Cloud AI Bubble Set to Burst — Then Recover The AI market will experience a correction , but AI will continue to penetrate cybersecurity and other industries. “The AI bubble will indeed burst, not because AI itself is a bad idea or a pipe dream, but rather because unfounded ex