
The final bell rang Thursday at Infosecurity Europe 2026 — the 31st edition of Europe's largest annual cybersecurity gathering — as the industry's most uncomfortable thesis moved from theoretical to demonstrated. Across three days at ExCeL London, more than 13,000 security professionals and 380 exhibitors debated how to defend against autonomous AI systems while, in the same week, a University of Toronto research team published proof that a self-propagating AI worm can be built today using free, publicly available large language models, no specialist tradecraft, and no proprietary compute budget — and that it can compromise nearly three-quarters of a simulated enterprise network in seven days.
That convergence — a live research demonstration, a White House AI cybersecurity executive order signed Tuesday, CISA advisories on active attacks against fuel infrastructure, and a critical Cisco vulnerability with public exploit code — gave Infosecurity Europe 2026 an operational edge rarely felt at industry gatherings. The sessions were not describing a future threat environment. They were responding to one already in motion.
Agentic AI: Attack Surface and Defense Engine
No topic commanded more floor time across the three-day event than agentic AI, and the industry's relationship with it remains deeply ambivalent. Where prior years' conversations focused on generative AI's ability to accelerate phishing and social engineering, 2026 elevated the concern to autonomous AI agents capable of conducting multi-step attack chains with minimal human direction.
The University of Toronto AI worm research gave those concerns a concrete reference point the moment it circulated. Published June 2 by researchers at CleverHans Lab — the cybersecurity research group at the University of Toronto led by Professor Nicolas Papernot — in collaboration with the Vector Institute and the University of Cambridge, the paper described a worm that does not operate from a fixed list of exploits. Instead, it analyzes each target it encounters, reasons about its vulnerabilities on the fly, and composes a tailored attack using a free, open-weight large language model running directly on machines it has already compromised. In a 33-machine enterprise simulation across Linux, Windows, and IoT devices, the worm correctly identified an average of 31.3 vulnerabilities per run, exploited 73.8 percent of the network, and propagated to 61.8 percent of hosts over seven days. It found and exploited three vulnerabilities disclosed after the model's own training cutoff — including the CopyFail Linux kernel privilege escalation flaw and a critical pre-authentication remote code execution vulnerability in Marimo Python notebooks — demonstrating an ability to reason about newly disclosed flaws the model had never been trained on.
The economic model is what makes the demonstration alarming. Traditional worms amortize a fixed exploit cost across every infected machine. This worm runs its LLM reasoning on the compute of machines it has already compromised, essentially parasitizing its victims to fund the next wave. "As consumer devices increasingly support LLM inference," the researchers noted in a summary of their work, "every machine connected to the internet is a potential target — if not for the data it holds, then as a launching pad for the next attack."
That observation was not theoretical in the week the conference ran. Sysdig's threat research team had documented the first publicly confirmed real-world intrusion driven by an LLM agent just weeks earlier, on May 10 — an attack that moved from initial access through a vulnerable Python notebook to a fully exfiltrated internal database in under an hour, across four network pivots, with no human operator directing individual steps. The precedent arrived at Infosecurity Europe as established fact, not warning.
For the practitioners attending sessions on AI-powered security operations centers, the demonstration underscored a central tension that vendors and security leaders spent three days trying to resolve. The same agentic architectures being deployed to automate threat detection — compressing what vendors claimed are multi-hour analyst workflows into minutes — can, with modest modification, serve as offensive infrastructure. Cisco's State of AI Security 2026 report found that only 29 percent of organizations reported being prepared to secure agentic AI deployments, even as 83 percent planned to deploy them into business functions. OWASP codified the emerging attack surface in December 2025 with its Top 10 for Agentic Applications — the first peer-reviewed framework dedicated to the risks of autonomous, tool-using AI systems, developed with input from more than 100 experts — identifying prompt injection, memory poisoning, and privilege escalation through over-permissioned agents as the leading attack classes.
The consensus that emerged across multiple Infosecurity Europe keynotes was blunt: organizations must now treat AI agents as attack surfaces in their own right, with full asset inventories, least-privilege access controls, and detection logic built specifically for agent-pattern attack signatures — machine-formatted command streams, parallel session launches from distributed addresses, and adaptive schema enumeration — not the known-malware signatures that traditional security information and event management rules were designed to catch.
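As an added illustration (not from the conference sessions or any vendor product), the sketch below applies the three agent-pattern signals named above to constructed database session logs. The event layout, the thresholds, and the use of command pacing as a proxy for machine-formatted streams are all assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample events: (epoch_seconds, account, source_ip, session_id, command)
EVENTS = [
    (1000.0, "svc-report", "203.0.113.10", "s1", "SELECT table_name FROM information_schema.tables"),
    (1000.4, "svc-report", "203.0.113.10", "s1", "DESCRIBE customers"),
    (1000.8, "svc-report", "203.0.113.10", "s1", "DESCRIBE invoices"),
    (1001.2, "svc-report", "203.0.113.10", "s1", "SHOW COLUMNS FROM payments"),
    (1002.0, "svc-report", "198.51.100.7", "s2", "SELECT 1"),
    (1003.0, "svc-report", "192.0.2.44", "s3", "SELECT 1"),
    (5000.0, "alice", "192.0.2.9", "s4", "SELECT * FROM orders WHERE id = 7"),
    (5042.0, "alice", "192.0.2.9", "s4", "DESCRIBE orders"),
]

# Metadata queries that map out a database's structure.
SCHEMA_RE = re.compile(r"information_schema|^\s*(describe|show\s+(tables|columns))", re.I)

def detect(events, window=10.0, min_ips=3, max_gap=1.0, min_cmds=4, min_schema=3):
    """Return {account: sorted list of heuristic flags}. Thresholds are assumptions."""
    sessions = defaultdict(list)   # (account, session_id) -> [(ts, cmd)]
    starts = defaultdict(dict)     # account -> {session_id: (first_ts, ip)}
    for ts, acct, ip, sid, cmd in sorted(events):
        sessions[(acct, sid)].append((ts, cmd))
        starts[acct].setdefault(sid, (ts, ip))
    flags = defaultdict(set)
    for acct, sess in starts.items():
        # Parallel launches: many distinct source IPs opening sessions inside one window.
        first = sorted(sess.values())
        for i, (t0, _) in enumerate(first):
            ips = {ip for t, ip in first[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flags[acct].add("parallel-distributed-sessions")
    for (acct, _), cmds in sessions.items():
        gaps = [b[0] - a[0] for a, b in zip(cmds, cmds[1:])]
        # Machine-paced stream: enough commands with sub-human median spacing.
        if len(cmds) >= min_cmds and median(gaps) <= max_gap:
            flags[acct].add("machine-paced-commands")
        # Schema enumeration: repeated metadata queries within one session.
        if sum(bool(SCHEMA_RE.search(c)) for _, c in cmds) >= min_schema:
            flags[acct].add("schema-enumeration")
    return {a: sorted(f) for a, f in flags.items()}
```

On the constructed data the service account trips all three signals while the interactive user trips none; in practice the thresholds would be tuned against each account's own baseline.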
Post-Quantum Cryptography: Why 2026 Is the Year to Start
The quantum computing track drew some of its largest audiences in recent conference memory, driven by a compression in the perceived timeline that has moved from background concern to operational planning requirement.
The core technical reason is straightforward. Current RSA and elliptic curve cryptography derive their security from mathematical problems — integer factorization and discrete logarithm computation — that classical computers cannot solve at practical scale. Quantum computers running Shor's algorithm can solve both in polynomial time. Three research papers published between May 2025 and March 2026 reduced estimates of the quantum resources needed to break RSA-2048 by roughly an order of magnitude compared with earlier projections. The Global Risk Institute's 2026 Quantum Threat Timeline assessed a cryptographically relevant quantum computer as "quite possible" within ten years and "likely" within fifteen. The NSA's Commercial National Security Algorithm Suite 2.0 has already mandated that all new national security system acquisitions be quantum-safe by January 2027.
For most organizations at Infosecurity Europe, the immediate operational concern was not a quantum decryption event in the next year. It was the "harvest now, decrypt later" threat: the recognition that well-resourced adversaries, including nation-state actors, are believed to be archiving encrypted traffic today with the intention of decrypting it once quantum capability arrives. Long-lived sensitive data — intellectual property, health records, financial instruments, classified communications — is therefore already at quantum risk even before a capable machine exists.
The practical migration challenge that session speakers returned to repeatedly was not algorithmic. NIST finalized its first three post-quantum cryptography standards in August 2024: FIPS 203, based on ML-KEM; FIPS 204, based on ML-DSA; and FIPS 205, based on SLH-DSA. These replace RSA and elliptic curve functions with algorithms built on structured lattice problems and hash-based signatures that are believed to resist both classical and quantum attacks. In March 2025, NIST added a fourth standard, HQC, as a backup key encapsulation mechanism. The algorithms are ready. The migration is the work.
Speakers at the quantum track described a cryptographic inventory requirement that most organizations have not yet completed: mapping every system, protocol, and embedded device that depends on RSA or ECC, identifying every certificate chain and API that would break during a transition, and building a migration roadmap that accounts for the long tail of operational technology networks and third-party vendors that organizations cannot unilaterally update. For financial services firms and critical national infrastructure operators attending the event, the EU's coordinated post-quantum cryptography roadmap — which calls for member states to begin PQC transitions by end of 2026, with critical infrastructure migration to be completed by 2030 — added regulatory urgency to a timeline already driven by technical risk.
NIS2 and DORA: Compliance Pressure Meets Operational Reality
European regulatory compliance dominated the policy-track agenda, with NIS2 and DORA generating the most sustained debate of the three days.
NIS2's transposition deadline passed in October 2024, but as of June 2026, several EU member states had still not fully transposed the directive into national law. That uneven implementation created compliance complexity for multinational organizations simultaneously satisfying different national versions of the same underlying requirements. The directive's expanded scope — bringing mid-sized enterprises in food production, waste management, and digital infrastructure under mandatory cybersecurity obligations for the first time — continued to present calibration challenges. Practitioners at the event described recurring difficulty translating the directive's "appropriate and proportionate" technical measures standard into specific control decisions, particularly in operational technology environments with different patching cadences and availability constraints from those assumed by IT-centric compliance frameworks.
DORA, which came into full application for financial entities and their ICT third-party providers in January 2025, drew particular attention from the financial services firms present. The ICT third-party risk management requirements — specifically the register of information that documents contractual arrangements with every ICT provider — proved resource-intensive to compile and maintain at large institutions with sprawling vendor ecosystems. DORA's incident reporting obligations are stricter than NIS2's: financial entities must make an initial report within four hours of classifying a major incident, versus twenty-four hours under NIS2. First formal enforcement actions under DORA were expected later in 2026, and several panel discussions noted that the compliance dry-run period regulators had extended to institutions after the January 2025 application date was narrowing.
Recurring themes across both regulatory tracks included the growing expectation from supervisory authorities that organizations demonstrate functional, tested controls rather than documented policies alone; the challenge of applying enterprise compliance frameworks to OT and industrial control environments; and the rising importance of board-level cyber governance as regulators hold senior management personally accountable for material failures.
Trump AI Cybersecurity Order: Transatlantic Signals
The White House executive order signed Tuesday — formally titled "Promoting Advanced Artificial Intelligence Innovation and Security" — generated substantial discussion in policy sessions and on the exhibition floor. The order directed the NSA and CISA to develop a classified benchmark process for evaluating advanced frontier AI models' cybersecurity capabilities within 60 days, and established a voluntary framework under which AI developers can submit frontier models for government review up to 30 days before release. It created an AI cybersecurity clearinghouse, bringing together Treasury, NSA, and CISA to coordinate vulnerability scanning and patch prioritization with private sector participants. Within 30 days of signing, CISA was directed to issue binding operational directives to protect federal civilian systems and expand AI-enabled defensive tools to state and local governments and critical infrastructure operators.
For the predominantly European audience at ExCeL London, the practical significance of the order was indirect but real. U.S. executive orders carry commercial and regulatory weight for transatlantic organizations, particularly those supplying services to U.S. federal agencies or participating in joint cybersecurity frameworks. Several speakers noted that the order's emphasis on securing AI systems used in critical infrastructure, and its direction to CISA and NIST to develop AI-specific security guidance, signaled that the world's largest economy was treating AI security as infrastructure security. The interaction between the order's voluntary frontier model review framework and the EU AI Act's risk-based mandatory approach was flagged as a compliance navigation challenge for organizations operating on both sides of the Atlantic.
Curtain Falls on a Compressed Threat Landscape
As the exhibition floor at ExCeL London cleared Thursday afternoon, the overarching sentiment among attendees was that the threat environment had accelerated in complexity faster than defensive frameworks anticipated even twelve months earlier. The convergence of agentic AI offence and defence, shortened quantum timelines, tightening European regulation, and an increasingly active U.S. policy posture had given the industry's conversations an operational urgency that set the 2026 edition apart.
Security leaders left with four interconnected action items confirmed by the week's events: building AI-agent inventories and treating every deployed agent as an attack surface; accelerating cryptographic inventories and beginning post-quantum migration planning in earnest; mapping NIS2 and DORA obligations against current controls with enforcement deadlines now closing; and evaluating AI-class defensive tooling calibrated to the 29-minute adversary breakout benchmark that CrowdStrike's 2026 Global Threat Report documented. The window for unhurried security strategy, in the assessment of practitioners who spent three days at Europe's largest security gathering, has closed.
Infosecurity Europe 2027 is expected to return to ExCeL London next June. If the trajectory of this year's event offered any guide, the industry will arrive with rather more urgent problems to resolve.
Frequently Asked Questions
What is an AI worm and why does it concern cybersecurity professionals?
An AI worm is a type of self-replicating malware that uses a large language model to reason about and adapt its attacks to each new target, rather than exploiting a single fixed vulnerability. University of Toronto researchers published a proof-of-concept in June 2026 showing such a worm can be built using free, publicly available models and can compromise nearly three-quarters of a simulated enterprise network in one week, including by exploiting vulnerabilities disclosed after the model's training cutoff.
What is "harvest now, decrypt later" in post-quantum cryptography?
"Harvest now, decrypt later" refers to the practice by which adversaries — particularly well-resourced nation-state actors — capture and store encrypted data today with the intention of decrypting it once a cryptographically relevant quantum computer becomes available. Because quantum computers running Shor's algorithm could break RSA and elliptic curve encryption, any long-lived sensitive data encrypted with current standards is already at risk even though the decryption capability does not yet exist. NIST finalized three replacement standards — FIPS 203, 204, and 205 — in August 2024 to address this threat.
What do NIS2 and DORA require from organizations?
NIS2 requires a broad range of sectors across the EU — including energy, healthcare, digital infrastructure, and, since the 2024 transposition deadline, food production and waste management — to implement appropriate cybersecurity risk management measures, report major incidents within 24 hours, and ensure board-level accountability for cyber governance. DORA, which applied to EU financial entities and their ICT third-party providers from January 2025, adds stricter incident reporting (initial notification within four hours), mandatory ICT third-party risk registers, and operational resilience testing requirements including threat-led penetration testing.
What did the White House AI cybersecurity executive order require?
President Trump signed "Promoting Advanced Artificial Intelligence Innovation and Security" on June 2, 2026. It directed NSA and CISA to create a classified benchmark process for evaluating frontier AI models within 60 days and established a voluntary pre-release review framework under which AI developers can submit new models to the government up to 30 days before release. It also created an AI cybersecurity clearinghouse and directed CISA to issue binding operational directives hardening federal systems within 30 days.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.




