2026 Cyber Wave in France: Why Signatures Are No Longer Enough

network traffic, anomaly detection
29 March 2026

1. Context: France facing an unprecedented wave of cyberattacks

The beginning of 2026 marks a major turning point for cybersecurity in France. Within just a few weeks, large-scale attacks struck key sectors — healthcare, public finances, postal services, and sports federations — exposing the data of tens of millions of citizens and disrupting essential services.


Timeline of major incidents

• 22 December 2025 – 5 January 2026: La Poste and Banque Postale – Unprecedented DDoS attack rendering services inaccessible

• January 2026: OFII (French Immigration Office) – Exfiltration of 2.1 million rows of personal data via a compromised subcontractor

• January 2026: Urssaf – Fraudulent access potentially affecting 12 million employees through compromised partner credentials

• Late January 2026: FICOBA file (Bercy) – Illegitimate consultation of 1.2 million bank accounts through impersonation of a civil servant's credentials

• February 2026: Cegedim Santé – Breach of the MLM medical software exposing 15 million patient records, including 169,000 sensitive medical files

• December 2025 – March 2026: French sports federations – Systemic wave (tennis, gymnastics, swimming, sailing, golf, athletics)


Key figures

90M+ French accounts compromised in January 2026 alone (based on certain estimates)

1,366 security incidents handled by ANSSI in 2025

200+ days average detection delay for an intrusion in certain sectors (source: IBM Cost of a Data Breach)

24 hours maximum initial notification deadline imposed by the NIS 2 Directive


The conclusion is unambiguous: recent attacks no longer rely on known signatures. They leverage legitimate tools and protocols (living-off-the-land), exploit software supply chains, and use credential stuffing. Traditional signature-based detection models can no longer identify them effectively.


In summary:

• Recent attacks no longer rely on known signatures

• They leverage legitimate tools and protocols

• Traditional detection models can no longer identify them effectively


2. Why signature-based NDR solutions fail against modern threats

A large number of NDR (Network Detection and Response) solutions rely on open-source detection engines such as Suricata. While using a proven tool may seem reassuring, it carries three structural limitations that explain why these solutions failed in the face of 2026 cyberattacks.


Uniform and predictable detection

Suricata detection rules are publicly available and widely reused across vendors. The detection baseline therefore remains fundamentally identical from one vendor to the next. Attackers systematically test their offensive tools against these rules before any operational deployment.


Intrinsically reactive detection

What is a signature in cybersecurity?

A signature is a rule used to identify a known pattern in network traffic. By definition, it cannot detect novel attacks (zero-day).

This detection model is, by nature, reactive: it can only identify what has already been observed and categorised.


Problematic scalability

Suricata applies thousands of signatures to every packet transiting the network. As throughput increases, this approach can become a significant bottleneck, requiring costly hardware infrastructure in a context of exponential network traffic growth.


3. Behavioural detection: an approach free from signatures

Faced with the obsolescence of signatures, next-generation NDR solutions adopt a radically different approach: AI-driven behavioural detection. Jizô AI is among them.

Jizô AI is an advanced observability platform whose detection architecture is entirely proprietary. It was designed from the outset to transcend the inherent limitations of the signature-based model.


Behavioural detection and continuous learning

Unlike signatures that search for known patterns, behavioural detection continuously models the normality of each infrastructure to detect any significant deviation — including zero-day attacks invisible to signature-based approaches.

Anomalous behaviour is defined as a deviation from the local norm, regardless of the industry, geography, or size of the organisation. This approach enables the detection of zero-day attacks that signatures cannot identify.
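The two models contrasted above, a signature engine that looks for a known pattern and a behavioural detector that models each host's own normality, can be shown side by side on a small set of flow records. The following is an added illustration, not code from the original article and not Jizô AI's detection engine: the flow records, the signature list, the warm-up length of ten samples and the three-standard-deviation threshold are all constructed for the example. The behavioural part keeps a per-host online mean and variance (Welford's method) of bytes sent per minute and raises an alert when a new value deviates from that host's baseline, whatever the payload contains.

```python
"""Signature matching versus behavioural baselining on constructed flow records.

Added example (not from the original article and not Jizô AI's code). Flow
records, signatures, warm-up length and threshold are constructed.
"""
import math
from collections import defaultdict

# Constructed per-minute outbound flow summaries for two workstations:
# (minute, source host, destination, bytes sent, request header fragment).
# The header fragment stands in for the payload a signature engine inspects.
_UA_OK = "GET /news User-Agent: Mozilla/5.0"
_UA_KNOWN = "GET /news User-Agent: known-bad-agent/1.0"      # matches a signature
_UA_VARIANT = "GET /news User-Agent: known-bad-agent/1.1"    # trivially altered, no match

WS01_BYTES = [1000, 1200, 1100, 1300, 1150, 1250, 1050, 1350, 1100, 1200]
WS02_BYTES = [2000, 2050, 1950, 2100, 2000, 2050, 1950, 2100, 2000, 2050, 2080]
WS02_CONTENT = [_UA_OK] * 4 + [_UA_KNOWN] + [_UA_OK] * 2 + [_UA_VARIANT] + [_UA_OK] * 3

SAMPLE_FLOWS = (
    # ws-01: ten ordinary minutes, then a very large upload to a new destination
    # whose content gives a signature nothing to match on, then normal traffic.
    [(m, "ws-01", "10.0.0.5", b, "GET /index.html User-Agent: Mozilla/5.0")
     for m, b in enumerate(WS01_BYTES, start=1)]
    + [(11, "ws-01", "203.0.113.9", 48_000_000, "POST /api/sync User-Agent: Mozilla/5.0"),
       (12, "ws-01", "10.0.0.5", 1400, "GET /index.html User-Agent: Mozilla/5.0")]
    # ws-02: ordinary volumes throughout; minute 5 carries a known tool's user
    # agent and minute 8 a modified variant of it.
    + [(m, "ws-02", "10.0.0.5", b, c)
       for m, (b, c) in enumerate(zip(WS02_BYTES, WS02_CONTENT), start=1)]
)

# Constructed signature base: substring patterns with a label.
SIGNATURES = {"known-bad-agent/1.0": "user agent of a known tool"}


def signature_alerts(flows):
    """Flag every flow whose content contains a known pattern (substring match)."""
    alerts = []
    for minute, host, _dst, _nbytes, content in sorted(flows):
        for pattern in SIGNATURES:
            if pattern in content:
                alerts.append((minute, host, pattern))
    return alerts


MIN_SAMPLES = 10    # constructed warm-up before a host's baseline is trusted
Z_THRESHOLD = 3.0   # constructed: deviation, in standard deviations, that alerts


class HostBaseline:
    """Online mean and variance of one host's bytes-per-minute (Welford's method)."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        # Floor of 1 byte keeps a perfectly flat baseline from dividing by zero.
        return (x - self.mean) / max(self.std, 1.0)


def behavioural_alerts(flows):
    """Flag flows whose volume deviates upward from the host's own baseline."""
    baselines = defaultdict(HostBaseline)
    alerts = []
    for minute, host, dst, nbytes, _content in sorted(flows):   # time order
        base = baselines[host]
        if base.n >= MIN_SAMPLES:
            z = base.zscore(nbytes)
            if z > Z_THRESHOLD:
                alerts.append((minute, host, dst, round(z, 1)))
                continue   # do not fold an outlier into the baseline it just violated
        base.update(nbytes)
    return alerts


if __name__ == "__main__":
    print("signature alerts:  ", signature_alerts(SAMPLE_FLOWS))
    print("behavioural alerts:", behavioural_alerts(SAMPLE_FLOWS))
```

Run as written, the signature engine reports only ws-02 at minute 5 (the exact string it knows) and misses the altered variant at minute 8, while the behavioural detector reports only ws-01 at minute 11, the 48 MB upload to a new destination, and stays quiet on the ordinary variance of both hosts. Note the limits the example also exposes: the variant at minute 8 escapes both detectors because its volume is within baseline, so a single feature is not enough in practice, and an attacker who grows traffic slowly can be learned into the baseline, which is why real deployments model several features and review what gets learned.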


Coverage aligned with the MITRE ATT&CK framework

Detection covers the entire attack chain: reconnaissance, lateral movement, C2, exfiltration, and OT/ICS impact — leveraging the MITRE ATT&CK IT and ICS frameworks.


Unified coverage of IT, OT, and cloud environments

Jizô AI covers IT infrastructure, OT/ICS environments (Modbus, S7comm, OPC UA, DNP3, PROFINET, BACnet, etc.) and hybrid clouds (AWS, Azure, GCP) via native integration, providing enriched visibility into network flows.


Technological independence

• Detection: developed entirely in-house, without any open-source engine or shared signature base.

• Jizô Advisor (AI-powered investigation assistant): no client data is transmitted to third parties.

• Threat intelligence (CTI): delivered by the dedicated HOSHI research team.

• Native compliance with the NIS 2 Directive and the French Cyber Framework (ReCyF) by ANSSI.


From the outset, we made a choice that raised eyebrows: not to integrate Suricata. Everyone told us it was a risk. But the real question is: what risk do you take when you detect exactly the same things as everyone else, with rules that attackers can know by heart? We chose to invest in our own models. It takes longer, it demands more, but it is the only path to offering detection that an attacker cannot anticipate.
Antonin Hily, CTO & General Manager


4. Comparative analysis: signature-based NDR vs Jizô AI

The table below summarises the fundamental differences between a conventional NDR solution based on Suricata and Jizô AI (behavioural NDR):


5. Why acting now is inevitable

Three converging forces make behavioural NDR indispensable.


The threat is intensifying: ANSSI handled 1,366 incidents in 2025. AI is amplifying attacks (phishing, deepfakes) and signature-free techniques (supply chain, living-off-the-land) are multiplying, rendering traditional approaches obsolete.

Regulation demands it: NIS 2, currently being transposed through the Resilience Act (Loi Résilience), requires essential entities to maintain continuous monitoring and report incidents within 24 hours. The French Cyber Framework (ReCyF) by ANSSI (March 2026) specifies the expected measures, and several thousand French organisations are now in scope.

The State has made it a strategic priority: The French National Cybersecurity Strategy 2026–2030 (presented in January 2026) places technological sovereignty, proactive detection, and attack attribution at the heart of France's ambitions, a philosophy fully aligned with Jizô AI.


6. Conclusion

The 2026 cyberattack wave should not be treated as an anomaly. It is the foreseeable outcome of an ecosystem in which attackers innovate at a pace that static signature-based defences can no longer match.

Jizô AI embodies a paradigm shift: detection built on observing network behaviour, not on prior knowledge of the threat. With unified IT, OT, and cloud coverage, a fully proprietary artificial intelligence, and real-time operation up to 10 Gbps, the platform meets both the operational and regulatory requirements facing CISOs today.


Key takeaways

• Signatures can no longer detect modern cyberattacks (zero-day, supply chain, living-off-the-land)

• AI-driven behavioural detection has become essential to identify deviations from the established baseline

• French regulatory requirements (NIS 2 Directive, ANSSI French Cyber Framework) reinforce this need

• MTTR can be reduced from several days to under one hour with a behavioural NDR solution

