WEBINAR
How Elite Teams Outpace the Average Adversary

New Cobalt Research: Navigating 2026’s Nation-State and Supply Chain Threats

We are currently operating in a global geopolitical powder keg. As regional conflicts fundamentally redraw the cyber threat map, security teams are finding that traditional defensive perimeters are no longer enough to keep out the most sophisticated adversaries. New threats, from nation-states to AI to the expansive supply chain, are creating a risk environment unlike anything we’ve seen before.

That’s the message coming through loud and clear from our survey of 450 security leaders and professionals, conducted as part of our broader research program for our annual 2026 State of Pentesting Report. Although this survey was conducted just before the recent escalation in Iranian activity, the data reveals that the security fault lines were already beginning to crack.

When we asked security professionals to name their top IT risks for 2026, we found that their security practices have not been keeping up with the changing environment.

Nation-State Threats: An Iceberg Under the Surface

For years, the Iranian cyber playbook was characterized by DDoS attacks and low-skill disruption. We have now transitioned into a reality of high-stakes, asymmetric warfare targeting U.S. tech titans and AI pioneers. In this environment, paper trust, relying on static certifications and annual reports, is a failing strategy.

Nation-state actors are no longer a peripheral concern or a threat strictly reserved for government targets. Today, 20% of all cybersecurity professionals rank nation-states as a top-three IT risk.

The warning is loudest in the financial sector. Among banks and insurance providers, this concern doubles to 40%, making it their number one IT risk, even surpassing the supply chain fears that are universally viewed as a top risk. It’s not surprising that our financial institutions are on the front lines of these targeted attacks, but other sectors have not kept pace with the reality of the wide-ranging threat.

Overall, a dangerous disconnect exists that’s impacting readiness and response to this growing nation-state threat: 26% of security leaders are on high alert for state-sponsored attacks, compared to only 13% of practitioners working in the trenches. When you’re busy plugging holes in the hull day after day, it’s hard to look ahead to see that iceberg lurking on the horizon.

A Perfect Storm in Third-Party Software Weaponization: The Stryker Breach

The attack on American med-tech giant Stryker by the Iranian-affiliated Handala group serves as a grim case study for this new era. This wasn't a standard software breach; it was a masterclass in weaponizing third-party management tools and a perfect storm of an attack chain that started with stolen credentials and led to devastating data loss.

The attackers exfiltrated 50 terabytes of data before exploiting Microsoft Intune to execute a massive wiper attack. By abusing the built-in remote wipe features of a trusted mobile device management (MDM) platform, the attackers bricked tens of thousands of devices globally. This caused a total manufacturing halt and a critical physical supply chain disruption for life-saving surgical equipment.

The Supply Chain Dilemma

The Stryker breach underscores why security professionals cite third-party software and tools as the number one IT risk in 2026. In our survey, 75% of organizations ranked third-party software as a top-three risk, up from 68% in 2025.

Yet we are seeing a profound disconnect between how security pros understand risk and how they are responding: 86% of organizations admit to deploying vendor software without proof of security testing. At a time when AI models are discovering vulnerabilities that have been hidden for years or even decades, and can craft exploits in minutes, this is a risk we can’t afford to take.

Let’s face it, organizations have become dependent on their vendors and suppliers for their security. With so many applications, tools, and devices in your environment, it’s hard to keep up with all of them, patching every vuln, identifying every risk or supply chain breach.

Yet organizations are still relying on static snapshots for security assurance. While 76% of organizations ask for compliance certifications like SOC 2 (a massive 33-point jump from 2025) and 61% ask for a third-party pentest report, these measures offer a false sense of security. The fact of the matter is you can no longer afford to outsource security. You need continuous validation.

AI: The Ultimate Threat Accelerator

The emergence of AI as a dual threat, leveraged by attackers for automated reconnaissance and attacks, and uniquely susceptible to exploitation due to hidden vulnerabilities, has acted as a primary fuel for these geopolitical fires. A staggering 93% of professionals have witnessed threat actors using AI to create more sophisticated threats.

AI represents the newest layer of supply chain attacks. LLMs now have the ability to write malicious code that can be plugged directly into vendor updates, essentially automating the entire attack lifecycle.

Moving to Continuous Validation

The 2026 Stryker breach highlights that annual pentests are outdated. When a vendor's "silent update" or administrative pivot bricks 200,000 devices overnight, paper-based trust fails. To survive, organizations must shift to a continuous penetration testing program to own the validation of their own environment.

New State of Pentesting Report: Our best source of insights on the current landscape of threats, and how organizations are responding, comes from comprehensive data. The 2026 State of Pentesting Report is based on independent analysis of thousands of Cobalt pentests, plus additional insights from our extensive survey of security professionals.

The report offers a framework for benchmarking your performance against thousands of organizations across a dozen industries. I encourage you to download the report to learn more about where your organization stands.

About Joe Brinkley
Joe Brinkley, also known in the community as BlindHacker, serves as the Director of Offensive Security Research & Community at Cobalt. Bringing over 20 years of "in the trenches" experience to the offensive security space, Joe’s career began in 2005 with a decade as a high-level government consultant before he transitioned into commercial penetration testing in 2016. He joined Cobalt in late 2025, drawn by a mission to evolve traditional Pentesting into a more dynamic, community-driven research model. When he isn't obsessing over cybersecurity, you’ll likely find him tinkering in his home lab or perfecting a smoked brisket.