Cybersecurity predictions for 2026
Security is forced to become more efficient
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’ve intentionally made all of my posts free and without a paywall so that my content is more accessible. If you enjoy my content and would like to support me, please consider buying a paid subscription:
I’m back from a brief holiday break, and I’m continuing my yearly tradition of predicting where this chaotic industry is headed. If you want to see how my past outlooks fared, you can check out my 2025 predictions.
Near the end of last year, I also published a “wish list” for the community. While I admitted then that many of those wishes, like the total elimination of security awareness training, weren't necessarily "realistic," the predictions below are grounded in the cold reality of market consolidation, shrinking budgets, and the undeniable force of AI.
The death of the "tool babysitter"
The security industry has long complained about a “talent shortage,” but as I’ve argued before, the talent has simply been misplaced. Most security engineers today aren’t solving security problems; they are acting as “tool babysitters” for complex platforms. We created this mess by designing increasingly convoluted “enterprise” tools that require specialized certifications just to navigate their basic interfaces. Whether it’s Jamf, Zscaler, or Snyk, these systems are often so difficult to use that a simple task like deploying a package to a fleet of laptops requires a dedicated operator.
In 2026, the value of being a "tool expert" will plummet because the knowledge gap is finally closing. With the integration of LLMs directly into these platforms, you no longer need to scroll through pages of documentation to find an obscure setting; you simply prompt the system for the outcome you want. This turns the tool back into what it should have been all along: an appliance. Companies will realize they don't need to hire a full-time specialist just to operate it. It’s as if you bought a microwave and then had to hire someone to run it. Instead, they will seek out security generalists who use these tools as a means to an end rather than as a primary identity.
Security budgets shrink to fund the AI race
The “blank check” era for security is officially over. For years, security enjoyed an ever-expanding budget because executives were terrified of becoming the next breach headline, but the ROI on these massive spends has never been clear. In 2026, tech budgets have become zero-sum. To fund the massive infrastructure required for AI experimentation, companies are actively cannibalizing their security spend. Security teams can no longer hide behind the excuse that “AI is insecure” to slow down adoption or demand more money.
With smaller budgets, security must focus on “must-haves” over theoretical risks. I expect to see a massive migration away from expensive, seat-based licenses for dedicated security tools. Teams are realizing that AI agents and tools like Codex or Claude Code are already “good enough” for many vulnerability management and remediation tasks, allowing them to save millions in licensing fees while maintaining effectiveness.
Security talent becomes more distributed
One of the most profound shifts in 2026 will be how and where security talent is deployed. As budgets contract at large enterprises, it will become increasingly difficult for those organizations to justify and retain massive, centralized security departments. However, I believe this is overall good for the industry. We are moving away from a concentration of talent at a few mega-corporations and toward a world where top-tier security expertise is distributed across a much larger pool of companies.
In this new environment, the “department of fifty” will be replaced by lean, highly efficient teams where 1–2 dedicated security people support 500 employees or 30 engineers. This is only possible because AI allows a single technical leader to scale their impact across multiple domains that previously required separate specialists. We are redefining what a talented security engineer can do; instead of being a cog in a large auditing machine, the modern practitioner acts as a force multiplier who leverages AI to secure an entire organization autonomously.
If we see companies generate millions of dollars per employee with small teams, why can’t we see smaller security teams doing more to reduce risk?
The rise of the technical security leader
This shift toward distributed talent is powered by the rise of the technical security leader. The days of a CISO managing a department of “risk managers” who only surface problems are ending. These new leaders won’t just “advise” on risk; they will write the code and build the guardrails that automatically prevent it.
This might look like automated pull requests that resolve dependency issues before they hit production, or cloud infrastructure that self-heals when it detects an overly permissive identity. These leaders understand that to manage risk in a modern software-driven business, they must understand software engineering and business context as deeply as the product teams they support. They realize that if a company can generate millions of dollars per employee with a small team, a small, highly technical security team should be able to reduce risk just as effectively.
Security startups look for exits through acquisitions rather than IPO
Security startups are figuring out their exit plans after many good years and slowing growth, especially given the shrinking budgets and increased focus on AI. Luckily, large security companies will look for new capabilities that they can’t create organically. As I’m writing this, there are talks of Cisco acquiring Axonius, and the year ended with ServiceNow buying Armis. Last year was full of blockbuster acquisitions, such as CyberArk, Wiz, Upwind, etc. Netskope was the only notable IPO, and it seemed to go fine, but nothing too major. It seems favorable to be acquired or even go private, as Proofpoint did, rather than having to spend large amounts of money on GTM in a competitive market, which seems high-risk.
Although the acquisition activity might convince more people to start security startups, these returns will seem risky. Investment money in security will shrink, but I believe that after some consolidation in the industry this year, the security industry will return to a more stable point.
AI-native UX and the end of the “enterprise sales motion”
This evolution will be supported by a new generation of AI-native products that move beyond the traditional “dashboard” UX. These tools will live where the work happens, i.e., in Slack, GitHub, or the IDE, and use autonomous tuning to handle 90% of alerts without human intervention. Security products have historically been “regulatory theater” designed to pass an audit, but AI is finally allowing us to build abstractions that save time rather than creating more manual work.
Finally, the most outdated part of our industry is the sales motion itself. The current third-party risk management (TPRM) and procurement process is a relic of a waterfall world that makes zero sense in an AI-driven economy. Fast-moving AI companies simply don’t have time for six-month sales cycles or “discovery calls” for every minor tool. Security vendors will be forced to adopt Product-Led Growth (PLG) motions, favoring credit card swipes and instant trials over traditional enterprise bloat. The market forces of 2026 are demanding efficiency, and while this reckoning might be painful for some, it is a thrilling time for the practitioner. We are finally moving away from “program management” and back to actual security engineering.
I’m hopeful that the market forces these security companies to change their ways.
I predict that market pressures this year will make security more efficient and hopefully more innovative as well. They need to make our lives as security professionals easier, and I believe this will lead to overall improvements across the industry that I’ve been advocating for many years.