RSAC 2026 recap: Securing the frontier

How cyber attacks are changing

Until recently, AI-enabled threats were primarily contained to activity before the initiation of the cyber attack chain, and anything that followed was accelerated. That was then, but now Microsoft Threat Intelligence has observed the integration of AI into the tradecraft of threat actors across all aspects of the attack lifecycle.

AI is being built into how attacks are carried out. It is making it easier to research targets, generate convincing lures, and adapt quickly once access is gained. The result is not just faster attacks, it’s more attempts, more persistence, and more consistency in how those attacks succeed.

During RSAC, Sherrod DeGrippo, Microsoft’s General Manager of Global Threat Intelligence, delivered a threat briefing that highlighted this shift. The tactics themselves are familiar. Credential theft. Phishing. Session hijacking. What’s changed is how efficiently those tactics can be executed and how they are embedded into their operations.

That efficiency shows up in measurable ways. AI-assisted phishing campaigns are landing at significantly higher rates than traditional approaches. It also shows up in how threat actors operate after compromise, moving through normal business workflows instead of relying on noisy techniques that are easier to detect.

Although this is not a new type or class of cyber threats, it is decidedly more reliable, effective, and efficient.

Why the AI shift breaks traditional security models

When cyber attacks become easier to run, scale becomes the problem. Think back to the days of script kiddies running apps to disrupt your AOL experience, but now they can vibe code the malware itself.

Security models that rely on human review, isolated tools, or delayed response cycles struggle to keep up in that environment. Even strong controls can erode if attackers can test, adapt, and repeat faster than defenders can respond. Threat actors are also better equipped to use advanced models to identify vulnerabilities and zero days to exploit faster, which previously was a costly investment. Ultimately, there is one starting point security teams need to consider: identity.

Identity sits at the center of this shift. Once access is established, attackers can operate as legitimate users, blending into everyday activity. At that point, the difference between normal behavior and malicious behavior becomes harder to separate. This is where the gap shows up most clearly. Not in whether an organization has controls, but in how quickly it can recognize and act on what is happening.

Jakkal’s framing was direct. Security needs to be ambient and autonomous.

Ambient means it is built into the environment. Not added after the fact, but present across identity, endpoints, cloud, and data as part of how those systems operate.

Autonomous means reducing the effort required for defenders to act. Using AI to analyze, prioritize, and respond in ways that keep pace with how attackers are working.

Tactically this means changing how defense operates so it can scale with the environment it is protecting, not just layering in new tools.

The role of intelligence and real-world signal

Technology alone does not close this gap.

The differentiator is how quickly organizations can take what they are seeing and turn it into action. That depends on access to real-world signal/telemetry, and on the ability to connect that signal to detection and response based on what is in your environment.

DeGrippo touched on this through the lens of disruption. Taking action against the infrastructure behind attacks does more than stop a single campaign. It creates insight into how those operations are structured and how they shift tactics.

That insight feeds intelligence. Intelligence improves detection. Detection drives response. And that response generates new signal.

That cycle is what allows security to keep up with an environment that is constantly changing.

Security as the enabler of the Frontier

There is a tendency to treat security as something that slows progress down. In the AI era, that myth has been retired.

If organizations are going to operate as Frontier Firms, security is what allows that to happen. It creates the conditions for agents and humans to work together without introducing unacceptable risk.

Without it, the same systems that drive productivity become the easiest path to compromise.

Security has to operate as part of the system. It has to reduce friction for security teams, not just add controls. And it must be driven by intelligence that reflects what is happening in real environments, not just what has already happened.

That is what security innovation looks like in the agentic era.