“In 2026, we expect to see a continued escalation in infrastructure risk, with botnets capable of generating attacks at 20+ terabits per second threatening not only individual targets, but the subscriber and Internet connectivity within Internet Service Provider networks,” Dareen Anstee, CTO Security at Netscout, shares.

“Very high volume and throughput attacks create significant collateral damage, where businesses and consumers with no direct link to the target can be impacted, as they are isolated from cloud services and the wider Internet.”

Trend 1: The evolving relationship between global geopolitics and the level of cyberwar

Netscout said recent research indicates a strong relationship between global geopolitics and the level of DDoS attack activity across the Internet.

“This is nothing new as we have seen echoes of real-world conflict echoed across the Internet for more than 15 years, with attacks against Estonia in 2007, and more recently around Russia, Ukraine, Sweden, Finland and Turkey, to name but a few,” Anstee noted.

“What’s changed is that it’s no longer just major geopolitical conflicts that generate attack activity; today, there are DDoS attacks coinciding with regional protests, local elections, and even speeches by key political figures – the relationship between real-world disputes and DDoS has grown much closer.”

He added: “What’s clear is that our experience of geopolitical cyberwarfare is likely to get a lot worse in the future, as we’ve already seen DDoS attacks spread much wider than those involved in physical conflict, to those who support one side or the other, and beyond to those associated with those supporters.”

Trend 2: Changes in threat hunting

The industry has already seen some aspects of threat hunting become automated and accelerated. There are now tools that can identify subtle shifts in activity, intelligently augment and collate data and have natural language assistants to help analysts with next steps.

Anstee explained how these platforms allow more senior workers to focus on more advanced tasks and recognise new attack vectors that may have otherwise remained undetected.

“What’s interesting though is how this is evolving. Very large, well-resourced organisations, in the financial sector, for example, seem to be moving forward with their own agentic AI strategies that are tailor-made for their own environments,” he added. “These platforms are using combinations of AI/ML with LLMs to both interpret, infer, reason and act on potential threats. These projects are driving new requirements for consistent visibility across technology domains, with high-fidelity, curated data sources being key to success.”

He added: “It is highly likely these platforms will be very effective – which is both good and bad. It’s good for the organisations that have them, but the likelihood this will drive increased sophistication from adversaries, and that they will target the next tier of organisations who are less well defended.”

Trend 3: High-volume, complex, democratised cyberattacks

Another concern that Anstee shares is the increasing complexity of DDoS attacks and how more sophisticated tools are becoming more readily available, or democratised.

“This has removed the barrier to entry, giving smaller groups the ability to automate reconnaissance, rotate and randomise attack vectors and adapt in real time – in ways previously limited to top-tier actors,” Anstee noted.

This has inevitably created the dual challenge of overwhelming volume and machine-driven, intelligent persistence.

Anstee said: “For defenders, this makes real-time intelligence and adaptive defences more critical than ever.”

Related stories

10 cyber incidents that shook the world in 2025: Cloudflare, Colt, Salesforce

UK security minster unveils ‘business-first’ plan to boost cyber resilience

Colt CEO addresses cyberattack: ‘Customers told us if it wasn’t you, it would be us’