Why 2026 is Different
The new threat landscape
What this episode is about
Who benefits more from artificial intelligence in cybersecurity — the attackers or the defenders? This is the question we stretch across the entire season. In episode one we set the frame by placing three reports next to each other that appeared within eighteen months and describe the same situation from three different stages of development.
The three situational reports
Microsoft and OpenAI, February 2024. The two companies publish the first named state actors using commercial LLMs — Forest Blizzard from Russia, Charcoal and Salmon Typhoon from China, Crimson Sandstorm from Iran, Emerald Sleet from North Korea. All accounts are suspended. Microsoft formulates the observation remarkably soberly: we see no attack techniques that wouldn’t have been possible without AI. What we see is pace. In the MITRE ATLAS framework, this lands under Resource Development — the model is a productivity tool, not a weapon. Lukas from research points to the work by Julian Hazell that had already proven this efficiency stage academically: GPT-4 produces personalized spear-phishing emails at cents per recipient with human-comparable conversion rates.
BACS Switzerland, semi-annual report 2025/1. The Swiss Federal Office for Cybersecurity reports 35,727 cyber incidents in the first half of 2025, 58 percent of which are fraud. In parallel, the Swiss Federal Council adopted its own report on the effect of AI on cybersecurity (Postulate 23.3861), whose core message is deliberately calm: AI acts as a catalyst for existing trends but does not change the fundamentals. Robert from practice confirms this observation from the MDR telemetry of his Swiss clients — dramatically more spear-phishing attempts, significantly improved language. Where typical translation errors were still recognizable in 2022, today’s emails read contextually consistent. Linguistic anomaly as a detection feature is dead.
Anthropic, August 2025. The third report describes not just efficiency, but operational takeover. Anthropic documents a campaign called “vibe hacking”: a single actor extorts seventeen organizations with Claude Code as an agentic operator — reconnaissance, credential collection, individual extortion letters per victim, parallelized. On top, two further case classes — North Korean sanctions evasion through fake remote employment, and a Chinese autonomous cyber-espionage campaign that Anthropic calls GTG-1002. Chris frames the difference to Microsoft technically: what has changed is the agentic loop. Tool-use and longer context windows turn the advising model into an operator that works autonomously inside a target system for days.
The thesis of the season
Three reports, three phases, one clear line. What was an efficiency boost two years ago is operational layer today — and the transition is gradient, not abrupt. Anyone building defender architectures in 2026 without pricing in this reality is building defense against 2022.
Three observations condense the thesis. From the research perspective — Lukas — it stands out that Microsoft observes the model side, not the endpoint. Who talks to ChatGPT is visible; what happens at the victim is not. A blind spot remains: an actor running an open-source model like Mixtral or Llama locally is invisible to this telemetry. From the practitioner’s perspective — Robert — the detection problem shifts into the identity and behavioral layer. Classic signature-based SIEM detection no longer catches the new spear-phishing quality. From the AI perspective — Chris — defenders and attackers depend on the same methodology. Frontier models are available via API with sub-cent costs per thousand tokens, open-source models run on two consumer GPUs. The cost curve no longer separates by actor type.
What you take away from this episode
Switzerland is structurally better positioned than the EU average because BACS was mandated early and is closely networked with the private sector. The research density in the DACH region — ETH, EPFL, OST and a leading German information-security research center — is a strategic strength that hasn’t yet fully translated into operational defensive capacity. The gap lies in the mid-market segment. That is exactly where attacks have reached a quality level in the last twelve months where they become economical — also against smaller targets. The core recommendation at the end of the episode: anyone as a CISO thinking AI is still future is already behind today. In the following episodes, we look at the offensive and defensive sides separately — beginning with frontier models that find vulnerabilities.
Sources and references
- Microsoft Threat Intelligence, & OpenAI. (2024, February 14). Staying ahead of threat actors in the age of AI. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. OpenAI. https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
- Anthropic. (2025, August). Detecting and countering misuse of AI: August 2025. Anthropic. https://www.anthropic.com/news/detecting-countering-misuse-aug-2025
- Bundesamt für Cybersicherheit BACS. (2025). Halbjahresbericht 2025/1. Schweizerische Eidgenossenschaft. https://www.ncsc.admin.ch/ncsc/en/home/dokumentation/berichte/lageberichte/halbjahresbericht-2025-1.html
- Schweizerischer Bundesrat. (2025). Bericht in Erfüllung des Postulats 23.3861 — Wirkung von KI auf die Cybersicherheit. Bundesamt für Cybersicherheit BACS. https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2025/po233861.html
- Bundesamt für Cybersicherheit BACS. (2025, April 1). Reporting cyberattacks on critical infrastructure mandatory from 1 April 2025. Schweizerische Eidgenossenschaft. https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2025/meldepflicht-2025.html
- MITRE Corporation. (n.d.). ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems. https://atlas.mitre.org/
- OWASP Foundation. (2025). OWASP Top 10 for Large Language Model applications (Version 2025). https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-v2025.pdf
- National Institute of Standards and Technology. (2024). AI Risk Management Framework (NIST AI 100-1 and Generative AI Profile NIST AI 600-1). https://www.nist.gov/itl/ai-risk-management-framework
- European Commission. (n.d.). Timeline for the implementation of the EU AI Act. AI Act Service Desk. https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
- Hazell, J. (2023). Spear phishing with large language models (arXiv:2305.06972). arXiv. https://arxiv.org/abs/2305.06972
- Heiding, F., Schneier, B., Vishwanath, A., Bernstein, J., & Park, P. S. (2024). Devising and detecting phishing emails using large language models. IEEE Access, 12, 42131–42146. https://doi.org/10.1109/ACCESS.2024.3375882
- Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., & Fritz, M. (2023). Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection (arXiv:2302.12173). arXiv. https://arxiv.org/abs/2302.12173
- Zou, A., Wang, Z., Carlini, N., Nasr, M., Kolter, J. Z., & Fredrikson, M. (2023). Universal and transferable adversarial attacks on aligned language models (arXiv:2307.15043). arXiv. https://arxiv.org/abs/2307.15043
- Anthropic. (2024). Agentic misalignment: How LLMs could be insider threats. Anthropic Research. https://www.anthropic.com/research/agentic-misalignment
- Wei, A., Haghtalab, N., & Steinhardt, J. (2023). Jailbroken: How does LLM safety training fail? (arXiv:2307.02483). arXiv. https://arxiv.org/abs/2307.02483
- OST – Ostschweizer Fachhochschule. (2026). CAS AI-Driven Cybersecurity and Strategic Defence [Programmseite, 15 ECTS, 14 Präsenztage, Campus Rapperswil-Jona]. https://www.ost.ch/de/weiterbildung/weiterbildungsangebot/informatik/cybersecurity-networks/cas-ai-driven-cybersecurity-and-strategic-defence