AI Archives - Zenaciti
https://zenaciti.com/tag/ai/

2026 Cybersecurity Predictions
https://zenaciti.com/2026-cybersecurity-predictions/
Sun, 14 Dec 2025 21:19:13 +0000

Cybersecurity in 2026 will be easier thanks to cloud and AI advancements, but persistent executive apathy and new AI-specific threats may derail that.

In 2022, I released the 2023 Cybersecurity Anti-Predictions. They were a response to the litany of cybersecurity “thought leaders” who roll out annual predictions, which are extremely predictable.

However, since then, things have changed. Let’s revisit those predictions and make some new ones.

1. The Threat Landscape is Changing

2023: Not really.
2026: AI has entered the chat. 

For 2023 I wrote, “everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.”

For the most part, this prediction remains the same. The threat landscape in 2026 will be about the same as 2025, 2024, 2023, and so on. Malware is still a threat. Credential theft remains the primary focus of attackers. And hackers still have the upper hand in every way.

However, when we look at AI systems, there are tremendous changes in the threat landscape. Perhaps the most interesting of these threats are data poisoning attacks. These specifically target AI systems and large language models (LLMs) to produce flawed or misleading output. In 2024, NIST released an advisory about this kind of attack based on a study they conducted titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This study is an interesting read. It is extremely thorough and even identifies some lingering cybersecurity challenges such as the dilemma of open versus closed systems.

The mitigating factor with this kind of threat is that it targets the AI platforms, and not the end users of those platforms. This limits the scope of this threat to a handful of AI platform providers, such as OpenAI, Google, Microsoft, etc. Furthermore, I could not locate any confirmed instance of a data poisoning attack; however, that does not mean it has not happened.

A larger issue is employees sending company data into AI platforms with no regard to the sensitivity of that data. This poses a complex challenge for organizations that want to enjoy the benefits of AI but need to protect sensitive data. It also poses a massive challenge for regulated systems under standards such as FedRAMP, CMMC, etc.

Fortunately, the industry is responding to this with ample technologies to manage, monitor, and control AI access as well as model context protocol (MCP) servers. Some examples of AI security providers in this space include Obsidian, Zenity, and Cyberhaven.

2. Executives Will Start Taking Security Seriously

2023: Probably not.
2026: No, and you can turn in your badge with security. 

For 2023, I wrote, “Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to diminish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.”

Around 2016 or so, I noticed that many executives would tune out the moment cybersecurity was mentioned. I had a CEO once tell me he was sick of security slowing down his company. Here we are a decade later and this attitude has only become more prevalent. A recent example of this attitude happened in early 2025 when the Trump administration wiped out the entire Department of Homeland Security’s Cyber Safety Review Board. The message was unambiguous: security is unimportant.

Executive indifference to security is a massive barrier for security startups. Leaders only care about security when it becomes a catastrophe. And all they really want is to find somebody to blame.

3. Companies will Commit to Stronger Security Defenses

2023: No, they will stick with “good enough” security
2026: Good enough is pretty good.

What I wrote for 2023 remains relevant. “It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.”

Fortunately, “good enough” security is getting pretty good. One example of this was AWS’s recent announcement of their security agent product. This is a cool new AI technology that can scan an environment, locate vulnerabilities, and suggest improvements. While no AI agent will ever be as good as a skilled human penetration tester, for most organizations, this agent is all they really need.

Another good example of how “good enough” has improved is Azure Sentinel. What used to be a mediocre SIEM and endpoint product has evolved into a respectable security platform. Azure environments have Sentinel built-in, so Azure customers can access and use it easily.

4. We Will See a Megabreach that Cannot be Ignored

2023: We are already ignoring them.
2026: Megabreaches, what’s that?

I cannot even think of a megabreach from 2025 that had any significant impact. Apparently, Verizon had a massive leak in August, which they denied. Whatever. This is a classic “boy cried wolf” problem.

5. Security Staffing will See Improvements

2023: Not likely.
2026: Define “improvements.”  

For 2023 I said, “Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.”

The most significant change for 2026 is that AI is changing who companies are hiring. AI can do what a lot of security analysts and engineers once did. It even can write NGINX config scripts, which is something nobody can successfully do. (Yes, that’s a nerdy joke.)

AI can also do a lot of the grunt work industry analysts do, as Richard Stiennon has proved with his IT Harvest platform.

None of this is good news for job seekers. While the cratering US economy accounts for a lot of the downsizing, AI is only making it worse. AI will never entirely replace humans, but organizations are testing the limits of that. Teams are being shrunk, and the remaining staff is expected to fill the gaps with AI tools.

This adds up to a bleak outlook for security staffing in 2026.

6. Cloud Eats Security

However, the ultimate prediction for 2026 is that security is everywhere, integrated into everything. In 2021, I identified a growing cybersecurity trend: Cloud Eats Security (also called “platformization”.) Cloud providers, like AWS, Azure, and GCP, and SaaS providers like Salesforce or ServiceNow, were (are) slowly consuming many of the traditional security capabilities (firewall, intrusion detection, vulnerability management, web-application firewalls, etc.)

The impact of this trend is that security is now integrated into the platforms companies use. Companies do not need to purchase individual point-solutions which demand complex and expensive integration efforts. However, even the point solutions are getting on board with this trend, making their products much simpler to roll out and fully integrated into cloud and SaaS offerings.

This was one of the reasons why Google paid $32B for Wiz in 2025. Wiz is a powerful platform that simplifies a lot of cloud security functions. Cloud security providers, like Cloudflare, are also rolling out new capabilities practically every day. And some of those are free, such as Cloudflare Tunnels, which allows anybody to securely host anything on the Internet.

To help monitor all these integrated systems, there are emerging AI-powered security operations products from companies such as AI Strike, Torq, and Dropzone AI.

If all this AI stuff seems unstoppable, and wildly insecure, well, it is. However, there are promising emerging technologies such as Automated Moving Target Defense.

And the final piece of this trend is the rise of automated, integrated managed security providers who can keep an eye on everything. In early 2025, I worked on an MSSP analysis project. I was stunned at how many MSSPs had fully embraced automation, AI, and the cloud in their offerings. Unless your organization is gigantic or a government agency, there is no reason to do security internally. Hire an MSSP. There are a lot of great ones out there that can further simplify security.

Conclusion

For 2026, I predict cybersecurity will continue down the path of more integration, more platformization, and more simplicity. This will not stop attackers, but it does swing the odds of success toward the defenders.

[Image: cats playing pickleball. Caption: AI is hard at work defending your assets.]

As for the attackers, like the rest of us, they are going to use AI to do their dirty work. And like the rest of us, they are going to generate a lot of pictures of cats playing pickleball. Which means defenders do not need some whiz-bang quantum oscillating over-thruster to stop them. They merely need to make the most of the security tools they already have.

NOTE: The companies mentioned in this blog are for examples only. I received no compensation for mentioning them nor do I endorse them or their technologies. 

What Is a Managed Security Service Provider (MSSP)
https://zenaciti.com/what-is-a-mssp/
Tue, 07 May 2024 05:32:03 +0000

Managed Security Providers (MSSP) are extremely popular and an important part of the cybersecurity ecosystem. Let's take a look at what makes them work and succeed.

Years ago, I completed a large industry analysis project that covered the managed security business (MSSP).  At the time, MSSPs were rapidly gaining traction.  Fast forward seven years, and I am starting a new MSSP research project. What has changed?

Surprisingly, not that much.

The most notable changes are the influence of cloud and AI technologies on MSSPs.  However, these factors have not altered the constituent parts of an MSSP.  

Gartner Speaks

To understand what makes an MSSP, consider Gartner’s definition:

A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services. MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.

There is nothing wrong with this definition, but it describes what an MSSP does, not what they are.  There is a big difference between those two things.  If you are looking to hire (or build) an MSSP, you must evaluate not only what an MSSP can do, but what they are made of as well.

Managed Security Service Provider Definition  

Based on my research, an MSSP consists of four primary components:

  • Platform
  • People
  • Process
  • Scale

Let’s explore each of these components and how they contribute to an MSSP.  

Platform

This is the collection of technologies, tools, and products the MSSP uses to deliver their services. Platform technologies may be developed in-house or sourced from third-party vendors. Many MSSPs use repurposed open-source products as their proprietary platforms.

An MSSP’s platform is important, but not as important as you may think.  Buyers do not, necessarily, select an MSSP because it offers an ultra-sophisticated platform (nor should they).  Rather, an MSSP’s platform is a “ticket to ride.”  When buyers evaluate MSSPs, they look at the platform first.  If it appears capable, then they move on to evaluate the other components.

The key components of an MSSP Platform include:

Component: Platform Technologies
Description: The component technologies of the platform.
Commentary: This can be a wide range of proprietary and third-party products.

Component: Infrastructure
Description: The architecture, hosting, and supportive components of the platform.
Commentary: This not only includes where the platform is hosted, but also infrastructure components such as authentication, connectivity, and redundancy.

Component: Automation
Description: How the platform responds to incidents, implements remediations, and manages configurations.
Commentary: Automation allows an MSSP to react more quickly and consistently to incidents. Highly automated platforms are fundamentally more effective at protecting an environment.

Automation capabilities may include some AI functions. However, be careful when evaluating any AI usage, since many MSSPs claim to have AI integrated into their platform, when in reality it is merely that their analysts are using AI to perform management functions.

Component: Service Capability
Description: These are the services the platform delivers.
Commentary: Typical services include:
  • Firewall / NGFW
  • Endpoint security, XDR, MDR
  • Vulnerability scanning, penetration testing
  • Configuration / change management
  • Security information and event management (SIEM)
  • Incident handling
  • Compliance reporting
  • Threat intelligence and scoring
  • Email security
  • Security orchestration, automation, and remediation (SOAR)

Component: Data Providence
Description: This refers to where and how the platform stores its data.
Commentary: How a platform stores customer data is critical, especially if there are any compliance requirements. Many compliance frameworks (such as FedRAMP) do not allow any co-mingling of data with non-compliant environments. MSSPs that co-mingle customer data are typically unable to meet compliance requirements.

Some MSSPs have taken to only storing meta-data, while leaving the raw log data contained within the customer environment. This is preferable, from a security perspective, but still will run afoul of some compliance regimens.

People

Even with automation and AI, MSSPs are completely dependent upon people to run everything and support customers. The team that runs, manages, and monitors the platform is what makes an MSSP function. Without them, there is no MSSP.

MSSP teams usually include analysts, support staff, engineers, and developers.

Analysts are the primary service delivery people. They operate the platform, perform security scans, respond to incidents, and deliver reports.  Some MSSPs also employ analysts to perform adjacent professional services such as penetration testing or virtual CISO services.  Analysts form the backbone of an MSSP.

Support staff handle the logistics and customer management functions.  This team may include project managers, customer success representatives, and other non-technical people.  Effective MSSPs use the support team as a “buffer” to allow the analysts and engineers to focus on service delivery.

Engineers operate the infrastructure for the platform. They may also serve as a second-tier support for analysts. Engineers typically operate in the background, and only interact with the customers for more complex or bespoke needs, such as assisting with incident response.

Developers design, build, and deploy the platform and relevant infrastructure components. Some MSSPs do not differentiate between engineers and developers, and unite them into a common platform group. Developers often have their own supporting staff of project managers and testing engineers.

For buyers, it is difficult to assess the skillset of an MSSP’s people. You are not going to be able to meet many of the analysts and engineers working on your account. However, you can assess the team that engages you in the sales process. Savvy MSSPs place technical resources early in the sales process. This ensures the MSSP is building credibility with prospective customers, rather than merely explaining their capability.

Process

Process is the assortment of procedures, practices, policies, and internal culture that operates an MSSP. Process makes an MSSP sparkle. Good MSSPs have well-defined, well-documented, well-maintained processes. Moreover, they are constantly revising, adapting, and updating them to suit the perpetually shifting threat landscape.

In contrast, bad MSSPs have … nothing.  It is not uncommon for companies to charge into the MSSP business, believing that as long as they have the correct technologies and people to staff the SOC, they are good.  An MSSP is largely useless without effective processes.

Moreover, Process is what gives an MSSP its value.  MSSPs get acquired for their processes, not for their platform or people.  If you are evaluating an MSSP, you want to look closely at the processes they use to conduct their services.

Scale

For an MSSP to be successful, it must be able to put its platform, people, and processes in motion and deliver results. This means designing those components to be agile and adaptable.  It also means having the organizational maturity to accommodate a growing customer base. Scale is therefore a facet of an MSSP’s strategic and tactical execution.

Scale kills weak MSSPs while it fuels smart MSSPs.  Once they begin to acquire customers, the MSSP reaches a critical point where the platform, processes, and people must rapidly change.  This stresses those components, particularly the people.  If the organization lacks effective leadership or empowers people who are uncomfortable with change, the MSSP will begin to struggle.  The company will become unable to handle increased customer load, which will cause customers to become dissatisfied.

Change is discomfort, and savvy MSSPs embrace this discomfort.  They have internal DevOps-style practices that integrate change, growth, and adaptability into everything.

Customers evaluating an MSSP should consider how the MSSP has adapted to the changing threat landscape. As a customer, constant change can be frustrating. However, if an MSSP can manage this change effectively, it demonstrates organizational strength and maturity, which is something you want as a customer.

Factors Influencing MSSPs

As I mentioned in the introduction of this article, there are a number of influential factors on MSSPs at this time. In this section, I will address some of the more prevalent influences and how they have changed the MSSP landscape in the past few years.

Cloud

Ten years ago, MSSP was an “on-premise” business. In other words, their products were concentrated on managing and monitoring traditional, on-premise technologies (firewalls, IDS, endpoint, etc.). Today, nearly all MSSPs are cloud-based. Their platform resides in the cloud and even the management of on-premise equipment, such as firewalls, is handled through cloud products.

AI

Likewise, ten years ago AI was nothing.  Now it dominates every discussion about anything.  Currently, the use of AI in MSSPs is inconsistent.  Much of the AI messaging among MSSPs feels like marketing hype, and not substantive, technical improvement.  Where AI tends to land first is inside the third-party products that use some kind of AI detection method for malware.

Slowly AI is making it into SIEM platforms. However, AI use for threat hunting remains nascent. Most MSSPs lack the internal expertise to fully integrate AI into their platforms. Moreover, training an AI to analyze log data is difficult. Without a sizable set of “positive” (or wanted) events, it is difficult for an AI to identify what constitutes “negative” (or unwanted) events. Since most SIEM platforms do not store “non-events,” this blinds the AI.

Where AI is making a difference is with analysts. Use of AI for generating scripts, tools, and automations can dramatically accelerate an analyst’s efforts. What used to require hours of painstaking coding, testing, and revising of automation scripts can be done in seconds with a prompt to ChatGPT.

However, buyers of MSSP services need to be mindful of this difference.  Merely because an MSSP says they use AI, does not mean it is integrated into the platform (or accessible to the customer).  Analysts using AI to develop scripts or automation is a good thing. However, that does not make the MSSP “AI enabled.”  This is where marketing fluff and process reality can diverge.

Co-Management

Another perpetual challenge with MSSPs is the co-management conundrum.  On the one hand, customers often demand access to the controls the MSSP manages.  On the other hand, giving a customer control creates a race-condition where the customer and MSSP can conflict on management styles or discipline.  Co-management is not necessarily good for customers or MSSPs.  Customers should be prepared to pay more for co-managed platforms vs full-managed ones.

Platform Images

This MSSP platform strategy is special to me, as it was a strategy I played a hand in inventing. In 2017 when I began my research, most MSSPs used a single, monolithic platform where they co-mingled all customer data. This presented several challenges for using MSSP services in highly regulated environments, where data co-mingling is not permitted per compliance requirements.

My innovation was to use the automation capabilities of cloud environments to deploy an MSSP platform into customers’ own cloud accounts. This functioned much in the same way as using a Linux or Windows image from a repository. The image is instantiated independently in each customer’s environment. Once deployed, it is then customized to suit the customer’s unique needs. This deployment strategy eliminates all co-mingling issues and will support restrictive compliance requirements.

In 2018 when I built this platform, it was a novel concept. Today, it is everywhere. Many MSSPs have fully embraced this deployment strategy, as it unlocks lucrative compliance-funded opportunities. These types of environments are also more adaptable to customer needs.

Buyer’s Guide

If you are considering hiring an MSSP, here are some questions you can use to evaluate each component of a potential vendor:

Platform Questions

  • Describe the architecture of your platform.
  • How is the platform deployed (automation, images, hardware, etc.)?
  • What services (capabilities) does it offer?
  • What software (agents, etc.) must we install in our environment?
  • How does this software communicate with the platform?
  • What access do we have to the platform and its components?
  • What third-party products does your platform use?
  • How do you update the platform?
  • How is the platform licensed?
  • Where is the data stored?  Is the data co-mingled?
  • What reports / data analysis is provided?
  • If AI is used, describe how and where.

People Questions

  • How is your SOC organized?
  • What teams do you have?
  • Describe how you on-board analysts.
  • What kinds of training, education, or career development does the team receive?
  • Who responds to my tickets or phone calls?
  • Who manages my account?
  • How often can I expect to hear from an analyst?
  • Are there any regular meetings, check-ins, or reviews?
  • If there is an emergency, who do I call?
  • How will I be contacted in the event of an incident?

Process Questions

  • Describe how my company will be onboarded to the platform.
  • Define the data flow within your environment.
  • How are access rights assigned, managed, and monitored?
  • Describe how your team manages an incident.
  • Does your company perform “post-mortems” on incidents?
  • If vulnerabilities are detected (if this is part of the service), how will I be notified?
  • What role does your company have in remediating vulnerabilities?

Scale Questions

  • What kinds of performance metrics do you have for your platform?
  • How do you measure success among your teams?
  • How often do you revise internal processes?
  • How is your platform updated, revised, or adapted to changing conditions?
  • How does the organization manage change?
  • What is the experience and background of the leadership?
  • Does the leadership have information security expertise?
  • What is the roadmap for the MSSP?

A savvy MSSP can answer these questions (and more).  An immature one may struggle, or resort to marketing fluff.

Conclusion

MSSPs are an integral part of the information security landscape. In the past decade they have transformed from simple firewall management to full-service outlets that can accommodate a diverse set of security services.

There are numerous benefits to engaging an MSSP.  The most significant is that an MSSP can focus on security.  Unless your company intends to build a robust, in-house information security practice, it makes sense to outsource some (if not all) security functions to an MSSP.

For marketing and sales teams, your go-to-market efforts should focus on explaining the benefits of your four components. Why is your platform unique? How is your team effective? What practices or processes make your MSSP special? And how do you adapt, change, and grow with the volatile security landscape?

While the MSSP market has evolved in the past few years, it has not fundamentally changed. AI and automation are helping MSSPs scale, but they are not altering what makes an MSSP function. If you are looking to hire, or build an MSSP, then it is important to evaluate the four primary components of an MSSP.
