Cyber resilience in 2026 means accepting that incidents will happen and being genuinely ready when they do. Prevention still matters. But the organisations that manage incidents well aren't necessarily those with the most controls. They're the ones that know their environment, have tested their response, and can make clear decisions under pressure.
The numbers are unambiguous. ASD's ACSC Annual Cyber Threat Report 2024-25 recorded over 1,200 incidents (up 11%), with critical infrastructure notifications up 111%. CrowdStrike's 2026 Global Threat Report documented an 89% increase in AI-enabled adversary attacks and a 27-second fastest eCrime breakout time. This report examines the six priorities shaping cyber resilience right now, drawing on current threat intelligence and Fortura's advisory experience across financial services, healthcare, critical infrastructure, professional services, and technology.
Executive Summary
AI risk and shadow AI: adversaries are using generative AI to scale attacks while employees are using unapproved AI tools in ways most organisations haven't mapped.
Ransomware readiness: triple extortion is the norm, identity takeover is the dominant entry path, and Australia's mandatory reporting regime (May 2025) has raised the regulatory stakes.
Cloud and identity exposure: 82% of 2025 detections were malware-free, IAM over-privilege is endemic, and cloud environments change faster than manual reviews can track.
Supply chain and third-party risk: fourth-party concentration and ecosystem-level dependencies are the real exposure, not individual vendor questionnaires.
Threat intelligence and attack surface management: continuous visibility and threat-informed validation provide evidence-based assurance that controls actually work.
Board and executive governance: boards need context specific to their organisation's risk position, not general threat briefings.
What Is Cyber Resilience?
Cyber resilience is the ability to anticipate, withstand, recover from, and adapt to adverse cyber conditions. It's broader than cyber security. Where security focuses on keeping adversaries out, resilience asks what happens when something gets through: how fast do you detect it, contain it, recover from it, and learn from it? Prevention-only thinking leads to underinvestment in detection and response, which are often the difference between a manageable incident and a catastrophic one. NIST CSF 2.0 captures this well: its six functions (Govern, Identify, Protect, Detect, Respond, Recover) place organisational context and executive accountability at the centre, not as an afterthought.
Think of how a well-run hospital manages clinical risk. It doesn't try to prevent every adverse event. It trains staff under realistic conditions, tests emergency procedures regularly, and ensures that when something goes wrong, the response is coordinated and recovery is swift. Cyber resilience works the same way. And it isn't uniform: your sector, technology footprint, suppliers, identity controls, and cloud maturity all shape what resilience actually looks like for your organisation.
The 2026 Cyber Resilience Landscape
State-sponsored actors remain the most capable and persistent threat to Australian organisations. APT40 (PRC-affiliated) has demonstrated the ability to exploit newly disclosed vulnerabilities within hours of proof-of-concept publication, using living-off-the-land tradecraft to blend into legitimate network activity. Russian GRU-affiliated actors, including APT28, have been actively targeting Western logistics entities and technology companies. These actors are patient, well-resourced, and focused on specific strategic objectives.
Ransomware remains a defining threat. ASD's ACSC recorded 138 ransomware incidents in 2024-25, present in 34% of Category 3 and above incidents. BianLian has targeted Australian critical infrastructure using an exfiltration-based extortion model: no encryption, just the threat of data exposure. Australia's mandatory ransomware reporting regime (introduced May 2025 for businesses with $3M or more in annual turnover) has added regulatory weight to every payment decision. AI-enabled attacks are accelerating the problem further. The 89% increase in attacks by AI-enabled adversaries reflects generative AI being used to produce convincing phishing content, automate social engineering, and accelerate credential harvesting at scale.
Identity-based attacks are now the dominant initial access method. CrowdStrike found that 82% of 2025 detections were malware-free: adversaries are logging in, not breaking in, using stolen credentials, session tokens, and legitimate tools. The 27-second fastest recorded eCrime breakout time shows how quickly lateral movement follows initial access. Edge devices compound the exposure: 40% of China-nexus vulnerabilities targeted VPN gateways, firewalls, and network appliances that often sit outside standard endpoint detection coverage.
AI Risk and Shadow AI
AI risk has two distinct dimensions. The first is AI as an attack enabler. Adversaries are using generative AI to produce phishing content that's grammatically polished, contextually relevant, and personalised at scale. Deepfakes are appearing in business email compromise and executive impersonation scenarios. Credential harvesting campaigns are harder to distinguish from legitimate communications. The 89% increase in attacks by AI-enabled adversaries isn't a projection. It's the current operating environment.
The second dimension is shadow AI: employees using unapproved generative AI tools to summarise documents, draft communications, and analyse data, often without any awareness that the data they're pasting into these tools may be leaving the organisation's control. Most organisations don't have a clear picture of which AI tools are in use, by whom, or what data is being processed. Governance frameworks haven't kept pace with adoption. A financial services firm discovered that employees across multiple business units had been pasting client account data into a public AI tool for months before it was detected, triggering a regulatory notification assessment that cost far more than the governance work would have.
AI agents introduce a further category of risk: autonomous systems operating with elevated privileges and access to sensitive systems, where prompt injection attacks can cause unintended actions. Fortura's Shadow AI in the Enterprise article and AI & Emerging Technology Risk Assessment address both dimensions: mapping the actual AI footprint, assessing governance gaps, and establishing policies that reflect how AI is actually being used.
Ransomware Readiness
Ransomware is a resilience issue. The question isn't whether you can prevent every attack. It's whether you can detect it early, contain it before it spreads, recover within an acceptable timeframe, and manage the regulatory and reputational consequences. Most organisations have invested in prevention. Far fewer have tested whether their detection, response, and recovery capabilities actually work under realistic conditions.
Modern ransomware groups operate triple extortion models: encrypt systems, exfiltrate data, then threaten to publish it or contact victims' customers directly. BianLian has moved primarily to exfiltration-based extortion, meaning encryption isn't always the weapon. Australia's mandatory ransomware reporting regime (May 2025, $3M or more in annual turnover) means organisations must now report payments to the Australian Signals Directorate, adding a layer of legal and governance complexity to every incident response decision.
Untested backups are like a fire evacuation plan that's never been rehearsed: the exits are marked, the procedures are documented, but when the alarm sounds you discover the stairwell door is locked. A healthcare organisation initiated its backup restoration during a ransomware incident only to find the end-to-end restore had never been tested in a production-equivalent environment. The process took three times longer than the documented recovery time objective. Fortura's Incident & Ransomware Readiness service tests detection, response, and recovery against realistic scenarios and validates backup integrity end-to-end, so recovery time objectives are based on actual results rather than assumptions.
Cloud Security Exposure
Cloud environments change faster than manual security reviews can track. Infrastructure is provisioned and modified continuously, often by development teams working at speed without security review in the workflow. The result is configuration drift: the security posture of a cloud environment today may look quite different from what was reviewed last quarter. CrowdStrike documented a 266% increase in cloud-conscious intrusions by state-nexus actors, reflecting both the growing value of cloud environments as targets and adversaries' growing sophistication in exploiting cloud-specific weaknesses.
Misconfiguration is the primary risk, not sophisticated exploits. Overly permissive IAM roles, publicly accessible storage, incomplete logging, and inadequate network segmentation are the predictable result of cloud environments managed at speed without continuous security oversight. IAM over-privilege is particularly endemic: service accounts and human users accumulate permissions over time, and least-privilege is rarely enforced consistently. A technology company discovered an S3 bucket containing customer records had been publicly accessible for several months before a security review caught it, triggering Notifiable Data Breaches obligations. Fortura's Cloud Security Posture Assessment provides continuous assessment across AWS, Azure, and GCP, prioritising IAM privilege reduction, storage exposure, and logging completeness.
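Two of the misconfigurations named above, wildcard IAM grants and publicly readable storage, can be checked mechanically from the policy documents themselves. The following Python is an added example, not Fortura's tooling or a client's configuration; it assumes the AWS IAM/S3 policy JSON layout and uses constructed sample policies so it runs offline.

```python
"""Offline checks for two of the cloud misconfigurations described above:
IAM statements that pair a wildcard action with Resource "*", and storage
bucket policies readable by anonymous principals. Sample policies are
constructed; nothing here calls a cloud API."""
from typing import Any


def _as_list(value: Any) -> list:
    # IAM accepts either a single string or a list for Action/Resource/Principal
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overprivileged_statements(policy: dict) -> list[str]:
    """Describe each Allow statement granting '*' or 'service:*' on Resource '*'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action"))
                if a == "*" or a.endswith(":*")]
        if wild and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: {', '.join(wild)} on Resource '*'")
    return findings


def is_publicly_readable(bucket_policy: dict) -> bool:
    """True if an unconditioned Allow grants object reads to everyone ('*')."""
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # a Condition (e.g. source VPC) means it is not open to all
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        reads = any(a in ("s3:GetObject", "s3:*", "*")
                    for a in _as_list(stmt.get("Action")))
        if anonymous and reads:
            return True
    return False


# Constructed sample documents (not from any real account)
OVERPRIVILEGED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:log-group:/app/*"}]}
SCOPED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-customer-records/*"}]}
PRIVATE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-records/*"}]}

if __name__ == "__main__":
    for name, pol in (("over-privileged", OVERPRIVILEGED_ROLE), ("scoped", SCOPED_ROLE)):
        print(name, find_overprivileged_statements(pol) or "no findings")
    for name, pol in (("public", PUBLIC_BUCKET), ("private", PRIVATE_BUCKET)):
        print(name, "publicly readable" if is_publicly_readable(pol) else "not public")
```

Run against exported policy documents on a schedule, this turns the quarterly review into the continuous assessment the passage calls for.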
Identity Security
Identity is the new perimeter. The traditional network boundary has dissolved across cloud environments, remote work, and third-party integrations. What remains is identity: the credentials, tokens, and trust relationships that determine who can access what. CrowdStrike's finding that 82% of 2025 detections were malware-free says it plainly. Adversaries aren't breaking in. They're logging in, using credentials obtained through info stealers, phishing, and MFA fatigue attacks, then moving laterally with legitimate tools and legitimate access.
MFA adoption has improved, but implementation quality varies. SMS-based MFA is vulnerable to SIM swapping and real-time phishing proxies. Push notification fatigue attacks are a reliable technique. Phishing-resistant MFA (FIDO2 hardware keys or passkeys) provides substantially stronger protection but requires deliberate implementation effort. Machine identity risk is a growing and underappreciated exposure: service accounts, API keys, and AI agents frequently carry elevated privileges, long-lived credentials, and minimal monitoring. Fortura's Machine Identity Risk article covers this in detail, and the Threat & Attack Surface Assessment maps identity exposure across both human and machine identities, including Active Directory compromise paths and cloud identity misconfigurations.
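The push-fatigue pattern mentioned above leaves a recognisable trace in authentication logs: a burst of denied prompts for one user followed by an approval. The following Python detection is an added example, not Fortura's or any vendor's code; the `timestamp user event ip` log format and the sample lines are constructed.

```python
"""Detection for the MFA push-fatigue pattern: several denied push prompts
for one user inside a short window, then an approval. Log format is a
constructed, hypothetical 'timestamp user event ip' layout."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 documentation addresses)
SAMPLE_LOG = """\
2026-03-02T08:01:10Z alice push_approved 203.0.113.10
2026-03-02T22:14:03Z bob push_denied 198.51.100.7
2026-03-02T22:14:41Z bob push_denied 198.51.100.7
2026-03-02T22:15:20Z bob push_denied 198.51.100.7
2026-03-02T22:16:02Z bob push_denied 198.51.100.7
2026-03-02T22:17:55Z bob push_approved 198.51.100.7
2026-03-02T09:30:00Z carol push_denied 203.0.113.22
2026-03-02T15:45:00Z carol push_approved 203.0.113.22
"""


def parse_events(text: str) -> list[tuple]:
    """Parse log lines into (timestamp, user, event, ip), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return (user, approval_time, denial_count, ip) for every approval that
    follows at least `threshold` denials by the same user within `window`."""
    recent_denials = defaultdict(list)
    alerts = []
    for ts, user, event, ip in events:
        # forget denials that have aged out of the window
        recent_denials[user] = [t for t in recent_denials[user] if ts - t <= window]
        if event == "push_denied":
            recent_denials[user].append(ts)
        elif event == "push_approved":
            if len(recent_denials[user]) >= threshold:
                alerts.append((user, ts, len(recent_denials[user]), ip))
            recent_denials[user].clear()  # approval ends the sequence
    return alerts


if __name__ == "__main__":
    for user, when, denials, ip in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(f"possible push fatigue: {user} approved at {when} after {denials} denials from {ip}")
```

Only bob's session is flagged: carol's single denial is outside the window, and alice approved without any prior denials.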
Supply Chain and Third-Party Risk
Modern organisations operate within complex digital ecosystems of SaaS platforms, managed service providers, cloud infrastructure, software libraries, and data processors. Each relationship is a potential entry point for an adversary who can't breach your environment directly. The traditional approach of sending questionnaires to individual vendors captures only a fraction of the actual exposure. It focuses on individual nodes rather than the ecosystem, and it's a point-in-time view of a continuously changing risk landscape.
Russian GRU-affiliated actors have been actively targeting Western logistics entities and technology companies, often to gain access to the networks of organisations their targets depend on. Fourth-party concentration is the underappreciated risk: when multiple critical suppliers depend on the same underlying infrastructure provider, a single upstream compromise can propagate to all of them simultaneously. A professional services firm assessed a critical SaaS vendor and found it satisfactory, but hadn't identified that the vendor's infrastructure ran on a cloud provider operating in a region subject to elevated state-sponsored targeting. Fortura's Supply Chain & Ecosystem Risk Assessment and Third-Party Risk Assessment map ecosystem-level dependencies and fourth-party concentration to identify which third-party compromises would propagate into your environment.
Threat Intelligence and Attack Surface Management
Effective threat intelligence isn't a feed of indicators. It's the connection between the threat landscape and your specific risk position. Generic feeds tell you what adversaries are doing in general. Actionable intelligence tells you which adversaries are relevant to your sector, which techniques apply to your technology stack, and which of your current controls would or wouldn't stop them. The gap between those two things is where most organisations are underinvested. Continuous Threat Exposure Management (CTEM) addresses this by establishing a continuous cycle of scoping, discovery, prioritisation, validation, and mobilisation. Fortura's CTEM article explores the framework in detail.
Threat-informed validation tests your detection and response capabilities against the specific techniques used by threat actors relevant to your organisation. Purple teaming generates evidence-based assurance rather than compliance-based assurance. The difference matters: compliance tells you a control exists; evidence tells you it works against the threats that matter. Fortura's Threat & Attack Surface Assessment provides continuous visibility of your external attack surface, and Threat-Informed Validation tests your controls against those specific techniques.
What Boards and Executives Should Ask
First: what's our current risk level, and what's changed since we last reviewed it? This isn't a technical question. It's a governance question. The answer should connect your specific technology footprint, supplier relationships, and data assets to the current threat landscape. If the briefing you're receiving doesn't reference your organisation's specific exposure, it's not answering the question.
Second: do we have visibility of our full attack surface? That includes internet-facing assets, cloud resources, identity exposure, and third-party dependencies. Many organisations have reasonable visibility of their internal environment but limited visibility of what's exposed externally, what their suppliers expose on their behalf, and what their cloud environments look like right now.
Third: have we tested our incident response capability under realistic conditions? Not whether a plan exists, but whether it's been exercised in a way that reveals gaps. Communication channels, escalation paths, and recovery procedures all behave differently in a real incident than they do on paper.
Fourth: is our threat intelligence relevant to us specifically? Generic briefings that describe the global threat landscape without connecting it to your sector, your technology stack, and your specific risk position don't support good governance decisions. Boards need to understand which threat actors are relevant to their organisation and whether current controls would detect and contain an attack using those techniques.
Fifth: are we confident in our ability to detect, contain, and recover from a significant incident? That confidence should be based on evidence, not assumption. If the answer relies on the existence of controls rather than their tested performance, it's not a reliable basis for board-level decision-making. Fortura's Board-Ready Cyber Risk Narrative article provides a practical framework for translating technical findings into the governance-level context boards need.
AI Governance Gaps
Most organisations lack policies that keep pace with the speed of AI adoption. Employees are using generative AI tools without oversight, creating data leakage risks and regulatory exposure that security teams have not yet mapped.
Ransomware Readiness Gaps
Prevention controls are in place but detection, response, and recovery capabilities are untested. Backup integrity is assumed rather than verified, and incident response plans have not been exercised under realistic conditions.
Cloud and Identity Exposure
Cloud environments change faster than manual reviews can track, while credential theft remains the dominant initial access method. Misconfigured storage, overly permissive IAM roles, and incomplete MFA adoption create compounding exposure that adversaries actively exploit.
Supply Chain Blind Spots
Third-party assessments focus on individual vendors but miss ecosystem-level dependencies and fourth-party concentration. A single compromise upstream can propagate across multiple critical systems simultaneously.
Incident Response Plan Failures
Incident response plans that look complete on paper frequently fail under real conditions. Communication channels, escalation paths, and recovery procedures that have never been tested reveal critical gaps only when an incident is already underway.
Board Reporting Without Context
Boards receive general cyber updates that describe the threat landscape without connecting it to the organisation's specific risk position. This makes it difficult to make informed decisions about investment, risk appetite, and crisis response.
AI Risk Assessment and Governance
Assess both dimensions of AI risk: the external threat landscape and the internal governance gaps. Map AI tool usage across the organisation, review data handling practices, assess AI agent privilege levels, and establish policies that reflect the actual AI footprint rather than an assumed one.
Ransomware Readiness Testing
Test detection, response, and recovery capabilities against realistic ransomware scenarios. Validate backup integrity end-to-end, exercise incident response plans with tabletop and simulation-based testing, and ensure recovery time objectives are based on actual test results.
Cloud Security Posture and Identity Controls
Continuously assess cloud configuration across AWS, Azure, and GCP environments, prioritising IAM privilege reduction, storage exposure, and logging completeness. Implement phishing-resistant MFA, manage machine identities with the same rigour as human identities, and map Active Directory compromise paths.
Supply Chain and Third-Party Risk Assessment
Move beyond individual vendor questionnaires to map ecosystem-level dependencies, identify fourth-party concentration, and assess systemic exposure. Understand which third-party compromises would propagate into your environment and how quickly you would detect them.
Incident Response and Crisis Exercising
Exercise incident response plans under realistic conditions, including scenarios that test communication channels, escalation paths, and recovery procedures. Use tabletop exercises and crisis simulations to identify gaps before an incident occurs.
Threat-Informed Validation
Test detection and response capabilities against the specific techniques used by threat actors relevant to your organisation. Use purple teaming and adversary simulation to generate evidence-based assurance that your controls work against the threats that matter to you.
Fortura Perspective
Fortura's approach starts with intelligence before action. The most common mistake organisations make is investing in controls before they have a clear picture of their actual exposure. The result is security spending that addresses assumed risks rather than real ones, with gaps that stay invisible until an incident reveals them. We prioritise clarity: understanding the specific threat actors relevant to your sector, mapping your actual attack surface, and connecting that picture to your risk appetite and business context before recommending anything.
We work across financial services, healthcare, critical infrastructure, professional services, and technology sectors. The threat profile of a healthcare provider managing patient data across a hybrid cloud environment is different from that of a financial services firm with complex third-party dependencies, and the resilience work should reflect that difference. Our services are designed to support this work at each stage, from initial assessment through to ongoing validation.
Conclusion
Cyber resilience isn't a uniform standard that organisations either meet or don't. It's a function of your specific circumstances: your sector, technology footprint, suppliers, identity controls, data sensitivity, cloud maturity, and the quality of your executive decision-making. An organisation with a clear picture of its actual exposure and tested response capabilities is more resilient than one with more controls but less clarity. The goal isn't a perfect security posture. It's understanding your real risk, addressing the gaps that matter most, and being genuinely ready to respond.
Resilience is ongoing work. The threat landscape evolves continuously, and the organisations that stay resilient over time treat it as a continuous discipline. If you're ready to move from assumed resilience to demonstrated resilience, Fortura's services provide the starting point: Cyber Risk Assessment, Threat & Attack Surface Assessment, Cloud Security Posture Assessment, Third-Party Risk Assessment, Supply Chain & Ecosystem Risk Assessment, AI & Emerging Technology Risk Assessment, Incident & Ransomware Readiness, Incident & Crisis Tabletop Exercises, and Threat-Informed Validation. Contact Fortura to begin that conversation.