21 January 2026 Retrospectives Vladimir Kolla
Vulnerability forecast 2026. What organizations can expect
In cybersecurity, years go by but alerts look the same. Vulnerabilities keep piling up, data breaches keep happening, attacks keep moving faster. 2025 only confirmed what many teams already felt on the ground. The pace is accelerating.
Summary
2025 Review
• Vulnerabilities published every week, often exploited in the wild almost immediately, sometimes as early as Thursday.
• Well funded organizations compromised by low sophistication attackers due to a lack of visibility into their real exposure.
• Data breaches becoming continuous, settling in as permanent background noise.
2026 Outlook
• An even higher pace of vulnerability disclosure, with rapid exploitation concentrated at the end of the week.
• Increasing industrialization of state sponsored attacks, particularly from Russian actors, aiming for large scale data leaks and confirmed breaches of critical institutions ahead of 2027.
• The end of unrealistic AI promises, giving way to more pragmatic and operational use cases.
The Cybersecurity Landscape in 2025
In 2025, the overall picture leaves little room for debate.
With 48,448 CVEs published over the year, vulnerability volume reached an unprecedented level. Critical flaws were exploited in the wild almost systematically, sometimes as early as Thursday, sometimes even before official patches were released. This timing turned many weekends into high pressure periods for security teams, with a clear impact on workload and morale.
The contrast remains striking. While some organizations invest thousands of euros in cybersecurity, very young attackers still manage to compromise exposed systems with unsettling ease. Data breaches show no sign of slowing down. They have become constant background noise. While you are reading this, it might be 3:13 pm somewhere in the world, and a new compromise has likely just occurred.
Patrowl 2025 Review. A Proactive Detection Approach
Over the past year, Patrowl strengthened its role in proactive threat detection.
A total of 514 previously unknown vulnerabilities were identified and responsibly reported. Among them, 74 were critical and 87 high severity, enabling teams to act on the most sensitive risks before exploitation.
The year was also marked by the identification of more than 208 Trending Attacks, meaning threats already exploited in the wild. This visibility provides a clear advantage in understanding what is actually happening on the ground and which techniques attackers are actively using.
In parallel, nearly 1,000 assets were audited through grey box penetration testing campaigns. These assessments uncovered concrete, exploitable weaknesses, often invisible through purely declarative or compliance driven approaches. The objective remains unchanged: expose weaknesses before they turn into incidents.
Cybersecurity Predictions for 2026. Constant Pressure Ahead
Looking toward 2026, several existing dynamics are expected to intensify. The volume of published vulnerabilities will continue to grow, with near immediate exploitation, often concentrated at the end of the week. The time available for defensive teams to react will keep shrinking.
According to FIRST projections, close to 59,000 CVEs could be published over the year. At this scale, any purely reactive security strategy becomes unrealistic. State sponsored actors, particularly Russian groups, along with opportunistic cybercriminals, are likely to push a model of offensive reuse further. Campaigns inspired by past operations such as WannaCry or NotPetya will no longer be exceptions but repeatable playbooks, reusing tools, infrastructure, and tactics with high efficiency.
For many organizations, the most likely scenario remains large scale data leaks or confirmed breaches of critical institutions. The publication of sensitive data will serve both destabilization goals and demonstrations of power. At the same time, the AI hype is expected to collide with operational reality. High costs, difficult integration, and uneven results will force expectations to adjust, making room for more pragmatic and field driven use cases.
Looking Ahead to 2026. The Patrowl Perspective
As attacks continue to multiply, deploying MFA everywhere is no longer enough. What matters is having a clear and up to date understanding of exposure. This requires accurate asset knowledge supported by a reliable inventory, fast identification of associated vulnerabilities, proper risk qualification, and immediate decisions between remediation and mitigation.
Such an approach significantly reduces the exploitation window and improves control over the supply chain, which has become a preferred indirect target for attackers. Centralizing exposure data, monitoring it continuously, and accelerating decision making fundamentally changes security posture. It becomes clearer, faster, and more aligned with real world conditions.
Cybersecurity is no longer about tools or budgets. It is about realism, prioritization, and the ability to absorb what will eventually happen.
The question is no longer if an incident will occur, but when, and how the response is handled.