SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

AI-driven cyber attacks & deepfakes set to surge by 2026

Thu, 20th Nov 2025

Cybersecurity experts are forecasting a sharp escalation in attack sophistication and volume by 2026, driven by rapid advancements in artificial intelligence (AI), challenges with the IPv6 transition, and persistent gaps in third-party risk management. Experts warn that these trends will hit defenders' response times and visibility while attackers capitalise on automation and identity-focused tactics.

AI's accelerating threat

AI is expected to move beyond simply supporting security operations, instead becoming a core accelerator for offensive cyber activity. Automated reconnaissance, exploit chaining, and adaptive lateral movement enabled by AI will allow attackers to breach systems at speeds impossible for human teams to match. Dwell time (the period attackers remain undetected) could shrink from weeks to days as a result.

The asymmetry in how AI failures play out for attackers and defenders further complicates matters. Attackers can tolerate errors, repeating attempts with little consequence. In contrast, a faulty defensive AI ruling out a genuine threat or missing a vulnerability can immediately expose organisations to risk.

Visibility will become a critical line of defence. Ensuring defenders maintain real-time, comprehensive maps of external exposures is expected to be the only viable countermeasure. Without this, security teams may struggle to match the speed and scale of AI-led intrusion cycles.

"Without an accurate, up-to-date model of exposures, defenders cannot match machine-speed intrusion cycles, and in 2026, that velocity gap becomes the defining risk," said Conner Lines, Chief Technology Officer, SixMap.

IPv6 blind spots

The global migration to the IPv6 protocol is accelerating due to IPv4 address exhaustion and regulatory pressures. Some regions, such as France, Germany and India, already see more than 70 percent of user traffic over IPv6. The United States lags behind with about half of traffic on IPv6, amplifying concerns about inconsistent readiness.

This transition is occurring faster than the deployment of visibility tools required to monitor new address spaces. Dual-stack environments (running both IPv4 and IPv6) create additional surfaces for attackers, with IPv6's practically unlimited address space making brute-force visibility infeasible. Many organisations risk having unmapped assets exposed to the internet solely through IPv6, especially during infrastructure updates or compliance projects.

Continuous, automated mapping across all protocols is viewed as essential to prevent attackers from finding unknown entry points.

Third-party and island hopping

Supply chain risks remain a persistent challenge. Security experts predict that incidents emanating from third parties will double in 2026, continuing the sharp rise seen in recent years. The primary driver is "island hopping", where attackers breach weaker vendors as intermediate steps to reach better-defended targets.

Trust deficits between vendors and customers, exacerbated by minimal information sharing, are at the root of this problem. Dynamic business requirements can lead to rapid onboarding of vendors, expanding the attack surface faster than defenders can keep up.

"The breach rate from third parties doubled from 15% to 30% in the last year, and we expect it to double again in 2026," said Ryan Patrick, Executive Vice President, TPRM Customer Solutions at HITRUST.

Agentic AI and deepfakes

Agentic AI (autonomous systems capable of acting independently) is expected to play a central role in the first major publicly documented breach in 2026. These AI agents will probe defences and launch intricate social engineering attempts without human intervention, compressing attack timelines and complicating attribution.

The sophistication of deepfake and synthetic media attacks is also forecast to rise. Synthesised audio and video may become the main social engineering approach for gaining high-value access, duping employees into transferring funds or revealing sensitive data. Defenders are deploying AI-powered detection tools that rely on subtle linguistic analysis to distinguish genuine communications from fakes.

"Deepfake and synthetic content attacks are expected to establish synthetic media (audio and video) as the preeminent social engineering vector for high-value access in 2026," said Adrian Culley, Senior Sales Engineer, SafeBreach.

Identity and ransomware evolution

Ransomware tactics are shifting. Groups are moving away from traditional malware-based encryption in favour of data theft and multi-extortion. Attackers increasingly exploit stolen credentials, impersonate helpdesks, and use tactics such as Multi-Factor Authentication (MFA) fatigue to bypass defences after gaining network access.

These "malware-free" approaches blend with legitimate activity, reducing the effectiveness of conventional detection tools. Security teams are advised to run continuous, realistic attack simulations to assess Zero Trust effectiveness and to maintain robust, segmented backup systems that can withstand even privileged credential theft during an attack.
