The RSAC 2026 Conference in San Francisco opened today with a notable shift in international cooperation and the dynamics of automated security operations. Following the withdrawal of U.S. federal agencies, including the FBI and NSA, a response to the conference appointing former CISA Director Jen Easterly as CEO—European cybersecurity leaders have assumed a more prominent role. This transition aligns with a critical period where the speed of unauthorized operations is beginning to surpass traditional, manual defense capabilities, driven largely by the broader availability of artificial intelligence.
Discussions this morning prioritized "vibe coding," a term Dr. Richard Horne of the UK’s National Cyber Security Centre used to describe rapid, AI-assisted software generation. While these tools offer an alternative to the historically vulnerable manual coding process, they simultaneously lower the barrier for generating new software that can propagate unintended vulnerabilities at scale. SANS researchers presented supporting data today indicating that AI now forms the foundation of modern threat methodologies. Malicious actors are utilizing AI models to identify zero-day vulnerabilities in production software for as little as $116 in token costs. This economic shift means advanced discovery techniques are no longer exclusive to well-funded nation-states.
The acceleration of automated operations
The technical gap between unauthorized access methods and defensive response is widening. Current estimates indicate that AI-driven operations proceed approximately 47 times faster than manual processes. For example, campaigns attributed to the Chinese state-sponsored group GTG 1002 show reconnaissance and lateral movement running at 90% automation. Under these conditions, a compromised credential can result in full administrative control of a cloud environment in under ten minutes.
This acceleration requires organizations to reevaluate incident handling, particularly in operational technology (OT) environments where visibility is often limited. A recent energy sector disruption in Poland demonstrated that without comprehensive OT logging, investigators cannot reliably determine whether a facility failure resulted from a targeted cyber event or a mechanical issue.
Defenders are also managing reputational risks generated by politically motivated threat actors. Iran-aligned groups, including Nasir Security, have applied sophisticated public relations tactics to overstate their operational impact today. By targeting smaller engineering and construction contractors within the supply chain, these groups exfiltrate legitimate internal documents and present them as evidence of unauthorized access at major energy organizations like Dubai Petroleum. The material impact on the primary targets remains negligible, but the psychological effect creates uncertainty. Similarly, groups like the 313 Team use the ambiguity of denial-of-service claims to maintain visibility in the news cycle.
Alongside high-level geopolitical shifts, senior professionals face targeted recruitment fraud. Threat actors impersonating Palo Alto Networks recruiters have spent the last several months executing highly personalized LinkedIn-based social engineering campaigns against executives. The methodology involves manufacturing a bureaucratic hurdle, informing the candidate that their resume failed an automated applicant tracking system (ATS) check—and directing them to a "third-party expert" who charges up to $800 for resume optimization. This campaign leverages the complexity of modern hiring processes to extract fees, demonstrating that the human element remains a primary vector for manipulation even as technical threats become more automated.
Implementing human-in-the-loop defense
For security teams, these developments necessitate a transition toward proactive, automated validation. In the software supply chain, relying on standard bills of materials (SBOMs) is no longer sufficient. Organizations need to request verifiable proof of how software is built and implement automated patching cycles to match the speed of AI-generated threat methodologies. Regarding AI-assisted defense, experts agreed today that while open-source tools like Protocol SIFT can compress a two-week investigation into 15 minutes, human analysts must remain the final decision makers. Current AI lacks the contextual awareness to reliably interpret evidence, and a confident but incorrect verdict including an AI tool can waste critical hours during an active security incident.
Strategic guidance on public attribution is also evolving. Panelists cautioned against attributing incidents and nation-states as a method of diverting responsibility. While identifying a sophisticated adversary might seem advantageous for public relations, it frequently extends the news cycle and introduces insurance complications, such as "act of war" exclusions. Legal experts advise maintaining a strict "investigation ongoing" stance rather than offering a "no comment." This approach helps the organization control the narrative without making probabilistic claims that could invite secondary actions from the threat actors.
Looking toward the implementation of the EU Cyber Resilience Act in late 2027, the gap between government policy and private sector implementation remains a point of friction. Former NSA directors noted today that the absence of a unified federal data privacy framework or major cyber legislation in the U.S. continues to complicate defensive synchronization. While the thresholds for kinetic military responses to cyber incidents remain at the discretion of the presidency, the day-to-day responsibility for defense rests on private organizations. These entities must secure their data, their supplier ecosystems, and the AI tools utilized to build their infrastructure.
Significant gaps remain in understanding how autonomous agents will interact within OT environments and the full vulnerability footprint of "vibe coding." However, adopting accelerated, human-in-the-loop defensive workflows provides a viable path forward in an environment where the speed of unauthorized operations is no longer limited by manual interaction.