Research | 6 mins read | November 27, 2025

Hadrian's hacking team on what they expect from 2026 based on cybersecurity trends


Over the past year, we have seen many changes in the cybersecurity industry. Notably, time-to-exploit in 2025 reached negative numbers due to the rise of AI-generated exploit code. The nature of security is always changing, but even by those lofty standards, 2025 has been a watershed year for the future of protecting businesses from cybercriminals. That’s why we feel it’s important to take what we have learned and noticed over the last few months and translate it into actionable insights about what SecOps professionals and others can expect from 2026. Our hacking experts at Hadrian have seen these trends in the wild. The team, made up of Olivier Beg, Miguel Regala, Himanshu Patri, Yash Sodha, and Adnankhan Pathan, brings years of experience and knowledge of how hackers operate.

Our predictions are anchored in published industry research, threat intelligence, and the exploitation patterns our own hacking team observes right now. These are not guesses; they are patterns already emerging, giving organizations a window to prepare before these become systemic failures.

Prediction 1: Quantum computing will make "harvest now, decrypt later" more popular

Many professionals view quantum computing as a threat a decade away, but this perspective dangerously misunderstands the immediate danger. The primary risk is not that quantum computers will break encryption in 2035; the risk is that adversaries are already collecting our encrypted data today, waiting for quantum capabilities to decrypt it later. This strategy is known as "harvest now, decrypt later," or HNDL.

This threat is not theoretical. While 62 percent of security professionals express concern over HNDL, a mere 5 percent of their organizations have a defined strategy to address it. This disconnect represents a critical vulnerability.

From an External Attack Surface Management (EASM) perspective, this presents an immediate challenge: every external-facing service using legacy encryption is a target. This includes common TLS certificates using RSA 2048, VPN endpoints, and cloud storage repositories. Nation-states are actively capturing this traffic, fully expecting to decrypt it within the next five to ten years. The exposure is vast: it spans the proliferating IoT devices, many with outdated cryptography, and the older VPN implementations protecting sensitive remote access. API authentication tokens face the exact same problem.

The migration to quantum-resistant cryptography must span a decade and should begin now. Organizations must start by inventorying every external service. We need to identify which services rely on quantum-vulnerable algorithms, such as RSA keys under 3072 bits or ECC keys under 384 bits, and track certificate issuance dates: any certificate issued before 2024 is a liability. This program must extend to monitoring third-party vendors and establishing clear transition timelines for all critical data systems. The data harvesting is happening now; the decryption will follow.
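The inventory step described above, turned into a small triage script. This is an added example, not code from the article or from Hadrian's platform. It assumes an inventory export with one record per external service (service name, public-key algorithm, key size in bits, certificate notBefore date); the records below are constructed, and the thresholds are the ones the article states.

```python
from datetime import date

# Thresholds as stated in the article: RSA keys under 3072 bits, ECC keys under 384 bits,
# and any certificate issued before 2024 are treated as liabilities.
RSA_MIN_BITS = 3072
ECC_MIN_BITS = 384
ISSUANCE_CUTOFF = date(2024, 1, 1)

# Constructed inventory records. In practice these would come from an EASM scanner export
# (assumed shape: service, key algorithm, key size in bits, certificate notBefore date).
INVENTORY = [
    {"service": "vpn.example.com:443",   "algo": "RSA", "bits": 2048, "not_before": date(2022, 5, 1)},
    {"service": "api.example.com:443",   "algo": "EC",  "bits": 256,  "not_before": date(2024, 6, 15)},
    {"service": "www.example.com:443",   "algo": "EC",  "bits": 384,  "not_before": date(2025, 2, 1)},
    {"service": "files.example.com:443", "algo": "RSA", "bits": 4096, "not_before": date(2023, 11, 20)},
]

ECC_NAMES = ("EC", "ECDSA", "ECDH")


def assess(record):
    """Return the list of HNDL-relevant findings for one inventory record."""
    findings = []
    algo = record["algo"].upper()
    if algo == "RSA" and record["bits"] < RSA_MIN_BITS:
        findings.append(f"RSA-{record['bits']} below {RSA_MIN_BITS}-bit floor")
    elif algo in ECC_NAMES and record["bits"] < ECC_MIN_BITS:
        findings.append(f"ECC-{record['bits']} below {ECC_MIN_BITS}-bit floor")
    elif algo != "RSA" and algo not in ECC_NAMES:
        # Anything we do not recognise is routed to a human rather than silently passed.
        findings.append(f"unrecognised key algorithm {record['algo']!r}; review manually")
    if record["not_before"] < ISSUANCE_CUTOFF:
        findings.append(
            f"certificate issued {record['not_before'].isoformat()}, "
            f"before {ISSUANCE_CUTOFF.isoformat()}"
        )
    return findings


def prioritise(inventory):
    """Map each service to its findings, dropping services that have none."""
    report = {}
    for rec in inventory:
        findings = assess(rec)
        if findings:
            report[rec["service"]] = findings
    return report


if __name__ == "__main__":
    for service, findings in prioritise(INVENTORY).items():
        print(service)
        for finding in findings:
            print("  -", finding)
```

The size floors are a triage heuristic for ordering the work; Shor's algorithm does not depend on RSA or ECC key length, so the end state the article calls for is migration to post-quantum algorithms, not larger classical keys.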

Prediction 2: DNS weaponization leads to systemic supply chain compromise

In our experience, the fundamental problem with DNS is not technical; it is operational. We have collectively left DNS wide open as an attack surface, and the industry is not treating this vulnerability with sufficient seriousness.

Gartner predicts that 25 percent of cloud breaches in 2026 will stem from poorly managed DNS records. We are already seeing a consistent pattern: organizations struggle to manage thousands of DNS records distributed across multiple cloud providers and registrars, creating operational chaos that attackers exploit.

We are watching several key attack vectors amplify this chaos:

  • Dangling DNS Records: When a cloud service is deprovisioned, but the corresponding DNS record remains active, an attacker can claim the abandoned resource and host a phishing site under the organization's legitimate domain. We have reviewed cases where this scenario cost organizations millions, such as a Fortune 500 company that lost $2.4 million because an attacker hijacked a single, forgotten CNAME record.
  • Subdomain Takeovers and AI SEO: Subdomain takeovers are becoming a primary attack vector. Attackers are seizing control of subdomains, publishing AI-generated content, and achieving high search rankings for legitimate brand queries. The SubdoMailing campaign offered a stark preview of this, hijacking over 8,000 subdomains from major brands, resulting in millions of phishing emails that successfully bypassed security filters.
  • Supply Chain Amplification: A DNS vulnerability becomes exponentially more dangerous when it affects suppliers and partners. If an attacker compromises the DNS infrastructure at a single vendor, they can gain lateral access across that vendor's entire customer ecosystem—a repeat of the SolarWinds attack profile, but executed via DNS.

The core problem is apathy. Researchers find approximately 15,000 vulnerable subdomains every month. When they warned over one thousand organizations about this exposure, 98 percent of those organizations ignored the alerts.

From an EASM perspective, speed matters. We must continuously monitor for CNAME records that point to deprovisioned cloud services, detect newly registered typosquatting domains, and validate that SSL/TLS certificates match their corresponding DNS records. The uncomfortable truth is this: if you are not continuously monitoring your entire DNS infrastructure, including that of your third-party vendors, you should expect to be compromised through DNS by 2026.
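A dangling-CNAME check of the kind the paragraph above calls for, written as an added example that is not part of the article. It walks each CNAME chain in a zone snapshot and flags records whose terminal target no longer resolves. The zone and the "live DNS" answers are constructed tables so the script runs offline; in a real monitor the `resolve_a` stand-in would be replaced by queries against public resolvers (for example via `socket.getaddrinfo` or a DNS library), which is an assumption of this example.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "name chain reason")

# Constructed zone snapshot standing in for a zone-file dump or provider API export
# (assumed shape: owner name -> (record type, target)).
ZONE = {
    "shop.example.com.":   ("CNAME", "shop-prod.cloud-host.invalid."),
    "legacy.example.com.": ("CNAME", "old-app.cloud-host.invalid."),
    "blog.example.com.":   ("CNAME", "www.example.com."),
    "www.example.com.":    ("A", "203.0.113.10"),
}

# Constructed view of what public DNS currently answers for the targets.
# Names absent from this table are treated as NXDOMAIN, i.e. the target is gone.
LIVE = {
    "shop-prod.cloud-host.invalid.": "203.0.113.20",
    "www.example.com.": "203.0.113.10",
}


class NXDomain(Exception):
    pass


def resolve_a(name, live=LIVE):
    """Stand-in resolver: returns an address or raises NXDomain."""
    if name in live:
        return live[name]
    raise NXDomain(name)


def follow_chain(name, zone, max_hops=8):
    """Follow CNAMEs from `name`; returns the names visited, in order.
    max_hops bounds the walk so a looping chain cannot hang the monitor."""
    chain = [name]
    while name in zone and zone[name][0] == "CNAME" and len(chain) <= max_hops:
        name = zone[name][1]
        chain.append(name)
    return chain


def find_dangling(zone, live=LIVE):
    """Return a Finding for every CNAME owner whose terminal target does not resolve."""
    findings = []
    for owner, (rtype, _target) in zone.items():
        if rtype != "CNAME":
            continue
        chain = follow_chain(owner, zone)
        terminal = chain[-1]
        try:
            resolve_a(terminal, live)
        except NXDomain:
            findings.append(Finding(
                owner, chain,
                f"terminal CNAME target {terminal} does not resolve (NXDOMAIN)"))
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE):
        print(f.name, "->", " -> ".join(f.chain[1:]), ":", f.reason)
```

An NXDOMAIN answer is the signal worth alerting on: it means the name your zone still advertises is no longer held by anyone, which is exactly the state in which an abandoned cloud resource can be re-registered. The same walk should be run against third-party zones you depend on, not only your own.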

Prediction 3: Shadow AI creates an uncontrolled attack surface

We are facing a significant problem that is developing largely outside of IT and security visibility: "Shadow AI".

The latest research confirms the severity: while 97 percent of companies are reportedly using or piloting AI coding tools, and 100 percent already have AI-generated code in production, a staggering 81 percent have no visibility into this activity. This is a severe governance crisis.

The opportunity for attackers is clear. Developers are using common tools like ChatGPT, Claude, and Copilot to generate production code that frequently contains critical vulnerabilities like SQL injection, cross-site scripting, and insecure authentication protocols. This is compounded by the fact that 65 percent of companies lack security training for developers using generative AI.

From an EASM perspective, the impact is immediate: developers are exposing new, unmonitored attack surfaces by activating AI-powered APIs, integrating third-party LLM services, and creating inference endpoints, all without formal security review. Wallarm's Q3 2025 API ThreatStats report confirms this trend, showing a 57 percent increase in AI API vulnerabilities in a single quarter.

Furthermore, credential exposure is rampant. AI assistants can inadvertently include API keys, database passwords, and other secrets in generated code. Automated bots harvest these credentials within hours, as documented in one case that led to over $12,000 in unauthorized AWS usage for crypto mining.

To address this from an EASM standpoint, immediate actions are necessary: implement repository scans that check AI-generated code for known vulnerability classes, and begin API discovery that specifically targets AI and machine learning endpoints. We must also detect shadow AI tool usage through network traffic analysis and establish automated secrets detection and remediation workflows. The insecure, exponential growth of AI deployments is creating an ideal environment for attackers, and most organizations are dangerously unaware of how rapidly their attack surface is expanding.
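The secrets-detection step from the paragraph above, as an added example that is not code from the article or from Hadrian. It runs three detection rules over a constructed source snippet written in the style of assistant-generated code: the AWS access key id format (`AKIA` plus 16 characters, a real and publicly documented format), a quoted assignment to a credential-looking variable, and a connection URL with an embedded password. The credential values in the sample are AWS's published documentation placeholders and a made-up database password, not real secrets. Hits are reported with the value masked so the report itself does not become a second leak.

```python
import re
from dataclasses import dataclass


@dataclass
class SecretHit:
    line: int
    kind: str
    preview: str  # masked value, so the finding can be located without re-exposing it


# Constructed sample: the AWS values are AWS's own documentation placeholders,
# the database password is invented.
SAMPLE_SOURCE = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_URL = "postgres://app:hunter2pass@db.internal:5432/prod"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Detection rules. The last capture group of each pattern is the sensitive value.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("credential-assignment", re.compile(
        r"(?i)\b\w*(secret|password|passwd|token|api_key)\w*\s*=\s*[\"']([^\"'\s]{8,})[\"']")),
    ("url-embedded-password", re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:([^@/\s]+)@")),
]


def mask(value):
    """Keep a short prefix so the hit can be recognised, hide the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_source(source):
    """Return SecretHit records for every rule match, in line order."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, rx in RULES:
            for m in rx.finditer(line):
                hits.append(SecretHit(lineno, kind, mask(m.group(m.lastindex))))
    return hits


if __name__ == "__main__":
    for hit in scan_source(SAMPLE_SOURCE):
        print(f"line {hit.line}: {hit.kind}: {hit.preview}")
```

Wire this into a pre-commit hook or a repository scan and route each hit to a remediation workflow (rotate the credential, then remove it from history); a detector that only reports, without forcing rotation, leaves the harvested key valid.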

Prediction 4: VPN = ransomware entry point (yes, still)

It should not be surprising that Virtual Private Networks (VPNs) are the number one entry point for ransomware gangs, yet this fact seems to be consistently overlooked. The Coalition Cyber Threat Index 2025 report identified stolen VPN credentials as the leading cause of ransomware infections. The report found that 69 percent of breaches involved third-party VPN access.

The reason is straightforward: once an attacker bypasses the VPN, they are authenticated, providing complete access to move laterally across the entire network, find high-value targets, exfiltrate data, and deploy ransomware.

We are facing a VPN vulnerability crisis. The number of published VPN CVEs grew 82.5 percent between 2020 and 2024, with approximately 60 percent of those rated high or critical on CVSS. The most dangerous are Remote Code Execution (RCE) vulnerabilities, which permit attackers to bypass authentication entirely. Recent examples, such as CVE-2025-0282 affecting Ivanti Connect Secure, demonstrate how quickly these are weaponized to target financial and government agencies.

The implication for EASM is stark: Every internet-exposed VPN endpoint is a ransomware target. Ransomware operators possess the resources to buy zero-day exploits or weaponize recent CVEs with alarming speed, continuously scanning the internet for vulnerable appliances.

Organizations must prioritize the following EASM actions: Continuous scanning of all internet-exposed VPNs for known RCE vulnerabilities, identification of VPN software running deprecated code, and monitoring of all third-party vendor VPN exposure. Treating VPN endpoints as a critical part of the external attack surface is non-negotiable in the interim before transitioning to Zero Trust Network Access.

Prediction 5: Business logic failures become the primary API security vulnerability

APIs represent our most significant and misunderstood security vulnerability. The primary danger does not come from traditional code defects, but from our failure to defend against business logic flaws, which developers often do not perceive as security issues in the first place.

Wallarm's Q3 2025 API ThreatStats provides a clear baseline: 99 percent of organizations experienced at least one API security issue in the past year. The critical insight is that 95 percent of API attacks in 2025 originated from authenticated sessions. The problem is not authentication bypass; the problem is what legitimate, authenticated users can do by exploiting gaps in authorization and business logic.

We see several recurring problems:

  • Broken Object Level Authorization (BOLA): This is the most common flaw, accounting for 28 percent of all API vulnerabilities. Organizations consistently fail to verify if an authenticated user should actually have access to the specific resources they request.
  • API Misconfiguration: This is rampant, with 605 cases in Q3 2025 alone, representing a 33 percent increase quarter over quarter, including exposed development environments and unauthenticated administrative panels.
  • AI API Exploitation: The fastest growth is in AI API vulnerabilities, which increased 57 percent in three months. Attackers chain prompt injection flaws with business logic gaps to achieve results like the Chevrolet dealership incident, where an attacker received a quote for a one-dollar car.

This problem is magnified by a severe governance failure: nearly half of all organizations, 47 percent, have no formalized process for managing API security at scale.

An EASM program must adapt to this reality: it must provide comprehensive API discovery, including undocumented endpoints, and continuous authorization testing that validates object-level access across user boundaries. We must integrate AI-API-specific scanning for inference endpoints and conduct business logic testing that goes beyond traditional vulnerability scanning. By 2026, APIs are the interface to the business. Their security model is fundamentally different, and we must adapt our monitoring to address the rise of business logic exploitation.
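The BOLA flaw from the list above and the cross-boundary authorization test from the paragraph above, together in one added example that is not code from the article or from Hadrian. A vulnerable order lookup sits beside its hardened form, and a small probe requests every object as every user and records each read that succeeds against an object the caller does not own. The order store and user ids are constructed.

```python
from dataclasses import dataclass


class NotFound(Exception):
    pass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed data store: two customers, one order each.
ORDERS = {
    1001: Order(1001, owner_id=7, total_cents=4999),
    1002: Order(1002, owner_id=8, total_cents=129900),
}


def get_order_vulnerable(session_user_id, order_id):
    """BOLA: the caller is authenticated (a session user exists), but nothing checks
    that the requested object belongs to that user. Any valid id is served."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_hardened(session_user_id, order_id):
    """Object-level authorization: the lookup is scoped to the caller's own records.
    A foreign order is answered exactly like a missing one, so the endpoint does not
    confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise NotFound(order_id)
    return order


def bola_check(handler, users, orders):
    """Cross-boundary probe: every user requests every order through `handler`.
    A violation is any successful read of an order the requesting user does not own."""
    violations = []
    for uid in users:
        for oid in orders:
            try:
                got = handler(uid, oid)
            except NotFound:
                continue
            if got.owner_id != uid:
                violations.append((uid, oid))
    return violations


if __name__ == "__main__":
    users = sorted({o.owner_id for o in ORDERS.values()})
    print("vulnerable:", bola_check(get_order_vulnerable, users, ORDERS))
    print("hardened:  ", bola_check(get_order_hardened, users, ORDERS))
```

The probe is the reusable part: given a set of test accounts that each own known objects, it can be pointed at any object-returning endpoint and run on every deploy, which is what "continuous authorization testing across user boundaries" amounts to in practice.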

Some of these trends are novel and require novel methods of addressing them. But an equal number of the threats on the horizon are tried-and-true techniques among threat actors. That’s what makes it so imperative that organizations move away from a reactive security stance into a more proactive approach.
