Infosecurity Europe

News

Infosecurity Europe 2026: AI turbo-charging cyber crime and response

AI is accelerating cyber attacks by criminals and hostile states, with attackers faster, more persistent and increasingly collaborative, say experts speaking at Infosecurity Europe 2026

Brian McKenna
By
Published: 08 Jun 2026 11:19

The big theme of the keynote programme at this year’s Infosecurity Europe focused on how artificial intelligence (AI) is turbo-charging the activities of cyber attackers, whether criminals or states hostile to the West. 

Paul Chichester, director of operations at the National Cyber Security Centre (NCSC), told attendees that he had moved from a more to a less sceptical position on the salience of artificial intelligence for cyber security over the past year.

We are now at a point of “maximum uncertainty” that might also be the calm before a coming cyber storm, he said, in part because of the sheer “number of variables” now at play. He agreed with the description of the present made by Blaise Metreweli, the head of MI6, that the UK is currently positioned “between peace and war”.

“The combined uncertainty in so many parts of our lives – personal, work, the environment – is something different,” said Chichester. “The world is more dangerous and contested now than in decades, and te greater acceleration of connectedness is increasing. So, when you try to think about what’s next and predict where things are going, it’s hard.”

The rapidity of technology evolution is novel, he said, adding that while his tendency is to be sceptical, “it feels that the technological rate of change…is going to [mean] societal and civilisational change. A lot of what we’re trying to understand is far beyond our adversaries stealing our secrets. States have integrated cyber operations into everything they do.

“We see that integration in the military domain, playing out in Ukraine, Syria, the Middle East. The way that we now see our adversaries integrating to support military outcomes is changing at a vast pace. And we’ve seen Russia, particularly, learning a huge amount.”

Nevertheless, he declared himself “a massive optimist about a lot of the challenges that we face…there are a lot of opportunities”.

In terms of responding to cyber threats, Chichester drew attention to “more aggressive countering” by the state, advocated by security minister Dan Jarvis, as well as building in more resilience, as exemplified by the Cyber Security Resilience Bill.

“The government absolutely recognises that it needs to do more in that space [working with regulators],” said Chichester.

But it is a “collective endeavour”, he added. “I know you’ve heard the NCSC talk before about partnership, and ‘now is the time to act, you must act’. I mean it this time. Now, more than ever, is the time to act. We must work together to get ahead of threats that we face and vulnerabilities that we talk about. Even if the things you ultimately do aren’t 100%, you’re getting match fit. Don’t wait for certainty, because it’s never coming.”

Adversaries accelerating

Stuart McKenzie, managing director of Mandiant Consulting EMEA, part of Google Cloud, gave attendees his “big, fat security update of the year”, which echoed Chichester’s presentation in terms of its stress on the increased speed scale of the adversarial activities with which network defenders are confronted. His session covered lessons learned from Mandiant’s work on the front lines of incident response.

Attackers have gotten faster and become more persistent over the past year, said McKenzie. Cyber criminals are also working more in unison and are merely 18 months behind nation-state actors in capability, whereas previously they were more like years behind. “We see attackers now handing off attacks to other groups, actively collaborating,” he added.

While some actors are incredibly quick, there were others who preferred to maintain a very long dwell time in their target networks. “Attackers are increasingly trying to get in and deny you access to your recovery environment,” said McKenzie. “They’re actively taking down your ability to recover, which makes it difficult to get your organisation back up. We need to think about how to move from the reactive state that we’re in today, where we’re responding to every incident, to a much more proactive state.”

AI is making a big difference, he said, both in his talk and in an interview with Computer Weekly afterwards; “Attackers are very much like us. They use AI in the same way we do and have done. At the start of early 2025, they were, ‘Cool, this is a good chatbot’. And then in mid-2025, as we all began to see how you can use LLMs [large language models] directly, they started integrating the LLMs into their attack chains to handle dynamic tasks.

“There was a step change around about October last year where we all thought, ‘This could be the future’, and went from being AI sceptical to embracing it. At the same time, we saw the attackers integrate [AI] directly into their environments. Then at the start of 2026, we saw attackers collaborate to find a zero day in a content management platform. Luckily, through some Google intel, we were able to see what they were going after, and we worked with the vendor to patch it before it could be actively exploited.”

McKenzie expanded on how the way a defender sees their network is completely different to how an attacker sees it: “When a security person draws their network, they draw a beautiful network architecture of how they think it’s all being segregated. They have these lovely diagrams of where all the workstations are, what the servers are and what the connections look like.

“But the attacker finds all the misconfigurations and systems that aren’t supposed to be connected, they’re supposed to have logical gaps between them. They see this view of network that is a real-world view. That is why we always suggest that defenders use adversarial emulation or red teaming to be able to work out: how does that network exist, does it really have all the logical separation you think it has, are there bits that have changed over time?

“Their network will have grown organically over time and they’re still looking at the network diagram from when it was designed. They’ve forgotten that something’s been layered on top and changed and connected or someone’s made a policy change, and so on.”

Security fundamentals have not changed, he said, but AI has sped up attacks and so sped up required defence.

Cyber criminal ecosystem evolves

On the second day of the event, William Lyne, head of economic and cyber crime at the Metropolitan Police Service, offered a picture of how cyber criminality has been changing as its ecosystem has evolved.

There is now less stove piping of criminality, and cyber criminals are getting involved in a fuller gamut of activity, he said. Lyne said that when he joined the UK National Crime Agency as a trainee investigator 15 years ago, “you had cyber crime, hacktivists and hostile state actors, and everything sat quite nicely in those particular stove pipes. But this has changed quite a lot recently.

“People aren’t just involved in cyber crime, or another type of online offending, they’re involved in many different types of offending, which is something that we never used to see previously,” he added.

Lyne said there is now an evolved cyber adversarial ecosystem, with a commoditisation of cyber crime over the past few years that – among other things – means you can rent malware as a service, just as a business will use software as a service for its customer relationship management. “You can get a service for basically anything in the cyber crime ecosystem now,” he added.

Another step change is that the rise of cryptocurrencies has made cyber crime much more profitable. Cashing out used to be “massive pain in the backside” for cyber criminals, said Lyne. “How do you convert the data you have stolen into money? How do you launder the money you’ve stolen from credit card fraud and other types of identity theft? Cyber criminals were losing between 50% to 75% of their ill-gotten gains due to those kinds of complexity. Cryptocurrencies have changed all of that; now 99.5% is realisable.

“Virtual currencies are also massively helpful because, if you want to commoditise, if you want to run as a service entity, you’ve got to trade with each other. Criminals trading with each other is inherently quite dodgy.” Virtual currencies have been tremendous for ensuring trust among those dedicated to criminality.

Nevertheless, UK law enforcement has had big successes in recent years, said Lyne. Like Chichester, he appealed for collaboration between the security services and civilian business organisations: “Collaboration is critical for every one of our investigations – with multiple organisations, across the UK and local and international partners.

“We want to have meaningful, strategic and tactical integration with industry partners who we know hold keys to the questions and challenges that we have in this space. It’s important for us to build and generate trust. And it can be a challenge, but I’m grateful for those partners.”

Read more about Infosecurity Europe 2026

Read more on Hackers and cybercrime prevention