In 2026, cyberattacks no longer just breach systems: they use valid identities, tokens, SaaS accounts and provider access.
The hacker of 2026 no longer breaks down the company’s door: he logs in with the right credentials.
The modern cyberattack no longer resembles the cliché of the hacker breaching a firewall in a dark basement. In 2026, the most dangerous attack is often clean, silent, authenticated. It uses a real account, a real session, a real token, a real SaaS tool. The enemy no longer always breaks down the door. He has the badge.
For years, companies have built their cybersecurity around a comfortable idea: they had to prevent intrusion. Protect the network, filter emails, block malware, train employees to recognize phishing. This model remains necessary. But it is no longer enough. The attack surface has exploded with cloud, SaaS applications, APIs, provider access, privileged accounts, AI tools and distributed identities everywhere.
The shift is brutal: attackers are no longer just looking to gain entry. They try to look like someone who already has the right to be there.
Phishing has not disappeared, it has become too slow
Phishing remains massive, but it is no longer the alpha and omega of compromise. Attackers move as fast as they can. When a vulnerability exposed on the Internet lets them in without any dialogue with an employee, they do not waste time writing a fake email.
Rapid7 reports that, in the first quarter of 2026, vulnerability exploitation overtook social engineering as the top initial access vector in its incident response cases, with 38% of cases observed. Half of the vulnerabilities exploited in the wild during the period were zero-click network vulnerabilities, requiring neither authentication nor user interaction.
Verizon observes the same groundswell in its DBIR 2026: 31% of breaches now start with software vulnerabilities, ahead of stolen passwords, and 48% of breaches involve ransomware.
Simple conclusion: the company that still thinks of its cybersecurity as a matter of phishing awareness is only looking at part of the battlefield. The employee is no longer the only target. The exposed, poorly patched, poorly logged, poorly segmented system becomes a highway.
AI does not replace the hacker. It industrializes him
The issue is not whether an AI model will “become autonomous” and attack companies alone like in a movie. The real subject is colder: AI saves attackers time at all stages of the attack.
It accelerates reconnaissance. It helps find exposed assets. It personalizes phishing messages. It assists in writing scripts. It automates vulnerability analysis. It makes operations cheaper, faster and more scalable.
CrowdStrike reports an 89% increase in attacks by “AI-enabled” adversaries and describes AI as a dual risk: a multiplier of cyberattacks and a new attack surface.
Mandiant adds a useful nuance: the majority of successful intrusions remain linked to classic human or systemic flaws. But its 2026 observations show that attackers are already integrating AI to speed up the attack cycle and are also abusing compromised AI environments.
This is precisely where the danger becomes serious. AI does not necessarily create a magical cyberattack. It eliminates idle time. It reduces marginal cost. It allows you to test more doors, faster, with less noise.
The new jackpot: tokens, cookies, SaaS accounts and valid identities
The classic security perimeter is long dead. But many companies continue to think as if the internal network was still the center of the world.
In reality, the center of the cyber world is identity. The Microsoft 365 account. The Google Workspace account. The Salesforce account. The cloud administrator account. The service provider’s account. The forgotten OAuth token. The harvested session cookie. The hardcoded API key. The secret stored in a repository. The session that should no longer be active.
Microsoft indicates that 97% of identity attacks observed in its Digital Defense Report 2025 were password spray attacks, proof that attackers still massively exploit weak, reused or already exposed passwords.
Mandiant, for its part, describes attackers harvesting long-lived OAuth tokens and session cookies, compromising third-party SaaS providers, stealing hardcoded keys, and pivoting into customer environments.
The risk is therefore no longer just “a hacker installed malware”. The risk becomes: “a hacker uses legitimate access and everything looks like normal activity”. It’s much harder to see. And much more difficult to explain to management when the damage begins.
Ransomware is changing: less encryption, more blackmail
The traditional image of ransomware is familiar: encrypted files, a ransom note, a business shut down. This scenario still exists. But it is no longer the only one.
Criminal groups are moving towards pure extortion: stealing quickly, exfiltrating massively, threatening to publish, putting pressure on managers, customers, partners, sometimes without even deploying visible encryption. Rapid7 notes this shift toward tactics focused on rapid data theft rather than traditional encryption.
Mandiant also talks about ransomware becoming an operational resilience issue. Attackers are no longer just encrypting files: they are targeting backups, identity services, virtualization infrastructures and recovery plans.
This is a major change. Yesterday, the challenge was to recover the data. Today, the challenge is to rebuild the capacity to function. The real question is no longer just: “do we have backups?” It becomes: “are we able to restart if identity, backups, cloud, hypervisors and provider access are compromised at the same time?”
In France, the subject is no longer theoretical
France is not a spectator. ANSSI processed 3,586 security events in 2025, with 2,209 reports and 1,366 incidents brought to its attention. The sectors most targeted are education and research, ministries and local authorities, health and telecommunications.
The agency also notes that the threat remains high and that the boundaries between state actors and cybercriminals are eroding. Attackers share tools and methods, exploit poorly supervised products and make attribution more difficult.
In this context, NIS2 is not a simple compliance project. It’s a test of maturity. Since March 17, 2026, ANSSI has made available the Cyber France Framework, ReCyF, which lists the recommended measures to achieve the security objectives of NIS2.
Companies that still treat NIS2 as a legal matter will fall behind. Others will use it as a useful excuse to overhaul their cyber governance, access, cloud dependencies, backups, crisis procedures and supplier contracts.
Priority 2026: stop defending walls and start defending uses
Cybersecurity 2026 is not just about buying a new tool. It imposes a change of doctrine.
First rule: every account must be considered a target. Administrator accounts, provider accounts, dormant accounts, service accounts and SaaS accounts must be inventoried, monitored and limited. Permanent access becomes an anomaly. Excessive privilege becomes debt.
Second rule: patch management must go on the offensive. Vulnerabilities should not be handled according to a bureaucratic logic of theoretical criticality. They must be prioritized according to actual exposure, active exploitation, the existence of a public PoC, presence in known-exploited-vulnerability catalogs and the business criticality of the asset.
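As an added illustration of this rule (not code from the article), the scorer below ranks constructed findings by evidence of real exposure and exploitation, with CVSS demoted to a tie-breaker. The CVE identifiers, asset names and weights are placeholders chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                   # placeholder identifier, constructed for this example
    asset: str
    internet_exposed: bool
    actively_exploited: bool   # seen exploited in the wild
    public_poc: bool
    in_kev_catalog: bool       # listed in a known-exploited-vulnerabilities catalog
    business_criticality: int  # 1 (low) .. 5 (crown jewel)
    cvss: float                # theoretical severity, used only to break ties

def priority_score(f: Finding) -> int:
    """Exposure-driven score: real-world exploitability outranks theoretical severity.
    Weights are assumptions for this example, not a published standard."""
    score = 0
    if f.internet_exposed:
        score += 40
    if f.actively_exploited:
        score += 30
    if f.in_kev_catalog:
        score += 15
    if f.public_poc:
        score += 10
    score += f.business_criticality * 5   # 5..25
    return score

def prioritize(findings):
    # CVSS only breaks ties: an internal "critical" with no exploitation evidence
    # sits below an exposed, actively exploited "high".
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)

# Constructed sample: three findings with deliberately misleading CVSS ordering.
SAMPLE = [
    Finding("CVE-0000-0001", "hr-db-internal", False, False, False, False, 5, 9.8),
    Finding("CVE-0000-0002", "vpn-gateway", True, True, True, True, 4, 7.5),
    Finding("CVE-0000-0003", "wiki-public", True, False, True, False, 2, 6.1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):>4}  {f.cve}  {f.asset}  (cvss {f.cvss})")
```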
Third rule: tokens, secrets and sessions must fall within the scope of security. Many companies protect passwords, but neglect session cookies, API keys, OAuth tokens, CI/CD secrets, and cross-application access. This is a mistake. For the attacker, a valid token is sometimes better than a password.
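The first and third rules (inventory every account, treat permanent access as an anomaly, bring tokens and sessions into scope) as one added audit example over a constructed inventory; this is not the article's code, and the account names, token kinds and policy thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)   # fixed clock so the run is deterministic
DORMANT_AFTER = timedelta(days=90)                  # assumed policy: no login in 90 days
MAX_TOKEN_LIFETIME = timedelta(hours=24)            # assumed policy: credentials must expire daily

# Constructed inventory: accounts plus the tokens and sessions bound to them.
ACCOUNTS = [
    {"name": "alice", "kind": "user", "last_login": NOW - timedelta(days=2), "standing_admin": False},
    {"name": "svc-backup", "kind": "service", "last_login": NOW - timedelta(days=200), "standing_admin": True},
    {"name": "vendor-msp", "kind": "provider", "last_login": NOW - timedelta(days=5), "standing_admin": True},
]
TOKENS = [
    {"owner": "alice", "kind": "session_cookie",
     "issued": NOW - timedelta(hours=3), "expires": NOW + timedelta(hours=9)},
    {"owner": "svc-backup", "kind": "api_key",
     "issued": NOW - timedelta(days=400), "expires": None},
    {"owner": "vendor-msp", "kind": "oauth_refresh",
     "issued": NOW - timedelta(days=30), "expires": NOW + timedelta(days=335)},
]

def audit(accounts=ACCOUNTS, tokens=TOKENS, now=NOW):
    """Return (principal, finding) pairs for every account or credential
    that violates the standing-access, dormancy or token-lifetime policy."""
    findings = []
    for a in accounts:
        if now - a["last_login"] > DORMANT_AFTER:
            findings.append((a["name"], "dormant account"))
        if a["standing_admin"]:
            # Permanent privilege is flagged regardless of account kind or activity.
            findings.append((a["name"], "permanent privileged access"))
    for t in tokens:
        if t["expires"] is None:
            findings.append((t["owner"], f"{t['kind']} never expires"))
        elif t["expires"] - t["issued"] > MAX_TOKEN_LIFETIME:
            findings.append((t["owner"], f"{t['kind']} lifetime exceeds policy"))
    return findings

if __name__ == "__main__":
    for principal, finding in audit():
        print(f"{principal:<12} {finding}")
```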
Fourth rule: backup must become an architecture of survival. A connected backup, modifiable with the same privileges as production, is not insurance. It’s a target. Immutability, recovery testing, privilege separation and the ability to rebuild outside of a compromised environment become prerequisites.
Fifth rule: detection must go outside the workstation. Endpoints remain important, but attacks also pass through network equipment, SaaS, cloud consoles, hypervisors, administration tools, APIs and identities. A company blind to these layers can be compromised without seeing malware.
The real cyber KPI: how long before the attack becomes a crisis?
General management wants dashboards. It is right to. But bad indicators give false reassurance.
The number of blocked emails does not indicate whether the company can survive a token theft. The phishing training rate does not indicate whether administrator accounts are too permissive. The number of vulnerabilities patched does not indicate whether the most critical exposed assets are addressed first. The volume of logs collected does not show whether anyone can actually make sense of an attack at 3 a.m.
The right metric is more blunt: how long does it take the company to detect, contain, isolate and restart?
In 2026, efficient cybersecurity will be less decorative. It will be measured on its ability to reduce the time between the intrusion and the decision. The rest is PowerPoint comfort.
The company must no longer just prevent the attack, it must prevent the collapse
Modern cyberattacks are not just more numerous. They are faster, cleaner, more distributed and harder to attribute. They leverage AI, exposed vulnerabilities, valid identities, providers, SaaS, tokens and monitoring blind spots.
The bad news is obvious: the historical defensive model is no longer enough.
The good news is just as clear: the fundamentals still work, provided you apply them seriously. Reduce exposure. Harden identity. Remove unnecessary privileges. Monitor access. Prioritize truly exploitable vulnerabilities. Protect backups. Test the restorations. Prepare for the crisis. Read supplier contracts. Retain logs for a long time. Decide quickly.
Cybersecurity 2026 will not be won by companies that pile on the tools. It will be won by those who accept a simple truth: the hacker no longer needs to break down the door when the company leaves him an active badge.