CIO Influence

Why Forecasting Cybersecurity Trends Is A Waste Of Time


The technology industry thrives on looking to the future and trying to work out which trends will shape markets and products alike. In the cybersecurity niche, however, this task has become significantly more challenging, to the point that it arguably serves little to no useful purpose.

Let’s be clear, the issue is not inaccuracy per se, but the assumption that cyber risk can be reliably forecast at all. More specifically, it is the belief that complex, rapidly evolving attacker behaviour can be mapped months in advance with meaningful precision. This is not solely because of artificial intelligence, although AI has undoubtedly changed the pace and scale of cyber operations. Rather, it is because the underlying drivers of innovation in attacker behaviour have always been difficult to anticipate, and are now accelerating.

AI has lowered the barrier to entry for advanced techniques, allowing less capable operators to deploy sophisticated capabilities at scale. It has also compressed the time between theoretical research, proof-of-concept and real-world breaches, meaning that new methods can move from idea to operational impact at unprecedented speed.

The pace at which AI capabilities evolve is also making traditional forecasting cycles largely redundant, with defensive and offensive uses of AI developing simultaneously, and often in completely unpredictable ways. But while AI accelerates deployment and adoption, the innovation itself is rarely born from AI alone. In most cases, breakthroughs in attacker technique emerge outside the scope of prevailing threat intelligence and beyond the assumptions built into existing knowledge.

Compared to the pre-AI era, for instance, attackers no longer feel constrained by established techniques or playbooks. Instead, new methods increasingly emerge from experimentation rather than iteration. AI has made these tasks much easier.

As AI-generated content feeds back into AI training pipelines, it becomes even harder to distinguish signal from noise, eroding confidence in trend-based or forward-looking threat models. The challenge, therefore, is no longer identifying what comes next, but accepting that some changes cannot be forecast.

Predictions are ultimately bounded by the quality and scope of the intelligence available at the time they are made. At best, this may provide a short window of relevance. Beyond that, forecasting increasingly relies on extrapolation from past trends and subjective interpretation, rather than demonstrable evidence.


Dealing with uncertainty

But how is this manifesting itself? Recent shifts in attacker behaviour illustrate how quickly established assumptions can be invalidated. For example, rather than focusing on a single dominant technique, attack strategies are increasingly diverging, with threat activities moving in multiple directions at once rather than following a linear progression.

Some attackers are operating deeper in the stack, targeting firmware and kernel-level components that were previously considered niche or highly advanced. At the same time, others are shifting away from system exploitation altogether and focusing on identity, credentials and user interaction.

One year the dominant concern may be memory-based exploitation; the next it may be bypassing endpoint detection controls. Then firmware-level compromise. Then identity-centric attacks built around credential abuse or session hijacking. The technique, the target, the vector and even the motivation can all shift within a relatively short period of time.

This could take the form of highly targeted attempts to tamper with low-level system components in one campaign, while a separate campaign bypasses technical controls altogether by compromising user identities through browser sessions or credential abuse.

When attacker behaviour fragments rather than converges, forecasting becomes less useful as a planning tool. This is a problem for security strategies built around anticipating specific techniques, because they make assumptions about scenarios that no longer exist. This is a particular problem for detection-led security models, which are inherently reactive, even when supported by advanced analytics.

The reality is that offensive innovation, whether driven by criminal groups, state actors or individuals, does not follow a set roadmap. We rarely see far enough around the corner to anticipate what form the next major shift will take.

Bring these factors together, and the question security leaders must now answer is no longer “what will happen next?”, but “what happens when we are wrong about what we think is coming next?”.

Embracing zero trust

However uncomfortable it feels, uncertainty should now be treated as the norm. Accepting this premise means that many organisations have a lot of work to do to build greater resilience, so cybersecurity effectiveness becomes less about knowing what is coming and more about eliminating implicit trust.

In this context, Zero Trust principles and processes will become even more important because they don’t attempt to predict attackers’ intent or behaviour. Instead, Zero Trust assumes that, because trust is so easily abused, nothing is trusted by default.

This helps make networks, data and trust boundaries better suited to environments where attacker behaviour cannot be reliably predicted. Don’t forget, Zero Trust is not about eliminating risk entirely, but about narrowing what any single security weakness or vulnerability can enable.

Already widely recognised at the highest levels, frameworks such as the US Zero Trust Maturity Model and the UK’s National Cyber Security Centre (NCSC) guidelines help organisations implement best practices and ensure that security strategies align with regulations. In this environment of widening adoption, Zero Trust will drive organisations to embrace uncertainty with confidence.
