Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Attackers are increasingly abusing network misconfigurations to send spoofed phishing emails, according to researchers at Microsoft. This technique isn’t new, but Microsoft has observed a surge in these attacks since May 2025. “Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally,” the researchers write.

As we step into 2026, Bitsight researchers are closely watching key developments across the cyber risk landscape. Their insights reveal a dynamic tension between rising threats and new opportunities to strengthen defenses. Here's what they predict for the year ahead, and what security teams should be prepared to navigate.

As per Verizon’s 2025 DBIR, system intrusion, social engineering, and web application attacks form: This makes web applications one of the most common and important egress points into your business systems and customer data, and that’s why even a single undetected vulnerability here can cascade into revenue-devouring breaches, hefty compliance violations, and reputational damage that may as well take years to repair.

In the last few years, many of the largest data exposures haven’t come from broken pages or leaked databases. They’ve come from APIs. Public reports around large-scale scraping incidents at companies like Meta and LinkedIn showed how exposed APIs, not traditional web flaws, were used to pull massive volumes of user data at scale. This isn’t an edge case anymore. APIs now sit at the center of how enterprises move data between applications, partners, and customers.

What is ADR (Application Detection & Response)? A security tool that monitors application-layer behavior—API calls, function execution, code paths—to detect and respond to threats in real-time. Different from EDR (endpoint-focused) or CDR (cloud infrastructure-focused), ADR sees what’s happening inside your applications. Why do most ADR solutions fail? They only see one layer.

What is a cloud workload protection platform (CWPP)? Security for the workloads actually running in your cloud—VMs, containers, and serverless functions doing real work. Unlike posture management (CSPM) that checks configurations, CWPPs monitor processes, network connections, and application behavior to catch threats as they happen. What’s the difference between CSPM, CWPP, CNAPP, and CADR? CSPM scans cloud settings for misconfigurations. CWPP protects running workloads.

The best security combines configuration controls (TLS, headers, network policies, pod security) with runtime behavioral monitoring that detects anomalies your configuration can’t see. Configuration creates the baseline—it defines what should happen. Runtime protection catches what gets through—it shows what is happening. You need both, but most teams only have the first.

Cato Networks’ SASE certification portfolio has taken a major step forward with Cato’s official recognition as an ISC2 Continuing Professional Education (CPE) Partner. ISC2 is one of the most trusted names in cybersecurity, representing more than 500,000 members worldwide. Their certifications are widely regarded as the benchmark for professional excellence in security.

I spend most of my time thinking like a criminal. Not because I’m edgy, but because that’s literally the job. And lately, everywhere I look, I see the same thing: People are exposing MCP endpoints like they’re REST APIs, and forgetting they’re actually money execution engines. So let’s talk about Token Torching. Yes, I invented another name. This isn’t data theft. It’s not taking your service down.

If your organization uses a private large language model (LLM), then it’s time to start thinking about countermeasures for jailbreaking. A jailbroken LLM can lead to leaked information, compromised devices, or even a large-scale data breach. Even more troubling: Jailbreaking LLMs is often as simple as feeding them a series of clever prompts. If your customers can access your LLM, your potential risk is even higher.