Gartner predicts disaster recovery will become part of the CISO’s job. This isn’t just an IT problem anymore—it’s an enterprise imperative.
Cyber Risk in 2026: From Today's Pressures to Tomorrow's Threats
As we enter 2026, security and risk leaders are navigating a landscape that is both increasingly complex and strikingly familiar. At Bitsight, we have spent the last year listening to our customers, synthesizing insights from the field, and preparing for what lies ahead. In a recent webinar with my colleague Vanessa Jankowski, we explored the forces shaping cyber risk in the year to come. What emerged was a clear-eyed view of today’s challenges and a blueprint for building resilience in the face of persistent uncertainty.
The expanding risk landscape: Complexity without boundaries
If there is a single thread connecting the challenges security teams face, it is the rapid expansion of the attack surface. This trend is not new, but its scale and implications have grown significantly. A recent survey of our own customers confirmed the following: asset sprawl, shadow IT, and interdependent vendors continue to overwhelm traditional controls and processes. Customers cited these concerns as their top challenge from 2025 and expect them to persist in 2026. In an environment shaped by Cloud and SaaS applications, remote work, and third-party integrations and dependencies, maintaining a coherent and current view of risk has never been more difficult.
The Bitsight TRACE research team recently visualized a real-world digital supply chain. The result, a dense, interconnected web, underscores the operational reality many organizations face. These ecosystems are not static. They can evolve minute by minute, making traditional approaches to asset and risk management obsolete.
Figure 1: A small fraction of the global supply network
AI adoption: Risk, reward, and the new frontier
AI adoption is accelerating faster than any other software wave in history. According to Menlo Ventures, enterprise AI spending has grown 3.2x to $37 billion in the past 12 months, with over half of that spend focused on embedding AI into applications and business workflows. AI-enabled workflows can provide compelling benefits, but they also introduce potential risks.
Shadow AI has emerged as a growing concern. These tools can be deployed without good governance, often in ways that create unknown or unmanaged exposure. Our team identified nearly a thousand MCP (Model Context Protocol) servers acting as potentially insecure gateways between AI agents and back-end systems or critical infrastructure. Many lacked even basic authentication, which the MCP specification leaves optional. As organizations race to embrace AI-enabled capabilities, they are adding to an already overwhelming attack surface.
We’ve been here before. The early days of the internet were marked by similar exposures (e.g. Google Dorks) where speed and Internet enablement outpaced security. The difference today is scale and impact. AI is embedded in decision-making processes and critical data flows, magnifying both its value and its vulnerability. Fortunately, organizations are responding.
In our survey, AI governance—including Shadow AI oversight and formal framework development—ranked among customers’ top priorities for 2026. At the same time, security leaders are embracing AI’s potential to solve real problems. At Bitsight, we are providing visibility into the AI attack surface, including exposures like unsecured MCP servers, while also applying AI in applications and workflows like Instant Insights and Framework Intelligence. These capabilities enable teams to assess documentation and map controls to security frameworks in seconds—not hours. This is AI with a demonstrable value: reducing manual burden, enhancing consistency, and allowing teams to focus on the highest risk areas that truly require their time and attention.
Threats accelerating: The operational impact of vulnerability volume
In 2025, over 48,000 new vulnerabilities were disclosed, an all-time high, following 40,000 in 2024. Major Security Events (MSEs), vulnerabilities that are being actively exploited by threat actors in broadly adopted and Internet-facing applications, are now occurring roughly every ten days. This pace is accelerating, up nearly 50% from 2024. Because these vulnerabilities are under active exploitation, they may, depending on the context, require immediate action.
This year-over-year increase in velocity and volume demands a shift in how we think about prioritization. You can't address, and probably shouldn't even try to address, every vulnerability that is announced. You need to prioritize based on risk. One component of that risk prioritization exercise is understanding the threat. At Bitsight, we have developed a capability that we call Dynamic Vulnerability Exploit (DVE) scoring to give our customers a threat-informed lens into the risk of a particular vulnerability. As an augmentation to other vulnerability scoring approaches like CVSS and EPSS, DVE dynamically considers observed attacker behavior, exploit availability, and intelligence signals to help security teams focus on the vulnerabilities that threat actors are most likely to exploit against their own assets, or against the assets managed by their extended attack surface, which includes their third-party suppliers and partners.
This kind of prioritization is especially important when resources are constrained. A lack of resources was another regularly cited challenge in our recent survey. Teams continue to be asked to operate with flat or shrinking budgets while their risk surface grows. As one respondent put it: "We're doing more with less, and it's not slowing down."
Regulatory pressure: Compliance as a catalyst
Finally, the regulatory environment continues to trend towards more regulation, not less. In the EU, regulations like DORA and NIS2 are introducing new requirements for operational resilience, incident reporting, and third-party oversight. These rules are reshaping expectations not just for financial institutions, but for the extended ecosystems that enable their operations.
The implications are global. Even organizations outside of the EU or financial services are feeling downstream compliance pressure. Regulators are demanding more visibility, more testing, and more proof. Bitsight is helping customers turn this regulatory moment into an operational advantage by streamlining evidence collection, automating documentation, and enabling continuous monitoring.
Resilience over perfection: A strategic mindset for 2026
We are witnessing a broader shift in how organizations think about cyber risk. As George Kurtz of CrowdStrike said, “The future of cybersecurity is resilience, not perfect protection.”
This is not simply a philosophical pivot: it is a practical one. In 2025, the industry experienced widespread cloud outages, cascading supply chain incidents, and complex AI-related vulnerabilities. The lesson is clear: we will not prevent every breach or avoid every disruption. What matters is how we prepare, absorb, recover, and continue operating.
Resilience is a cross-functional initiative and is not reserved solely for the security and risk teams. It involves IT, procurement, legal, engineering, and executive leadership. It requires scenario planning, real-time visibility, and supply chain awareness. It requires building the capabilities and practices that enable an organization to operate through an incident.
Our survey results align with and support this shift. Risk management and resilience were the most cited strategic priorities among security leaders for 2026. The industry is aligning on the need for capabilities to operate through incidents, not just to improve protection against them.
Looking forward
We have learned from you that 2026 will certainly bring its challenges; however, with these challenges come potentially great opportunities.
Focus and investment into broader visibility, intelligent automation, and organizational resilience can turn risks into competitive advantage.
At Bitsight, we remain deeply committed to this mission. We thank our customers for their trust, their insight, and their partnership, and we look forward to helping you meet these challenges with confidence.
Watch the full webinar, “Cyber Risk in 2026: From Today’s Pressures to Tomorrow’s Threats,” to learn more about what’s top of mind for security leaders as we head into the new year.