Cybersecurity remains a highly dynamic topic as the new year begins: emerging threats, increasing complexity, and growing requirements continue to shape the landscape for organizations. Looking back while also looking ahead, the question is: What lessons can we take from the past year, and what should we prepare for next?
Today we’re talking to Fabian Mittermair, Head of the Offensive Security Team & COO.
2025 has already flown by. Looking back at the past year, what do you think were the biggest cybersecurity challenges for organizations?
Fabian Mittermair: The first half of 2025 was comparatively quiet, with significantly fewer successful cyberattacks. By the middle of the year, however, the situation had changed. Since then, we have observed an increase in attacks, both in terms of frequency and sophistication.
It became clear that attackers have continued to evolve and deliberately adapted their methods to new circumstances. This was particularly evident in attacks targeting software supply chains and SaaS environments. These incidents—some of which received significant media attention—demonstrated just how severe the consequences can be when dependencies are not adequately considered.
Identity remained a key issue throughout the year. Stolen credentials continue to be one of the most important attack vectors. At the same time, it became increasingly clear that multi-factor authentication is not a silver bullet. In numerous attack simulations conducted by our Offensive Security team, we found that even MFA-protected accounts could be successfully compromised. In many cases, the attacks started with nothing more than simple phishing emails. Technical controls alone are therefore not enough; user behavior and organizational processes must always be part of the equation.
Finally, compliance deserves a mention. It occupied many organizations throughout 2025. The uncertainty surrounding the implementation of new regulatory requirements created noticeable pressure and made strategic planning significantly more difficult.
As we enter 2026, which cyber threats do you consider particularly dangerous this year?
Fabian Mittermair: For 2026, I expect fewer entirely new attack techniques and instead a continued professionalization of existing threats. Identity-based attacks will remain especially relevant. Stolen credentials, MFA bypasses, and social engineering will continue to be key entry points because they are relatively easy to execute while remaining highly effective.
Another major risk lies in attacks targeting software and cloud supply chains. The growing dependence on SaaS providers, managed services, and third-party components creates attractive attack surfaces with potentially far-reaching consequences.
In addition, geopolitical tensions will continue to fuel cyberattacks. State-sponsored or state-backed actors, as well as ideologically motivated groups, are likely to operate in a more targeted and strategic manner—for example, to disrupt business operations or exert political and economic influence.
Which regulatory developments are on the horizon, and how can organizations prepare?
Fabian Mittermair: Looking ahead, NIS2 and the Cyber Resilience Act will play a central role. Both regulations increase the pressure on organizations to implement cybersecurity in a more structured and transparent way—not only from a technical perspective, but also at the organizational and management levels.
In my view, companies should not see these regulations merely as compliance obligations. Instead, they provide a valuable framework for clarifying responsibilities, making risks transparent, and embedding security measures sustainably within the organization. Companies should assess as early as possible which requirements apply to them and develop realistic implementation roadmaps based on that assessment.
The key is effectiveness. It is not enough to meet requirements on paper or produce documentation. Security measures must work in day-to-day operations and prove effective when an incident occurs. Organizations that use regulatory requirements as an opportunity to critically review and improve their existing processes will be much better positioned in the long run—regardless of the next audit or regulatory inspection. And yes—I understand that this is sometimes easier said than done. 😉
AI has also become increasingly integrated into our own company. Do you have an AI tip or a particularly useful use case you’d like to share?
Fabian Mittermair: Here’s one outside the typical business context that I use quite often: I simply tell my chatbot what ingredients I have in the fridge and ask it to suggest a dinner. The bot already knows my usual eating habits—high protein, coleslaw is always welcome, but no Gorgonzola—and takes those preferences into account. It saves time, reduces decision fatigue, and often gives me ideas I wouldn’t have come up with myself. 😉
That said, the same principle applies here as it does in business: never accept AI-generated suggestions without reviewing them. Ingredient quantities, preparation methods, or combinations are not always sensible. That’s exactly why the human-in-the-loop approach is so important. AI is excellent at supporting, structuring, and generating ideas—but the final evaluation and decision should always remain with a human. That’s true in the kitchen just as much as it is in business.
Organized hacker groups were frequently in the headlines this year, and we were also involved in responding to incidents involving them. What role will groups such as NoName or Qilin play in 2026?
Fabian Mittermair: Making precise predictions is difficult with the information available to me. However, I expect organized hacker groups to remain highly relevant throughout 2026. Geopolitical tensions generally act as force multipliers in this environment. Given current global developments, I would expect these activities to increase rather than decline. It would not surprise me if cyberattacks were increasingly used as deliberate instruments in pursuit of ideological, economic, or state-driven objectives.
We are already seeing established groups becoming more professional. In many cases, the risk of prosecution remains comparatively low while the potential financial gains remain high. From an attacker’s perspective, those are almost ideal operating conditions.
At the same time, new threat actors—some potentially supported by nation states—are likely to emerge. This will increase both the capabilities and the strategic coordination of future attacks.
What advice would you give organizations to prepare for 2026?
Fabian Mittermair: Organizations should treat cybersecurity as a strategic business topic in 2026 rather than a purely IT responsibility. The past few years have shown how critical dependencies on individual vendors can become. The AWS outage in 2025 was not a cyberattack, yet it still disrupted digital business processes worldwide. Incidents like this demonstrate that resilience and deliberate architectural decisions are becoming increasingly important.
In Europe in particular, digital sovereignty is becoming a key topic. Organizations should therefore seek to reduce dependencies on individual vendors or platforms wherever feasible. At the same time, this creates opportunities for European technology providers to develop their own solutions and strengthen their position in the market.
Beyond that, traditional security measures remain highly effective. Security awareness training, regular penetration testing, and well-configured systems continue to be among the most cost-effective ways to improve an organization’s security posture. Ultimately, success is determined not by the number of security tools deployed, but by whether detection, alerting, and response actually work in practice.
Organizations should also actively monitor regulatory developments such as NIS2 and the Cyber Resilience Act (CRA). Many companies will find themselves affected sooner than expected, and regulatory requirements are only going to increase.
From the perspective of your area of expertise, what do you hope to see in 2026?
Fabian Mittermair: From an Offensive Security perspective, I hope to see a stronger focus on holistic attack simulations. Traditional penetration tests remain important, but they often don’t provide a complete picture of an organization’s real-world attack surface.
Successful attacks are typically the result of an interplay between technology, people, and processes. Approaches such as Red Teaming and Purple Teaming allow organizations to test exactly these interactions under realistic conditions—including alerting, detection, and response capabilities.
My wish for 2026 is that organizations increasingly view these attack simulations as a strategic instrument. Not as a one-off assessment, but as an opportunity to realistically evaluate their cyber resilience and objectively measure the effectiveness of their existing security controls.
