Looking Back at 2025: The Cybersecurity Lessons That Will Shape 2026

Max Sobell, Advisor at ivision, January 28, 2026

Long-promised technologies continued to mature at a faster-than-expected pace and materially impacted the threat landscape in 2025. Here’s where to pay attention in 2026:

1. AI Made Attacking Cheaper

Security has always been an economics problem. Attackers weigh cost against benefit. Defenders try to make that math unfavorable.

In 2025, generative AI significantly tilted the scales in the attackers’ favor, and defenders are still catching up.

We used to talk about “script kiddies” – unsophisticated attackers running someone else’s tools – as the lowest-tier threat actor. In 2025, the floor rose and we saw agentic orchestrators: AI systems that automate reconnaissance, exploit identification, lateral movement, and even exfiltration. One documented campaign showed an AI agent executing 80-90% of an attack lifecycle autonomously, compressing weeks of tradecraft into minutes [1].

The old joke about the hikers in the woods applies: you don’t have to run faster than the bear, you have to run faster than the weakest target. AI just put a lot more bears in the forest.

What this means for 2026: Your threat model needs to assume a much more persistent and sophisticated attacker baseline. Manual processes that worked against slower attackers won’t work anymore – they’ll leave you vulnerable for an unacceptable time window, and with all the bears in the woods, you’re bound to get gnawed on a bit.

2. The Gap Between Disclosure and Exploit is Collapsing

Pour one out for “Patch Tuesday, Exploit Wednesday.” Now, as soon as patches are released, the exploits will start coming.

In 2025, defenders got hard data for what many teams were already feeling: a meaningful share of exploited vulnerabilities are hit very quickly after disclosure. In Q1 2025, VulnCheck found that 28.3% of known exploited vulnerabilities (KEVs) with publicly disclosed evidence of exploitation were exploited less than 24 hours after their CVE disclosure [5].

Consider React2Shell (CVE-2025-55182), publicly disclosed on December 3, 2025. **Within hours**, AWS observed active exploitation attempts, including activity they attribute to multiple China state-nexus threat groups [10].

Or Apache Tomcat in March (CVE-2025-24813): the issue was publicly disclosed with a patch on March 10, 2025, and Akamai reports initial exploit attempts shortly after publication, with in-the-wild exploitation following soon after public PoCs appeared [11].

Traditional patching strategies cannot keep up. If your security posture depends on monthly patch cycles, you’re operating with known vulnerabilities for most of that window, and in 2026 far more of those vulnerabilities will have working exploits available than in previous years.

What this means for 2026: Patching alone is not enough. The conversation shifts to isolation, segmentation, and automated containment. Know your external perimeter. Assume compromise and architect accordingly.

3. Quantum Is Lurking

Yes, quantum computing isn’t here yet. It’s the Y2K of the 2020s in some ways – a deadline that feels distant until it isn’t.

Adversaries are collecting encrypted traffic today, banking on future quantum capabilities to decrypt it (“harvest now, decrypt later”). If your secrets have long-term value – intellectual property, health data or M&A data, government communications – you’ll need to think about forward secrecy with a capable quantum adversary in mind.

NIST standardized several post-quantum cryptography (PQC) algorithms – designed to resist quantum attacks – after a many-year evaluation cycle [2]. These algorithms rely on mathematical problems believed to be hard for both classical and quantum computers to solve.

Cloudflare’s work on post-quantum cryptography has been valuable, fronting a significant portion of internet traffic with PQC-enabled connections. Their approach uses hybrid key exchange, combining a classical ECDHE-style exchange with post-quantum algorithms like ML-KEM, so that traffic remains protected even if one of the two is eventually compromised [8][9].

But here’s the cautionary note: post-quantum cryptography isn’t foolproof. During NIST’s standardization process, two promising algorithms (SIKE and Rainbow) were completely broken by classical attacks – no quantum computer required [3][4]. SIKE was cracked in about an hour on a standard laptop [4]. The term to consider is “quantum agility” – the ability to swap cryptographic primitives without redesigning systems. Organizations building new systems should architect for this flexibility now.
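To make the hybrid key exchange and agility points above concrete, here is an added example (not Cloudflare’s or ivision’s code) of a key combiner in Python: a classical shared secret and a post-quantum one are fed through HKDF together with their algorithm labels, so the session key needs both secrets and changes if either algorithm is swapped out. The X25519 and ML-KEM shared secrets are constructed stand-ins (random bytes), since the standard library implements neither; the label strings and salt are assumptions.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand over SHA-256, standard-library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split ambiguously."""
    return len(field).to_bytes(2, "big") + field


def combine_hybrid(shares: list[tuple[bytes, bytes]], transcript: bytes) -> bytes:
    """Derive one session key from every (algorithm_label, shared_secret) pair.

    Both peers pass the shares in the same agreed order. The secrets form the
    HKDF input; the algorithm labels and handshake transcript go into `info`, so
    the key is bound to the exact suite that produced it. Swapping ML-KEM-768
    for another KEM (agility) yields an unrelated key, never a reused one.
    """
    ikm = b"".join(_lp(secret) for _, secret in shares)
    info = b"".join(_lp(label) for label, _ in shares) + _lp(transcript)
    return hkdf_sha256(ikm, salt=b"hybrid-kex-v1", info=info)  # salt is an assumption


def demo() -> bool:
    # Constructed stand-ins: the stdlib has neither X25519 nor ML-KEM, so random
    # 32-byte values play the role of the shared secrets both peers just agreed on.
    ecdhe_ss, mlkem_ss = secrets.token_bytes(32), secrets.token_bytes(32)
    transcript = hashlib.sha256(b"constructed client_hello|server_hello").digest()
    suite = [(b"X25519", ecdhe_ss), (b"ML-KEM-768", mlkem_ss)]
    client_key = combine_hybrid(suite, transcript)
    server_key = combine_hybrid(suite, transcript)
    # "Harvest now, decrypt later": an adversary who later breaks X25519 learns
    # ecdhe_ss but must still guess mlkem_ss; a wrong guess gives an unrelated key.
    guess = [(b"X25519", ecdhe_ss), (b"ML-KEM-768", secrets.token_bytes(32))]
    adversary_key = combine_hybrid(guess, transcript)
    return client_key == server_key and adversary_key != client_key


if __name__ == "__main__":
    print("hybrid key agreed, classical-only adversary locked out:", demo())
```

The HKDF helper reproduces RFC 5869 test vectors, so the combiner can be checked against a real KDF before a proper X25519 and ML-KEM implementation is plugged in.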

What this means for 2026: Inventory your long-lived secrets. Start planning for cryptographic agility. Don’t wait for the “quantum moment” to act.

4. IT and OT Convergence Became Tangible

Operational technology used to be air-gapped. That air gap has been steadily eroded by efficiency gains: remote monitoring, predictive maintenance, convenience.

In 2025, the Jaguar Land Rover breach made the consequences clear. An IT breach cascaded into their OT network, forcing a weeks-long production shutdown at JLR’s UK plants and rippling through its supply chain [13]. The estimated cost to the UK economy was £1.9 billion [12]. Production lines – physical things – stopped because of a cyber incident, and the Bank of England cited the incident as a contributing factor to weaker GDP outcomes [6].

This wasn’t lost data. This was lost vehicles. “Lost production units” hits different than “lost records.”

What this means for 2026: If you’re bridging IT and OT networks, treat that convergence point as your highest-risk surface. Segmentation, monitoring, and incident response plans must account for physical-world impacts.

5. Shadow AI Is the New Shadow IT

A decade ago, enterprises wrestled with shadow IT – employees using Dropbox, unsanctioned SaaS tools, and personal devices. While still a struggle and security risk, enterprises now have far better tools available than they did 10 years ago.

Shadow AI follows the same pattern.

In 2025, a survey found that 80% of American office workers used AI in their roles, but only 22% relied exclusively on employer-provided tools [7]. In another 2025 survey, 46% of employees reported uploading sensitive company information to public AI platforms [14].

That sensitive data could be stored by a plugin or by the AI platform itself, or could become part of future model improvements if the provider uses it for training. Most of the AI tools employees tend to use aren’t inherently malicious. They’re just operating outside your governance perimeter.

What this means for 2026: Banning AI won’t work. Employees will find workarounds. The answer is secure, sanctioned alternatives that meet actual productivity needs, combined with visibility tools and clear policies. Beware, however, of logging all queries and creating a highly sensitive log file that could later be exposed.

Conclusion

In 2025, the steady march of generative AI into the workplace continued and shifted how we think about both attacks and defense. AI-native attacks, collapsing exploit windows, quantum threats, IT/OT convergence, and shadow AI are now current realities.

The organizations that will have a smoother ride in 2026 are the ones that plan for these shifts and adapt their architectures, processes, and cultures accordingly.

If you have questions about how to apply these lessons to your environment, reach out to ivision to connect with our engineers.

References

[1]: https://www.anthropic.com/news/disrupting-AI-espionage

[2]: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

[3]: https://research.ibm.com/publications/breaking-rainbow-takes-a-weekend-on-a-laptop

[4]: https://cacm.acm.org/news/nist-post-quantum-cryptography-candidate-cracked/

[5]: https://www.vulncheck.com/blog/exploitation-trends-q1-2025

[6]: https://www.bankofengland.co.uk/monetary-policy-report/2025/november-2025

[7]: https://www.ibm.com/think/insights/rising-ai-adoption-creating-shadow-risks

[8]: https://blog.cloudflare.com/pq-2025/

[9]: https://developers.cloudflare.com/ssl/post-quantum-cryptography/

[10]: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

[11]: https://www.akamai.com/blog/security-research/march-apache-tomcat-path-equivalence-traffic-detections-mitigations

[12]: https://cybermonitoringcentre.com/2025/10/22/cyber-monitoring-centre-statement-on-the-jaguar-land-rovercyber-incident-october-2025/

[13]: https://www.reuters.com/business/retail-consumer/jaguar-land-rovers-uk-production-returns-normal-after-weeks-long-cyber-shutdown-2025-11-14/

[14]: https://kpmg.com/us/en/media/news/trust-in-ai-2025.html
