AI CERTS
Threat Defense in 2026: Netcraft Forecasts New Cyber Risks
The Netcraft release anchors its forecasts in 225 million malicious URL blocks and 1.36 million scam takedowns. Independent vendors Flashpoint and F5 Labs echo many themes, underscoring a wider industry consensus. This article unpacks the data, clarifies each risk, and proposes measurable defensive steps, so that teams can benchmark readiness before the next threat spike arrives.
Netcraft Operational Data Highlights
First, the numbers set critical context. According to Netcraft, the company removes nearly one-third of global phishing sites. The platform has blocked 225 million malicious URLs since launch. Meanwhile, analysts logged 1.36 million cryptocurrency investment scam sites since March 2020. Additionally, 72,535 of those scams fell during the last twelve months, showing ongoing attacker momentum. Such scale lends credibility to this latest set of predictions. Therefore, security executives should treat the findings as a hard operational signal, not marketing fluff.

These statistics quantify an enormous, evolving attack surface. However, understanding the five emerging forces matters even more.
Five Core Threats Forecasted
Netcraft condensed the next wave of danger into five themes. Consequently, we summarise each theme before deeper analysis.
- Agentic AI attacks exploiting autonomous workflows.
- Industrialized Phishing-as-a-Service driving scale.
- High-severity web-facing vulnerabilities persisting.
- Seasonal or event-driven campaign spikes exploiting public interest.
- Targeting downstream suppliers to multiply impact.
Collectively, these vectors will stretch Threat Defense programs across identity, infrastructure, and supply chains. Subsequently, each threat warrants focused inspection. Therefore, we begin with the technology trend shaping many others.
AI Agents Expand Risk
Autonomous agents can plan, decide, and call external APIs without human gates. In contrast, classic bots followed narrow, rule-based scripts. Consequently, attackers are weaponising agentic AI for reconnaissance, phishing, and lateral movement. Prompt injection or workflow hijacking may grant unauthorized actions across SaaS ecosystems. Flashpoint CEO Josh Lefkowitz notes automation has accelerated attack tempo beyond many defenders’ capacity. Moreover, F5 Labs warns that identity now forms the core perimeter for modern applications. Threat Defense tools must monitor agent orchestration layers, instruction provenance, and output destinations. However, existing WAF deployments rarely observe those layers. Agentic risk therefore demands new telemetry and governance models. Next, we examine how industrial phishing services exploit that same automation.
Phishing Services Scale Attacks
Phishing-as-a-Service removes coding hurdles through commercial kits, dashboards, and customer support. In the broader cybersecurity community, PhaaS now resembles a franchised retail model. Netcraft observed significant growth among Chinese PhaaS operators during 2025. Additionally, OAuth phishing bypasses passwords by luring victims into token grants. Such techniques align with the theft of 1.8 billion credentials reported by Flashpoint. Consequently, defenders should treat identity abuse as inevitable and shorten exposure windows. Rapid takedown and brand monitoring remain vital components of comprehensive Threat Defense. Nevertheless, criminals rotate domains quickly, leveraging automation and cloaking to evade signature checks.
Industrialization ensures phishing volume, velocity, and verisimilitude will rise during 2026. However, phishing is only one side of the external attack surface. Unpatched web components offer another attractive entry point.
Web Flaws Stay Critical
Log4Shell reminded practitioners that mass-exploitation can follow disclosure within hours. Meanwhile, Netcraft predicts similarly severe web-facing vulnerabilities will emerge through 2026. Legacy Windows 10 systems reaching end-of-life amplify that exposure. Moreover, third-party libraries and unattended APIs broaden the blast radius. Therefore, Attack Surface Management offers a proactive complement to patch programs. Threat Defense teams should inventory domains, certificates, and cloud assets continuously. Subsequently, rapid takedown can shrink the attacker’s window for weaponized proof-of-concept code.
Continuous discovery limits silent service creep and unknown asset buildup. Yet timing is not the only variable; attackers also optimize campaigns around public attention.
Seasonal Lures Downstream Targets
Tax deadlines, the 2026 Winter Olympics, and U.S. midterm elections create irresistible social-engineering hooks. Furthermore, hospitality, logistics, and insurance providers often handle booking or identity flows during such events. Attackers strike those suppliers to cascade impact across broader ecosystems. Analysts Ginny Spicer and Andrew Brandt underscore this downstream focus in recent commentary. Consequently, supply-chain contracts should now include explicit incident-notification and resilience clauses. Threat Defense must extend beyond organisational walls, embracing vendors and subsidiaries.
Event timing and supplier trust intersections magnify risk. Therefore, defenders require a disciplined, proactive framework.
Proactive Threat Defense Playbook
Developing such a playbook starts with governance. Firstly, map all public assets using Attack Surface Management. Secondly, deploy continuous phishing detection supported by contracted takedown services. Thirdly, establish agentic AI security reviews to evaluate permission scopes and output channels. Moreover, monitor OAuth integrations for abnormal consent flows or token volumes. Additionally, run event-driven tabletop exercises aligned with major 2026 milestones. Consequently, readiness improves ahead of predictable lure waves. Regular drills validate Threat Defense procedures under pressure. Professionals can enhance expertise with the AI Developer certification. That program deepens skills in secure AI build and deployment patterns. Continuous cybersecurity training cements knowledge. Finally, track metric baselines to prove diminishing exposure over time. These steps transform reactive culture into continuous improvement. Meanwhile, leadership gains a defensible return on security investment.
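The playbook's advice to monitor OAuth integrations for abnormal consent flows can be prototyped as a sliding-window check over consent-grant events. The sketch below is an added example, not Netcraft's tooling or code from the original article; the event fields, scope names, thresholds and app identifiers are assumptions to be mapped onto your identity provider's audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder scope names treated as high risk (assumption; map to your IdP's names).
HIGH_RISK_SCOPES = {"offline_access", "mail.read", "files.readwrite"}

# Constructed consent-grant events; the field names are hypothetical.
EVENTS = [
    {"ts": "2026-02-03T09:00:00", "user": "alice", "app_id": "app-crm", "scopes": ["openid", "profile"]},
    {"ts": "2026-02-03T09:05:00", "user": "bob", "app_id": "app-crm", "scopes": ["openid", "profile"]},
    {"ts": "2026-02-03T09:10:00", "user": "carol", "app_id": "app-crm", "scopes": ["openid", "profile"]},
    {"ts": "2026-02-03T10:00:00", "user": "dave", "app_id": "app-docview", "scopes": ["mail.read", "offline_access"]},
    {"ts": "2026-02-03T10:07:00", "user": "erin", "app_id": "app-docview", "scopes": ["mail.read", "offline_access"]},
    {"ts": "2026-02-03T10:19:00", "user": "frank", "app_id": "app-docview", "scopes": ["mail.read", "offline_access"]},
    {"ts": "2026-02-01T08:00:00", "user": "alice", "app_id": "app-notes", "scopes": ["files.readwrite"]},
    {"ts": "2026-02-02T08:00:00", "user": "bob", "app_id": "app-notes", "scopes": ["files.readwrite"]},
    {"ts": "2026-02-03T08:00:00", "user": "carol", "app_id": "app-notes", "scopes": ["files.readwrite"]},
]

def find_consent_bursts(events, window=timedelta(hours=1), min_users=3, allowlist=frozenset()):
    """Flag apps where >= min_users distinct users grant a high-risk scope within `window`."""
    by_app = defaultdict(list)
    for e in events:
        if e["app_id"] in allowlist:  # reviewed, sanctioned integrations are skipped
            continue
        by_app[e["app_id"]].append((datetime.fromisoformat(e["ts"]), e["user"], set(e["scopes"])))
    alerts = []
    for app, grants in by_app.items():
        grants.sort(key=lambda g: g[0])
        start = 0
        for end in range(len(grants)):
            # Shrink the window from the left until it spans at most `window`.
            while grants[end][0] - grants[start][0] > window:
                start += 1
            in_window = grants[start:end + 1]
            users = {u for _, u, _ in in_window}
            risky = set().union(*(s for _, _, s in in_window)) & HIGH_RISK_SCOPES
            if len(users) >= min_users and risky:
                alerts.append({"app_id": app, "users": sorted(users),
                               "risky_scopes": sorted(risky),
                               "window_start": in_window[0][0].isoformat()})
                break  # one alert per app is enough to trigger review
    return alerts

if __name__ == "__main__":
    for alert in find_consent_bursts(EVENTS):
        print(alert)
```

Low-risk scopes granted in a burst (app-crm) and high-risk scopes granted slowly over days (app-notes) both stay quiet at the default thresholds; only the combination raises an alert.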
Cyber threats rarely wait for budgets to align. However, evidence from multiple sources and aligned predictions paints an unmistakable trajectory. Agentic AI, industrial phishing, persistent web flaws, seasonal lures, and supply-chain breaches dominate the horizon. Therefore, organisations must advance Threat Defense maturity now, not after the next breach headline. Effective Threat Defense demands persistent measurement and executive sponsorship. Moreover, practical frameworks and targeted training accelerate that journey. Consequently, start building the playbook today and share progress across the partner ecosystem. Visit the certification link to turn insight into lasting capability.