It is clearer than ever that cybercrime is being professionalised. A number of recent threat intelligence reports describe attacker groups operating less like ad-hoc collectives and more like structured enterprises, with specialised roles, automated workflows, and success measured by speed and scale.
This is no sudden transformation; we all saw it coming. It's the logical outcome of a mature underground economy, cheap automation, and sustained demand for compromised access – all combining to produce something closer to an operating model than a loose criminal network.
One of the most interesting (or worrying, depending on your mood today) shifts is specialisation.
Rather than single groups doing everything, the cybercrime ecosystem now increasingly relies on distinct roles and services. Access brokers, malware developers, botnet operators, and extortion specialists operate as semi-independent units, connected by underground marketplaces and shared tooling.
In a 2026 report on cyberthreat predictions, Fortinet describes cybercrime as a structured industry supported by specialised roles, automated toolchains, and AI-driven decision-making. The report notes that the most capable actors now optimise for throughput (how efficiently they can execute attacks at scale) rather than bespoke or technically impressive intrusions.
This mirrors how legitimate startups scale: break work into repeatable components, automate wherever possible, and focus relentlessly on output.
For defenders, that means we’re now facing adversaries who don’t need to be exceptional – just consistent.
Specialisation provides structure; automation provides scale.
In its 2026 security predictions, Trend Micro forecasts that cybercrime is moving away from a service-based model toward fully automated operations. The company predicts AI-enabled campaigns capable of running autonomously across the attack lifecycle – from reconnaissance and vulnerability discovery through exploitation and extortion.
Trend Micro explicitly frames this as a prediction, but the direction is clear: automation reduces cost, removes human pacing constraints, and allows attackers to run multiple campaigns in parallel with minimal oversight.
The result is more predictable, repeatable activity that’s optimised for scale.
That maturity is already visible in ransomware.
According to CyberProof’s 2025 mid-year threat landscape report, ransomware activity increased by 60% in the first half of 2025 compared with the previous period. The report also highlights the emergence of AI-centric ransomware groups and the increasing use of supply-chain techniques by established operators.
CyberProof notes that distinctions between traditional cybercriminals, advanced persistent threats, and hacktivist groups continue to blur – a trend echoed by Fortinet. The implication is an ecosystem where tools, access, and techniques circulate freely, regardless of motivation.
In practical terms, this means defenders are facing adversaries who learn quickly. They reuse what works, and adapt operations based on results.
Many security programmes are still implicitly built around discrete incidents: detect an intrusion, respond to it, recover from it, and repeat.
Enterprise-style adversaries don’t operate that way. They run continuous operations, test defences iteratively, and measure success in elapsed time between access and impact.
Fortinet repeatedly emphasises attacker velocity – the speed at which attackers move from initial access to meaningful outcomes. If attackers optimise for throughput, then defender success depends more and more on how quickly organisations can contain activity and limit damage once access is achieved.
This shifts the emphasis away from perfect prevention and toward operational resilience.
You know we don’t like to throw lots of information at you without helping you cut a path through the chaos.
So, based on the research we’ve mentioned above, here are three practical ways you can integrate this knowledge into your 2026 strategy:
Attackers didn’t decide to become like startups overnight. They evolved that way because specialisation, automation, and scale work.
As 2026 unfolds, the organisations that cope best will be those that recognise they’re facing operationally mature adversaries – and design their security programmes accordingly.