Cybersecurity Is Bleeding Out and Nobody Is Talking About It

Eighty deals in two months. That’s how hot the cybersecurity buyout market is right now. Meanwhile, hackers are looting Bitcoin depots, zero-days are eating enterprise software alive, and the U.S. government wants to cut the very agency that scans for those holes. This isn’t a warning sign. It’s a five-alarm fire.
Why This Moment Is Different
March and April 2026 have been brutal. According to SecurityWeek, 38 cybersecurity deals closed in March 2026 alone, following 42 in February. Google Cloud finalized its acquisition of Wiz. OpenAI is buying AI security startup Promptfoo. Zurich Insurance grabbed Beazley for $11 billion to own the cyber insurance market.
Big money is moving fast. That tells you something. When the smartest capital in the room starts consolidating security companies at this pace, it means they know what’s coming is worse than what we’ve already seen.
At the same time, active exploits are piling up. Fortinet pushed an emergency hotfix on April 6, 2026 for a critical FortiClient EMS flaw that was already being used in the wild, according to Fortinet’s own advisory. Citrix NetScaler has new flaws that researchers say could rival the 2023 CitrixBleed disaster. Progress ShareFile has critical bugs enabling remote code execution. Chrome 147 just patched 60 vulnerabilities, including two critical WebML flaws that earned a combined $86,000 in bug bounties, according to Google’s security blog. This is not a slow week. This is a flood.
The Real Story Everyone Is Missing
Here’s what I think most people are getting wrong. They treat each breach, each CVE, each nation-state op as a separate news story. They’re not separate. They’re one story told in chapters.
Chapter one: AI has collapsed the human response window. According to Zscaler’s ThreatLabz 2026 VPN Risk Report, AI now speeds up attacks so fast that remote access has become the single fastest breach path into a corporate network. VPNs aren’t just outdated. They’re a liability. And most companies are still running them because changing infrastructure is hard and expensive.
Chapter two: nation-states aren’t hiding anymore. On April 9, 2026, Google issued a warning about a phishing campaign by a group called UNC6783, targeting business process outsourcing companies to steal corporate data, according to Google’s Threat Intelligence Group. That same week, Iran-linked actors were caught doing password-spraying attacks on cities across the Middle East. A China-linked group planted a Linux backdoor inside telecom networks for espionage. The U.S. disrupted a Russian APT28 operation that was using hacked TP-Link and MikroTik routers to hijack DNS and intercept traffic, according to U.S. federal law enforcement.
These aren’t random. They’re coordinated pressure tests on Western infrastructure.
Chapter three: the U.S. is cutting its own defenses mid-battle. The Trump administration’s proposed budget would slash roughly 900 positions at CISA, the agency responsible for scanning federal and critical infrastructure vulnerabilities, according to reporting from Cybersecurity Dive. Think about that. The building is on fire and someone just laid off half the fire department.
Chapter four: AI is making attackers better faster than it’s making defenders better. According to KPMG’s 2026 survey, cybersecurity is the top priority in AI budgets, but the same AI tools that companies are buying to protect themselves are also being used to write smarter malware, run tighter phishing campaigns, and evade detection tools. The Internet Bug Bounty program actually paused operations because AI submissions were flooding their queue, according to their public announcement. Even the good guys can’t keep up.
I’ve been watching this space for years. The gap between attacker capability and defender readiness has never been wider. If your personal devices or small business machines are running without solid antivirus protection, that’s a mistake you can fix today. Something like TotalAV antivirus protection runs quietly in the background and catches a lot of the commodity malware that’s circulating right now, including new Mac stealer variants that have been spotted in the wild this month.
The $3.6 million Bitcoin Depot crypto heist reported in March 2026 proves that individuals are just as much a target as corporations. You don’t have to be a Fortune 500 company to get hit. You just have to be reachable.
What This Means for You
I’m going to be direct. Most cybersecurity advice is written for IT teams. This is for everyone else.
First, if you’re still using a VPN as your main security layer for remote work, that’s the exact vector Zscaler says attackers are exploiting most. Ask your IT team about zero-trust access. If you run your own business, look at replacing legacy VPN setups this quarter, not next year.
Second, patch everything now. Not next Patch Tuesday. Now. FortiClient EMS, Citrix NetScaler, Progress ShareFile, Chrome. If you’re running any of these and you haven’t applied recent updates, you’re running a known open door. Attackers have automation. They scan for unpatched systems within hours of a CVE being published.
Third, stop reusing passwords. The Iran-linked password-spraying campaign that hit Middle Eastern cities worked because people use the same passwords across accounts. A password manager costs less than a cup of coffee per month. Use one.
Fourth, think about your browser. Google Chrome 147 now includes Device Bound Session Credentials, which protect against cookie theft attacks, according to Google’s security team. Make sure your Chrome is updated. Cookie theft is how attackers hijack accounts even after you’ve logged in with two-factor authentication.
Fifth, for personal devices, run a real security suite. Norton security suite covers multiple devices, monitors for identity threats, and has improved its detection of AI-generated phishing attacks. If you have family members who aren’t tech-savvy, set it up for them. One compromised family device can expose your entire home network.
The Stryker cyberattack and the Jones Day hack that both made headlines this spring prove one thing. Nobody is too big, too secure, or too well-resourced to be a target. The only question is whether you make it easy or hard for attackers.
The Bottom Line
Eighty M&A deals in two months tells you where smart money thinks this is going. Up. Worse. Faster. Nation-states are actively inside critical infrastructure. AI is writing malware your current tools can’t recognize. And Washington wants to cut the agency that watches the perimeter. I’m not predicting a catastrophic cyberattack on U.S. infrastructure sometime in 2026. I’m saying the conditions for one have never been more perfectly arranged.
Frequently Asked Questions
What is the biggest cybersecurity threat right now in 2026?
According to Zscaler’s ThreatLabz 2026 VPN Risk Report, AI-accelerated attacks on remote access and VPN infrastructure are the fastest-growing breach vectors. Combined with active zero-day exploits in widely used platforms like Fortinet and Citrix, the threat surface is broader than it’s ever been.
Why are so many cybersecurity companies being acquired right now?
According to SecurityWeek, 80 cybersecurity deals were announced in just February and March 2026 combined. Large companies like Google, OpenAI, and Zurich Insurance are buying up security startups because AI has made cyber threats more complex and more frequent, and they want to own the solutions before competitors do.
How can regular people protect themselves from these cybersecurity trends?
Patch your software immediately when updates drop, use a password manager, enable two-factor authentication on every account, and run updated antivirus software on all devices. The attacks hitting enterprises often trickle down to consumers within weeks through similar techniques and reused malware code.
What is the CISA budget cut and why does it matter for cybersecurity?
The Trump administration’s proposed budget would eliminate roughly 900 CISA positions, according to Cybersecurity Dive. CISA handles vulnerability scanning and field support for critical infrastructure, so cutting those positions reduces the government’s ability to detect and respond to the kind of nation-state attacks currently targeting U.S. networks.
Is AI making cybersecurity better or worse overall?
Both, but right now attackers are gaining more from AI than defenders are. According to KPMG’s 2026 research, cybersecurity is the top AI budget priority for enterprises, but AI is simultaneously being used to build smarter malware and more convincing phishing attacks. The Internet Bug Bounty program even paused because AI-generated submissions overwhelmed their process.