However, since then, things have changed. Let’s revisit those predictions and make some new ones.

1. The Threat Landscape is Changing

2023: Not really.
2026: AI has entered the chat. 

For 2023 I wrote, “everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.”

For the most part, this prediction remains the same. The threat landscape in 2026 will be about the same as 2025, 2024, 2023, and so on. Malware is still a threat. Credential theft remains the primary focus of attackers. And hackers still have the upper hand in every way.

However, when we look at AI systems, there are tremendous changes in the threat landscape. Perhaps the most interesting of these threats are data poisoning attacks. These specifically target AI systems and large language models (LLMs) to produce flawed or misleading output. In 2024, NIST released an advisory about this kind of attack based on a study they conducted titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This study is an interesting read. It is extremely thorough and even identifies some lingering cybersecurity challenges such as the dilemma of open versus closed systems.

The mitigating factor with this kind of treat is that it targets the AI platforms, and not the end users of those platforms. This limits the scope of this threat to a handful of AI platform providers, such as OpenAI, Google, Microsoft, etc. Furthermore, I could not to locate any confirmed instance of a data poisoning attack, however that does not mean it has not happened.

What is a larger issue are employees sending company data into AI platforms with no regard to the sensitivity of that data. This poses a complex challenge for organizations who want to enjoy the benefits of AI but need to protect sensitive data. It also poses a massive challenge for regulated systems under standards such as FedRAMP, CMMC, etc.

Fortunately, the industry is responding to this with ample technologies to manage, monitor, and control AI access as well as model context protocol (MCP) servers. Some examples of AI security providers in this space include Obsidian, Zenity, and Cyberhaven.

2. Executives Will Start Taking Security Seriously

2023: Probably not.
2026: No, and you can turn in your badge with security. 

For 2023, I wrote, “Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to dimmish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.”

Around 2016 or so, I noticed that many executives would tune out the moment cybersecurity was mentioned. I had CEOs once tell me he was sick of security slowing down his company. Here we are a decade later and this attitude has only become more prevalent. A recent example of this attitude happened in early 2025 when the Trump administration wiped out the entire Department of Homeland Security’s Cyber Safety Review board. The message was unambiguous: security is unimportant. 

Executive indifference to security is a massive barrier for security startups. Leaders only care about security when it becomes a catastrophe. And all they really want is to find somebody to blame.

3. Companies will Commit to Stronger Security Defenses

2023: No, they will stick with “good enough” security
2026: Good enough is pretty good.

What I wrote for 2023 remains relevant. “It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.”

Fortunately, “good enough” security is getting pretty good. One example of this was AWS’s recent announcement of their security agent product. This is a cool new AI technology that can scan an environment, locate vulnerabilities, and suggest improvements. While no AI agent will ever be as good as a skilled human penetration tester, for most organization, this agent is all they really need.

Another good example of how “good enough” has improved is Azure Sentinel. What used to be a mediocre SIEM and endpoint product, has evolved into a respectable security platform. Azure environments have Sentinel built-in, so Azure customers can access and use it easily.

4. We Will See a Megabreach that Cannot be Ignored

2023: We are already ignoring them.
2026: Megabreaches, what’s that?

I cannot even think of a megabreach from 2025 that had any significant impact. Apparently, Verizon had a massive leak in August, which they denied. Whatever. This is a classic “boy cried wolf” problem.

5. Security Staffing will See Improvements

2023: Not likely.
2026: Define “improvements.”  

For 2023 I said, “Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.”

The most significant change for 2026 is that AI is changing who companies are hiring. AI can do what a lot of security analysts and engineers once did. It even can write NGINX config scripts, which is something nobody can successfully do. (Yes, that’s a nerdy joke.)

AI can also do a lot of the grunt work industry analysts do, as Richard Stiennon has proved with his IT Harvest platform.

None of this is good news for job seekers. While the cratering US economy accounts for a lot the downsizing, AI is only making it worse. AI will never entirely replace humans, but organizations are testing the limits of that. Teams are being shrunk, and the remaining staff is expected to fill the gaps with AI tools.

This adds up to a bleak outlook for security staffing in 2026.

6. Cloud Eats Security

However, the ultimate prediction for 2026 is that security is everywhere, integrated into everything. In 2021, I identified a growing cybersecurity trend: Cloud Eats Security (also called “platformization”.) Cloud providers, like AWS, Azure, and GCP, and SaaS providers like Salesforce or ServiceNow, were (are) slowly consuming many of the traditional security capabilities (firewall, intrusion detection, vulnerability management, web-application firewalls, etc.)

The impact of this trend is that security is now integrated into the platforms companies use. Companies do not need to purchase individual point-solutions which demand complex and expensive integration efforts. However, even the point solutions are getting on board with this trend, making their products much simpler to roll out and fully integrated into cloud and SaaS offerings.

This was one of the reasons why Google paid $32B for Wiz in 2025. Wiz is a powerful platform that simplifies a lot of cloud security functions. Cloud security providers, like Cloudflare, are also rolling out new capabilities practically everyday. And some of those are free, such as Cloudflare Tunnels which allows anybody to securely host anything on the Internet.

To help monitor all these integrated systems, there are emerging AI-powered security operations products from companies such as AI Strike, Torq, and Dropzone AI.

If all this AI stuff seems unstoppable, and wildly insecure, well, it is. However, there are promising emerging technologies such as Automated Moving Target Defense.

And the final piece of this trend is the rise of automated, integrated managed security providers who can keep an eye on everything. In early 2025, I worked on an MSSP analysis project. I was stunned at how many MSSPs had fully embraced automation, AI, and the cloud in their offerings. Unless your organization is gigantic or a government agency, there is no reason to do security internally. Hire an MSSP. There are a lot of great ones out there that can further simplify security.

Conclusion

For 2026, I predict cybersecurity will continue down the path of more integration, more platformization, and more simplicity. This will not stop attackers, but it does swing the odds of success toward the defenders.

As for the attackers, like the rest of us, they are going to use AI to do their dirty work. And like the rest of us, they are going to generate a lot of pictures of cats playing pickleball. Which means defenders do not need some whiz-bang quantum oscillating over-thruster to stop them. They merely need to make the most of the security tools they already have.

NOTE: The companies mentioned in this blog are for examples only. I received no compensation for mentioning them nor do I endorse them or their technologies. 

The post 2026 Cybersecurity Predictions appeared first on Zenaciti.

A few years ago, I predicted that the large cloud service providers (CSP), like Azure, are slowly consuming security products and offering them as services.  This was not a prediction, but rather pointing out the obvious. This had been going on for years, starting with AWS offering web application firewall as a service.  With each passing year, the CSPs have expanded their security services.  For example, Microsoft added Sentinel, GCP built Chronicle, and AWS added GuardDuty.  Microsoft is particularly aggressive in bundling their security tools and capabilities into Azure and Office 365 platforms.

The CSPs already have the tools. They have the knowledge. They have the ability. Why not give customers free security as part of their hosting costs?

The free offering should be a complete defense in depth platform: endpoint security, vulnerability management, network firewall, intrusion detection, web application firewall, data encryption, identity management, and centralized log monitoring.  Unite them into a single console, offer them for free to any customer hosting workloads on the platform.

Why should they do this?

A Case for Free Cloud Security

While there are many reasons for free cloud security, there are three compelling ones that deserve attention:

1. It Would Show a Commitment to Security

CSPs are increasingly entangled in the security of their customers.  When there is a breach, customers are quick to blame the CSP.  AWS for example has a long history of being blamed for leaky data buckets, which is entirely unfair since they do not control the access rights.  Offering a complete suite of security tools, for free, would demonstrate a commitment to ensuring customers host their workloads securely. It also would allow the CSPs to integrate security tools into their templates and blueprints.

2. It Will Accelerate Cloud Adoption

Large and small companies routinely cite security concerns as a primary reason for not migrating to the cloud.  This 2019 story validates that thesis.  Offering free security would encourage a lot of companies (even enterprise sized ones) to move to the cloud.  Free security lowers the burden of relocating workloads to the cloud. It allows companies to more quickly build secure environments that can host sensitive workloads.  It may also convince companies that fear cloud adoption that it is safe.

3. It is Good Business

Free security would not come cheap for the CSPs but it would increase billings.  One of the things I noticed when I helped customers move workloads to the cloud, was that security drove additional spending.  Once an organization was comfortable with the security of their platform, they were comfortable moving more workloads into the cloud.  Moreover, there was a natural sprawl of usage. In one customer, I recall their AWS billings more than quadruped when we deployed strong security controls.

Free security makes cloud hosting more attractive to customers.  It also reduces a customer’s expenses. That frees up budget for more cloud spending on instances, databases, and other services.

Drawbacks

What about the existing security vendors?

Their business would erode.  Stand-alone security vendors like Crowdstrike, Qualys, or Palo Alto Networks would see some lost business. This means they would need to adapt to offer more advanced security capabilities beyond the baseline.  That is still good for the rest of us.

Can we trust CSPs with security?

We already do.  Our data is already at these CSPs.  You think all those SaaS application subscriptions you purchased are running on some Dell server in a data center?  They are running at AWS or Azure.  I have seen the security operations at these CSPs. They do a significantly better job at security than 99% of the organizations out there.  They have to, otherwise customers would abandon them.

It Creates Platform Lock-in

That already exists. For all the talk of “multi-cloud” strategies, extremely few organizations implement them.  Multi-cloud strategies are insanely expensive.  This would not fundamentally alter the lock-in issue.

There is No Way AWS Could Compete with the Likes of Palo Alto Networks

They do not have to. This is not about building the best security tool possible. This is about building a capable set of tools that can deliver a reasonably acceptable security baseline. Again, think Microsoft Defender. Is it the best AV on the market? No, but it is better than nothing.  For smaller to mid-sized organizations, it is completely adequate.  A free cloud security platform would offer an adequate set of tools, not top-of-the-line stuff.

What is Good for One, Is Good for All

There is one more compelling reason for cloud providers to offer security for free – it is the right thing to do.

Decades ago, the Bill and Melinda Gates Foundation began funding immunization efforts in developing nations.  Eliminating curable diseases was not only good for the people, it was good for all of us.

Microsoft did something similar.  It began bundling Defender Antivirus with Windows. Initially the product may have had weaknesses, but it spread anti-virus to the masses.  Entire strains of common malware disappeared.

Cloud providers are in a similar position.  They could make their platforms stronger and more desirable with a complete, bundled security platform.  Then small businesses, non-profits, and governments world-wide could operate more securely.  Which is good for us all.

AWS, Microsoft, and Google, you can make this happen.  Do it.  Do it for your own interests.  Do it for ours.

The post AWS, Azure, and Google: Make Security Free for All appeared first on Zenaciti.

You bought a froduct, a product that is really a feature or collection of features. Froducts are everywhere, but they are particularly pervasive in cloud and security market. Free flowing funds has fostered fertile field for founders flaunting froducts.

What is a Froduct?

For something to be a froduct, it must meet two criteria:

1. Limited Use. Security and cloud froducts target specific needs, such as compliance, data replication, or incident response.
2. Dependencies. Froducts depend on other technologies, systems, or people to work properly.

Froducts are not necessarily a bad thing.  In fact, many innovative technologies begin their life as a foduct.

One example of a successful froduct was Portshift. This Israeli company made a Kubernetes security product. Their product, like many container security products, was really a collection of existing Kubernetes and cloud capabilities. You could do almost everything Portshift did with existing open source tools. You also had to have a containerized application environment — limited uses, critical dependencies.

Portshift brought these features together into a product, racked up some wins, and got acquired. Investors put in $5 million and Cisco paid approximately $100 million for the company (the actual amounts remain undisclosed.) That is a 20x return on capital. A fabulous froduct finish.

While froducts are great for founders and investors (when they work), they are not always so good for customers. Froducts can create as many issues as they solve. Yes, you have security mesh on your containers, but who is going to define, manage, and monitor that? Container security mesh, like many other security froducts, is a great idea that is difficult to implement successfully. Froducts often make lofty promises of efficiency, security, and reliability, that are difficult to fully realize.

So where do all these froducts go?

Cloud Eat Froduct

In my recent analysis article, Cloud Eats Security, I described how the Cloud Service Providers (CSPs) such as AWS or Azure, are gobbling up security capabilities.

For example, consider Web Application Firewalls (WAF). A decade ago, WAF was a thriving market, with multiple big players like Imperva and F5. Now, WAF is a few clicks on your AWS, Azure, or Cloudflare console. There is really no reason to buy a WAF anymore.

Cloud providers are slowly gobbling up froducts. Bundling them up into their offerings and making them easier to implement. While their versions of these technologies may not be as good as the stand-alone ones, it does not matter. They are good enough. Like it or not, that is all most buyers want.

Go to Froduct Market

For every froduct that clocks in a 20x return, there are hundreds that merely burn investor cash. The core problem with these places is they have their go-to-market efforts completely wrong.

Security and cloud froduct companies keep struggling to solve security or cloud problems. They put out endless marketing fluff about hacking, peace of mind, and attack surface areas but fail to address the real question that buyers want to know: what business problem do you solve?

Security problems are small, nuanced, esoteric pixies that require lengthy explanation, education, and endurance to comprehend. In contrast business problems are lumbering leviathans that even the most clueless investor can understand. For example…

Business problem: we need money.

Security problem: we need to restrict access to specific users, with approved session tokens.

A security froduct might be innovative and effective, but if it creates any kind of impediment to revenue, then who cares. Startups with froducts need to look way beyond the cool thing they do and think about what those cloud service providers are doing.

Froduct Packaging

The reason AWS can get away with a subpar WAF is because the totality of AWS is more valuable than the individual components. AWS’s value is not in their security or compute capabilities, it is in the platform.

Or another way to say this, AWS does not solve compute problems (or security ones for that matter), they solve business problems with computing products.

Startups can use this same technique to make their languishing froduct more useful and valuable.

For example, which one of these product pitches do you think work better on a C-level executive with limited budget?

Our cloud deployed IAM product integrates with your on-premise Active Directory to synchronize user identities across cloud environments. It can reduce unauthorized access and protect data.

Our product keeps your people working earning revenue.

Do not sell the froduct, sell the better future the froduct (on some big platform) delivers. Froducts, packaged together, to solve large scale problems are irresistible to leaders who want to contain costs. Moreover, they alleviate pain.

So, what are some of these large, business problems? There are only a few of them.

1. People: expensive, fickle, smelly, hungry
2. Money: never enough of it
3. Time: never enough of it

If your froduct platform can replace people, save money, and/or reduce time to success, then you have a winner. If your froduct requires a company to hire more people, pay more money, or consumes more time, you have an uphill battle ahead of you.

Conclusion

When you go shopping for new security products, take the time to consider the dependencies.  You may be buying a froduct.  Likewise, products that integrate with existing platforms, like AWS or Azure, are naturally more effective since they can work on existing environments.

If you are a product company, then you must be able to place your product into the context of a customer’s environment.  Stop talking about the security challenges you address, and start talking about how you will improve the customer’s experience. You can still talk about those security benefits, but only after you and the customer are clear on the business problems you solve.

The post Rise of the Froduct appeared first on Zenaciti.

Over the past 20 years, cybersecurity has played an unwinnable game. In this game, the attackers make all the rules, score all the points, and can quit anytime without losing.

Meanwhile, the defenders are encumbered with a cavalcade of rules, tools, and fools: insidious compliance rules that drag down progress, a messy assortment of security tools that never work together, and company executives that dismiss security as a nuisance inhibiting their success.

If you have ever had to implement enterprise information security you know that it is not merely difficult, it is profoundly difficult. However, what is the alternative? Companies must defend themselves. And so, security professionals diligently persevere. They buy new tech, hire more people, and fight enemies inside and out. After a while, the virtuousness of their perseverance becomes indistinguishable from insanity.

Beyond Human

The crux of this Unwinnable Game is that protecting modern IT systems exceeds human cognitive abilities. Information security, even for a modest sized organization, is insanely complex, volatile, and error-prone. This has left CISOs playing a game they can never win. See more about What is Wrong with CISOs.

If humans cannot handle security, then who or what can? Automation? Artificial Intelligence (AI)?

AI and automation both have tremendous potential to make security less complex and more reliable. Automation tools can repeatedly (and tirelessly) analyze data to identify outliers and potential attacks. AI can, theoretically, adapt to changing environments.

Unfortunately, these tools have massive hurdles to adoption.

First, implementing AI and automation are well beyond the technical capabilities of most security teams. Most security teams struggle to maintain basic hygiene. Expecting them to install, tune, and manage complex AI technologies is unrealistic.

Second, these tools demand standardization. Environments with disparate systems are impossible to automate and confound AI engines.

Lastly, AI engines demand vast amounts of data to build accurate propensity models. This means the engine must have both abnormal and normal data (and anything in between). Most security technologies discard or ignore normal data, favoring the abnormal. This is because the humans who manage those security products cannot handle the onslaught of both normal and abnormal data.

Introducing Platformization

This is the point when cloud providers, like AWS, Microsoft, and Google, as well as large SaaS providers, like SalesForce and ServiceNow join the chat. Cloud providers have huge advantages in regard to automation and AI. They are skilled at taking technologies and processes, and transforming them into standardized, easy to implement, and automated services. AWS has the people, purpose, and scale to build AI engines. Mostly, cloud providers have a huge advantage over the point players, like Crowdstrike or Splunk. Cloud providers can see everything, normal and abnormal. This makes them a logical place to implement security.

The reason computing workloads are moved to the cloud is because the cloud providers simplify complex technology into standardized services. Cloud and SaaS have already consumed entire markets, such as email. Ten years ago, if you needed an email server, you had to setup, manage, and secure your own. Today, with a few clicks and a script you can have an enterprise class email system at Microsoft or Google, pre-configured and secured correctly. There are few reasons to run your own mail server these days.

Security is no longer an add-on product. It is inside the platforms companies already use.

The New Cloud Order

By 2030, security will inside the platform, not outside it. These integrated services will extend out to endpoints and IoT devices as well. What we know today as the security industry, with thousands of vendors all selling point products will dramatically change. It will be more about integrating capabilities into existing cloud and SaaS platforms.

This trend is already in motion. The impact of this shift will be felt far and wide. Some of the things we can expect include:

• The demand for point security products will not disappear, rather it will move down-market to SMB and laggard industries that refuse to adopt the cloud.
• The market valuations for security point solutions will decline as they run out of customers.
• The demand for in-house security expertise will decline. With cloud services and AI doing much of the dirty work, in-house teams will have less to do. This will make the security roles less about twiddling with tools and more about managing risk posture throughout the organization. This will also fuel expansion in the managed security segment.
• Since everything in the cloud can be automated through an API, a new class of value-added resellers will emerge: automation integrators. These providers will repackage automations between different providers. They will offer pre-built architectures, with your preferred vendors (like ServiceNow or Salesforce) pre-integrated. With a few clicks you will be able to build an entire enterprise infrastructure with everything tightly integrated.
• The market for managed security providers (MSSP) will grow, however they must adapt to work with the cloud. The traditional MSSP, with a big SOC managing hardware devices, will be less relevant. MSSP will also move down-market into SMB environments. It will be less expensive and simpler for organizations to outsource security monitoring than attempting to do it in-house.
• Demand for stand-alone security awareness and application code scanning solutions will remain stable or increase. These services are difficult for cloud providers to adopt, due to the customized nature of them. However, security awareness training has already moved to cloud-delivery. Likewise, most application code scanners have SaaS delivered versions as well.
• Hardware security products must refocus on access, with tight integration to cloud services. Many of the hardware vendors, like Palo Alto Networks and Fortinet have already begun this transition.
• Compliance will be devalued. Compliant environments can be built, certified, and authorized through automated means. Compliance bodies will resist this at first, but the cloud providers will strong-arm them into adopting. You already see the beginnings of this, with the FedRAMP office push their standardized OSCAL language.
• Multi-cloud will become more difficult as cloud providers find more ways to create lock-in strategies. This will also increase the need for automation integrators, which can smooth out multi-cloud adoption complexities.
• Attacks and ransomware will shift focus to “softer” targets such as laptops and IoT devices.
• AI engines will become increasingly more capable at identifying new attacks. However, people will need to manage the response and remediation.
• Automation will extend to remediation tools. Cleaning up an intrusion will no longer require expensive engagements with outside consultants. Rather, automation tools will gather evidence, wipe out affected systems, and rebuild from known-good repositories.
• Risk management will become more important to companies, as they shift from a purely reactionary approach to that of controlling risks.
• Watch closely anybody AWS, Azure, Google, Salesforce, Service Now, Oracle, SAP etc. acquires. They will start vacuuming up technologies that will serve this change. AWS has already done a few.

Evidence

The evidence of this movement is already out there.

• Microsoft Azure has their own Security Event and Information Management (SIEM) product: Sentinel
• AWS has rolled out Guard Duty and WAF, rendering the need for standalone WAF or IDS/IPS less relevant.
• Google’s Chronicle integrates multiple security functions as well as some AI capabilities.
• At re:Invent 2022, AWS announced Security Lake a new SIEM product similar to Chronicle and Sentinel
• Google purchased Wiz, with the intention to integrate it into their cloud offerings.
• AWS announced Security Agent, an AI-based vulnerability identification and remediation tool.

Counterpoints

Of course, this trend will encounter resistance from all those vendors. Just as hardware vendors ignored the writing on the wall in the early 2000s, so too with the sea of booths at the RSA ignore the rising cloud waters around them. However, let’s consider some contrary points.

Cloud services are not as accurate or capable as dedicated point solutions.

This may be true, but it does not matter. The cost and complexity of implementing, optimizing, and managing point solutions is already higher than adopting cloud-native tools. Moreover, the quality of a product is largely irrelevant in the grand scheme of protecting a business. Most of the companies that experienced a large data breach possessed cutting edge security technologies. It is not the technology that protects a company, it is how the technology is implemented, managed, and monitored.

Cloud providers are incentivized to ignore or cover up security problems. You cannot have the fox guarding the henhouse!

Pushing the farm clichés aside, this is untrue. Cloud providers are under tremendous legal, regulatory, and reputational pressure to secure their services. For example, a few years back AWS took heat for customers with public S3 bucks. Even though this is a legitimate configuration, and customers are entirely responsible for setting this access, AWS still implemented improvements to lock down S3 buckets even more.

Furthermore, if you are going to entrust the entirety of your company’s data and processing to AWS, why can you not trust their security? Lastly, cloud providers are deeply incentivized to protect customer’s workloads for one less savory reason: lock-in. If a cloud platform is consistently having security issues, customers will leave and move to a competitor’s platform.

This is monopolistic, many organizations will reject using cloud-native security tools leaving a market for point-solution vendors.

Yes, some companies will resist, however this will not stop the cloud providers. Those companies that resist will be at a disadvantage. Security today is an insanely inefficient and error-prone precisely because there are too many tools which are difficult to interoperate. Automating and standardizing security is the only way to contain this expanding inefficiency. Those companies that resist, will lose the efficiency and effectiveness gains of those companies who do adopt the cloud-native security tools.

The follow-on question for this is: at what point do the cloud providers transform from merely providing a compute service, to being a utility. Where are the limits of their reach? That is a larger, complex question for another article.

Conclusion

Information security is stuck playing a game it will never win. However, unlike the sage wisdom of Wargames which suggested the only winning move is not to play, we do not have that choice. We must defend our data, our infrastructure, and our nations from cyberattacks.

Information security teams can win this game, if they leave defense to the robots. Only automation can adapt, react, and protect at the scale necessary to defend an enterprise. And only the cloud providers have the scale, resources, and motivation to be able to build these robots effectively.

This was originally published in December 2021 and revised a few times since then.

The post Cloud Eats Security appeared first on Zenaciti.