Complex Threat Environments: Security Prioritization With Threatscape
- Pyo Kwon

- Jun 3
- 5 min read
PAGO Gartner Security & Risk Management Summit On Site Report
PAGO is attending the 2026 Gartner Security & Risk Management Summit in National Harbor, Maryland, and publishing a series of reports covering the key security sessions discussed at the event. This second report focuses on how organizations can prioritize their response strategies using Gartner’s 2026–2027 Threatscape.

Executive Summary
John Watts opened the session by explaining that while previous years focused on the gradual evolution of threats such as ransomware and phishing, this year feels fundamentally different. He stated that “the announcements surrounding Mythos and Glasswing, along with the idea that exploits may soon be generated faster than organizations can patch vulnerabilities, make this year feel different.”
He also referenced the ransomware attack against Jaguar Land Rover, describing it as an attack significant enough to impact the UK’s GDP. Using this example, he explained that attackers are now entering a new phase capable of causing levels of damage that organizations have not experienced in recent years. Throughout the session, Watts focused on helping enterprises distinguish meaningful signals from the overwhelming volume of cybersecurity noise and threat alerts. This report introduces the 9 strategic threats included in Gartner’s 2026–2027 Threatscape and outlines the areas security leaders should pay attention to.

Cybersecurity Threats Are Entering a New Phase: “This Year Feels Different”
John Watts warned that modern cyberattacks form interconnected attack chains: even the large-scale attacks that disrupted manufacturing operations ultimately began with credential theft aimed at service desks to obtain initial access. The most notable shift is the rapid rise of AI-driven threats. Watts recalled that when he presented an AI-related session in Frankfurt in 2019, only around 20 people attended because market interest was limited at the time.
Today, however, AI has moved far beyond vendor marketing terminology or a passing technology trend. Attackers now use AI to design sophisticated attack frameworks on their own, without outside expertise, which dramatically lowers the barrier to entry for intrusion activity. This echoes the "script kiddie" discussion in the opening keynote report: non-experts can now execute attacks with capabilities previously associated with highly skilled operators.
2026–2027 Gartner Threatscape: Nine Strategic Threats
Threatscape is a Gartner visualization framework that maps the evolving cybersecurity threat environment based on analysis from Gartner analysts. The framework is intended to help organizations filter large volumes of threat information and transform security noise into actionable priorities.
Watts explained that aside from well established threats such as ransomware or heavily funded nation state actors, Gartner identified 9 strategic threats enterprises should prioritize across 3 major categories.
[Some of the 9 examples of strategic threats: Prompt Injection]

| Category | Threats | Key Details and 2025/2026 Statistics |
|---|---|---|
| Unpredictable Threats | 1. Agentic Automation Hijack; 2. AI Application Compromise; 3. AI-Augmented Attacks | |
| Critical Threats | 4. Deepfakes; 5. Prompt Injection; 6. Software Supply Chain Attacks | |
| Structural & Anticipated Threats | 7. Perimeter Exploits; 8. CPS Compromise; 9. AI Infrastructure Attacks | |
[Some of the 9 examples of strategic threats: AI-augmented Attacks]

The Operational Dilemma: Realistic Processes Over Perfect Technology
One reason this session strongly resonated from the perspective of an MDR provider was that it did not simply present the latest technologies. Instead, it directly addressed the practical barriers security teams face inside real organizations.
During incident response engagements, PAGO frequently encounters situations where improving internal awareness becomes one of the most realistic and necessary response measures. Watts described several operational dilemmas where security processes break down in practice and explained realistic ways organizations can respond.
Deepfakes Exploiting Human Weaknesses
Operational dilemma: Even the strongest security policies can fail when employees receive urgent fund transfer requests that appear to come from executives through deepfake impersonation. Fear of organizational consequences often overrides established processes.
Practical response: Before deploying detection tools, organizations must establish clear executive-level policies such as "We never approve fund transfers on the basis of a voice call alone." Watts also emphasized enforcing dual approval at the system level, so that no single person can release a transfer, and deliberately introducing operational friction where it is warranted, including mandatory in-person interviews and offline device handovers, to defeat fake IT employee impersonation schemes.
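The following is an added illustration of the "never on a voice call alone" policy and the system-level dual approval described above, written for this report; it is not code from the session or from PAGO. The channel names, the 10,000 dual-approval threshold and the callback-verification rule are assumptions made for the example.

```python
"""Dual-approval guard for fund transfers.

Added example illustrating the "never approve a transfer on a voice call
alone" policy. Not code from the session or from PAGO; the channel names,
the 10,000 threshold and the callback rule are assumptions for this example.
"""
from dataclasses import dataclass, field

VOICE, EMAIL, TICKET = "voice", "email", "ticket"   # assumed request channels
HIGH_VALUE_THRESHOLD = 10_000                        # assumed dual-approval limit


@dataclass
class TransferRequest:
    request_id: str
    amount: float
    beneficiary: str
    requested_by: str                 # identity the requester claims to be
    origin_channel: str               # channel the request arrived on
    callback_verified: bool = False   # requester re-confirmed via a number on file
    approvals: list[str] = field(default_factory=list)


def approve(req: TransferRequest, approver: str) -> None:
    """Record an approval while enforcing separation of duties.

    The claimed requester cannot approve their own request, and one person
    cannot supply both approvals of a high-value transfer.
    """
    if approver == req.requested_by:
        raise PermissionError("requester cannot approve their own transfer")
    if approver in req.approvals:
        raise PermissionError(f"{approver} has already approved this request")
    req.approvals.append(approver)


def can_execute(req: TransferRequest) -> tuple[bool, str]:
    """Decide whether the transfer may be executed under the assumed policy.

    Returns (allowed, reason). A voice-originated request is blocked until the
    requester has been called back on a number already on file, no matter who
    has approved it; high-value transfers additionally need two distinct
    approvers. Urgency expressed on the call changes nothing here.
    """
    if req.origin_channel == VOICE and not req.callback_verified:
        return False, "voice-originated request requires callback verification"
    needed = 2 if req.amount >= HIGH_VALUE_THRESHOLD else 1
    have = len(set(req.approvals))
    if have < needed:
        return False, f"needs {needed} distinct approver(s), has {have}"
    return True, "approved"


if __name__ == "__main__":
    # Constructed scenario: an "urgent" call that sounds like the CFO.
    req = TransferRequest("TR-1", 250_000, "Vendor Ltd", "cfo", VOICE)
    approve(req, "controller")
    print(can_execute(req))   # blocked: no callback verification yet
    req.callback_verified = True
    print(can_execute(req))   # blocked: only one approver
    approve(req, "treasury_lead")
    print(can_execute(req))   # allowed
```

The point of the design is that the policy lives in the system of record rather than in the employee's judgment under pressure: a convincing voice, real or synthetic, cannot bypass the callback check or collapse the two approvals into one.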
The Gap Between Ideal Security and Operational Reality
Operational dilemma: Referring to the Salesloft Drift incident, Watts explained that at least three security vendors failed to detect the compromise. He noted that advanced logging configurations are essential for cloud threat detection, but implementing them often involves significant costs. He also stated that asking business departments to increase security budgets by 40% is often unrealistic.
Practical response: Rather than demanding blanket budget increases, organizations should first quantify the opportunity cost of system downtime and align those discussions with business stakeholders. Afterward, enhanced telemetry and logging investments should be prioritized for the most business critical SaaS platforms rather than applied universally.
The Conflict Between Security and Enterprise Operations
Operational dilemma: Fast patching remains one of the most fundamental ways to reduce exposure. However, organizations that previously experienced major outages caused by failed patches often become reluctant to apply updates due to operational stability concerns.
Practical response: Organizations should not halt business operations in an attempt to prevent every possible attack. Instead, they should maintain detection and response capabilities that can disrupt the attack kill chain, while immediately reducing exposure where patching is difficult. For example, vulnerable legacy services such as traditional SSL VPN platforms should be disabled entirely or replaced with IPsec-based alternatives rather than left running while a patch is debated.
How Should Organizations Adapt? Prioritization and the CTEM Framework
Since organizational assets and budgets are limited, enterprises cannot realistically defend against every threat indicator simultaneously. Watts recommended prioritizing threats based on the following criteria:
- Relevance
- Urgency
- Maturity
- Opportunity cost
- Measurability

To operationalize this approach, Gartner pointed to its CTEM framework, Continuous Threat Exposure Management. Rather than an endless expansion of security tooling, CTEM is described as a continuous exposure management process that helps organizations adapt their defensive posture to evolving attacker behavior. Its five stages were grouped in the session as follows:
- Scoping and Discovery: Identify exposures across IT and OT environments.
- Prioritization and Validation: Determine which exposures create the most critical business impact, and confirm that they are actually exploitable.
- Mobilization: Go beyond patch deployment and improve the services and systems creating operational risk.
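As an added worked example, not Gartner's or PAGO's code, the following maps the five prioritization criteria listed above onto fields of an exposure record and runs constructed exposures through the CTEM stages (scoping filter, prioritization, validation discount, mobilization action). The weighting formula, the 0.5 discount for unvalidated findings and all sample values are assumptions made for this illustration.

```python
"""Exposure prioritization along the CTEM stages.

Added example; not Gartner's or PAGO's code. Relevance, urgency, maturity,
opportunity cost and measurability map to Exposure fields. The formula,
the 0.5 discount for unvalidated findings and the sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    relevant: bool                # scoping: does the threat apply to in-scope assets?
    urgency: float                # 0..1; exploitation observed in the wild -> 1.0
    control_maturity: float       # 0..1; how well existing controls already cover it
    downtime_cost_per_day: float  # opportunity cost of an outage (assumed currency units)
    remediation_cost: float       # estimated cost to remediate (same units)
    validated: bool               # measurability: confirmed exploitable by testing
    patchable: bool               # can a vendor patch fix it at all?


def priority_score(e: Exposure) -> float:
    """Higher means address sooner. Out-of-scope exposures score 0."""
    if not e.relevant:
        return 0.0
    control_gap = 1.0 - e.control_maturity
    # Business impact, weighted by urgency and control gap, per unit of
    # remediation spend: the opportunity-cost framing from the session.
    score = e.urgency * control_gap * e.downtime_cost_per_day / max(e.remediation_cost, 1.0)
    # Unvalidated findings are discounted rather than dropped: they still
    # need confirmation, but proven exposures are mobilized first.
    return score if e.validated else score * 0.5


def rank(exposures: list[Exposure]) -> list[Exposure]:
    """Prioritization stage: in-scope exposures, highest score first."""
    return sorted((e for e in exposures if e.relevant), key=priority_score, reverse=True)


def mobilization_action(e: Exposure) -> str:
    """Mobilization stage: the response is not always a patch."""
    if e.patchable:
        return "emergency patch" if e.urgency >= 0.8 else "patch within SLA"
    # No patch exists: change configuration, add a compensating control,
    # or retire/replace the service, as the session recommended for
    # traditional SSL VPN platforms.
    return "configuration change, compensating control, or retire/replace"


# Constructed sample exposures; values are illustrative, not real data.
SAMPLE = [
    Exposure("legacy SSL VPN gateway", True, 1.0, 0.2, 50_000, 5_000, True, False),
    Exposure("internal app, unpatched", True, 0.4, 0.5, 20_000, 2_000, False, True),
    Exposure("critical SaaS without audit logs", True, 0.7, 0.3, 80_000, 40_000, True, False),
    Exposure("isolated OT sensor", False, 0.9, 0.1, 5_000, 500, True, True),
]


def plan(exposures: list[Exposure]) -> list[tuple[str, float, str]]:
    """Return (name, score, action) rows in mobilization order."""
    return [(e.name, round(priority_score(e), 2), mobilization_action(e))
            for e in rank(exposures)]


if __name__ == "__main__":
    for row in plan(SAMPLE):
        print(row)
```

Note how the ordering falls out: the unpatched internal app outranks the SaaS logging gap despite a lower raw impact, because the logging investment is expensive relative to the downtime it protects, while the VPN gateway leads because an exploited, poorly controlled perimeter service is cheap to retire compared with what an outage would cost. Changing the assumed weights changes the order; the value of the exercise is making those assumptions explicit to business stakeholders.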

Conclusion
Gartner’s 2026–2027 Threatscape session delivered a clear message to cybersecurity practitioners: organizations can no longer respond to every emerging threat by urgently introducing isolated technologies. The threat spectrum now spans everything from physical USB attacks to AI-augmented attacks and highly sophisticated deepfake fraud.
Rather than pursuing unrealistic notions of perfect protection, the session emphasized recognizing organizational limitations and operating within realistic resource constraints. The core message is that organizations must set threat priorities based on their own business impact, using structured frameworks such as CTEM, while continuously improving both technical detection capabilities and operational security processes.
This report focuses on how organizations should establish practical threat priorities based on observed attack trends. Upcoming reports in this series will further explore security operations and operational response strategies.

Written by: Pyo Kwon CPTO | DeepACT MDR Center
