In 2026, cyber threats are not only more sophisticated, but above all harder to detect. Compromised identities, artificial intelligence used for malicious purposes and invisible vulnerabilities are widening the gap between perceived security and actual risk. In this scenario, cybersecurity is no longer a technical function, but a strategic capability requiring visibility, governance and continuous adaptation.
In 2026, one of the main cybersecurity challenges is no longer stopping the obvious attack, but recognising the one that cannot be seen. Many organisations believe they have their security posture under control because they do not detect significant incidents. In reality, they are often simply overlooking a large part of their attack surface.
Forgotten APIs, legacy systems never decommissioned, technical identities outside governance and unmapped cloud assets continue to exist beneath the radar of IT and security teams. This is what we describe in the Cyberoo Observatory 2026 as the ‘dark matter’ of cyberspace: it does not generate alerts, but it accumulates risk.
With a global average of hundreds of serious attacks per month, silence is no longer synonymous with security. Far more often, it is a sign of a lack of visibility. For Italian and European companies, 2026 marks the definitive shift from perimeter-based security to the need for continuous adaptation.
Artificial Intelligence has transformed the cyberattack into an industrial process. What once required advanced skills, time and resources can now be automated, scaled and replicated at a much lower cost.
AI agents are emerging that are capable of planning, testing and executing attacks autonomously, adapting to the defences they encounter. These systems become particularly dangerous when they are exposed to prompt injection or rely on poorly secured APIs, as they can be hijacked against the very organisation using them.
Added to this is the phenomenon of LLMjacking, namely the misuse of AI models via stolen cloud credentials, which generates high costs and can lead to the leakage of specific and sensitive data. On the fraud front, phishing and social engineering have reached unprecedented levels of credibility, thanks to perfectly contextualised emails and the use of voice and video deepfakes to impersonate executives and senior figures.
In 2026, the perimeter is no longer the network, but identity. Attackers no longer seek to ‘break into’ systems; they seek to become legitimate users.
Business Email Compromise campaigns remain extremely effective, largely thanks to techniques such as Adversary-in-the-Middle, which allow attackers to intercept authentication sessions and bypass traditional MFA. At the same time, the number of non-human identities has exploded: service accounts, bots, cloud workloads, APIs and IoT devices now far outnumber human ones.
These technical identities often lack credential rotation, monitoring and adequate access policies. Infostealer malware does the rest, silently and persistently harvesting passwords, tokens and session cookies. Once an identity is compromised, the breach becomes difficult to distinguish from legitimate activity.
Anything exposed on the Internet is a target, and by 2026, reaction time will matter more than the depth of defences. The gap between the publication of a vulnerability and its active exploitation is often measured in hours, no longer in weeks.
Ransomware attacks are evolving towards triple extortion schemes, which affect not only the victim company but also its customers, partners and suppliers. In this context, there is growing focus on the digital and software supply chain, both for security reasons and to reduce exposure to geopolitical risks.
More and more organisations are considering regional or sovereign cloud strategies, not as an ideological choice but as a response to regulatory fragmentation and the need for greater control over critical data.
By 2026, compliance is no longer a mere paperwork exercise. It becomes verifiable, measurable and enforceable.
The NIS2 Regulation imposes stringent obligations on governance, risk management and incident reporting. The AI Act introduces direct liabilities for the use of artificial intelligence systems, with penalties that can amount to significant percentages of turnover. The Cyber Resilience Act drastically shortens the reporting times for exploited vulnerabilities, whilst DORA strengthens controls on operational resilience in the financial sector.
This means that security, legal and the board can no longer operate in silos. Cybersecurity becomes a matter of corporate responsibility.
The quantum threat is not a problem of the future, but a decision of the present. The “Harvest Now, Decrypt Later” model is already a reality: attackers steal encrypted data today knowing they will be able to decrypt it tomorrow.
Healthcare information, trade secrets and personal data have a long shelf life. Organisations must therefore start thinking in terms of crypto-agility, preparing their systems to migrate to post-quantum algorithms without having to redesign them from scratch.
In Italy, the manufacturing sector remains one of the hardest hit, accounting for 29% of attacks (Cyberoo Observatory 2026). The reason is structural: the ever-closer integration between IT and OT expands the attack surface, often without adequate updates to security models.
There is also a temporal factor that is often underestimated. Attacks increase during periods of reduced operational staffing, such as summer breaks, the Christmas period or certain transitional months. This makes cybersecurity a key element of business continuity, not just technical protection.
In 2026, defence will not mean reacting to incidents, but building resilience. The most mature organisations will start with active governance, with direct board involvement, and work on defining the Minimum Viable Business, i.e. what must continue to function in any scenario.
Security becomes identity-first, with phishing-resistant authentication and continuous monitoring of behaviour. Patching shifts from a cumulative approach to prioritisation based on actual risk. Cloud and SaaS are governed with greater visibility, backups become truly immutable, and the supply chain is tracked at the software level too, through SBOMs and third-party audits.
To think that cybersecurity is merely a technological issue is a strategic error. The human factor is involved in a significant proportion of breaches, but reducing everything to human error is a dangerous oversimplification.
People operate within processes and systems. If these are fragile, even the best behaviour fails. Effective security stems from the integration of clear, tested processes, technologies capable of detecting and responding in real time, and widespread, up-to-date skills.
Organisations that manage to shed light on their own ‘dark matter’ of risk do not merely defend themselves. They build an adaptive capability that grows alongside the context.