Defense Cybersecurity in 2026: Enforced Boundaries, Uninspected Content

More than 80% of aerospace and defense organizations experienced a breach in the past twelve months.^[3] The sector absorbs roughly 1,250 cyber incidents every week, ^[4] with a 300% increase in attacks since 2018 and 61% of organizations hit by ransomware in the past year.^[5] The average breach costs $5.46 million before accounting for classified program disruption, counterintelligence exposure, or the contract risk that follows a supplier compromise.^[6]

Google’s Threat Intelligence Group confirmed in February 2026 that China-nexus espionage groups have targeted defense and aerospace more than any other state actor over the past two years,^[7] exploiting edge devices, VPN appliances, and file transfer pathways to establish long-dwell access. Russia, Iran, and North Korea operate across the same industrial base. Hacktivist DDoS campaigns generate over 76% of incident volume in the sector (double the cross-industry average^[8]) but volume is not the measure that matters. The strategic threat is precise and patient. It does not knock. It enters through content that is already trusted.

LOTL (Living Off the Land) techniques, which use legitimate system tools already present on the network, allow adversaries to operate without triggering detection. By the time behavioral analysis fires, a sophisticated actor has often been resident long enough to map the environment, identify high-value targets, and stage for exfiltration. Detection is necessary. It is not sufficient. The leverage is at the entry point, not inside the network.

Zero Trust has become the governing security model across defense and government networks, and for good reason. Continuous authentication, least-privilege access, device posture enforcement, micro-segmentation — these controls are necessary and they belong in every defense architecture. The issue is not with Zero Trust. The issue is with treating it as a complete answer to a problem it was never designed to solve. Zero Trust Access was built to control who gets onto a network. It was not built to verify what is carried across a boundary once they are on it. 

The limitation is specific. Zero Trust verifies who is crossing the boundary. Content verification determines what is permitted to cross. A Zero Trust policy correctly validates that a credentialed user on an authorized device is requesting a legitimate transfer. It has no visibility into whether the file being transferred contains a weaponized macro, a concatenated malicious payload, or a zero-day embedded in a trusted document format. 

The adversary campaigns that open this blog (BRICKSTORM’s 393-day dwell in A&D environments, Volt Typhoon’s five-year foothold in U.S. critical infrastructure) did not defeat access controls. They entered through content that the access controls had no reason to question.  

Identity and access management is the necessary first layer. Content verification at the physical entry point, the classification boundary, and the software supply chain, is the layer that determines what is actually permitted to reach the destination. Together, they are complete. Independently, each leaves the other’s gap unaddressed. 

The most operationally significant change in the file-based threat landscape in 2025–2026 is the application of AI to malware generation and structural evasion. Google’s threat intelligence team has identified malware families that mutate in real time during the attack phase, ^[14] with exploit development costs collapsing from weeks of effort to near zero. ^[15]

OPSWAT’s own research documented a concrete example: the concatenated PDF technique, in which a malicious PDF is structurally appended to a clean one. Tested across 34 scanning engines, detection dropped from 34 to 5 when the files were concatenated. ^[16] Three engines that previously flagged the threat stopped flagging it. The user’s PDF reader rendered the phishing content exactly as the attacker intended. The security infrastructure evaluated a different document than the one the user opened.

There is no malware signature to find. No exploit to detect. Only a structural arrangement of a legitimate file format that causes scanners and readers to see different content. At a classification boundary, a single file using this technique can cross from UNCLASSIFIED to SECRET without triggering an alert. That gap is not theoretical.

CDR (Content Disarm and Reconstruction) addresses this at the mechanism level. CDR does not attempt to identify malicious content; rather, it deconstructs every file to its component elements, removes all active and executable content regardless of file structure, and rebuilds a clean, functionally intact version.

An AI-generated variant with no known signature, a structurally concatenated malicious document, a macro-embedded Office file, a weaponized archive: all are neutralized by the same process, because CDR removes the execution mechanism before the file reaches the destination.

CDR is a file-boundary control. It does not address LOTL activity inside a network, nor adversary presence already resident in the environment.

Cross-domain solution requirements have evolved.^[23] The communities of interest requiring data exchange are more diverse. The data types have expanded from standard productivity files to system workloads, intelligence feeds, and cloud-native formats. Designing a CDS with longevity requires a modular, orchestrated approach, not a static appliance.

MetaDefender Managed File Transfer (MFT) is a cross-domain solution for secure file ingestion and transfer across classified and unclassified networks. It coordinates Metascan™, Deep CDR™ Technology, file-type verification, Proactive DLP™, and vulnerability assessment in a controlled zero-trust workflow — with multi-stage supervisor approval, detailed audit trails supporting accreditation, and deployment flexibility across on-premises, air-gapped, and hybrid cloud environments.

For organizations importing software bundles, mission data, or intelligence feeds into classified environments, MetaDefender Managed File Transfer is the orchestration layer that makes the MetaDefender Core engine a complete, policy-enforced cross-domain solution.

CMMC 2.0 became enforceable in DoD contracts on November 10, 2025. For the first time, defense contractor cybersecurity is verified rather than self-attested. The FY 2026 NDAA Section 866 requires DoD to standardize DIB cybersecurity requirements by June 1, 2026 with fewer contract-specific rules, but stricter and more consistent enforcement.

Both developments matter. Neither closes the gaps described above. CMMC Level 2’s 110 controls were designed to raise the baseline across a broad industrial base rather than mandate the specific controls that address these attack surfaces. The controls do not require physical media inspection at facility entry points, file content verification at cross-domain boundaries, software component visibility at the dependency level, or content inspection inline with hardware-enforced network separation.

A contractor can pass a Level 2 assessment, including C3PAO verification, with every one of those gaps completely unaddressed. Only 21% of defense businesses had selected CMMC-compliant technology as of 2025.^[17] As of December 2025, just 92 C3PAOs had been authorized against an industrial base of more than 80,000 contractors.^[18] The compliance infrastructure has not caught up.

There is a second distinction that matters at the accreditation table. CMMC governs the contractor’s security practices. It does not certify the tools used to implement those practices. Common Criteria certification (mandated by NSTISSP #11 for IA products on National Security Systems) verifies the security properties of a specific product through evaluation by an accredited independent laboratory. A CC-certified product used to satisfy a CMMC control gives a C3PAO assessor lab-verified evidence.

CMMC and Common Criteria are complementary frameworks. One governs what the organization does, the other verifies that the tool does what it claims. Knowing which is which matters.

MetaDefender addresses approximately 20 of the 110 CMMC Level 2 controls — the subset most security stacks were not designed for. Access control, audit logging, incident response, and personnel security are outside scope. The value is precision: the hard controls at boundaries your existing stack cannot reach, verified to an independent laboratory standard.

The organizations best positioned over the next three years are not the ones with the largest security budgets or the most CMMC controls checked. They are the ones that have mapped their actual attack surface — the physical entry points, the classification boundaries, the OT-IT interfaces, the software supply chain — and deployed verified controls at each one.

Detection inside the network will always lag a sophisticated adversary who has already established residency. Prevention at the boundary before a file executes, before a device connects, and before a payload crosses a classification line, is where the leverage is. That is where OPSWAT operates.

Request a briefing to discuss your specific environment and architecture.

Still mapping your CDS architecture? Download the Cross-Domain Solutions Buyer’s Guide for Government & Defense built by CDS experts for program managers, security architects, and procurement teams evaluating modern cross-domain requirements.