Darren Anstee, chief technology officer for security at NETSCOUT offers some trends for 2026. First, he sees an evolving relationship between global geopolitics and the level of cyberwar.
“Recent research points to a strong relationship between global geopolitics and the level of DDoS attack activity across the Internet. This is nothing new as we have seen echoes of real-world conflict echoed across the Internet for more than 15 years, with attacks against Estonia in 2007, and more recently around Russia, Ukraine, Sweden, Finland and Turkey, to name but a few. What’s changed is that it’s no longer just major geopolitical conflicts that generate attack activity; today, there are DDoS attacks coinciding with regional protests, local elections, and even speeches by key political figures – the relationship between real-world disputes and DDoS has grown much closer.
“What’s clear is that our experience of geopolitical cyberwarfare is likely to get a lot worse in the future, as we’ve already seen DDoS attacks spread much wider than those involved in physical conflict, to those who support one side or the other, and beyond to those associated with those supporters.”
Changes in threat hunting
“We are already seeing some aspects of threat hunting being automated and accelerated, using tools that can identify subtle shifts in activity, intelligently augment and collate data, and have natural language assistants to help more junior analysts with next steps. These platforms allow more senior resources to concentrate on more advanced tasks, investigating and confirming hypotheses, and recognising new attack vectors that may otherwise remain undetected.
“What’s interesting though is how this is evolving. Very large, well-resourced organisations, in the financial sector, for example, seem to be moving forward with their own agentic AI strategies that are tailor-made for their own environments. These platforms are using combinations of AI/ML with LLMs to both interpret, infer, reason and act on potential threats. These projects are driving new requirements for consistent visibility across technology domains, with high-fidelity, curated data sources being key to success.
“It is highly likely, given the $$$s being invested, that these platforms will be very effective – which is both good and bad. It’s good for the organisations that have them, but the likelihood this will drive increased sophistication from adversaries, and that they will target the next tier of organisations who are less well defended.
“Security in enterprises is already stratified, with big variations in capability between the largest organisations and then down through multiple different tiers – hence growth in products and services that package up sophisticated capability, e.g. SASE, and managed detection and response. This stratification may well get worse as we move forward.”
High-volume, complex attacks
“In 2026, we expect to see a continued escalation in infrastructure risk, with botnets capable of generating attacks at 20+ terabits per second threatening not only individual targets, but the subscriber and Internet connectivity within Internet Service Provider networks. Very high volume and throughput attacks create significant collateral damage, where businesses and consumers with no direct link to the target can be impacted, as they are isolated from cloud services and the wider Internet.
“Another concern is the increasing complexity of DDoS attacks, and the democratisation of sophisticated tooling. This has removed the barrier to entry, giving smaller groups the ability to automate reconnaissance, rotate and randomise attack vectors and adapt in real time – in ways previously limited to top-tier actors. This creates a dual challenge of overwhelming volume and machine-driven, intelligent persistence. For defenders, this makes real-time intelligence and adaptive defences more critical than ever.”
