Zaima Lalmahomed Feb 11, 2026 3:09:25 PM

Our 2026 MSP Predictions

Over the past year, we’ve seen some fundamental shifts in AI advancement, how security tools now operate, and how much Microsoft wants to sit in the middle of everything (no surprises there).

In our latest video, our CEO Terry runs through his predictions for 2026, based on what we’re seeing day to day with MSPs trying to balance security, support, margin, and sanity, all at the same time. Please do give this a watch if you haven't already, and let us know your thoughts!

Without further ado - here are some of our insights into the operational, commercial, and strategic considerations that we believe will define MSP success in 2026 and beyond.

Prediction 1: AI Powers More Attacks

We predict that AI-enabled hacking will become far more prevalent in 2026. As Terry explains, LLMs and agentic AI systems have evolved and continue to do so. Attackers are steadily beginning to use these tools to automate reconnaissance, craft highly convincing phishing campaigns, identify vulnerabilities faster, and adjust their attacks in real time. The number of reported AI-enabled attacks saw a rise of 47% globally in 2025, with phishing attacks increasing by 1,265% (DeepStrike, 2026).

ChatGPT Image Jan 29, 2026, 02_02_40 PM-1

Terry also explains that even though cybercriminal adoption in underground channels tends to lag behind mainstream innovation, that gap is narrowing. As these tools continue to circulate through dark web channels and are being refined for malicious use, the barrier to executing more sophisticated attacks continues to drop.

Conversely, an interesting story came out recently reporting early attempts by an underground group to ‘poison’ AI training data, rather than attacking deployed models directly (Forbes, 2026). While it’s framed as ideological resistance rather than a conventional cybercrime campaign, it reflects a broader shift: techniques that were once discussed mainly in academic AI safety research are beginning to surface in real-world experimentation. Even if these efforts ultimately fail, they signal that AI itself is becoming an attack surface, one that people are increasingly motivated to probe.

Why it matters

The practical takeaway from all of this for MSPs is fairly simple: anything relying on “we’re too small to be noticed” is becoming less reliable by the month. In fact, it’s reported that 62% of small businesses faced AI-enabled attacks in 2025 (Gartner Enterprise Study). Security by obscurity wasn’t great before, and 2026 is where it finally runs out of road.

"Security by obscurity is going to be a thing of the past." - Terry Lewis, CEO, RoboShadow

It’s important to note that AI-driven attacks can scale exponentially - once an attack path is automated, it can be reused across thousands of environments with little additional effort.

Naturally, this changes the risk profile, here’s what we need to be aware of:

Attacks will move faster, adapting mid-execution
Social engineering attempts will be a lot more convincing.

How MSPs could respond

This doesn’t mean ripping and replacing everything overnight. But it does mean being honest about which controls still rely on attackers being lazy, and which assume they’re automated, persistent, and annoyingly patient.

The MSPs we see doing this well are focusing less on ‘more tools’ and more on services around early detection, rapid containment, automated remediation.

Prediction 2: Cybersecurity and IT Support will continue to merge

The line between IT support and cybersecurity has been blurring for a while, but in 2026 it will be harder to pretend they’re completely separate disciplines.

Terry explains how ticketing systems, response workflows, and administrative tooling are becoming increasingly similar across the two. Security platforms are easier to manage, while IT support tools are embedding more security functionality by default.

In practice, this means the same teams are now routinely responsible for:

Device and endpoint management
User access issues
Security alerts and incident response
Patch management and remediation.

As security platforms are becoming easier to administer and more tightly integrated into everyday workflows, the traditional separation between ‘IT’ and ‘security’ teams feels less practical, especially for smaller and mid-sized providers.

Why it matters

From an operational standpoint, maintaining separate teams, tools, and processes for IT and security is inefficient. From a commercial perspective, MSPs that can deliver both within a unified service are better positioned to increase revenue per client while also simplifying service delivery.

MSPs that continue to treat cybersecurity as an add-on or separate service line will likely feel pressure to converge. Client expectations have also shifted, and security is no longer viewed as a standalone premium service, but as an embedded component of standard IT support. Clients often don’t distinguish between ‘IT problems’ and ‘security problems’, they expect issues to be resolved quickly.

The shift is already well underway for some MSPs. According to the 2025 Datto State of the MSP Industry report, 97% of MSPs generating over $10 million in annual revenue already deliver managed security as a standard component of their core service offering.

How MSPs could Respond

For many MSPs, this convergence opens the door to new revenue opportunities by delivering fewer hand-offs, faster fixes, and clearer accountability.

The goal isn’t to overwhelm technicians with extra responsibilities. It’s to simplify operations so the same team can manage support and security without having to keep context switching.

Prediction 3: Microsoft Sentinel Adoption Will Grow and Become More Affordable

Most of us have felt that Sentinel, although powerful, has been too expensive and complex for broad MSP adoption, largely due to Azure-based data ingestion costs and a management experience that leaned toward enterprise SOCs. 2026 will change that perception.

As Sentinel is being integrated more deeply into the Microsoft 365 ecosystem, it’s becoming more accessible, more intuitive, and more commercially viable for MSP-managed environments.

As our CEO puts it, Sentinel is "moving out of a slightly clunky" Azure-centric experience, and into the broader 365 stack, lowering its entry barriers.

Source: Microsoft, Microsoft Sentinel—AI-Ready Platform | Microsoft Security

Why It matters

This shift allows MSPs to deliver SIEM-like capabilities at scale, bringing enterprise-grade visibility and threat detection to a much broader customer base.

Overall, lower costs and simplified administration mean:

More predictable pricing models
Faster onboarding for SMB clients
Stronger security posture without disproportionate operational overhead.

How MSPs could respond

Sentinel becoming more mainstream obviously doesn’t mean every MSP suddenly have to behave like a full SOC. It does mean that security visibility once reserved for enterprise environments is becoming far more attainable, if approached sensibly.

The key is positioning Sentinel as part of a broader service outcome, not as a standalone “SIEM bolt-on” that clients don’t understand.

Learn more: Microsoft Sentinel—AI-Ready Platform | Microsoft Security

Prediction 4: Copilot for Security Will Add Real Value in 2026

It’s no secret that Microsoft’s initial Copilot rollout felt rushed. It suffered from overextension, being introduced rapidly across too many products before delivering consistent value. MSPs were rightly sceptical, but in 2026, Microsoft Security Copilot is starting to land in a much more useful place.

With Sentinel becoming more tightly integrated into Microsoft 365, Microsoft Security Copilot will increasingly assist with identifying threats, but more interestingly, with remediation. This marks a significant shift from insight-only AI toward action-oriented automation.

"Microsoft Copilot is on the verge of nailing that... in a more automated fashion." - Terry Lewis, CEO, RoboShadow.

Source: Microsoft, What is Microsoft Security Copilot? | Microsoft Learn

Why it matters

The real operational value comes from shrinking the gap between spotting an issue and actually fixing it.

Security Copilot has the potential to:

Accelerate investigation workflows
Automate response actions
Reduce analyst fatigue
Higher-margin services
Stronger customer retention
Reduced reliance on third-party MSSPs

All of which directly impact cost and scale for MSPs.

We’re not quite at hands-off automation yet, but 2026 feels like the year that Copilot stops being a demo feature and starts earning its keep.

How MSPs could respond

MSPs don’t necessarily need a full SOC to start getting value from Security Copilot. For most MSPs, the value is in using it to speed up investigations and cut down on manual work, especially when paired with Sentinel.

Those getting the most out of it treat Copilot as an assistant, not a replacement.

Learn more: What is Microsoft Security Copilot? | Microsoft Learn

Prediction 5: Many MSPs Will Expand into MSSP Models

As security tools become more accessible and easier to manage, MSPs are more capable of delivering managed security services themselves. At the same time, as Terry mentions in his video, "your standard MSP is already starting not to enjoy losing out business to separate MSSPs" when they can't meet security expectations.

These forces are already pushing the market toward these "hybrid MSP and MSSP" models by default, with the global managed security services market size expecting to reach $87.5 billion by 2030 (Grand View Research, Market Analysis Report).

Why it matters

Clients expect their MSP to provide protection, detection, and response, not just support and uptime. So traditional MSPs that have avoided security responsibility will be facing even more competitive pressure.

Expanding into managed security enables:

Market data shows steady growth in managed security adoption among SMBs, and MSPs are responding accordingly. This doesn’t mean they are becoming full 24/7 SOCs overnight, but they are expanding their security ownership.

How MSPs could respond

The MSPs winning here are investing in skills development and service design that supports both IT operations and security outcomes under a unified delivery model.

Remember: being a hybrid MSP/MSSP doesn’t mean doing everything. It means clearly defining what you protect, how you respond, and where your responsibility starts and ends, and then delivering that consistently.

Prediction 6: Intune Will Continue to Erode RMM Market Share

For prediction number 6, Terry believes that Microsoft "Intune will carry on taking lumps out of the RMM market", having had over a decade to bake device management into subscriptions that customers are already paying for.

Intune has become much more involved, particularly around update rings, device compliance, and baseline security controls. When combined with Microsoft Business Premium, many organisations already have access to a powerful set of endpoint management and security capabilities, without additional per-device licensing.

"What you're going to see a lot more in 2026, is that people may be decreasing their device amounts with their favourite RMM vendor" - Terry Lewis, CEO, RoboShadow

Source: Microsoft, What is Microsoft Intune - Microsoft Intune | Microsoft Learn

In Terry's words, "people are scared that Microsoft is eating even more of their lunch", but we're not saying that this removes the need for traditional RMM platforms, which still offer deeper operational capabilities. Instead, it changes where and how they are used. MSPs are increasingly questioning whether every endpoint requires full RMM coverage when much of the day-to-day management is already handled within the Microsoft stack.

We’re already seeing MSPs reduce device counts in RMM platforms. Not abandoning them entirely, but using them more selectively.

Why it matters

In Business Premium-licensed environments, a large portion of baseline device management, patching, compliance, and security already exists within the Microsoft stack.

So paying twice for overlapping functionality will become harder to justify, particularly at scale. The pressure isn’t just financial; it’s operational. More tools don’t always mean better security, particularly when responsibilities overlap.

For MSPs, this forces a more deliberate conversation about where RMM genuinely adds value, and where native Microsoft capabilities are now the more sensible default.

How MSPs could respond

This all doesn’t mean removing RMM entirely. It simply means being far more intentional about how and where it’s being used.

Many MSPs will start limiting RMM to specific devices, users, or scenarios where it delivers clear additional value, while also relying on Intune and Business Premium for baseline control.

Learn more: What is Microsoft Intune - Microsoft Intune | Microsoft Learn

Bonus Prediction: Quantum Computing Advancements

Source: Google, Meet Willow, our state-of-the-art quantum chip

Until late 2025, quantum computing remained largely theoretical in terms of real-world impact. That changed when Google demonstrated a working quantum algorithm using its Willow chip, completing a task in under a second that would take classical supercomputers an impractical amount of time.

Why it matters

We’re not saying that quantum computing will immediately affect MSPs or SMBs (so there’s no need to panic), but it’s worth noting as the confirmation of real-world capability changes the trajectory entirely. Once proof of concept exists, global competition accelerates, and 2026 is likely to be remembered as the year the race started.

"...you're going to see a lot of competition from the players, all the countries that are working on this. The second that you've got one person that's confirmed proof of concept, you're going to see that race really heat up." - Terry Lewis, CEO, RoboShadow

How MSPs could respond

Awareness is key. MSPs don’t need to act today, but they should track developments in post-quantum cryptography and long-term security planning.

Learn more: Meet Willow, our state-of-the-art quantum chip

Final Thoughts

The common denominator across all these predictions is convergence - of tools, disciplines and expectations, and a clear theme: consolidation, automation, and accessibility. Security tooling is becoming more powerful, integrated, and affordable, which is shifting expectations for what MSPs should deliver by default.

For MSPs that embrace these changes early, 2026 represents an opportunity to increase relevance, strengthen customer trust, and grow revenue, in an increasingly security-driven market.

But as always, remember: MSPs don’t need to do everything at once. There’s no need to chase every new feature either, just stay informed, and make smart decisions to build services that actually scale.

This is the lens we take at RoboShadow. As well as delivering accessible tooling that helps MSPs find and fix security issues, and all that important security stuff, we spend a lot of time tracking industry trends and evolutions. Just as importantly, we know what matters for MSPs day to day.

We’ll be covering many topics in more detail throughout the year across our blog and channels, focusing on the practical takeaways rather than the hype.