AI in Cyber Defence

How AI changes cyber defence across the cyber incident lifecycle

Cyber defence aims to protect systems, networks, and data against infiltration, disruption, or destruction. The cyber incident lifecycle provides a useful way to understand cyber defence, breaking it down into four phases:

Prevention: preventing and reducing the risk of incidents and minimising their potential effects.
Preparedness: developing plans, tools, and capabilities to support effective response.
Response: stemming the incident and preventing further damage.
Recovery: restoring operations quickly and returning to a normal or stronger level of security.

Artificial intelligence (AI) has become relevant across all four phases. Unlike traditional tools that fit neatly into one step, many AI capabilities cut across the lifecycle: the same technique that supports preparedness can also enable faster response or aid recovery. This integration makes AI both powerful and challenging to classify: its value lies not only in improving individual tasks but in linking the phases together more seamlessly.

Prevention

Preparedness

Response

Recovery

Attack surface mapping

Code scanning

Data summarisation

Data classification

Anomaly detection

Writing and analysis

Synthetic data

Identity and access management

Log analysis

Malware analysis

Training and Labs

In the sections that follow, we examine concrete AI applications for cyber defense, showing how they map onto different phases of the incident lifecycle and, in many cases, span several at once.

Attack surface mapping

Attack surface mapping identifies all the assets, entry points, and vulnerabilities an adversary could exploit in an attack. It provides defenders with visibility into their exposure and helps prioritise what to secure.

How AI changes attack surface mapping:

AI transforms attack surface mapping by automating large-scale scans of networks and assets, dramatically reducing manual effort. With advanced pattern recognition, it can detect hidden or forgotten endpoints that traditional methods often miss. AI systems can update maps continuously as infrastructures evolve, reducing blind spots and ensuring defenders maintain an accurate, real-time picture of their environment.

Prevention. Reduces exposures before attackers exploit them.

Preparedness. Maintains an updated view of infrastructure for incident planning.

Case Highlighted: Use of LLMs for asset discovery in critical infrastructure

In 2025, Luigi Coppolino et al published a study showing how large language models (LLMs) can improve the discovery of assets in critical infrastructures. Traditional tools such as Nmap or industrial security platforms either risk disrupting sensitive systems through active scans or fail to detect hidden devices when relying only on passive monitoring.

The researchers proposed an LLM-based “Mixture of Experts” framework that combines data from passive traffic observation, carefully limited active probing and physical signals such as electromagnetic emissions. Specialised LLM agents then interpret this data: one focuses on industrial protocols, another on vulnerabilities in IT/OT networks, and another on system architecture and dependencies.

The system can also draw on external intelligence sources (such as MITRE ATT&CK or CVE databases) to identify weaknesses and recommend security measures. In tests on a simulated industrial network, it successfully classified assets like programmable logic controllers, robotic arms, and printers, while flagging insecure practices such as unencrypted Modbus traffic.

Such an approach turns attack surface mapping into an adaptive and context-aware process that provides real-time visibility and reduces the risks of traditional scanning. By lowering the technical barriers for defenders, it enables more comprehensive monitoring and strengthens the overall security posture of critical infrastructure.

Further readings

Impact of AI for threat detection - "AI for Defense" (Donnie W. Wendt 2024)
The chapter shows how AI has advanced threat detection and triage, where machine learning models process vast amounts of heterogeneous data to identify potential attacks. Results highlight how early applications in the 2000s-2010s focused on malware, intrusion, and spam detection, demonstrating AI's strength in analysing large datasets and improving existing detection systems while incrementally enhancing longstanding cybersecurity functions.
Next-generation threat detection - "Revolutionizing Cybersecurity: Unleashing the Power of Artificial Intelligence and Machine Learning" (Manoharan & Sarker 2022)
The paper shows how AI and machine learning are revolutionising threat detection, enabling organisations to spot anomalies, analyse behavioural patterns, and predict potential attacks. Results highlight how techniques such as NLP for extracting threat intelligence and deep learning for pattern recognition can automate detection and response, while real-world case studies confirm their effectiveness.

Code scanning and evaluation

Code scanning reviews source code to detect vulnerabilities, insecure libraries, or poor security practices before they can be exploited.

How AI changes code scanning and evaluation:

AI accelerates vulnerability detection by highlighting insecure functions and identifying risky coding patterns learned from past exploits. It also offers automated remediation suggestions, supporting developers in writing more secure code and reducing the window of opportunity for attackers.

Prevention. Fixes weaknesses before attackers discover them.

Preparedness. Strengthens baseline security posture for incident readiness.

Case Highlighted: Use of LLMs for code scanning and secure development

In 2025, Belozerov et al investigated how large language models can support secure coding practices. Their study tested ChatGPT against the DevGPT dataset, which contained real developer code alongside known vulnerabilities flagged by static scanners. Out of 32 confirmed vulnerabilities, ChatGPT correctly detected 18 and even suggested fixes for 17 of them.

The results show how AI can reduce manual effort in code review, help triage risky coding patterns and provide automated remediation suggestions. This has the potential to scale secure coding practices and shorten the time window in which vulnerabilities remain exploitable.

At the same time, the study emphasised important limitations: ChatGPT occasionally produced overconfident but incorrect outputs, introduced new flaws when attempting fixes and was less reliable than static analysis or expert human review. A key takeaway from this study is that AI can be a powerful assistant in code evaluation, but only when combined with traditional tools and proper oversight.

Further readings

Automated code review - "A Review of Applying AI for Cybersecurity: Opportunities, Risks, and Mitigation Strategies" (Ndibe & Ufomba 2024)
The paper shows how AI and large language models can support automated code reviews and vulnerability assessments, helping organisations proactively detect weaknesses in source code and reduce response times. Results also highlight risks such as insecure AI-generated code, underscoring the need for human oversight and governance frameworks.
Interpretable deep learning for vulnerability detection - "Vulnerability Detection with Fine-grained Interpretations" (Li et al. 2021)
This paper presents IVDetect, a deep learning model that detects vulnerabilities in codes and pinpoints the specific statements and dependencies responsible. IVDetect improves accuracy over state-of-the-art tools and provides fine-grained explanations. Findings show substantial gains in detection performance and more precise identification of vulnerable code, supporting both automated analysis and developer remediation.
Multilingual code vulnerability detection - "Code Vulnerability Detection Across Different Programming Languages with AI Models" (Humran & Sonmez 2025)
This paper investigates transformer-based models, including CodeBERT and CodeLlama, for detecting vulnerabilities across multiple programming languages. By fine-tuning on diverse datasets, the models capture both syntax and semantics, achieving up to 97% accuracy. The study also incorporates ensemble methods and explainable AI to reduce false positives and improve developer trust. It demonstrates that AI models can outperform traditional static analysers in cross-language settings, though challenges remain in robustness, precision and deployment readiness.

Data summarisation

Data summarisation condenses large volumes of technical data (e.g., logs, reports, and threat intelligence) into accessible insights.

How AI changes data summarisation:

AI reduces cognitive overload by transforming raw and unstructured information into actionable intelligence. It can identify recurring patterns or anomalies across fragmented datasets. It can also generate plain language reports for non-specialists. AI therefore makes information easier to consume, communicate, and act upon.

Preparedness. Helps digest threat intelligence and plan more effectively.

Response. Streamlines situational awareness in real time.

Recovery. Produces summaries and reports for lessons learned.

Case Highlighted: AI for log summarisation and situational awareness

In 2024, Balasubramanian et al introduced CYGENT, a conversational agent powered by GPT-3 that can analyse and summarise system logs. Instead of requiring analysts to sift through thousands of raw log entries, CYGENT condenses them into short, human-readable outputs that highlight key events and anomalies.

In evaluations, CYGENT outperformed other large language models in producing clear and actionable summaries. The system reduced cognitive overload, supported situational awareness during live incidents, and enabled faster decision-making.

This case illustrates how AI can transform raw, technical data into accessible intelligence. By making logs easier to interpret, it helps defenders prepare more effectively, respond more quickly, and recover with better documentation after incidents.

Further readings

CTI summarisation datasets - "CTISum: A New Benchmark Dataset for Cyber Threat Intelligence Summarisation" (Peng et al. 2024)
The paper introduces CTISum, a dataset for summarising cyber threat intelligence (CTI) reports, allowing for the summarisation of complex intelligence reports to help defenders plan and capture lessons learned more effectively.
TTP extraction - "TTPXHunter: Actionable Threat Intelligence Extraction as TTPs from Finished Cyber Threat Reports" (Rani et al. 2024)
The paper proposes TTPXHunter, an NLP-based tool that extracts attacker tactics, techniques and procedures (TTPs) from threat reports to understand their modus operandi, transforming unstructured intelligence into structured, actionable summaries.
NLP for incident analysis - "Natural Language Processing for Cybersecurity Incident Analysis" (Ogundairo & Broklyn, 2024)
The paper surveys NLP applications for analysing unstructured data sources, with NLP techniques (e.g., entity recognition, sentiment analysis, summarisation, chatbot-based triage). The paper finds that NLP can automate incident reporting and threat intelligence summaries, reducing response times and improving post-incident documentation.

Data classification

Data classification organises information according to its sensitivity or compliance requirements, ensuring that critical assets receive appropriate protection.

How AI changes data classification:

AI uses natural language processing to automatically tag sensitive content and detect misclassified or exposed data at scale.

Prevention. Reduces accidental exposure of sensitive data.

Preparedness. Supports compliance.

Case Highlighted: AI for sensitive data classification

In 2024, De Renzis et al investigated how large language models could be used to improve the classification of sensitive information. A central challenge in this area is that real personal data cannot always be used for training because of privacy risks. The authors proposed generating synthetic training data that still reflects the patterns of sensitive categories, such as health, politics, or religion.

Their approach enabled the training of accurate classifiers without exposing actual user data, demonstrating how AI can help organisations comply with regulations such as GDPR while scaling up their ability to detect and protect sensitive information. This case illustrates how AI strengthens both prevention (by reducing accidental data exposure) and preparedness (by supporting compliance frameworks). At the same time, it underlines the importance of governance and validation to ensure synthetic data and resulting models remain representative and reliable.

Further readings

Transformer-based tagging of GDPR categories - "Automatic Detection of Sensitive Data Using Transformer-Based Classifiers" (Petrolini et al. 2022)
This study applies AI models to automatically flag sensitive text, covering areas such as politics, health, religion, and sexuality, within large document collections. It demonstrates that transformer-based approaches can reliably classify such data, supporting GDPR compliance and enabling large-scale and automated labelling for compliance-driven data classification.
Semantic analysis for automated sensitive data detection - "Automated identification of sensitive data from implicit user specification (S3)" (Yang & Liang 2018)
This paper introduces S3, a system that identifies sensitive data in mobile apps by analysing semantics rather than relying on keywords. By learning user privacy preferences, it achieves higher accuracy than traditional tools, illustrating how AI can adapt data classification to real-world contexts. The study emphasises that the sensitivity of information depends on both application context and user preference, and that effective protection in the cloud era requires first being able to identify such data.

Endpoint or network anomaly detection

Anomaly detection monitors endpoints and network traffic for unusual behaviours that may indicate compromise.

How AI changes endpoint and network anomaly detection:

AI learns what normal activity looks like and flags deviations that might signal malicious activity. Unlike signature-based systems, it can detect more subtle intrusions that evade traditional detection. AI enables faster and more effective incident response by prioritising alerts and reducing false positives.

Preparedness. Establishes baselines of normal activity.

Response. Detects anomalies in real time to flag and contain attacks.

Case Highlighted: Using AI for anomaly detection in critical systems

In 2024, Nwoye and Nwagwughiagwu examined how AI-driven anomaly detection could improve cyber defence across endpoints and networks. Using machine learning models trained on normal patterns of system behaviour and network traffic, their approach allowed them to identify subtle deviations that traditional, signature-based systems would miss, including for example early signs of insider threats and data breaches.

The study presented case examples from critical sectors, showing that AI-enabled anomaly detection reduced response times and helped maintain business continuity by flagging suspicious activity before it caused serious damage. The authors also acknowledged challenges, including false positives and the need for transparency in complex AI models. This case demonstrates how AI contributes to both preparedness (by establishing baselines of normal activity) and response (by detecting and prioritising anomalies in real time).

Further readings

GAN-based anomaly detection - "TadGAN: Time Series Anomaly Detection Using Generative Adversarial Networks" (Geiger et al. 2020)
This paper presents TadGAN, an unsupervised framework that applies cycle-consistent GANs to detect anomalies in time series data. By combining reconstruction errors with critical outputs, TadGAN generates reliable anomaly scores and reduces false positives. Tested on 11 benchmark datasets from domains, it consistently outperformed state-of-the-art methods. The study shows how GANs can improve the detection of subtle temporal anomalies across diverse real-world systems.
Machine learning for infrastructure anomaly detection - "AI Defenders: Machine Learning Driven Anomaly Detection in Critical Infrastructures" (Nebebe et al. 2024)
This paper compares machine learning models for detecting anomalies in critical infrastructure, using time-series data from a hydraulic system simulator. It distinguishes point anomalies (single outliers) from contextual anomalies (deviations only apparent in context) and compares simple interpretable models (e.g. logistic regression, decision trees) with more complex black-box models across consistent datasets. The goal is to assess which methods perform best for real-world industrial settings. The paper emphasises that while complex models may yield higher detection rates, simpler methods still offer advantages in interpretability and robustness in sensitive infrastructure domains.

General writing and data gathering/analysis tasks

Defensive operations also involve extensive writing, research, and data analysis to document incidents, inform decisions and train staff.

How AI changes general writing and data gathering or analysis tasks:

AI can draft reports, policies, and incident briefings, easing the administrative burden on analysts. It can automate open-source intelligence gathering for exercises, allowing students and professionals to focus on higher-level analysis and strategy instead of repetitive tasks.

Response. Supports rapid reporting and situational awareness.

Recovery. Enables thorough post incident documentation and lessons learned.

Case Highlighted: Automated intelligence gathering and reporting

In 2024, Gao et al introduced ThreatKG, an AI-powered system that automatically collects cyber threat intelligence from open sources, extracts key entities such as actors and vulnerabilities, and organises them into a structured knowledge graph. Instead of analysts manually reading through long, unstructured reports, the system provides a consolidated and searchable overview. This reduces the administrative burden of defensive operations, supports faster production of incident briefings, and improves situational awareness during active threats. By transforming fragmented information into accessible insights, ThreatKG allows staff to spend more time on interpretation and decision-making. The study illustrates how AI can reshape everyday defensive work by making intelligence gathering more efficient and actionable, while also highlighting the need for oversight to ensure accuracy and relevance.

Further readings

Governance, ethical, legal and social implications of AI in OSINT - "Open Source Intelligence and AI: A Systematic Review" (Ghioni et al. 2023)
The article reviews 571 studies on AI in OSINT, on the use of AI in open-source intelligence (OSINT), examining its governance, ethical, legal, and social implications. The review finds that AI has expanded OSINT capabilities through machine learning, data mining and visual forensics, but has also raised pressing concerns around privacy, accountability, bias, and misuse. The authors highlight gaps in regulation, oversight, and transparency, calling for stronger frameworks to ensure AI-powered OSINT supports intelligence operations without undermining rights, trust or democratic accountability.
Automated report generation - "AGIR: Automating Cyber Threat Intelligence Reporting with Natural Language Generation" (Perrina et al. 2023)
The paper introduces AGIR, a natural language generation system that creates comprehensive CTI reports from formal entity graphs. AGIR reduces report writing time by more than 40% while maintaining high accuracy and fluency, demonstrating how AI can automate report drafting and analysis tasks, freeing analysts to focus on higher-level interpretation and strategy.

Generating synthetic data

Synthetic data generation creates artificial datasets for training, testing, or simulation without exposing sensitive real world information.

How AI changes generating synthetic data:

AI can produce realistic network traffic or malware samples for laboratory use, fill gaps where real-world data is unavailable, and safeguard privacy while enabling experimentation. This helps educators and defenders prepare for real incidents without risking sensitive data exposure.

Prevention. Enables safe experimentation without exposing sensitive information.

Preparedness. Supports training and simulation with realistic datasets.

Recovery. Recreates attack scenarios for post-incident testing and improvement.

Case Highlighted: Use of GANs for producing safe and realistic training data

In 2022, Nukavarapu et al developed MirageNet, a framework that uses generative adversarial networks (GANs) to create realistic synthetic network traffic. The system can replicate patterns of DNS traffic and other protocols in a way that closely resembles real-world data, but without exposing sensitive information from live networks.

This innovation is important because defenders and educators often need realistic data for training, testing, and experimentation, yet cannot always use operational traffic for privacy or security reasons. MirageNet enables safe simulations that prepare analysts for real attacks while avoiding disclosure risks. The use of AI, and in this case of GANs, allows for more secure and scalable experimentation. At the same time, it remains important to validate that synthetic data truly reflects real operational conditions, ensuring that training and testing remain reliable.

Further readings

Deep learning for synthetic network traffic modeling - "STAN: Synthetic Network Traffic Generation with Generative Neural Models" (Xu et al. 2021)
The paper presents STAN (Synthetic network Traffic generation with Autoregressive Neural models), a neural architecture that models both temporal and attribute dependencies in network traffic to generate realistic datasets. Results show that anomaly detection models trained on STAN's synthetic traffic achieved near-comparable accuracy to those trained on real data, demonstrating how deep learning enables high quality synthetic datasets for preparedness training and simulation while preserving privacy.
Evaluation of synthetic traffic generation methods - "Synthetic Network Traffic Data Generation: A Comparative Study" (Ammara et al., 2025)
The study evaluates twelve methods for synthetic traffic generation, including statistical, classical AI and generative AI approaches, using standard datasets. Results show GAN-based models provide superior fidelity and utility, while statistical methods maintain class balance but miss structural complexity.

Identity and access management (IAM)

Identity and access management (IAM) ensures that only authorised users have appropriate access to systems and resources.

How AI changes identity and access management:

AI strengthens IAM by detecting anomalous login patterns that may signal credential misuse, recommending adaptive authentication policies and automating routine checks. During incidents, it can rapidly flag compromised accounts and trigger stronger controls to contain threats.

Prevention. Enforces stronger authentication and reduces unauthorised access.

Response. Adapts in real time during suspected credential misuse.

Case Highlighted: Detection of unusual and inappropriate access

In 2024, Selling conducted a proof-of-concept study on applying AI to IAM systems. By integrating an anomaly detection model into a live IAM platform, the system was able to flag unusual login behaviour and inappropriate access privileges. This approach allows organisations to detect compromised accounts or insider misuse more quickly and to adapt authentication policies dynamically when risks are detected. The study found clear efficiency gains while emphasising the ongoing need for human oversight to interpret flagged anomalies and avoid unnecessary disruption. AI therefore allows to strengthen everyday access control and can turn IAM into a more adaptive and proactive line of defence.

Further readings

Critical infrastructure auditing - "AI-Powered IAM Audit for Anomaly Detection in Critical Infrastructure" (Rodriguez et al. 2025)
The paper proposes an AI-powered IAM audit framework that combines feature engineering, unsupervised anomaly detection and supervised classification to analyse IAM logs. On a synthetic dataset modelled after critical infrastructure, the system achieved a 92% detection rate with a false positive rate below 3%. Findings demonstrate how AI enhances IAM log auditing, enabling proactive detection of insider threats and subtle access anomalies that traditional methods often miss.

Log analysis

Log analysis examines system and security logs to detect, investigate and understand incidents.

How AI changes log analysis:

AI can process massive volumes of logs in real time, highlight unusual sequences of events, and generate concise summaries. This improves detection and allows for faster teaching and incident simulations.

Preparedness. Establishes baselines and identifies potential weak points.

Response. Accelerates investigation and supports incident handling in real time.

Recovery. Informs post-incident reviews and reporting.

Case Highlighted: AI agents for log parsing and threat pattern discovery

In 2025, Karaarslan et al examined how AI agents could support the analysis of the extensive logs generated by Cowrie honeypots. Honeypots deliberately imitate vulnerable systems to attract attackers, but the result is an overwhelming volume of raw data that is challenging for human analysts to interpret.

The researchers showed that AI agents can automatically parse and summarise these logs, extracting recurring attack patterns and generating concise reports. This automation reduces manual effort, enhances situational awareness, and allows defenders to detect trends and adjust security measures more rapidly. The study illustrates how AI can transform unmanageable datasets into actionable intelligence, while also underlining the need to validate outputs carefully so that evolving or deceptive adversarial tactics are not misread.

Further readings

Self-supervised log analysis - "AI-Driven Log Analysis Using Transformer Constructs" (Pan 2023)
This study explores how AI can support log analysis for incident detection and investigation. Using a Transformer model trained on normal log entries, the approach applies log augmentation for self-supervised feature learning and then fine-tunes the model with reinforcement learning on a small labelled dataset. Results indicate that this method can overcome challenges of heterogeneous log sources and scarce labelled data, showing promise for practical and real-world deployment in cybersecurity operations.
Deep learning-based log analysis for intrusion detection - "Cyberattack event logs classification using deep learning with semantic feature analysis" (Alzu'bi et al. 2025)
This study proposes a deep learning–based framework using semantic vectorization and BERT embeddings to analyze event logs for intrusion detection. By categorizing logs by event and attack types with explainable AI, the approach improves detection accuracy, achieving over 99% recall and precision, and outperforms existing models.

Malware analysis

Malware analysis investigates malicious software to understand its behaviour, origin and potential impact.

How AI changes malware analysis:

AI speeds up classification by identifying code similarities across malware families and generating explanations of sandbox execution. It helps analysts quickly grasp how malware works, supporting faster response and more effective mitigations.

Response. Accelerates identification and containment of malware.

Recovery. Contributes to knowledge building for future defenses.

Case Highlighted: AI-assisted malware disassembly

In 2025, Apvrille and Nakov evaluated R2AI, an AI plugin for the Radare2 disassembler, on recent Linux and IoT malware samples. The system integrates LLMs into the reverse engineering process, helping analysts decompile functions, rename variables and identify suspicious behaviours. Their study showed that AI assistance could cut analysis time from several days to roughly half, while maintaining equal or better quality than human-only analysis. For example, in the case of the Linux/Devura malware, the AI correctly inferred argument formats that human analysts had missed. However, limitations remained: the models occasionally produced hallucinations, exaggerations, or omissions, and required constant validation by skilled experts. The findings suggest that AI-assisted disassembly is most effective as a force multiplier, accelerating triage and uncovering details more quickly, while still relying on human oversight to ensure accuracy and avoid misinterpretation.

Further readings

Semantic segmentation for classification - "Deep Learning with Semantic Segmentation for Malware Classification" (Chen et al. 2025)
The study demonstrates that applying AI to selected parts of malware files, rather than entire file sequences, can significantly improve performance. By focusing on the header data of Portable Executable files, their model achieved 99.54% accuracy in classifying malware families. This suggests that targeting the most informative code sections enables faster and more reliable threat detection.
Few-shot learning for novel malware - "A few-shot malware classification approach for unknown family recognition using malware feature visualization" (Conti et al. 2022)
The paper proposes using few-shot learning to classify malware families with only a handful of examples, avoiding the need to re-train models whenever new malware emerges. By visualizing malware binaries as 3-channel images and testing two architectures (CSNN and Shallow-FS), the study shows high accuracy in both traditional and novel malware classification. This demonstrates the potential of few-shot approaches to improve adaptability and speed in detecting emerging threats.

Training and labs

Training and labs provide controlled environments for hands-on cybersecurity exercises and simulations.

How AI changes training and labs:

AI can generate dynamic lab scenarios tailored to learner progress, create adaptive challenges of varying difficulty, and automate feedback and assessment. This supports more realistic and scalable training.

Preparedness. Strengthens readiness through adaptive simulations.

Recovery. Incorporates real incident lessons into training.

Case Highlighted: AI-powered cyber ranges for adaptive training

In 2025, Sisodiya et alintroduced an AI-powered cyber range designed to improve the realism and effectiveness of cybersecurity training. Unlike traditional static labs, the platform uses AI to adjust the difficulty of scenarios according to learner progress, inject realistic attack events, and provide automated feedback.

The study found that students trained in this environment achieved higher detection accuracy and reduced mitigation times compared with conventional approaches. For educators, the system makes it possible to scale exercises, personalise challenges, and incorporate lessons from real incidents into simulations.

Technically, the research also demonstrated that hybrid architectures, combining cloud scalability with the fidelity of physical systems, deliver more realistic and adaptive scenarios. The findings highlight how AI can transform training from fixed exercises into dynamic learning environments that better prepare students and professionals for real cyber threats.

Further readings

Cybersecurity training methods - "A Systematic Review of Current Cybersecurity Training Methods" (Prümmer et al. 2024)
The paper shows that a wide range of cybersecurity training approaches, including game-based methods, improve end-user behaviour and organisational security outcomes. Results highlight the effectiveness of structured training programmes but also reveal challenges such as small sample sizes and non-experimental designs. This underscores the value of integrating AI into training and labs to scale interventions, personalise content and generate adaptive exercises that overcome the limitations of traditional methods.

Discussion Questions

Which phase of the Cyber Incident Lifecycle (prevention, preparedness, response, recovery) is most likely to be transformed by AI in the future, and which phase is AI currently making the biggest difference in? Where does AI seem least effective?
Does AI shift the balance of power in cyberspace toward defenders, or does it mostly help attackers keep the upper hand?
Will open source and widely available AI tools level the playing field for small defenders, or will advanced proprietary systems still give large organisations an overwhelming advantage?
How does AI’s ability to automate detection, triage, and response change the speed and nature of defensive operations? Could this make “traditional SOC models” obsolete?
Could defenders become too dependent on AI, leading to blind spots if models fail, are poisoned, or are deceived by adversarial inputs?
Who bears responsibility if AI systems miss critical threats or make flawed recommendations: developers, deploying organisations, or human analysts who rely on them?
How should policymakers encourage responsible use of AI in defense without stifling innovation or limiting access for educators and smaller organisations?
As both attackers and defenders adopt AI, will cyber conflict evolve into a contest of “autonomous defense vs. autonomous offense”?