Forescout cybersecurity predictions for 2026

November 16, 2025

  • Rik Ferguson, VP of Security Intelligence at Forescout Technologies
  • Daniel dos Santos, Head of Research at Forescout Vedere Labs
  • Kristian von Mejer, Director Central & Eastern Europe at Forescout Technologies – Predictions for the DACH market

1. Attackers will exploit SaaS application permissions instead of passwords

Attackers are shifting their focus from stolen passwords to the permissions granted to connected applications. By misusing OAuth consents and refresh tokens from legitimate integrations in platforms such as Microsoft 365, Salesforce and Slack, they can move between tenants unnoticed and retain access even after passwords have been reset. In 2026, these ‘token hopping’ campaigns will compete with traditional phishing attacks for the title of most effective attack vector – and as passwordless authentication becomes more prevalent, the day when OAuth abuse overtakes phishing is fast approaching. Defenders should create a directory of authorised apps, restrict their functions, and regularly revoke unused or suspicious tokens.
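The three defender steps named above (an authorised-app directory, restricted functions, revoking unused or suspicious tokens) can be run as a periodic audit. This is an added sketch, not Forescout's code. The grant record fields, app IDs, scope names and the 90-day idle threshold are constructed assumptions and do not reflect any platform's export format.

```python
from datetime import datetime, timedelta, timezone

# Directory of authorised apps: app_id -> scopes the app is allowed to hold.
# All IDs and scope names are constructed for illustration.
AUTHORISED_APPS = {
    "app-crm-sync": {"contacts.read", "calendar.read"},
    "app-chat-bot": {"channels.read", "chat.write"},
}
MAX_IDLE = timedelta(days=90)  # assumed policy threshold

# Constructed sample of grant records, as an inventory export might list them.
SAMPLE_GRANTS = [
    {"grant_id": "g1", "app_id": "app-crm-sync", "user": "alice",
     "scopes": ["contacts.read"], "last_used": "2025-11-10T08:00:00+00:00"},
    {"grant_id": "g2", "app_id": "app-crm-sync", "user": "bob",
     "scopes": ["contacts.read", "mail.readwrite"], "last_used": "2025-11-12T09:30:00+00:00"},
    {"grant_id": "g3", "app_id": "app-pdf-helper", "user": "carol",
     "scopes": ["files.read.all", "offline_access"], "last_used": "2025-11-14T22:15:00+00:00"},
    {"grant_id": "g4", "app_id": "app-chat-bot", "user": "dave",
     "scopes": ["channels.read"], "last_used": "2025-06-01T12:00:00+00:00"},
    {"grant_id": "g5", "app_id": "app-chat-bot", "user": "erin",
     "scopes": ["chat.write"], "last_used": None},
]

def audit_grants(grants, now):
    """Return {grant_id: [reasons]} for every grant that should be reviewed or revoked."""
    findings = {}
    for g in grants:
        reasons = []
        allowed = AUTHORISED_APPS.get(g["app_id"])
        if allowed is None:
            reasons.append("app not in authorised directory")
        else:
            excess = sorted(set(g["scopes"]) - allowed)
            if excess:
                reasons.append("scopes beyond approved set: " + ", ".join(excess))
        if g["last_used"] is None:
            reasons.append("token never used")
        elif now - datetime.fromisoformat(g["last_used"]) > MAX_IDLE:
            reasons.append("token idle longer than policy")
        if reasons:
            findings[g["grant_id"]] = reasons
    return findings

if __name__ == "__main__":
    now = datetime(2025, 11, 16, tzinfo=timezone.utc)
    for gid, reasons in audit_grants(SAMPLE_GRANTS, now).items():
        print(gid, "->", "; ".join(reasons))
```

Because a password reset does not invalidate these grants, the flagged grant IDs are what has to be revoked through the platform's own admin interface.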

2. Attackers will not only use AI for social engineering – they will also sell it as a service

In 2026, SEaaS – ‘Social Engineering as a Service’ – will become the most popular subscription model in the criminal world. We will see SEaaS take off with ready-made, purchasable kits that include AI voice clones, pre-written call scripts, and fake ‘authorisation app’ links. More expensive options will offer the services of experienced social engineering experts who want to distance themselves from subsequent incidents and the interest of law enforcement agencies. With these turnkey packages, even inexperienced attackers can impersonate employees and bypass multi-factor authentication through convincing help desk or chat interactions. With the increasing prevalence of voice and chat automation, defenders must treat every conversation as untrusted input and incorporate verification into every workflow.

3. Preparing for quantum computers will (finally) come to the fore

The quantum risk is no longer just theoretical, and those who continue to view it as such will soon be proven wrong. Next year, forward-thinking organisations will finally realise that every unmanaged device they use today is a future emergency waiting to happen. Networks with a hardware lifespan of at least five years must begin planning for crypto migration by identifying which assets do not support post-quantum algorithms, isolating crypto-vulnerable systems, and discussing PQC-enabled roadmaps with vendors.

4. Ransomware will target supply chains for maximum impact

Attackers are learning that the fastest way to make money is not necessarily to encrypt or publish files, but to take supply chains hostage. In 2026, we will see the emergence of ‘reverse ransom’ campaigns that cripple smaller upstream manufacturers, logistics providers or service hubs and then pressure downstream partners to pay to keep operations running. This tactic allows the attacker to target smaller companies with potentially weaker security measures and demand money from the company most likely to pay. It also exploits the financial and functional interdependence between companies, turning a single security breach into an industry-wide crisis. Protecting your partners is now part of protecting yourself.

Here is an example of a ransom note to illustrate how this might work:

“To: Management and Supply Chain, [DownstreamBrand]

Cc: Operations, [CompromisedSupplierName]

Hello [DownstreamBrand],

We have suspended critical workflows at [CompromisedSupplierName] that process your orders. As a result, order entry and outbound processing for your account are temporarily suspended. If you are reading this, there will be delays in your [region/factory/DC] starting at [DATE/TIME, time zone].

This is a case of commercial extortion.

We are not demanding payment from [CompromisedSupplierName]. They are a small partner with limited resources. The continuity risk is yours, and you have the opportunity to resolve it quickly.

Solution:

Pay a service restoration fee to lift the locks and restore normal operations.

Amount: [AMOUNT]

Deadline: [DATE/TIME, time zone]

Contact: [URL of negotiation portal / case ID / secure inbox placeholder]

Upon confirmation, we will:

Lift the blocks and restore normal processing status.

Provide your teams with a post-incident checklist so they can verify the integrity of operations.

Make no public mention of this incident.”

5. Attackers will accelerate the exploitation of edge devices and IoT

It is expected that routers, firewalls, VPN devices and other edge devices, as well as IP cameras, hypervisors, NAS and VoIP on the internal network – all of which are beyond the reach of endpoint detection and response systems – will increasingly become prime targets. Customised malware for network and edge devices is on the rise, often abusing legitimate admin tools for covert command and control functions. In 2025, over 20% of newly exploited vulnerabilities affected network infrastructure devices. By 2026, this figure could rise to over 30%, as exploiting unmanaged resources provides the perfect entry point for initial access and lateral movement. Extending inventory and enforcement to every device, whether agent-enabled or not, will define the next phase of exposure management.

6. Cybercrime will continue to specialise – but will rely on common toolkits

Next year, cybercrime will continue to fragment into an industry of specialists, with initial access brokers, data launderers and extortionists dividing the work among themselves and trading access points. As the LockBit leak already suggests, many of the groups making headlines will split into franchise-like brands and no longer operate as unified organisations. Despite this diversity, however, most groups will continue to rely heavily on reusing the same small selection of frameworks, toolchains and exploits. In 2026, this mix of specialisation and shared tools will blur the lines between threat groups, so that shared behaviours, rather than brand names, will be the best indicator of who is behind an attack.

7. Hacktivists will use confusion as a weapon

Hacktivists have learned that sowing doubt can be just as disruptive as causing downtime. In 2026, hacktivists, faketivists and state-sponsored actors will increasingly combine public claims with minor practical interventions in OT systems, forcing operators to shut down systems as a precautionary measure, even if no actual damage is done – especially in critical sectors such as water, energy and healthcare. Many of these ‘announce first, prove later’ operations will exaggerate their impact to pressure operators into voluntarily shutting down systems. The only defence is clear visibility, threat detection and segmentation to separate rumours from reality.

Forecasts for the DACH market

8. ‘Reverse ransom’ campaigns hit DACH SMEs – supply chains become a lever for extortion

With its strong industrial backbone, the DACH region will increasingly become the target of attackers specialising in supply chain extortion in 2026. Small and medium-sized suppliers in industries such as mechanical engineering, automotive and logistics are particularly at risk – precisely those companies that form the backbone of the regional economy. These businesses often have weaker cyber hygiene, but are critical to the production of major brands. Attackers will exploit this asymmetry to put pressure on large manufacturers and clients by paralysing upstream partners – in line with a ‘reverse ransom’ model. Since every standstill has noticeable consequences in the just-in-time processes typical of the DACH region, the economic damage caused by outages quickly becomes existential. In addition, regulatory pressure is growing: under NIS2, companies will also have to demonstrate the cyber resilience of their suppliers in future. Companies should view their supply chain as an extended area of attack and protection. This includes classifying suppliers, integrating security standards into purchasing guidelines and ensuring technical visibility across all partners. Protecting your partners will be synonymous with protecting your own business in future.

9. Regulatory pressure and cloud sovereignty are changing security strategies in the DACH region

In 2026, cybersecurity decisions in the DACH region will be increasingly driven by regulatory requirements and the call for digital sovereignty. With the implementation of NIS2 and the stricter requirements of the BSI, companies will be forced to rethink their security architectures – especially with regard to transparency, auditability and data residency. While international cloud providers are vying for trust with ‘EU-only’ zones and new compliance certifications, local MSPs and IT service providers are under pressure to provide comprehensive evidence of security and monitoring processes. At the same time, the shortage of skilled workers is forcing many organisations to outsource critical security functions – which in turn creates new dependencies and risks.

CISOs should view compliance not as a bureaucratic hurdle, but as a competitive advantage. Those who invest today in automated visibility, agentless detection and traceable exposure management will not only meet legal requirements, but also strengthen their own position in the market – because by 2026, cyber compliance will become a decisive purchasing criterion.
