Cybersecurity remains a highly dynamic topic as the new year begins: emerging threats, increasing complexity, and growing requirements continue to shape the landscape for organizations. Looking back while also looking ahead, the question is: What lessons can we take from the past year, and what should we prepare for next?

Today we’re talking to Michael Brunner, Head of the Security Engineering Team.

2025 has already flown by. Looking back at the past year, what do you think were the biggest cybersecurity challenges for organizations?

Michael Brunner: In 2025, we saw a very tangible demonstration of the acute threat posed by software supply chain attacks. In particular, wormable attack tools distributed through compromised NPM packages stole developer credentials and infected additional repositories. Most recently, Shai Hulud 2.0 received significant media attention.

The primary challenge for organizations is to quickly determine whether they are affected and, if there is a substantiated suspicion, to immediately implement mitigating measures. Achieving this level of responsiveness requires mature processes in software development, vulnerability management, security monitoring, and incident response. The speed at which these worms spread clearly showed that there is still considerable room for improvement across the industry.

As we enter 2026, which cyber threats do you consider particularly dangerous this year?

Michael Brunner: I expect to see a further increase in similar software supply chain security incidents. We remain an attractive target in this area, and the combination of highly agile development processes with insufficient secure development practices will continue to facilitate the rapid spread of these attacks.

Which regulatory developments are on the horizon, and how can organizations prepare?

Michael Brunner: Organizations now need to prepare quickly for the European Cyber Resilience Act (CRA). Starting in September, manufacturers will be required to report actively exploited vulnerabilities to the relevant authorities within 24 hours. In simplified terms, this obligation applies to manufacturers of connected products with digital elements, including both software and hardware.

My impression is that not all affected manufacturers are currently capable of meeting these requirements—and building the necessary technical expertise and staffing should not be underestimated.

AI has also become increasingly integrated into our own company. Do you have an AI tip or a particularly useful use case you’d like to share?

Michael Brunner: No—I still rely primarily on the BI (biological intelligence) between my ears. 😉

That said, I regularly come across interesting AI use cases. The latest language models and their integration capabilities are becoming increasingly impressive. In the right scenarios, they can deliver substantial efficiency gains—provided you know how to prompt them effectively.

But I don’t have a specific “AI hack” that I’d consider worth sharing.

Organized hacker groups were frequently in the headlines this year, and we were also involved in responding to incidents involving them. What role will groups such as NoName or Qilin play in 2026?

Michael Brunner: As long as cybercrime remains highly profitable for these groups, I don’t expect the situation to improve. The fact that many organizations still haven’t done their cybersecurity homework will likely make things even worse over the coming year.

What advice would you give organizations to prepare for 2026?

Michael Brunner: Don’t wait until now to start preparing for 2026. This year brings a range of new regulatory requirements—particularly the Austrian NISG 2026—whose implementation cannot simply be handled as a side task.

From the perspective of your area of expertise, what do you hope to see in 2026?

Michael Brunner: Less complaining—more effective security!

Let’s establish Security Engineering as the standard approach to software and product development. That means Secure by Design, consistent Threat Modeling, and measurable risk reduction instead of relying on an ever-growing zoo of security tools.