Cyber Insights 2026: External Attack Surface Management

AI will assist companies in finding their external attack surface, but it will also assist bad actors in locating and attacking the weak points. The post Cyber Insights 2026: External Attack Surface Management appeared first on SecurityWeek.

External Attack Surface Management (EASM)
SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we examine understanding and managing the External Attack Surface with the purpose of evaluating what is happening now and preparing leaders for what lies ahead in 2026 and beyond.

Shadows are dark and dangerous places where bad guys attack anything or anyone they find. In 2026, AI will increase the number and size of shadows, together with the entire external attack surface.

External Attack Surface Management (EASM) is the process of finding and managing every asset an organization exposes to the internet. Those assets may be known (and therefore documented and possibly secured) or unknown (and therefore invisible and almost certainly insecure). While EASM covers both categories, we are primarily concerned with the invisible assets.

“This includes domains, servers, APIs, and cloud assets that may not be tracked internally,” says Chris Boehm, field CTO at Zero Networks. “It matters because most companies do not have a complete inventory of what is visible from the outside, and attackers often find these gaps before defenders do.”

Chris Boehm, field CTO at Zero Networks

EASM provides the inventory. “The benefit lies in exposure governance: accepting that not all risk can be removed, but through visibility, measurement and monitoring, there is scope to prioritize and treat risk in a way that supports business alignment and accountability,” explains Dave McGrail, head of business consultancy at Xalient.

The invisible external assets are the easiest avenue for attackers to discover and exploit. “By continuously finding and prioritizing internet-facing services, misconfigurations, expired certificates, dormant assets and third-party exposures, EASM reduces the blind spots that lead to breaches,” adds Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.

The issue is the basic asymmetry of cybersecurity: cybercriminals need only find one weakness while defenders must be perfect all the time, everywhere. “EASM seeks to be the proverbial finger in the dyke of the organization, continually trying to examine the company defenses and be aware when a system becomes vulnerable to attack; so a mitigation can be applied before the attacker takes advantage of the weakness,” says Dave Tyson, chief intelligence officer at iCOUNTER.

“EASM is simply the habit of knowing what the internet says you’re running, catching the weak [invisible] entry points and closing them before someone else walks in,” says Yaz Bekkar, principal consulting architect XDR at Barracuda Networks. “It’s a case of locking the front door before you guard the vault.”

Continuous expansion of the external attack surface

The size of the hidden external attack surface is constantly expanding. The reason can be found in the combined nature of modern business and modern technology. Technology changes rapidly, and business seeks to take advantage rapidly – at least, ahead of its competitors to maintain, improve, or gain a competitive edge.

The result is that new technology is deployed faster than security can react, and these days, often without security’s knowledge.

“The attack surface keeps expanding as cloud and remote work make it easy for teams to deploy new services without central oversight. Developers sometimes create their own environments to test or deploy applications, and these can sit outside security’s visibility,” says Boehm.

“The surface grows because organizations add cloud services, APIs, SaaS apps, IoT devices, developer environments, CI / CD pipelines and third-party integrations faster than they can inventory and secure them,” adds Curran. “Shadow resources (temporary dev / test instances, forgotten domains, contractor access) and the shift to edge and hybrid cloud mean it will keep expanding – especially across multi-cloud endpoints, API ecosystems and partner / TTP integrations.”

But “the single greatest driver to the expanding attack surface of any organization is, ironically, not in their control – it is in the control of their third parties and supply chain partners who have shared two way data connections between them,” warns Tyson. 

These trusted pathways have changed the algorithm of risk each defender faces. “Imagine,” he explains, “an organization, connected to 300 companies. Each one of those companies is being scanned, probed, and attacked every day, with the sole goal of finding a connection to your company – through the trusted connection in place, thereby avoiding significant scrutiny.” 

Today, he continues, “This is possible because the cyber attacker has embraced the AI advantage of enumerating a target company’s trusted connections and conducting reconnaissance on them in near real time, every day. The adversary AI can find the exact list of companies to attack each day, and they can know exactly which attack methods are most likely to succeed.”

Aimee Cardwell, CISO in residence at Transcend

Two other areas are worthy of note: acquisitions, and our rapid adoption and deployment of AI. “Acquisitions are notoriously hard to secure. As soon as it’s announced, you’re a target, and companies rarely have the discipline to consolidate duplicate systems quickly. They’re looking to demonstrate financial synergies from the acquisition first,” comments Aimee Cardwell, CISO in residence at Transcend.

She also adds, “It will surprise no one that in 2026, the attack surface will grow mainly around AI. Companies are trying to adopt AI tools without understanding where their data goes or how models are being trained. Each new AI app becomes another entry point, and worse, most organizations have zero visibility into how many employees are uploading data to ChatGPT or similar consumer tools.”

Raj Mallempati, CEO and co-founder at BlueFlag Security, expands on this. “The attack surface is exploding enterprise wide as every department adopts AI agents. Marketing uses AI for content generation, sales for lead qualification, operations for process automation.”

Alex Polyakov, co-founder and CTO at Adversa AI, agrees. “Yes, the attack surface is exploding – and AI agents are the reason. They’ll live everywhere: on workstations, in agentic browsers, in SaaS apps, and eventually as enterprise-wide autonomous agentic AI systems. In this world, the concept of a perimeter disappears entirely.”

Pascal Geenens, VP of cyber threat Intelligence at Radware, continues, “Next year, enterprises will face a new kind of visibility crisis as AI agents start forming their own network of connections. These autonomous integrations will create an agentic ecosystem, a hidden layer of APIs, plug-ins, and context providers operating beyond traditional controls… The agentic services ecosystem is a rapidly expanding constellation of third-party modules, plug-ins, and AI service connectors. It will mirror the software supply chain crisis that emerged with open-source dependency attacks.”

But the critical expansion – and highest risk, says Mallempati, “is in the SDLC, where AI agents aren’t just processing information but actively creating and deploying code. By 2026, we predict autonomous agents will touch 60-70% of enterprise code. Unlike a compromised chatbot that might leak customer data, a compromised development AI agent can inject backdoors into your entire product, modify infrastructure, or expose your complete IP. The development environment is where AI agents have the most privileged access and the least governance.”

While the AI expansion of the external threat surface will be extensive, not everyone thinks it is necessarily uncontrollable. “If the risk is managed appropriately with mature processes and controls – including through identity management, just-in-time access and automated anomaly detection – there’s no reason to conflate a larger attack surface with increased risk,” says McGrail.

The shadowy surface

Shadows are a part of business. Employees will rapidly use new services without corporate oversight or knowledge if they feel it makes their work more efficient. The term most usually refers to the activities of individuals but can also involve the practice of internal teams or the company itself. 

“Shadows are a major problem because they bypass governance, logging and patching,” points out Curran. “All shadow platforms are a risk because of their unknown, unmaintained internet exposure,” adds Bekkar. The latest addition to the menagerie is shadow AI. 

“Shadow AI exists across the enterprise, but shadow AI in development is uniquely dangerous. While shadow AI in marketing might generate unapproved content, shadow AI in development can access production systems, leak source code, or introduce vulnerabilities that affect millions of users,” warns Mallempati.

“Shadow AI is a bigger risk than shadow IT ever was because it involves sending sensitive data to opaque external APIs with no controls. Someone exports user data to Excel, then uploads it to ChatGPT for analysis. Suddenly you have regulated data in a third-party system, and when a breach happens, you can’t determine scope because you never knew the data was there,” warns Cardwell.

“Shadow AI will likely become a larger issue given the proliferation of AI platforms and the time it will take organizations to get effective AI governance in place. Since pretty much all AI systems leak data, whatever employees load into them is at risk,” adds Tyson.

“Those risks are blind spots of potential security vulnerabilities – they can lead to data breaches through improper handling of sensitive information by unapproved AI models, potentially exposing intellectual property or confidential data,” warns Melissa Ruzzi, director of AI at AppOmni. “Furthermore, unauthorized AI usage where company information was shared can be exploited to craft sophisticated phishing attacks and even generate disinformation campaigns,” she continues.

“Ultimately, this causes a skewed view of risk, putting compliance and business resilience in jeopardy,” adds McGrail.

MCP Risks

Natalie Walker, VP at NCC Group

Shadow Model Context Protocol (MCP) servers in development environments are particularly insidious. “Developers are spinning up unauthorized MCP servers that connect their IDEs directly to AI models, granting these connections access to entire codebases, credentials, and infrastructure. We’re seeing developers grant AI agents broad permissions ‘temporarily’ for debugging that never get revoked,” says Mallempati.

“Shadow MCPs are a serious problem. Unmonitored or unauthorized MCP servers often emerge as developers experiment with AI agents – they create blind spots where autonomous systems can write, modify and deploy code without security oversight,” warns Shahar Man, co-founder and CEO at Backslash Security.

“MCP can bring even more complex challenges, exposing sensitive data, causing unauthorized automation, and escalating privileges without oversight,” adds Natalie Walker, VP at NCC Group.

Shining a light into the shadows

Managing shadows requires two things, suggests Cardwell. “First, automated discovery – manual surveys don’t work because people either don’t realize what they’re doing is risky, or they’re not incentivized to tell you. You need tools that scan network traffic and API calls to catch unseen AI usage.” 

Second, she continues, “Provide better alternatives. When I find shadow AI, I start by asking what gap the users were trying to fill. Then either give them an approved tool that does the same thing, or work with them to bring their system into compliance. Banning tools without offering alternatives just drives behavior further underground. Folks are trying to do the right thing – how can we enable them to do that safely?”

McGrail adds, “There’s a fine balance between the shadow risk and the risk of not allowing a level of business agility.”

Attacks against the external attack surface

In 2026, “Attackers will leverage context poisoning by embedding malicious behavioral patterns or manipulative datasets into AI service configurations that persist across deployments. This will trigger AI-native supply chain breaches, where enterprises unknowingly integrate compromised agentic services that manipulate autonomous decision chains, exfiltrate sensitive information, or subtly bias business logic,” warns Geenens.

Organizations have moved critical business processes to SaaS applications in search of agility, scalability and efficiency. In many cases, appropriate security controls have not followed. “Attackers understand this and are increasingly taking advantage of the opportunity by breaching organizational SaaS tenants. They’ll continue exploiting this shift using techniques such as phishing, credential stuffing / spraying, session hijacking, and token theft to gain unauthorized access to identity providers and SaaS environments,” says Brian Soby, CTO and co-founder at AppOmni.

He adds, “The widespread use of SaaS also introduces risks from misconfigurations and overly permissive access, which attackers will continue to exploit for lateral movement and data theft.”

2026 will also mark the moment when zero click attacks transcend the human layer altogether. “We’ll see the rise of AI-to-AI attacks, in which malicious autonomous agents target legitimate corporate AI systems, exploiting APIs, model context protocols and SDK integrations,” says Rob Juncker, CPO at Mimecast. “The result is an attack surface that multiplies exponentially, often without a single alert or human noticing.”

Shahar Man adds, “Next year, we’ll see the first large-scale breach originating from an MCP. A backdoor or supply chain poisoning attack will quietly embed malicious code into enterprise environments, spreading through AI-driven development workflows before anyone detects it. When this breach comes to light, it will expose how deeply enterprises have trusted these agents without sufficient oversight.”

IPv6 is another area likely to be attacked in 2026 – adoption is advancing faster than the visibility tooling required to secure it. Conner Lines, CTO at SixMap, warns, “In 2026 some of the most severe breaches will originate from assets that exist only in the IPv6 dimension of enterprise infrastructure – services brought online for modernization, compliance, or cost reasons, but never fully integrated into external attack-surface management.”

He adds, “Any visibility stack that fails to treat IPv6 as a first-class external exposure domain will be operating blind where attackers already have line of sight.”
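One way to check for the IPv6 blind spot Lines describes is to compare exported DNS records against the ranges the EASM scanner actually covers. The sketch below is an added example, not part of the original article or any vendor's tooling; the hostnames, addresses and scan scope are constructed sample data using documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (hostname, record type, address) as exported from DNS.
DNS_RECORDS = [
    ("www.example.com", "A", "198.51.100.10"),
    ("www.example.com", "AAAA", "2001:db8:10::10"),
    ("api.example.com", "AAAA", "2001:db8:20::5"),        # no A record at all
    ("legacy.example.com", "A", "203.0.113.7"),
    ("vpn.example.com", "A", "198.51.100.20"),
    ("vpn.example.com", "AAAA", "2001:db8:ffff::1"),
    ("mapped.example.com", "AAAA", "::ffff:198.51.100.30"),
]

# Constructed sample: the ranges the external scanner is configured to cover.
SCAN_SCOPE = ["198.51.100.0/24", "2001:db8:10::/48"]


def normalize(address):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def in_scope(ip, networks):
    """True if the address falls inside any scanned network of the same family."""
    return any(ip.version == net.version and ip in net for net in networks)


def coverage_gaps(records, scope):
    """Return sorted (host, address, kind) tuples for addresses nobody scans.

    kind is "ipv4", "dual-stack-v6" (host also has an A record) or
    "ipv6-only" (the host is reachable over IPv6 alone).
    """
    networks = [ipaddress.ip_network(cidr) for cidr in scope]
    record_types = defaultdict(set)
    for host, rtype, _ in records:
        record_types[host].add(rtype)

    gaps = []
    for host, _, address in records:
        ip = normalize(address)
        if in_scope(ip, networks):
            continue
        if ip.version == 4:
            kind = "ipv4"
        elif "A" in record_types[host]:
            kind = "dual-stack-v6"
        else:
            kind = "ipv6-only"
        gaps.append((host, str(ip), kind))
    return sorted(gaps)


if __name__ == "__main__":
    for host, address, kind in coverage_gaps(DNS_RECORDS, SCAN_SCOPE):
        print(f"{kind:14} {host:20} {address}")
```

The `ipv6-only` findings are the ones an IPv4-centric inventory never sees, because there is no A record to lead a scanner to the host.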

The OSS supply chain should also be considered part of the external attack surface since the initial attack is against repositories outside of security’s purview. 

“Adversaries are already playing the long game, contributing legitimate code to open-source software projects, building trust within developer communities and waiting for the right moment to strike,” warns Keith McCammon, co-founder and Chief Security Officer at Red Canary (acquired by Zscaler). “The goal won’t be a single breach, but systemic leverage. One compromise in a widely used dependency could ripple across thousands of organizations overnight.”

Keith McCammon, co-founder and Chief Security Officer at Red Canary

Instead of spraying exploits across thousands of targets, adversaries will compromise a single trusted dependency to reach many. With most open-source projects maintained by small teams or individual developers, often without security oversight, the attack surface has never been more exposed – or more tempting.

He adds that trust becomes the most exploited vulnerability in 2026. “Organizations must verify not just who accesses their systems, but what code they run. Knowing the origin, integrity, and build process of every component will become a baseline requirement, because in 2026, trust becomes the exploited vulnerability.”

Martin Reynolds, field CTO at Harness, agrees with this assessment. “Many enterprises will say they have learnt supply chain security lessons after 2023’s SolarWinds breach – but that doesn’t mean their AI has. With AI expanding software supply chain volume and complexity, similar incidents become more likely and severe, as a single compromised component could cascade across thousands of enterprises.”

In 2026, he adds, “scalable supply chain security will become non-negotiable. Software composition analysis must scan every dependency, SBOMs must be maintained in real time, and remediation needs to be automated.”

Managing the external attack surface

The overarching belief is that AI will play a pivotal role in securing the external attack surface in the future – whether that is machine learning today or agentic AI tomorrow. 

“AI already adds value by processing large amounts of discovery data and highlighting the assets most likely to pose risk. It helps teams focus faster, not by acting on its own, but by turning thousands of potential issues into a few clear priorities,” says Zero Networks’ Boehm. “Full automation, where AI systems can verify ownership and shut down risky exposures, is still a few years away.”

John Bruggeman, a virtual CISO with CBTS, agrees with the use of AI. “AI, in the form of machine learning, can help detect new external assets – like shadow IT – by constantly scanning your network for new servers – like remote desktop servers – or new SaaS applications with your domain name. There are services that do that now, but there are often false positives – detected assets that the service thinks are yours, but are not. ML can help weed out the false positives and make external discovery of new assets more accurate, so that less manual review is required.”

He also suggests other possible approaches. “One way to detect shadow IT existing in your environment is to monitor corporate email. If departments are using shadow IT, odds are they are using their corporate email account. Another way is to monitor network traffic at the firewall. AI can be used to sift through your network traffic and find SaaS applications that IT doesn’t know about. Once you know how big the problem is, you can start to manage it.”
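The traffic-based discovery that Cardwell and Bruggeman both recommend can be sketched as a pass over egress proxy logs that groups every unsanctioned destination by who uses it and how much data leaves. This is an added example, not from the article or any product; the log format, hostnames and sanctioned list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: timestamp user department method host bytes_sent
LOG = """\
2026-01-12T09:14:02Z alice finance POST files.crm.example 5120
2026-01-12T09:15:40Z bob marketing POST api.genai-notes.example 48211
2026-01-12T09:16:05Z bob marketing GET api.genai-notes.example 0
2026-01-12T09:20:11Z carol finance POST api.genai-notes.example 910344
2026-01-12T09:21:37Z dave engineering POST notcrm.example 2048
2026-01-12T09:22:00Z erin engineering GET mail.corp.example 0
malformed line without enough fields
2026-01-12T09:30:19Z dave engineering POST upload.quickshare.example 7000
"""

# Constructed sample: domains IT has approved.
SANCTIONED = {"crm.example", "corp.example"}


def parse_line(line):
    """Return a record dict, or None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) != 6 or not fields[5].isdigit():
        return None
    _, user, dept, method, host, sent = fields
    return {"user": user, "dept": dept, "method": method,
            "host": host.lower().rstrip("."), "sent": int(sent)}


def is_sanctioned(host, sanctioned):
    """Match on label boundaries so notcrm.example does not pass as crm.example."""
    return any(host == s or host.endswith("." + s) for s in sanctioned)


def service_of(host):
    """Approximate the registrable domain by its last two labels.
    Assumption: production code should use the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def shadow_report(lines, sanctioned):
    """Summarize unsanctioned destinations, largest upload volume first."""
    stats = defaultdict(lambda: {"users": set(), "departments": set(),
                                 "requests": 0, "upload_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_sanctioned(rec["host"], sanctioned):
            continue
        entry = stats[service_of(rec["host"])]
        entry["users"].add(rec["user"])
        entry["departments"].add(rec["dept"])
        entry["requests"] += 1
        entry["upload_bytes"] += rec["sent"]

    report = [{"service": svc,
               "users": sorted(e["users"]),
               "departments": sorted(e["departments"]),
               "requests": e["requests"],
               "upload_bytes": e["upload_bytes"]}
              for svc, e in stats.items()]
    return sorted(report, key=lambda r: (-r["upload_bytes"], r["service"]))


if __name__ == "__main__":
    for row in shadow_report(LOG.splitlines(), SANCTIONED):
        print(row)
```

Grouping by department gives the starting point for the follow-up conversation about which gap the users were trying to fill.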

Tim Chang, VP of application security product management, cybersecurity and digital identity at Thales, warns, “The attack surface isn’t simply ‘growing’, it’s fragmenting into thousands of dynamic entry points. In this landscape, protecting APIs and applications moves from best practice to existential necessity. Through 2026, bot defense will shift from passive detection to active disruption to spot intent, fingerprint behavior, and intercept malicious automation before it ever reaches the application layer.”

He continues, “Organizations will invest heavily in runtime bot analytics, anomaly detection, and AI-against-AI countermeasures as bot-driven fraud, credential abuse, and API exploitation surge. APIs, the convergence point for humans, machines, agents, and devices, will finally receive the scrutiny they’ve long deserved.”

And concludes: “Companies that elevate API security and harden web applications against AI-powered bots will reduce outages, protect sensitive data, and safeguard customer trust and experience. Those that don’t will find themselves facing an adversary that never sleeps, never slows, and learns from every single attempt.”

NCC Group’s Walker sees the rise of agentic AI coming to EASM. “Unlike traditional AI that primarily responds to commands, agentic AI is composed of autonomous agents that can make their own decisions.”

There is an enterprise-wide uptake in agentic AI. It will introduce more automation and require less human intervention. “Emerging autonomous EASM ecosystems will orchestrate discovery, prioritization and patching, complemented by continuous red-teaming and attack simulation,” she says. “But the vast majority of settings will still require human oversight and insight before any real-time remediation.”

Professor Curran supports the use of ML / AI. “It can speed asset discovery, reduce false positives, correlate signals (DNS, certs, telemetry) and predict which exposures are most likely to be exploited. Behavioral models help detect anomalous changes to public-facing assets. AI also helps automate prioritization and generates contextual remediation playbooks, though human validation remains essential where risk decisions are sensitive.”

Barracuda Networks’ Bekkar continues the AI theme. “Defenders need to use AI as the engine of EASM, not as a sidekick. Let it continuously discover internet-facing assets, decide if they belong to the organization, and use pattern-matching to spot look-alike domains. Organizations can leverage AI to remove noise by grouping duplicates and obvious false positives, then ranking what’s left by risk level: how easily the exposed asset could lead to identity or data access.”

He believes the routine stuff can be automated: “Expire test subdomains, close orphaned buckets, revoke stale tokens, but ensure there’s a human in the loop for anything sensitive.”

Sheetal Mehta, head of cyber security at NTT Data, projects beyond ML / AI to the agentic AI. “With the introduction of AI and agentic AI, EASM could soon move to continuous monitoring – mapping and inferring connections between IP, supply chains, domains and cloud instances to find shadow IT that is ordinarily missed – or better still, learning patterns to detect unusual activity and act to quickly mitigate and help security teams better prioritize efforts.”

Not everyone is fully sold on AI. “It can help with automated discovery and classification across your environment, but it’s not a silver bullet. It’s most useful for surfacing where sensitive data lives continuously rather than just during annual audits,” says Transcend’s Cardwell.

“The good news is that there are really great tools being developed to reduce this risk. Can we buy and implement those tools as quickly as the threat actors can use AI to find new chinks in our armor? I’m ‘glass half empty’ on that. But I do think this is a place for CISOs to invest in 2026.”

It is important to remember that what is sauce for the defending goose is also sauce for the attacking gander. If defenders can use AI to locate their exposures, attackers can and will do the same. It will be a race, but the primary advantage for the defender is greater situational context. Attackers and defenders will both find the exposures, but defenders will better understand the critical exposures to prioritize.

iCOUNTER’s Tyson has an additional recommendation designed to counter third party risk. He suggests widening viewpoints to include the entire enterprise ecosystem, and monitoring every critical organization for active compromise. “This way,” he says, “organizations can understand the risk uniquely related to them from the entirety of their connected partners.”

If you wish to monitor the external attack surface, you need to include your connected partners, he adds. “In today’s world, cybercriminals have simply expanded the attack surface to 3rd and 4th parties, and ecosystem compromise monitoring is the ultimate tool in redefining the new expanded attack surface.”

Final thoughts

“External attack surface management will remain a critical, but increasingly complex, issue in cyber security in the year ahead, largely because organizations have lost control of their environments,” warns Simon Phillips, CTO of Engineering at CybaVerse.

Control has been lost because business pressure and the need for agility to stay ahead of the competition result in new technology being adopted faster than security can apply governance. This includes the rapid adoption of SaaS solutions, the personal use of shadow IT, and the unsanctioned rise of shadow AI by individuals and developers downloading undisclosed copies of MCP.

AI is the double-edged sword in the picture. It will assist companies in finding their external attack surface, but it will also assist bad actors in locating and attacking the weak points.

The likelihood for 2026 is that the battle between attackers and defenders will increase in size, complexity and speed – with no sign of any decrease.
