
The Basics Still Matter


It’s 2026, and every security conversation includes AI, whether it's AI-driven detection, AI co-pilots, AI SOC tools, or AI risk-scoring platforms. I do agree that AI can have massive benefits and can be genuinely useful, though plenty of it is pure marketing hype.

That being said, some things never change, and no one ever got fired (I hope) for focusing on the basics. So many real-world compromises (especially newsworthy breaches) stem from basic security failures, not zero-days or wild AI-powered attacks. I am talking about basic things that should have been handled years ago but often get lost in the noise.

If you build a house and the foundation is poured poorly, you're going to run into issues. The same goes for your security program. If the fundamentals are weak, layering AI on top just sticks a bandage on another bandage, giving you fancy dashboards while still leaving the same doors unlocked. I firmly believe that before investing in advanced tooling, companies must ensure the foundation is solid. If your network still falls during the first 10 minutes of a penetration test due to legacy configurations from well over a decade ago, and your tooling didn't detect it, how will it stand up to a real-world attack?

Some quick tips off the top of my head:


Start with identity

If identity is weak, everything else follows. This means enabling MFA wherever you can, especially on internet-facing services such as VPN, M365, Entra ID, and admin portals. Ensure that admin users have separate accounts for day-to-day work and are not logging in with a Domain Admin account to watch ESPN (seen it!).

Audit and reduce privileged group membership where possible. Does the non-technical CEO really need to be in the Enterprise Admins group? Does your 100-person company need 33 Domain Admins? As Kevin said in Home Alone, "I don't think so".

Review stale accounts and disable former employees. I've had plenty of successful password sprays where I got a hit on a password like Fall2019 in 2025, was able to reset the password for this long-departed user, and went on my merry way. Clean up unused and overly permissive service accounts. Make sure the entire Help Desk cannot become Domain Admins through a single forced password change.
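The checks above (stale accounts, departed users still enabled, oversized privileged groups, old passwords, service accounts holding admin rights) are easy to script once you have a user export. The following is an added example, not the author's tooling: it runs those checks over a constructed Active Directory export. The export layout, the thresholds, the `svc_` naming convention for service accounts, and the `employed` flag (which in practice would come from an HR feed) are all assumptions.

```python
"""Audit a constructed AD user export against the identity basics above.
Export layout, thresholds and naming convention are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy thresholds; tune to your own environment.
STALE_DAYS = 90               # enabled account with no logon in this window
MAX_PASSWORD_AGE_DAYS = 365   # password older than this gets flagged
MAX_PRIVILEGED_MEMBERS = 3    # assumed ceiling per privileged group for a small org
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
SERVICE_ACCOUNT_PREFIX = "svc_"  # assumed naming convention for service accounts
AUDIT_DATE = datetime(2026, 2, 1)  # fixed "now" so the sample run is reproducible

# Constructed sample export, not real data. A real run would build this from
# Get-ADUser -Properties LastLogonDate,PasswordLastSet,MemberOf (or an LDAP dump)
# joined with an HR feed for the "employed" flag.
SAMPLE_EXPORT = [
    {"sam": "ceo",        "enabled": True,  "employed": True,  "last_logon": "2026-01-28",
     "pwd_last_set": "2025-12-01", "groups": ["Domain Users", "Enterprise Admins"]},
    {"sam": "jdoe",       "enabled": True,  "employed": False, "last_logon": "2019-10-03",
     "pwd_last_set": "2019-09-15", "groups": ["Domain Users"]},
    {"sam": "svc_backup", "enabled": True,  "employed": True,  "last_logon": "2026-01-30",
     "pwd_last_set": "2018-05-01", "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "helpdesk1",  "enabled": True,  "employed": True,  "last_logon": "2026-01-31",
     "pwd_last_set": "2026-01-05", "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "admin_bob",  "enabled": True,  "employed": True,  "last_logon": "2026-01-31",
     "pwd_last_set": "2025-10-01", "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "da_old",     "enabled": True,  "employed": True,  "last_logon": "2025-06-01",
     "pwd_last_set": "2025-05-01", "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "kwong",      "enabled": False, "employed": False, "last_logon": "2024-01-01",
     "pwd_last_set": "2023-12-01", "groups": ["Domain Users"]},
    {"sam": "amy",        "enabled": True,  "employed": True,  "last_logon": "2026-01-29",
     "pwd_last_set": "2025-12-20", "groups": ["Domain Users"]},
]


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d")


def stale_enabled_accounts(export, now):
    """Enabled accounts with no logon inside STALE_DAYS (disabled ones are ignored)."""
    cutoff = now - timedelta(days=STALE_DAYS)
    return sorted(u["sam"] for u in export
                  if u["enabled"] and _date(u["last_logon"]) < cutoff)


def departed_but_enabled(export):
    """Former employees (per the HR flag) whose AD account was never disabled."""
    return sorted(u["sam"] for u in export if not u["employed"] and u["enabled"])


def old_passwords(export, now):
    """Enabled accounts whose password is older than MAX_PASSWORD_AGE_DAYS."""
    cutoff = now - timedelta(days=MAX_PASSWORD_AGE_DAYS)
    return sorted(u["sam"] for u in export
                  if u["enabled"] and _date(u["pwd_last_set"]) < cutoff)


def privileged_membership(export):
    """Map each privileged group to its enabled members."""
    members = defaultdict(list)
    for u in export:
        if not u["enabled"]:
            continue
        for g in u["groups"]:
            if g in PRIVILEGED_GROUPS:
                members[g].append(u["sam"])
    return {g: sorted(m) for g, m in members.items()}


def oversized_privileged_groups(export):
    """Privileged groups whose membership exceeds MAX_PRIVILEGED_MEMBERS."""
    return {g: len(m) for g, m in privileged_membership(export).items()
            if len(m) > MAX_PRIVILEGED_MEMBERS}


def privileged_service_accounts(export):
    """Service accounts (by naming convention) sitting in a privileged group."""
    return sorted({sam for members in privileged_membership(export).values()
                   for sam in members if sam.startswith(SERVICE_ACCOUNT_PREFIX)})


def audit(export, now):
    """Run every check and return the findings as one dict."""
    return {
        "stale_enabled": stale_enabled_accounts(export, now),
        "departed_enabled": departed_but_enabled(export),
        "old_passwords": old_passwords(export, now),
        "oversized_groups": oversized_privileged_groups(export),
        "privileged_service_accounts": privileged_service_accounts(export),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_EXPORT, AUDIT_DATE).items():
        print(f"{check}: {result}")
```

On the sample data the run flags `jdoe` three times over (departed, stale, password from 2019), `da_old` as stale, `svc_backup` as a service account in Domain Admins with a 2018 password, and Domain Admins as oversized. Disabled accounts are deliberately skipped by every check except the group map, so a properly offboarded user like `kwong` produces no noise.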


Smash Default Credentials

Default credentials are still very much an issue in 2026, whether it's the default root:calvin on a Dell iDRAC that lets me shut down a key server, default creds on Tomcat that give me a domain foothold, or vendor defaults on an edge switch. They've gotta go. I've been in plenty of otherwise well-hardened environments where 1 or 2 instances of admin:admin were all I needed to kick off an epic attack chain. I love default credentials, I dream about them (maybe).

Take it a step further and put in place a written policy and procedure that makes changing default credentials on new applications or hardware consoles the first deployment step. Vendors should not even be shipping tools with defaults that don't require a password to be set at install, but I think my kids will listen to me the first time long before that changes. This policy should ideally define how new applications are onboarded: who is responsible for reviewing security settings, and whether there is a change-control process (or a capability for detecting new tools) to prevent shadow IT from biting you (Bob in IT who set up that Splunk free trial that converted to a version without authentication after 30 days, I'm looking at you). Ensure that MFA is enabled, consider disabling the default, documented admin user and creating a uniquely named one, and document access levels. Does everyone really need to be an admin? This doesn't have to be a 40-page policy; it can be concise and to the point. The key here is that it's actually enforced and not skirted out of convenience.


Clean Up the External Attack Surface

Do you know what you are exposing to the internet? Many organizations have a decent idea, but still do not have a full inventory. It's still the Wild West out there, now more than ever, and if it's reachable from the internet, it is being scanned. Make sure at the very least:

  • Edge devices are patched
  • Only the necessary services are exposed (please, no RDP or SMB to the internet)
  • Legacy protocols are disabled
  • Admin consoles are ideally not widely accessible
  • You have some sort of asset inventory and know what domains/IP space you own

Tighten the Internal Network

Many environments we see are overly permissive inside the perimeter and have far too many administrators (Suzy from Accounting does not need local admin, nor do all members of Domain Users), a flat network design, old protocols still enabled with hashes flying around, and legacy Active Directory defaults in place.

Ideally, if one workstation is compromised, it should not trigger an attack chain that escalates to Domain Admin.


Logging and Monitoring

Organizations on a budget do not need an enterprise-grade SIEM to improve here. At the very least, have some sort of visibility into authentication logging, privileged account usage, alerts for repeated failed logins, alerts for suspicious logins (e.g., a user logging in from the other side of the world), and a way to review major configuration changes. You can collect logs all day, but if they are never reviewed, then they're just clutter. I don't like clutter. Logging and alerting on even a few key actions, even with well-regarded, widely adopted, free and open-source tools, can help you detect anomalies while you continue building out from there.
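To make "a few key actions" concrete, here is an added example (not the author's, and not tied to any particular SIEM) that runs three of the detections mentioned above over constructed authentication log lines: a burst of failed logins for one user from one source, a password spray (one source failing against many users), and an impossible-travel login. The log format is invented, and the `lat`/`lon` fields assume the pipeline has already enriched each source IP with a geolocation; the thresholds are assumptions to tune.

```python
"""Run basic authentication-log detections over constructed log lines.
Log format, geo enrichment and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

FAIL_THRESHOLD = 5        # failures from one user/source pair inside WINDOW
SPRAY_MIN_USERS = 5       # distinct users failing from one source inside WINDOW
WINDOW = timedelta(minutes=10)
MAX_SPEED_KMH = 900       # faster than this between two successful logins is "impossible"

# Constructed sample log (documentation IP ranges, fake users, fake coordinates).
LOG = """\
2026-01-15T08:00:05Z user=amy src=198.51.100.7 lat=40.71 lon=-74.01 result=OK
2026-01-15T08:01:10Z user=jdoe src=203.0.113.10 lat=51.51 lon=-0.13 result=FAIL
2026-01-15T08:01:32Z user=jdoe src=203.0.113.10 lat=51.51 lon=-0.13 result=FAIL
2026-01-15T08:01:55Z user=jdoe src=203.0.113.10 lat=51.51 lon=-0.13 result=FAIL
2026-01-15T08:02:20Z user=jdoe src=203.0.113.10 lat=51.51 lon=-0.13 result=FAIL
2026-01-15T08:02:48Z user=jdoe src=203.0.113.10 lat=51.51 lon=-0.13 result=FAIL
2026-01-15T08:03:05Z user=jdoe src=203.0.113.10 lat=51.51 lon=-0.13 result=OK
2026-01-15T08:10:00Z user=bob src=198.51.100.20 lat=41.88 lon=-87.63 result=OK
2026-01-15T08:30:01Z user=bob src=203.0.113.55 lat=48.86 lon=2.35 result=FAIL
2026-01-15T08:30:02Z user=carol src=203.0.113.55 lat=48.86 lon=2.35 result=FAIL
2026-01-15T08:30:03Z user=dave src=203.0.113.55 lat=48.86 lon=2.35 result=FAIL
2026-01-15T08:30:04Z user=erin src=203.0.113.55 lat=48.86 lon=2.35 result=FAIL
2026-01-15T08:30:05Z user=frank src=203.0.113.55 lat=48.86 lon=2.35 result=FAIL
2026-01-15T08:30:06Z user=gina src=203.0.113.55 lat=48.86 lon=2.35 result=FAIL
2026-01-15T09:30:00Z user=amy src=192.0.2.44 lat=1.35 lon=103.82 result=OK
2026-01-15T10:00:00Z user=bob src=198.51.100.7 lat=40.71 lon=-74.01 result=OK
2026-01-15T10:15:00Z user=carol src=198.51.100.9 lat=41.88 lon=-87.63 result=FAIL
2026-01-15T10:16:00Z user=carol src=198.51.100.9 lat=41.88 lon=-87.63 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"lat=(?P<lat>\S+) lon=(?P<lon>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["lat"], e["lon"] = float(e["lat"]), float(e["lon"])
    return e


EVENTS = [e for e in map(parse_line, LOG.splitlines()) if e]


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """(user, src, failures, success_afterwards) for user/source pairs that hit threshold."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["user"], e["src"])].append(e["ts"])
    findings = []
    for (user, src), times in sorted(fails.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                in_window = [t for t in times[i:] if t - times[i] <= window]
                later_ok = any(e["user"] == user and e["src"] == src and e["result"] == "OK"
                               and e["ts"] > in_window[-1] for e in events)
                findings.append((user, src, len(in_window), later_ok))
                break
    return findings


def password_spray_sources(events, min_users=SPRAY_MIN_USERS, window=WINDOW):
    """Sources that fail against at least min_users distinct users inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append((e["ts"], e["user"]))
    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                findings[src] = sorted(users)
                break
    return findings


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """(user, src_before, src_after, km/h) for consecutive successful logins too far apart."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in sorted(by_user.items()):
        logins.sort(key=lambda e: e["ts"])
        for a, b in zip(logins, logins[1:]):
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if hours > 0 and km / hours > max_speed_kmh:
                findings.append((user, a["src"], b["src"], round(km / hours)))
    return findings


if __name__ == "__main__":
    print("bursts:", failed_login_bursts(EVENTS))
    print("sprays:", password_spray_sources(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
```

On the sample lines, `jdoe` trips the burst rule (five failures in under two minutes, followed by a success from the same source, which is the pairing worth paging someone for), `203.0.113.55` trips the spray rule with six users in six seconds, and `amy` trips impossible travel (New York to Singapore in ninety minutes). `bob`'s Chicago-to-New-York hop at roughly 600 km/h stays under the threshold, and `carol`'s single failure before a success is just a typo. The point is that each rule is a few lines of logic over logs you already have, not a product you need to buy.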


Keep Up with Patching

Make sure you have a process in place to detect and apply missing patches to edge devices, domain controllers, hypervisors, VPN appliances, and other critical servers. The key here is having a process and checks at regular intervals. I will admit that patching has come a long way, and I am seeing fewer systems with patches missing for a decade or more that lead to RCE, but they still crop up.


Test Your Backups

If a ransomware attack hits, can you restore critical business functions from a clean, logically separated copy? Are you just backing things up religiously, or have you actually tested your backups to ensure they are sound? This is easier said than done, but it should be a key focus for any organization.


I'll Leave You with This

AI tools are advancing at an alarming rate and will absolutely help improve defensive capabilities, especially in triage and pattern detection that humans miss. These tools should supplement, not replace, human operators, though, whether on the blue or the red side.

What they can't do is ensure all of these foundational steps are taken care of. The boring things that absolutely still matter in 2026. In all the hype, don't lose sight of the basics, because companies that consistently pay attention to these are the ones that will hold up when something eventually goes wrong, and not be left wondering, "Why did this happen?"