The vision set out in our newly launched report on the trends shaping offensive security aligns with a regulatory shift away from static, reactive compliance towards continuous, dynamic resilience. This direction has been further reinforced by the European Commission’s new proposal for a revised Cybersecurity Act (CSA2). While subject to change as it moves through the legislative process, the proposal would broaden the role of ENISA to support member states in implementing vulnerability disclosure policies (VDPs) and in further expanding the EU catalogue of known exploited vulnerabilities. Under the proposed framework, achieving ‘substantial’ or ‘high’ assurance levels within European cybersecurity certification schemes would also require evidence that no publicly known vulnerabilities remain unresolved. Among other things, ICT vendors covered by EU conformity or certification schemes would have to provide a public point of contact for vulnerability reporting, a coordinated VDP, and clearly defined end dates for vulnerability handling and security updates. 🛡️
Cyber trends for 2026
Our YesWeHack Report 2026 also highlights the damaging prevalence of fragmented SecOps. Let’s hope that “security teams will consolidate visibility and automate response”, as forecast by a number of experts in CSO’s ‘CISOs’ predictions for 2026’. Commenting on the subject, Ramsay Healthcare CISO Manal Al-Sharif told CSO that “when you bring everything in, it’s easy to triage and prioritize. Having that single point of view means you’re correlating everything at the same time, so you know where you’re exposed most … [and] before those threats become incidents.”
Other anticipated 2026 trends in the piece included how AI agents were poised to “reshape the threat landscape”, that “SMEs will become prime targets amid rising automation”, that complex supply chains were a concern as nation-state activity intensifies, and increasing pressure on vendors to deliver secure-by-design products. ⚠️
The final item in CSO’s list was about the urgency of preparing for post-quantum cryptography. “With quantum-vulnerable encryption set to be phased out by 2030, now is the time to invest in future-ready security infrastructure,” said Zoe Hearn, head of cybersecurity strategy and governance at Insignia Financial. Timothy Youngblood, CISO in residence at Astrix Security, told CSO that the issue was “a slow-moving Y2K”. Here’s a neat tool for checking whether your servers already support post-quantum cryptography. ⚛️
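The checker mentioned above has no code behind it on this page, so here is an added example (not the linked tool, and not YesWeHack’s code) that performs the same kind of check from the command line: it offers a server only the X25519MLKEM768 hybrid group and reports whether the TLS 1.3 handshake completes with it. It assumes OpenSSL 3.5 or newer on the PATH, the first release that ships ML-KEM and that hybrid group, and assumes that s_client prints a "Negotiated TLS1.3 group:" line after a TLS 1.3 handshake. The sample s_client output embedded in the script is constructed for the offline run, not a real capture.

```shell
#!/bin/sh
# Added example for the post-quantum item in this roundup; not the tool the
# article links to and not YesWeHack code. Assumptions: OpenSSL 3.5+ on the
# PATH (first release with built-in ML-KEM and the X25519MLKEM768 hybrid
# group) and an s_client that prints "Negotiated TLS1.3 group:" after a
# successful TLS 1.3 handshake.

# Read s_client output on stdin and print the negotiated TLS 1.3 group,
# or "none" if the line is absent (handshake failed, or it was not TLS 1.3).
negotiated_group() {
    awk -F': *' '
        /^Negotiated TLS1\.3 group:/ { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# Succeed (exit 0) only for ML-KEM based groups, pure or hybrid,
# e.g. X25519MLKEM768, SecP256r1MLKEM768, MLKEM1024.
is_pq_group() {
    case "$1" in
        *MLKEM*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Offer the server ONLY the PQ hybrid group, pinned to TLS 1.3. A server that
# supports it completes the handshake and the group shows up in the output;
# a server that does not has no common group, aborts the handshake, and the
# line never appears, so the parser reports "none". The `|| true` keeps a
# failed handshake from killing the script under `set -e`.
pq_probe() {
    host="$1"
    port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_3 -groups X25519MLKEM768 </dev/null 2>/dev/null) || true
    group=$(printf '%s\n' "$out" | negotiated_group)
    if is_pq_group "$group"; then
        printf '%s:%s  post-quantum key exchange negotiated (%s)\n' \
            "$host" "$port" "$group"
        return 0
    fi
    printf '%s:%s  no post-quantum key exchange (negotiated: %s)\n' \
        "$host" "$port" "$group"
    return 1
}

# Constructed sample of the lines s_client prints after a successful hybrid
# handshake (not a real capture); used to exercise the parser offline.
SAMPLE_OUTPUT='Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
Verification: OK'

# Usage: sh pq_probe.sh example.com [port]
# With no arguments the script only parses the sample, so it runs offline.
if [ "$#" -gt 0 ]; then
    pq_probe "$1" "$2"
else
    printf '%s\n' "$SAMPLE_OUTPUT" | negotiated_group
fi
```

Offering a single group makes the result unambiguous: a completed handshake means the server supports post-quantum key exchange, and a server with no common group simply aborts. To learn what a server prefers when it is given a choice, offer X25519MLKEM768:X25519 instead and compare what comes back; a server that supports the hybrid but still picks plain X25519 is a configuration finding in its own right.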
CEOs appear to have greater confidence than CISOs in AI’s ability to strengthen their company’s cyber defences, according to a survey conducted by insurer Axis Capital: around 30% of CEOs think AI will help them with cybersecurity, compared with 20% of CISOs. This is perhaps unsurprising, with CEOs preoccupied by realising AI’s commercial benefits faster and more effectively than competitors, whereas CISOs, as their role demands, tend to focus on risk mitigation. 🤖
“Imagine an AI-powered module on an endpoint trying to figure out how to hack a machine, but without any constraints,” said Heather Adkins, Google vice president of security engineering, in a recent episode of Google’s Cloud Security Podcast about autonomous AI hacking. 🎙️ “It gets bogged down in the depths of CPU vulnerability research. It could have just used a well-known bug that's already on the machine. We see that in some of the vulnerability research that we've been doing: LLMs taking strange thought paths and having to be reined in. Vulnerability researchers, human researchers, and hackers can intuit when to stop pursuing a path that won't be fruitful. But LLMs have no concept of, ‘hey, this isn't useful, I'm changing direction’.” You can also read an edited version of this conversation. 💡
Moving on to our own output now, our aforementioned new report considers the implications of rapidly improving AI for SecOps and offensive security. We also reveal how industry trends supercharged by AI have shaped the evolution of the YesWeHack platform, ensuring it meets the increasingly complex needs of today’s security teams. The second annual edition of our report, which is now available to download, also features: the pivotal role played by triage and customer-success management teams in Bug Bounty outcomes; how the European Commission is expanding its crowdsourced security testing with the help of YesWeHack; a recap of last year’s live hacking events; and key findings from a survey of our hunter community. 📊
“We have compliance obligations in our industry, with recurring mandatory pentesting,” said the Bug Bounty lead for Tokyo-based payments provider KOMOJU in a recently published customer story. “The Bug Bounty Program helps us be better prepared and meet regulatory requirements ahead of time.” In this Q&A, he also discussed how YesWeHack’s platform, responsive support and time-saving triage make Bug Bounty viable even for organisations with modest security resources. ✅
Another new customer story stars the head of cyber testing at a leading southeast Asian telco. Sharing the lessons of their Bug Bounty Program at a YesWeHack event in Singapore, the security pro discussed how crowdsourced testing dovetails cost-effectively with periodic pentests, how they scaled up rapidly yet carefully, and his six best practices for Bug Bounty success. 📡
Video highlights (watch below) have landed from a live hacking event we held in partnership with the Cyber Security Agency of Singapore (CSA). Following a month-long qualifying phase, the two-day finals of SpiritCyber saw ethical hackers probe physical devices in three categories: military drones, industrial surveillance cameras and smart home/personal devices. Singapore’s cybersecurity agency offered a US$50,000 prize pool to strengthen the security of its ‘Smart Nation’ infrastructure. 🏙️
Another satisfied YesWeHack customer, the French Cyber Command (COMCYBER), has revealed that its latest Bug Bounty challenge yielded 150 vulnerabilities thanks to the efforts of participants. A blog post (written in French) reviewed the outcome of a nine-month engagement in which COMCYBER personnel tested more than 15 applications belonging to the French Ministry of the Armed Forces. It marks yet another successful COMCYBER initiative managed by YesWeHack since the organisation became a customer in 2019. 🎯
Finally, before we conclude with forthcoming conferences, we scored 954/1000 in our latest cyber maturity assessment via cyber risk management firm CyberVadis – putting us in the highest, Platinum tier for cybersecurity maturity for the second year in a row. In fact, our score climbed by four points year on year! These evidence-based assessments evaluate organisations’ cyber maturity against ISMS conformance criteria, providing independent validation of security posture. ✅
🤘Meet the YesWeHack Team 🤘
The YesWeHack team will, as usual, attend numerous events throughout the year. Our experts will be on hand to discuss your SecOps challenges and demo our unified offensive security and exposure management platform. Here are two on the horizon, with many more to follow:
📍 Disobey | Helsinki, Finland | 13–14 February
📍 Next IT Security | Stockholm, Sweden | 12 March
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.