Top Cybersecurity News Sources in 2026 (Real Picks)

The 2026 cybersecurity threat landscape is dominated by social engineering, third-party SaaS compromises, and identity-provider attacks. Scattered Spider and ShinyHunters became the most active groups. The University of Mississippi Medical Center ransomware attack in February 2026 shut down all 35 clinics statewide. In the Telus breach in March 2026, ShinyHunters claimed 700 terabytes exfiltrated. Jaguar Land Rover lost roughly $2.5 billion in production after a Scattered Spider attack via SAP NetWeaver.

If you work in security, the news matters. The signal-to-noise ratio in cybersecurity media is brutal. Below is the 2026 list of sources that actually move the needle.

Quick comparison: top cybersecurity news sources in 2026

| Source | Type | Best for |
|---|---|---|
| Krebs on Security | Blog | Investigative journalism |
| Bleeping Computer | News site | Incident reports plus remediation |
| Dark Reading | News site | Enterprise security focus |
| The Record (Recorded Future) | News site | Breaking stories first |
| CSO Online | News site | Security leadership audience |
| The Hacker News | News site | Daily security headlines |
| SecurityWeek | News site | Industry and enterprise news |
| CyberScoop | News site | Government and policy security |
| Help Net Security | News site | EU + global daily coverage |
| Schneier on Security | Blog | Strategic and policy perspective |
| TLDR Sec | Newsletter (weekly) | Curated security roundup |
| Risky Business News | Newsletter (daily) | Patrick Gray's daily brief |
| Decipher | Newsletter | Duo Security magazine |
| SANS NewsBites | Newsletter (twice weekly) | Practical SANS perspective |

What sources actually break news first

Three patterns from 2025-2026:

1. The Record by Recorded Future and Risky Business News break stories early: Both have direct researcher relationships and report quickly. Subscribe to both.

2. Krebs on Security goes deeper than headlines: When a story breaks, Krebs often publishes the deepest analysis 48-72 hours later. Worth waiting for the depth.

3. Bleeping Computer is the practical site: Best for "is this affecting us, what do we do" questions. Strong remediation guidance.

The mistake: relying only on Twitter/X for security news. Speed varies. Verification varies. Use newsletter aggregators for signal.

Best newsletters for security pros in 2026

Five worth subscribing to:

TLDR Sec (Clint Gibler, weekly): The strongest curated security roundup. Free. Strong on tooling, breaking stories, and practical insights.

Risky Business News (Patrick Gray, daily): Daily brief from Risky Business podcast team. Free. Strong on incident reporting and breaking news.

Decipher (Duo Security): Magazine-style, free. Strong on identity, authentication, and Cisco security topics.

SANS NewsBites (twice weekly): SANS Institute curated. Free. Strong practitioner perspective.

CISA alerts (free): Direct from CISA. Subscribe for emerging vulnerability alerts. Operationally important for any defender.

For most security pros: TLDR Sec plus Risky Business News plus CISA alerts is the right starting set. Add SANS NewsBites if you want twice-weekly cadence.

Best podcasts for security pros in 2026

Five worth listening to:

Risky Business: Weekly. Patrick Gray and Adam Boileau. Industry standard. The best single security podcast.

Darknet Diaries (Jack Rhysider): Bi-weekly. Story-driven. Strong for understanding attacker mindset.

Smashing Security: Weekly. Graham Cluley and Carole Theriault. More accessible, pop-culture-aware.

Lock and Code (Malwarebytes): Weekly. Consumer and SMB focus.

CyberWire Daily: Daily. Quick news roundup format. Good for commute listening.

For most security pros: Risky Business plus Darknet Diaries cover most needs. Add CyberWire Daily for ambient news.

Notable 2025-2026 incidents to track

Five that defined the threat landscape:

1. Jaguar Land Rover (September 2025): Scattered Spider via SAP NetWeaver. Halted factories for weeks. Roughly £1.9 billion ($2.5B) in losses.

2. 16 billion credentials leaked (2025): One of the largest credential dumps ever. Combined Google, Facebook, Apple, and other breaches. Drove the infostealer-to-ransomware chain at scale.

3. Singapore UNC3886 (2025-2026): China-linked group breached all 4 major telcos using zero-days plus rootkits. Systemic infrastructure compromise.

4. University of Mississippi Medical Center (February 2026): Ransomware shut all 35 clinics statewide. Healthcare ransomware remained a dominant attack pattern.

5. Telus breach (March 2026): ShinyHunters claimed 700 terabytes exfiltrated (PII, call data, source code). The telecom-as-target trend continued.

A 2025-2026 trend worth tracking from these sources: SEO poisoning campaigns paired with infostealer payloads. Attackers rank malicious sites for software-download keywords, then deliver malware to anyone searching for legitimate tools.

The pattern: third-party SaaS, identity providers, and edge devices became the dominant entry points. Traditional perimeter defenses are insufficient.

Threat intel feeds worth using

Four worth knowing:

Free:
- CISA Known Exploited Vulnerabilities (KEV) Catalog: Production-grade. Use as primary patch prioritization input.
- AlienVault OTX: Open Threat Exchange. Community threat intelligence.
- abuse.ch (URLhaus, MalwareBazaar): Malware and phishing URL feeds.
- MISP: Open source threat intelligence platform.

Paid:
- Recorded Future: Strongest enterprise threat intel platform.
- Mandiant Advantage: Google-owned. Strong on nation-state threats.
- CrowdStrike Falcon Intel: Bundled with Falcon EDR.
- Flashpoint: Strong on dark web and underground forums.

For most SMBs in 2026: CISA KEV plus AlienVault OTX plus abuse.ch covers the core needs at zero cost. Add Recorded Future if you have enterprise threat intel budget.

How to consume security news efficiently

Three patterns that work:

1. Newsletter aggregation over real-time scrolling: TLDR Sec weekly plus Risky Business News daily plus CISA alerts as they fire. This replaces 10x as much time spent on Twitter.

2. Podcast for ambient awareness: 30-minute commute or workout slots. Risky Business weekly plus CyberWire daily covers most needs.

3. Krebs and Schneier for depth: When a major story breaks, wait 48-72 hours for the analysis. Most "security news" in real-time is incomplete.

The mistake I see: subscribing to 30+ security sources and reading none consistently. Pick 3-5 that fit your role.

What changed in 2025-2026

Three real shifts:

Scattered Spider and ShinyHunters dominated: Social-engineering-led ransomware crews targeting third-party SaaS and identity providers replaced traditional perimeter intrusion as the top enterprise threat vector.

Identity provider compromise became standard: Okta, OneLogin, and other IdP breaches drove most major 2025-2026 incidents. Identity is the new perimeter.

Healthcare and telecom remained primary targets: Medical ransomware and telecom data breaches continued at scale. Both are sectors with high data sensitivity and weak security maturity.

FAQ

What is the best cybersecurity news source in 2026?

Krebs on Security for investigative depth. Bleeping Computer for incident reports plus remediation. The Record for breaking stories. Risky Business News (daily newsletter) for curated practitioner perspective. Subscribe to 3-5, not 30.

What are the best cybersecurity newsletters in 2026?

TLDR Sec (Clint Gibler, weekly), Risky Business News (Patrick Gray, daily), Decipher (Duo Security), SANS NewsBites (twice weekly), CISA alerts. All free. Combined, they cover the core needs.

What was the biggest cyber incident in 2025-2026?

Jaguar Land Rover (September 2025) via Scattered Spider, $2.5B losses. 16 billion credentials leaked (2025). Telus breach (March 2026, 700TB exfiltrated). University of Mississippi Medical Center ransomware (February 2026, all 35 clinics shut).

What threat intel feeds should I subscribe to?

Free: CISA KEV, AlienVault OTX, abuse.ch (URLhaus, MalwareBazaar). Paid: Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intel, Flashpoint. CISA KEV is production-grade and free, useful as primary patch prioritization.

Are security podcasts worth listening to?

Yes for ambient awareness. Risky Business (weekly) is the industry standard. Darknet Diaries for story-driven content. CyberWire Daily for commute news. 30 minutes per day during commute or workouts.

