
Infosecurity Europe is always a good read on where the industry’s head is at. Not just the sessions — the hallways, the side conversations, the questions people ask. This year, the theme came through in every conversation I had: the reactive model is breaking down, and most organizations know it. What they’re still working out is what comes next.

I spent the week at the ExCeL — on stage as a panelist for the AI and cyber defense discussion alongside my colleagues Joel Tetreault (Chief AI Officer) and Kev Eley (VP of EMEA Sales and moderator), and Sam Clarke (Senior Threat Intelligence Analyst at WTW); in the audience for Joe Slowik’s (Dataminr’s Director of Threat Research and Cyber Engineering) session on intelligence velocity; and at the Dataminr booth.

The Attack Timeline Is Compressing. The Defense Model Hasn’t.

The argument that kept stopping conversations: adversaries are getting to their objectives faster than they ever have, and the gap between “attacker moves” and “defender knows” is widening. Google’s M-Trends 2026 data and Verizon’s 2026 Data Breach Investigations Report (DBIR) both point in the same direction. Joe framed it structurally, and there’s a line from his session I’ve repeated in every conversation since: intelligence workflows must change to align with the increased velocity of adversary operations.

Good intelligence takes time to produce. Raw indicator sharing is fast but shallow. Behavioral analysis is slow but decision-grade. That tradeoff was tolerable when adversaries operated on weekly or monthly cadences — when a team had days to reconstruct context, enrich signals, and build a response. Joe’s conclusion was direct: human-only solutions will fail at the pace modern operations require. The question is whether organizations are building agentic workflows to close that gap now, or planning to catch up later.

The frontier cyber AI announcements of the last six weeks reinforce the same point. These aren’t roadmap previews — they’re evidence that the capability class has already changed, for attackers and defenders alike. The Cisco Catalyst SD-WAN disclosure earlier this year made the stakes concrete: the gap between VulnCheck’s initial KEV designation and CISA’s equivalent was 46 days. Organizations with early-signal visibility had 46 days of remediation runway that others simply didn’t. In modern defense, that margin is everything.

Risk Has to Move at the Speed of the Threat

Every conversation this week eventually arrived at the same structural problem: the way most organizations define and measure risk is built around events that have already happened. The current cyber risk equation is incomplete, as it assumes the attack has emerged: Cyber Risk = Threat x Likelihood x Impact.

MTTD and MTTR both start at breach. The whole model optimizes for response speed rather than the thing that actually matters — whether the attack succeeds at all. For European organizations in particular, NIS2 and DORA have sharpened this into a compliance question: what is your signal-to-action latency, and can you demonstrate it? The regulatory frameworks are implicitly demanding a capability most teams haven’t built.

The reframe we kept coming back to was: replace Likelihood with Exposure, and add Preemption as a denominator: Cyber Risk = (Threat x Exposure x Impact) / Preemption.

Exposure is the weaknesses attackers could exploit, something you can measure and reduce. Operating preemptively means catching adversary activity before it matures, understanding how it maps to your specific environment, and remediating before exploitation. If preemption is working, response becomes the exception.

Most organizations can tell you what the threat is. Fewer can map it to their real exposure. Almost none can tell you in real time which attack paths are open right now and what it would cost if an attack succeeded. Very few can answer all three in real time. That’s the gap that matters.

Closing the Intelligence Gap Has a Human Side

But closing the intelligence gap isn’t purely an architecture problem. The same organizations that are under-invested in agentic workflows are also under-invested in the human capacity to use them well, and the panel conversation between Sam and Joel made that tension concrete.

Joel’s point connected directly to the preemption argument: the analysts who will actually close attack paths faster are the ones who can orchestrate agentic workflows, not just query a model. These workflows are being adopted across industries — software engineering, marketing, recruiting — and security is no exception. Better orchestration means faster context assembly, faster exposure mapping, faster remediation. That’s preemption in practice.

Sam’s complication was the right one: most teams aren’t building toward that deliberately. Prompt engineering is the near-term gap, and most organizations aren’t investing in it systematically. But build someone into a skilled prompt engineer without developing their underlying analytical judgment, and you’ve made them dependent on a new interface in the same way they were dependent on the old one.

The thing that doesn’t get engineered away is the capacity to look at what an AI surfaces and decide whether it’s actually right. A model that confidently returns plausible-but-unverified attribution is more dangerous than one that flags insufficient signal. The human judgment layer is what makes preemption real rather than performative — and most organizations aren’t building it deliberately.

What I’m Taking Back

The organizations I came away most optimistic about weren’t the ones with the most sophisticated stack. They were the ones thinking about AI as something that gets more useful the more it’s embedded in how their team actually works: reducing the reconstruction time analysts spend under pressure, building institutional memory that doesn’t walk out the door when someone leaves, and closing the loop between signal and action faster than the adversary can move.

The diagnostic question worth taking back from this week: what is your signal-to-action latency, and what would it take to cut it in half? Most organizations don’t have a number. Getting to one is where the program design conversation has to start.

Author
Tim Miller, Global Field CTO & Chief Cybersecurity Strategist
June 10, 2026