4 Predictions Our Researchers Say Could Break (or Break Through) in 2026

As we step into 2026, Bitsight researchers are closely watching key developments across the cyber risk landscape. Their insights reveal a dynamic tension between rising threats and new opportunities to strengthen defenses. Here's what they predict for the year ahead, and what security teams should be prepared to navigate.

1. Fragmentation in vulnerability intelligence

Bitsight Principal Research Scientist Ben Edwards came remarkably close with his 2025 prediction, estimating there would be “between 48,675 and 58,956 new CVEs published.” The actual number (48,185) landed just shy of his lower bound. For 2026, however, he’s turning his attention to a different concern: fragmentation. “The vulnerability ecosystem will continue to fragment,” he predicts. “Different organizations and polities, both within and outside the Western world, are building their own tracking systems independent of CVE and will exert control over how vulnerabilities are reported and scored within their realm of influence. That will make it harder for users to effectively manage vulnerabilities.”

At the same time, he sees progress on the horizon. "We are finally going to have a better understanding of the correlation between cyber exposures and actual incidents, as the cyber insurance industry matures," Edwards adds. "We’ll be able to say how particular types of exposures (i.e. vulnerabilities, botnet infections, open ports) influence the likelihood and severity of incidents."

2. AI everywhere, but not always for good

Pedro Umbelino, Principal Research Scientist at Bitsight, starts with a familiar caveat: “Predictions are hard, especially about the future.” Still, he’s confident that 2026 will be filled with AI—whether it’s helpful or not: “Think about the Internet, almost everything is online nowadays. But just because we can connect our toilet to the Internet doesn't mean we should. I think we will get a lot of that regarding AI in the next couple of years: discussions on what makes sense versus what ends up happening anyway."

He’s also watching the IT/OT convergence in manufacturing. “Industry 5.0 is already overlapping with 4.0, expanding the attack surface at a very fast pace,” he explains, “but attackers will likely still be more focused on the IT side: the low-hanging fruit. I’m surprised we haven’t seen more ICS/OT attacks, but maybe that’s because cybercriminals haven’t found a profitable business model for it yet.”

Looking beyond 2026, Umbelino urges attention to a looming systemic risk: Y2K38, or the Epochalypse. “From the White House to the UN, I’ve had the honor of raising awareness about this issue. People think it’s like Y2K, but we have over 600 times more systems now. By 2038, it could be 1,000 times more. And we don’t have that much more money, time, or people to fix it.”

He concludes with a note of urgency and hope: “Society is becoming less proactive about long-term risks. Four-year election cycles don’t reward strategic spending. But we really need to get going on fixing Y2K38 while we still can. It’s more a desire than a prediction, but I honestly hope we’ll see some real movement on it this year.”

3. IoT and user risk will persist

João Godinho, Principal Research Scientist at Bitsight, warns that Internet of Things (IoT) threats are far from over: “As the number of IoT devices keeps increasing, and given their questionable supply chains, we'll likely keep more vulnerabilities in these devices. Threat actors will likely continue to take advantage of this to build their botnets for various purposes.”

He also points to unintended consequences of internet regulation: “We've recently seen multiple occasions where governments have imposed restrictions on internet access, such as the Online Safety Act in the UK or the Online Safety Amendment Act in Australia. As these types of policies become more common, we’ll likely see more users turning to services like proxies and VPNs to bypass restrictions. The concern is that less tech-savvy users may end up compromising themselves by relying on shady proxies that harvest data, or free VPNs that are involved in malicious activity.”

4. Critical infrastructure: A double-edged outlook

Threat Intelligence Researcher Emma Stevens predicts continued targeting of essential services: “Threat actors—especially advanced persistent threat groups and nation-state operators—will likely escalate their targeting of critical infrastructure and key resources. The Colonial Pipeline ransomware attack in 2021 is a stark reminder of what’s at stake; it shut down fuel operations and disrupted supply chains across Northern Virginia. More recently, the breach at the Municipal Water Authority of Aliquippa highlighted how exposed and under-defended water systems can be. Outdated infrastructure, exposed ICS/OT devices, and unpatched systems continue to give attackers ample opportunity.”

However, she thinks these high-profile incidents could also serve as a wake-up call. “They’re pushing the industry to strengthen its defenses. Regulatory scrutiny is increasing, security frameworks are evolving, and organizations are finally starting to modernize their ICS/OT environments,” she adds. “As a result we’ll hopefully see more proactive strategies, stronger response plans, and deeper investments in resilience, which will make these critical systems harder to compromise.”

Preparing for a complex year ahead

From fragmented vulnerability ecosystems to AI overreach and the persistent risks of outdated infrastructure, 2026 is poised to test even the most mature security programs. But it's also a year of opportunity.

At Bitsight, our researchers work deep within proprietary data to cut through noise and uncover actionable intelligence—emerging vulnerabilities, systemic weaknesses, and infrastructure risks that matter most to security practitioners and leaders alike. Catch up on the latest Bitsight TRACE research, and stay tuned throughout the year to see what they discover next. (And how our predictions hold up.)