SecurityWeek’s Cyber Insights 2026 examines knowledgeable opinions on the anticipated evolution of greater than a dozen areas of cybersecurity curiosity over the subsequent 12 months. We spoke to a whole lot of particular person consultants to achieve their knowledgeable opinions. Right here we discover menace looking as adversaries undertake automation and AI, and the way safety groups are adapting.
Menace looking is in flux. What began as a largely reactive ability grew to become proactive and is progressing towards automation.
Menace looking is the observe of discovering threats inside the system. It sits between exterior assault floor administration (EASM), and the safety operations heart (SOC). EASM seeks to thwart assaults by defending the interface between the community and the web. If it fails, and an attacker will get into the system, menace looking seeks to search out and monitor the traces left by the adversary so the assault could be neutralized earlier than injury could be executed. SOC engineers take new menace hunter information and construct new detection guidelines for the SIEM.
That’s a theoretical illustration – exact particulars fluctuate between totally different organizations.
Proactive or reactive?
A typical notion of cybersecurity defines protection as essentially reactive. Defenders are naturally pressured right into a place of reacting to assaults, whereas attackers are free to be proactive in their very own exercise. In lots of circumstances that is legitimate, however the distinction doesn’t match neatly into menace looking.
Menace looking is reactive in looking for proof of an occasion that has already occurred; however is proactive because it doesn’t know what the occasion was, nor even when it actually occurred. It assumes a breach however doesn’t know the breach has occurred till it finds proof.
Understanding how menace looking differs from reactive safety gives a deeper understanding of the position, whereas hinting at the way it will evolve sooner or later.Commercial. Scroll to proceed studying.
“Menace looking is without doubt one of the most proactive actions an analyst can carry out,” claims David Norlin, CTO at Lumifi Cyber. “I additionally argue that free-form menace looking is probably the simplest manner at discovering unknown threats. It’s unlikely the exact technical technique of exploitation will probably be seen by menace looking, however exploits and malicious tampering normally depart artifacts and residual indicators that may be detected.”
Dave Tyson, chief intelligence officer at iCOUNTER, continues, “Menace looking assumes a cyber adversary has already infiltrated your atmosphere and is both hiding within the shadows, has implanted an online shell or backdoor, or deployed malware ready to detonate at a predetermined time. In observe, adversaries usually change into conscious of those discovery efforts and will react defensively, typically executing their payloads akin to ransomware prematurely.”
On this sense, menace looking can reverse the normal position: the defender is proactive, forcing the attacker to change into reactive.
The evolution from reactive menace looking to proactive looking is defined by Scott Miserendino, VP of engineering, superior cybersecurity options at DataBee. “Conventional looking usually depends on identified indicators of compromise (IOCs) and signature-based detection, which suggests groups are all the time one step behind attackers. In a world the place assault methodologies evolve day by day and AI-generated malware can create infinite variants, reactive looking is not sufficient.
“Proactive menace looking,” he continues, “begins with behavioral evaluation, zero-day malware detection and anomaly detection, not simply identified signatures. By leveraging machine studying and superior analytics, safety groups can determine patterns that deviate from regular community conduct – akin to uncommon beaconing, encrypted command-and-control site visitors, or file traits that recommend malicious intent – even when these threats have by no means been seen earlier than.”
Anomalous exercise inside the community is the important thing. This should embody nameless conduct of accredited identities. A background data of present cyber menace intelligence (CTI), championed by Frankie Sclafani, director of cybersecurity enablement at Deepwatch, can also be vital.
“Cyber menace intelligence serves as cybersecurity’s early warning system, aiming to grasp the character and supply of assaults, determine adversaries and targets, acknowledge the presence of current assaults, and assess the chance of imminent assaults. CTI helps defenders put together for and stop assaults, moderately than merely reply to them,” he says.
Director, World Menace Intelligence – Americas Lead at PwC
Behavioral anomaly detection can set off a menace hunter’s curiosity, whereas CTI data can focus consideration extra deeply. Allison Wikoff, director and Americas lead for international menace intelligence at PwC, provides, “Proactive looking is about forming eventualities based mostly on menace actor behaviors and testing them earlier than an alert ever fires.”
AI-assisted assaults are so frequent and stealthy this can’t be achieved with out automated help, and menace looking already depends closely on machine studying anomaly detection. All automation, together with assaults, are being supercharged by AI – and that is the long run for menace looking.
The persevering with rise of automation
Automation in menace looking already exists with machine studying behavioral evaluation each studying the behavioral baseline after which flagging divergence from it. Machine studying is synthetic intelligence now being enhanced by quickly bettering generative AI, which in flip is being enhanced by agentic AI.
A lot of the cyber world (industrial enterprise, cybersecurity, and cyber attackers) are already on this conveyor belt – however menace looking could also be a bit slower. “Some varieties of menace looking could be meaningfully automated, normally inside the context of in search of new indicators of identified threats which have surfaced inside the previous few days,” says Norlin.
Nonetheless, he provides, “There will probably be no changing the unpredictability and idle curiosity of a human analyst. That is arguably one of the best sort of menace looking – a human roaming round a big dataset in quest of one thing fascinating. People love novelty, and good menace hunters are largely occupied by this pursuit, whether or not they consciously realize it or not. It’s going to be a very long time earlier than AI mimics this inquisitive spirit, if it ever does.”
“As an alternative of chasing identified TTPs, next-generation menace hunters will depend on anomaly-based AI techniques educated on historic baselines and person conduct patterns,” says Ariel Parnes, former IDF 8200 cyber unit colonel and COO at Mitiga.
“Profitable groups in 2026 will hunt for deviation, not affirmation,” he continues. “The shift from ‘assume breach’ to ‘assume anomaly’ will outline the subsequent period of proactive protection, particularly throughout cloud and SaaS environments the place logs are fragmented and ephemeral.”
A lot of right now’s menace looking is already automated. “Cybersecurity instruments and anomaly detection techniques are continuously scanning for suspicious patterns,” says Ihar Kliashchou, CTO at Regula.
That is more likely to proceed and broaden via 2026. “Techniques set up behavioral baselines for every identification (human and non-human), detect deviations in real-time, and alert analysts. The automation scales to watch tens of millions of identities repeatedly. Human menace hunters shift from tactical detection to strategic investigation – validating detections, understanding context, figuring out response,” expands Jason Martin, co-founder and co-CEO at Permiso.
Jason Martin, co-founder and co-CEO at Permiso.
The limiting issue, he provides, is the setup time. “Behavioral baselines require 60-90 days of baseline information earlier than anomaly detection turns into dependable. Organizations that set up baselines in Q1 2026 may have mature proactive looking by Q3 2026. These beginning in Q3 is not going to have dependable detection till late 2026 or Q1 2027.”
The implication is evident. Firms that haven’t but began on the automation path are more likely to get burned by dangerous actors adopting AI automation at a quicker charge.
The following shift in automation is more likely to be an adoption of agentic AI-assisted menace looking. Precisely what this implies, the extent to which it will likely be adopted, and the timeline towards it’s, nonetheless, closely debated. However in a single type or one other it’s inevitable. Attackers are already growing and adopting full agentic AI fashions; and the one manner that defenders, together with menace hunters, can sustain will probably be via their very own agentic techniques.
“AI can be utilized each to detect and to generate threats, making it a double-edged sword. We would quickly see AI-powered assaults that regulate techniques in actual time, and defensive techniques might want to match that degree of pace and adaptableness,” warns Kliashchou.
For now, agentic AI in menace looking will probably be restricted to discrete AI brokers tackling particular person duties. In some locations this has already began. The complete agentic functionality has a further AI agent orchestrating and automating the person brokers into one system that won’t merely find behavioral anomalies however will recommend remedial motion and have the power to carry out that remediation with out human intervention. That, nonetheless, is a good distance off for now.
“Agentic AI will enhance automation in reconnaissance, enrichment and even suggestion of hypotheses, however human oversight will stay crucial for context, authorized selections and sophisticated reasoning. Over time, the steadiness might shift however to not full alternative,” feedback Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster College.
“Full automation is extraordinarily unlikely to interchange human hunters. People stay crucial for hypothesis-driven investigation, adversary emulation and deciphering ambiguous behaviors,” says Ashley Jess, senior intelligence analyst at Intel 471.
“As agentic AI continues to advance, AI will tackle routine and data-intensive duties, releasing human analysts as much as give attention to strategic investigations and sophisticated decision-making – a partnership moderately than alternative state of affairs,” provides Devon Kerr, director of menace analysis at Elastic.
“The position of AI is to not exchange hunters however to broaden what they’ll see,” concludes Biswajit De, CTO at CleanStart. “As an alternative of reviewing remoted alerts, groups will depend on AI brokers that repeatedly consider construct integrity, confirm dependencies, and floor patterns that sign early-stage tampering. Over time, this can make proactive menace looking extra automated, extra steady, and extra delicate to indicators that sometimes seem lengthy earlier than an incident.”
The explanation for this nearly complete rejection of totally autonomous agentic AI-instigated automated remediation is the broad perception that present AI, so good for therefore many duties, is so poor at understanding enterprise context. It doesn’t perceive what it finds.
“AI can inform you what’s anomalous; human hunters inform you why it issues. The explanation for this divide is straightforward: AI lacks enterprise context, can’t actually perceive attacker motivation, and struggles with the judgment calls that outline refined menace looking,” explains Mitch Davies, senior information scientist and cyber menace analysis at Arkose Labs.
“Context determines all the things – automated response works fantastically when context is evident, like with identified malware signatures, however fails spectacularly when context is ambiguous,” he continues.
This doesn’t imply that every one autonomous remediation is off the desk. It has been an possibility with normal ML-based anomaly detection techniques for years; however is usually restricted to contained or constrained cases – like isolating an endpoint.
“Automated techniques can take rapid motion,” says Jess, “akin to quarantining hosts or isolating compromised endpoints, when high-confidence threats are detected.” The try is to mitigate fast-moving threats, like ransomware or infostealers, and cut back the necessity for human intervention in time-sensitive eventualities.
Kevin Curran, Professor of Cybersecurity at Ulster College.
“Adversaries are additionally more and more exploring AI to develop and optimize their kits,” he continues, “so defenders might want to leverage some automation alongside intelligence-driven looking to maintain tempo.”
‘Comprise’ is the important thing phrase for automated remediation within the close to future. “Automated responses within the type of computerized containment will develop for high-confidence detections to cut back dwell time,” says Curran. “Organizations will undertake security checks, threat thresholds and rollback procedures to keep away from enterprise disruption whereas enabling swift containment.”
The strain to broaden automated remediation is rising, however the risks are too fierce with present AI. The fixed hazard now we have identified from all detection techniques continues – the price of false positives.
“We see this continuously in fraud prevention,” feedback Davies, “automated blocking should steadiness safety towards buyer friction. Block too aggressively, and also you’re inflicting income loss and person lockout. The answer is tiered automation: low-risk actions like isolating endpoints or blocking suspicious IPs could be automated, however high-risk actions like taking down manufacturing techniques all the time want human oversight.”
That is the conundrum confronted by nearly all defensive use of AI. We’re hampered by AI’s incapability to cater for the intricacies of enterprise environments. If we make one mistake in our use, the results may very well be disastrous for us personally or our firm. Attackers haven’t any such issues. In the event that they make a mistake, it’s of little consequence. They merely study from the error and check out once more.
The results of this lack of consequence for attackers is a fast adoption of AI. The potential severity of consequence for defenders requires the insistence on human oversight inside the AI loop – and that leads to delay. Attackers are quickly changing into too quick for us to detect and cease.
That’s the conundrum. We dare not unleash the total potential of defensive AI whereas in the end we should. And all of this can unravel over the subsequent couple of years.
Visibility gaps
The visibility hole impacts all of cybersecurity. How will you safe what you don’t know? For menace hunters this interprets straight into, How will you monitor and search what you can’t see?
The first culprits within the visibility hole are shadow IT (now more and more shadow AI), unapproved software-as-a-service (SaaS) purposes, and distant working. All are growing.
Melissa Bischoping, director of endpoint safety analysis at Tanium
“Shadows complicate looking by creating blind spots and unauthorized telemetry sources. This can be a rising concern as groups undertake new instruments quickly,” feedback Curran. “Distant work will increase the range of endpoints, community contexts and authentication patterns, making baseline-building more durable and growing false positives.”
Ian Ashworth, safety operations lead at Fortra, provides, “Unapproved SaaS purposes or synthetic intelligence (AI) instruments create visibility gaps and potential information publicity dangers. Environments with distant or hybrid workforces introduce new challenges for menace looking, as gadgets exterior conventional community boundaries can create visibility gaps and inconsistent logging.”
Shadow AI is worsening the lengthy standing shadow IT downside. “Shadow AI is only a new class of Shadow IT to handle – however one with considerably extra complexity and potential penalties,” feedback Melissa Bischoping, director of endpoint safety analysis at Tanium. “Each govt I’ve spoken with has change into more and more involved about an worker copying and pasting delicate firm information, akin to monetary info or mental property, into an AI chat field that isn’t managed by the group itself. This creates a dangerous, muddy alternative for information spillage.”
It’s not a passing concern – it’s accelerating in 2026. “The reason being easy: it’s simpler than ever to spin up SaaS instruments, AI providers, and cloud assets with out IT approval. Generative AI adoption has turbocharged this development. The impression on menace looking is extreme as a result of you possibly can’t hunt threats on infrastructure you don’t know exists. Shadow AI instruments processing delicate information characterize exfiltration vectors you’re not monitoring – large blind spots in your safety posture,” says Arkose Labs’ Davies.
“I believe we’re in a section of utmost acceleration with AI, particularly round misuse. We’re doubtless going to see main compromises related to AI-connected providers in electronic mail, office instruments, and AI-enabled SaaS purposes,” warns Lumifi’s Norlin. “As quickly as we begin connecting brokers that obtain enter from the broader world, we’re creating new assault floor for exploitation.”
It’s no totally different than the waves of SQL injection and different enter or injection sort assaults we’ve seen prior to now, besides, he says, “You now have a semi-intelligent, autonomous system with instruments at its disposal that may obtain enter that might not be filtered by any governing system or exterior gateway. To do their job, they must be related to backend sources of information that feed into context. That is ripe for misconfiguration as directors race them into manufacturing and don’t audit the information sources to which they’re related.”
“The detection method requires attempting to find signs: anomalous information flows, uncommon API calls, unrecognized authentication patterns, workers utilizing private accounts for enterprise functions. However right here’s the essential half – technical controls alone gained’t resolve this. Shadow IT exists for a purpose: official instruments are too sluggish, too restrictive, or don’t meet enterprise wants,” he provides.
“Should you’re solely watching accepted infrastructure, you’re lacking an enormous chunk of your precise assault floor. Shadow AI makes this worse as a result of information exfiltration usually appears reputable (somebody copying a file or utilizing an API),” cautions Aimee Cardwell, CISO in Residence with Transcend.
Most individuals utilizing shadow AI are simply attempting to get work executed quicker and don’t understand the chance. “That is why I work so exhausting to allow the enterprise with simple to make use of accepted options. Should you make the safe path the trail of least resistance, persons are extra doubtless to make use of it,” she provides.
Distant working has been a safety concern since earlier than the pandemic, however the observe expanded due to it. It’s theoretically extra manageable if the group gives firm gadgets, however that may be very costly and doesn’t preclude folks nonetheless utilizing their very own unmanaged gadgets.
Jason Baker, Managing Safety Marketing consultant, Menace Intelligence at GuidePoint Safety
“One of many major ways in which distant work impacts menace looking is by growing the assault floor – distant employees could also be extra more likely to entry enterprise assets through private gadgets, or to make use of enterprise gadgets to entry malicious infrastructure,” explains Jason Baker, managing safety marketing consultant, menace Intelligence at GuidePoint Safety. “Menace looking is much less more likely to be achievable towards personally owned gadgets, however enterprise endpoints akin to company laptops ought to nonetheless be ‘hunt-able’.”
“Distant work can considerably impression menace looking. Relying on geographic jurisdiction and privateness legal guidelines, organizations might have restricted skill to gather and analyze person information when workers work remotely or off community, akin to from dwelling or inns. This makes visibility and context tougher and requires new detection and information governance approaches,” provides iCOUNTER’s Tyson.
The visibility hole can’t be tackled if you happen to don’t know the place it exists. Discovering it’s the first precedence. Shining a light-weight into it will probably make it extra accessible to menace hunters, however not all the time simple. The sunshine might depart some darkish corners, and there could also be new visibility gaps showing that haven’t been discovered. That is one space the place the expertise, curiosity and creativeness of human hunters stays vital.
Remaining Ideas
Menace looking is evolving from network-focused to behavior-focused; from reactive to hypothesis-driven; and from human-only to human-AI hybrid, suggests Davies. “The purpose isn’t to foretell the long run completely – it’s to get higher at recognizing ‘improper’ quicker, even after we don’t know precisely what sort of ‘improper’ we’re going through.”
AI will proceed to reinforce detection, correlation, and response, but it surely’s the human component – understanding conduct, context, and threat – that ensures efficient protection, says PwC’s Wikoff. “Finally, menace looking isn’t just about instruments or expertise, however about folks utilizing these instruments to remain one step forward of adversaries.”
Ashworth provides, “Whereas many elements can and must be automated, the mix of human experience and AI-assisted evaluation will stay the simplest method.”
The overall view is that menace looking will undertake extra instruments and extra automation sooner or later. AI will change into widespread, and using computerized remediation will enhance – however all the time beneath human oversight and last management.
That, nonetheless, is an idealized view based mostly on threats and menace looking right now. The fast evolution of AI is disrupting all the things, and adversaries are adopting and utilizing AI quicker than defenders can defend. A ‘human within the loop’ of protection could also be comforting right now however will change into a legal responsibility sooner or later. Any delay brought on by human triaging may change into disastrous. There could also be a time within the not distant future the place human involvement in remediation will essentially be withdrawn in favor of autonomous agentic AI remediation. At that time, the menace hunter will essentially evolve farther from proactive techniques to predictive technique based mostly on autonomous remediation.
Associated: Creating an Efficient Menace Searching Program with Restricted Sources
Associated: Profile of a Menace Hunter
Associated: The Wild West of Agentic AI – An Assault Floor CISOs Can’t Afford to Ignore
Associated: Past GenAI: Why Agentic AI Was the Actual Dialog at RSA 2025
