Agentic AI was one of the most discussed concepts in cybersecurity during 2025. It refers to AI systems that do more than execute single tasks: they act autonomously, gather information, make decisions, adapt to circumstances and carry out complete sequences of actions. That capability opens significant opportunities — but also introduces a new generation of cyber threats.
Going into 2026, security experts at Barracuda have identified several trends likely to shape the year.
They foresee a future where:
- An agentic AI operator can execute entire cyberattacks from start to finish, gathering necessary information, creating convincing lures, testing multiple entry paths and continuously adjusting tactics in response to defensive actions. Defenders can expect attack types they have not seen before and that may be difficult to analyze after the fact.
- Agentic AI analyzes large datasets in real time to find vulnerabilities, enabling attackers to automate both the discovery and exploitation of weaknesses.
- AI can conduct voice and text conversations with humans at a level that makes it hard to tell it is not a real person, creating new avenues for social engineering and manipulation.
- Cybersecurity leadership will involve managing both people and AI agents, as leaders must integrate AI into teams to boost productivity and improve decision-making.
Together, these developments point to a landscape where AI is not only a supporting tool but becomes an active participant in both attacks and defenses.
What does agentic AI mean for the threat landscape in 2026 and beyond?
Yaz Bekkar, Principal Consulting Architect, XDR, EMEA:
Next year, attacks will not merely “use AI” — AI will act as an autonomous player making its own choices to achieve its objectives. AI already automates parts of attacks today, such as reconnaissance, phishing and simpler evasion tactics. In 2026, we can expect systems that plan their steps, learn from defenders’ reactions and change attack methods in real time.
An agentic AI operator manages the entire flow: it collects facts, crafts persuasive bait, probes an entry path, observes defensive responses and adjusts tactics and timing until it succeeds. The result will feel like a cohesive attack pattern where each step is automatically adapted and blends into normal activity.
Defenders should prepare for new types of attacks and an increase in operations that exploit previously unknown vulnerabilities.
Eric Russo, Director, SOC Defensive Security:
AI has advanced to the point where it can already hold sophisticated conversations with humans, via voice and text, making it hard to determine whether the other party is a person. A common example is how Android users allow Google’s AI to answer unknown calls, ask questions and judge whether the call is legitimate.
The technology is impressive, but in the wrong hands it changes the nature of social engineering. An agentic AI could, for example, conduct a convincing conversation with a finance employee to obtain corporate banking details. Or it could be used in more complex scenarios — leveraging deepfake voice or chat to trick helpdesk staff into resetting multi-factor authentication and thereby opening the door to a larger intrusion.
Jesus Cordero-Guzman, Director, Solution Architects for Application, Network Security and XDR, EMEA:
Autonomous AI systems are already a reality and will evolve quickly as threats. They can analyze massive data volumes, spot weaknesses in real time and automate their exploitation. In 2025, platforms such as Xanthorox emerged — AI systems built for cybercrime — followed by HexStrike and the even more advanced Venice.AI.
Agentic AI can be used for automated phishing, continuous mapping of defenses and even to bypass CAPTCHA protections to gain unauthorized access.
How can organizations defend against agentic AI-based threats and protect their own AI systems?
Yaz Bekkar:
Many organizations will struggle to detect agentic AI attacks because these attacks can blend into normal operations. Defenses must be built on behavior analytics and AI tailored to the organization’s own environment, not generic tools with default settings.
An effective defense should include:
- a platform that provides visibility across identities, devices, SaaS applications, cloud services, email and networks
- behavior analytics that learn what is normal and detect anomalies without relying on signatures
- human expertise to continuously monitor, tune and improve protections
Jesus Cordero-Guzman:
Traditional defense methods will struggle to keep pace with threats that adapt in real time. Organizations need to invest in modern solutions where AI is used to detect and respond to attacks so they meet threats at the same operational level.
What should organizations do to protect their own agentic AI solutions?
Jesus Cordero-Guzman:
Cybersecurity leadership will increasingly be about managing AI agents as much as people. The next generation of leaders must understand how to integrate and govern AI agents within teams to enhance productivity and decision-making. That will require stronger skills in technology, natural language processing and data analysis so AI agents can assume roles and functions aligned with business needs.
This is not only an operational concern but an ethical one. Organizations must ensure AI agents are used responsibly and that the decisions these systems make align with corporate values and societal norms. As AI continues to evolve, leadership responsibilities will also change, especially when navigating this fast-shifting cybersecurity landscape.
How can agentic AI strengthen security?
Eric Russo:
Agentic AI will become an essential support for security operations centers (SOCs). It can relieve much routine, reactive work and free analysts to focus on proactive tasks such as threat hunting and developing new detection models.
Another opportunity lies in more advanced machine-learning based detection systems. By establishing baselines for user behavior and network traffic and automatically spotting deviations, these systems can detect complex threats while reducing false positives and preventing analysts from being overwhelmed by noisy alerts.