Interviews | June 16, 2026
Identity Has Become the Primary Attack Surface
7AI | Fortinet | Sophos | ThreatLocker
Q1. How is agentic AI reshaping the SOC? What new capabilities and organizational changes should security leaders be implementing now to achieve true autonomous defense at scale? (277 words)
For years, security analysts have been drowning in alert volume. More people and more detection tools haven't kept up. Agentic AI changes the equation: 7AI handles investigations, detection optimization, and threat hunting at machine speed so analysts can finally focus on the strategic work most SOCs have never had bandwidth for.
The difference starts with end-to-end investigation. Swarming AI agents act the moment an alert fires — enriching data, querying the environment, correlating across systems, and forming conclusions with reasoning fully visible. Equally important is dynamic reasoning — the ability to investigate novel alerts in real time without a pre-written playbook.
The proof is in production. DXC Technology built the world's largest agentic SOC on 7AI in eight weeks, with CISO Mike Baker reporting an 80% reduction in tier-1 analyst time and 95-99% fewer tickets reaching humans.
Three organizational shifts matter now.
First, rethink the SOC org chart. With agents owning investigations, detection optimization, and threat hunting, L1 and L2 analysts can finally focus on the questions that move the program forward: why are things getting through? Where are the detection gaps? Why are false positives firing? What does response actually need to look like? And with the time left over, what should they proactively be hunting for?
Second, rewrite your metrics around outcomes: mean time to verdict, false positive rate, dwell time, analyst hours recovered.
Third, don't fall for "replace your team." You still need elite expertise — you just don't need it stuck on tier-one triage. The teams getting this right pair the platform with dedicated AI security engineers. Our PLAID Elite team offers a 24/7 expert team for escalations.
Q2. What are the biggest misconceptions or implementation errors that most organizations are making with agentic AI today? How are the companies that are getting it right structuring their teams, processes, and success metrics differently? (258 words)
The biggest misconception is that agentic AI removes humans from security operations. It doesn't. Agents take on the non-human work — triage, enrichment, repetitive investigation, automated hunting — so people can do human work: detection engineering, response strategy, proactive threat hunting, and the root-cause thinking that usually gets buried under triage queues. The teams getting this right pair the platform with dedicated AI security engineers and, for some, an elite 24/7 response team. Analysts stay in charge.
The second is mistaking workflow automation for agentic AI. A lot of vendors wrap a chatbot around a SOAR engine and call it agentic. If your platform only works when someone has pre-written a playbook, you've bought automation. Real agentic AI investigates situations no one scripted for, because it reasons in real time.
The third — and most consequential — is treating investigations as the whole job. Autonomous investigations matter, but they only solve one piece. The teams driving real change run agentic AI across the full operational loop, investigations, detection optimization, threat hunting, so analysts go from triaging tickets to asking the upstream questions (why detections are missing, where logic is misfiring) and the downstream ones (how response actually needs to work).
The companies doing this well share a few patterns. Their processes flow intake, enrichment, correlation, and first-pass investigation through agents; humans engage when judgment is required. They treat agents as teammates — reviewing verdicts, giving feedback on edge cases — so the system gets smarter over time. The result shows up in production at Fortune 500 scale: faster mean time to respond, fewer tickets reaching humans, and security teams operating with multiples of their previous capacity.
Q3. What are 7AI's top priorities at Black Hat USA 2026? What do you want attendees to take away from your company's presence at the event? (292 words)
Black Hat is one of the few rooms where the industry stops marketing and starts talking honestly. For 7AI, that's exactly the conversation we want to have.
Our first priority is showing what autonomous investigation looks like in production today. We'll walk through live investigations on real alert types — phishing, identity compromise, endpoint anomalies, and cloud misconfigurations. The platform has now processed 7M+ alerts across customers, given back over a million analyst hours, and reclaimed nearly $60M in SOC productivity.
The second priority is showing what comes after investigations. Autonomous triage is the unlock — not the whole story. With agents covering detection optimization and threat hunting too, security teams can finally do the upstream and downstream work that traditional SOCs never get to: tuning detections that are misfiring, closing the gaps attackers are slipping through, and running proactive hunts of their own. We'll also showcase our PLAID engagement models, including PLAID Elite Response: a 24/7 expert team handling escalations on customers' behalf.
The third is the CISO conversation. I want to hear what's on their plate right now and what's working versus what isn't. Honest exchange is how the industry moves forward together.
If attendees take one thing away: attackers are already using AI to scale and accelerate, and for the first time, defenders can push ahead instead of fall behind. Agentic AI is deployed, working, and constantly getting stronger.
Q1. From your vantage point, what are the most significant shifts you’re seeing in the threat landscape right now, particularly with nation-state actors and cybercrime syndicates? How should organizations adjust their strategies to keep ahead of the threat?
The biggest shift we're seeing is the speed and scale of attacker activity. The latest FortiGuard Labs Global Threat Landscape Report shows AI-enabled cybercrime accelerating reconnaissance, exploitation, and ransomware activity, with attackers compressing time-to-exploit to as little as 24 hours and ransomware victims increasing 389% year-over-year.
Nation-state actors and cybercrime groups are also increasingly borrowing from the same playbook: automation, credential theft, living-off-the-land techniques, and rapid exploitation of known vulnerabilities. The takeaway for defenders is that security strategies can no longer be reactive. Organizations need to shift toward intelligence-led defense, continuous exposure management, faster patch prioritization, AI-assisted SecOps, zero-trust segmentation, and integrated platforms that can detect, correlate, and respond at machine speed.
Q2. How will Fortinet’s just-announced deeper integration with NVIDIA through FortiAIGate help security teams stay ahead of AI-enabled and AI-related threats like prompt injection, data exfiltration, and AI model compromise?
Fortinet’s deeper integration with NVIDIA builds on the broader innovation happening across the Fortinet Security Fabric and further extends Fortinet’s AI-driven Security Fabric capabilities to help organizations securely operationalize AI at enterprise scale. As AI workloads, autonomous agents, and AI-driven applications rapidly expand, the joint solution combines Fortinet security with NVIDIA’s accelerated AI infrastructure to provide real-time protection for AI workloads, data, and AI agents across cloud, hybrid, edge, and data center environments. By applying inline guardrails, runtime inspection, and zero-trust controls between applications and AI models, FortiAIGate helps organizations address emerging AI-specific risks such as prompt injection, unauthorized model interactions, data leakage, and unsanctioned AI activity, while enabling local, data-sovereign deployment models, and delivering the high-performance, low-latency security with minimal impact on AI model inference and application performance.
Q3. How does Fortinet plan on engaging with stakeholders at Black Hat USA 2026? What themes and technologies does Fortinet plan on highlighting at the event?
At Black Hat USA 2026, Fortinet plans to engage attendees through live demonstrations spanning the full Fortinet Security Fabric, showcasing how integrated security and networking can help organizations defend against increasingly sophisticated AI-enabled threats across hybrid environments.
Attendees will have the opportunity to see how Fortinet solutions work together across secure networking, cloud security, AI-driven SecOps, SASE, OT security, and AI runtime protection to provide unified visibility, faster response, and simplified operations.
In addition to interactive demos, Fortinet will host rolling theater presentations throughout the event featuring Fortinet experts and alliance partners discussing real-world cybersecurity challenges, emerging threats, and integrated security innovations. These sessions will highlight collaborative approaches to securing modern infrastructure, AI deployments, and distributed enterprise environments.
Fortinet will also feature a presentation from Aamir Lakhani, senior director of threat intelligence at Fortinet's FortiGuard Labs, titled "AI-Enabled Adversaries to Autonomous Defense: What Threat Intelligence Is Seeing Next." The session will explore how attackers are accelerating activity across the full intrusion chain by combining commodity exploitation, cloud and identity abuse, automation, and AI-assisted social engineering. Drawing from FortiGuard Labs threat intelligence, Aamir will discuss how defenders should think about evolving adversary tradecraft as AI becomes embedded into both attack and defense workflows, along with practical ways organizations can leverage threat intelligence, AI, and automation to improve detection, prioritize risk faster, and build more resilient response strategies.
Q1. Sophos' State of Identity Security 2026 survey showed that identity has become the new perimeter. Why is that the case? What new challenges does that pose for enterprise organizations and what practical steps should they be taking right now to address the threat?
Identity has become the primary attack surface because poor identity hygiene has made it easier for attackers to log in than to break in. Our State of Identity Security 2026 research found that 71% of organizations suffered at least one identity-related breach in the past year, and two thirds of ransomware victims confirmed their incident started with an identity attack.
What is intensifying that risk is the explosion of non-human identities. Agentic AI systems are spinning up sub-agents, each generating new credentials with broad, persistent access that existing identity frameworks were never designed to govern. Most organizations cannot even see those identities, let alone control them.
The good news is that the practical remedies, while underused, are well understood. Enforce MFA everywhere. Inventory and classify every non-human identity. Replace long-lived credentials with short-lived ones. Deploy identity threat detection and response (ITDR.) And move toward Zero Trust as the default operating posture, not the aspiration.
Q2. If you could fix one systemic problem in how organizations approach cybersecurity today, not a product gap but a cultural or structural problem, what would it be?
The structural problem is this: there are roughly 35,000 CISOs in the world and 359 million organizations. That is one strategic security leader for every 10,000 organizations. The cybersecurity industry was built on the assumption that every organization has a senior leader who can evaluate tools, build strategy, and improve posture over time. For the vast majority of the market, that person does not exist.
That gap, between the continued production of exemplary technology and the lack of strategic capability to operate it, is a 40-year market failure. The industry has produced extraordinary tools, but we have not scaled strategy or the methodical production of an ROI. Lacking a coherent strategy. the defenders cannot close the distance, and the adversaries are pulling further ahead.
Agentic AI is the first lever powerful enough to change that. It is why we are building Sophos CISO Advantage: to bring strategic security guidance to organizations with a CISO and to the millions without one.
Q3. What do you expect will be top of mind issues for your customers and other stakeholders at Black Hat USA 2026? What does Sophos plan to highlight at the event?
Two things will dominate the hallways and the sessions. The first is AI-assisted attacks, which are moving from theoretical to operational faster than most defenders are prepared for. The second is the inverse: how to actually operationalize AI on the defender side without losing human accountability and judgment. Our X-Ops team will be sharing the latest threat research and our own operating data on both fronts.
On the Sophos side, the focus is the Sophos Central Defense System, which launches this summer as the industry's first AI-native defense system, not a platform. Through 2026 we are extending our agentic operating model across the portfolio: XDR and Next-Gen SIEM integrated into a unified context lake, expanded Secure AI capabilities for the new generation of customer AI tooling, and the fall launch of Sophos CISO Advantage. Every capability runs on the same agentic foundation Sophos has calibrated across our hundreds of thousands of customers.
Q1. You were recently quoted as saying four basic controls—blocking untrusted software, disabling Office macros, dual-factor authentication, and restricting account access to trusted devices—could prevent 96% of breaches. How much damage do you think the cybersecurity industry has done by overusing words like ‘sophisticated’? Has that language convinced companies that security is impossibly complex?
A1. I don’t think it’s the cybersecurity industry pushing the “sophisticated” narrative as much as the media wanting attacks to sound scarier to drive readership. When incidents are labeled sophisticated, it can unintentionally create the perception that cybersecurity is impossibly complex or that breaches are unavoidable. In reality, a large percentage of attacks can still be prevented or significantly reduced through strong cybersecurity fundamentals.
Sophisticated attacks certainly exist, but a large majority of breaches still begin with phishing or tricking users into running malware. That hasn’t changed. So, when people describe an attack as sophisticated, even though it started with an employee having credentials stolen through phishing, we create the impression that investing in cybersecurity is futile because these attacks are impossible to stop.
Blocking unapproved software by default, limiting access to trusted devices, using multi-factor authentication (MFA), and disabling Office macros would prevent a huge percentage of attacks. MFA and disabling macros are common, but not nearly enough organizations deploy allowlisting or solutions that limit network and SaaS access to specifically approved hardware.
Take the recent GitHub supply chain attack. It started with stolen credentials that gave attackers access to repositories where they inserted malicious code. Basic credential theft was the entry point. If device and network restrictions had been in place alongside MFA, those stolen credentials would not have granted access.
For the attacks that truly are sophisticated, and there are certainly examples, tools like application containment, storage location restrictions, and privilege management can significantly reduce the chances of a successful attack. In the event an attacker does gain access, these controls can dramatically limit lateral movement and reduce the overall blast radius. In many cases, they can stop even complex attacks outright.
Q2. There’s a growing push toward platform consolidation in cybersecurity, with vendors claiming customers need fewer tools and more integrated protection. Can consolidation genuinely improve security outcomes, or are companies at risk of creating massive single points of failure?
A2. Consolidation doesn’t mean companies need fewer security capabilities. It means bringing those capabilities into a single platform that’s easier to manage.
The ThreatLocker Zero Trust Platform provides 15+ different capabilities to protect endpoints, networks, and cloud environments, all managed through a single, straightforward dashboard. The advantage is that customers spend less time monitoring disconnected systems from separate vendors and more time making sure policies are properly configured.
A single platform can also help reduce alert fatigue by preventing users from receiving overlapping alerts from multiple systems. Another major advantage is the ability to apply user groups consistently across every tool. When organizations must recreate the same groups across multiple platforms, mistakes happen.
Fewer platforms also mean fewer training requirements for security teams and less time spent dealing with renewals and vendor management. That time savings translates directly into better security outcomes because teams can focus on securing their environments instead of managing tools.
If a platform is built properly, it should include layers of redundancy to address concerns around a consolidated point of failure. In a properly deployed Zero Trust environment, if a tool or service becomes unavailable, actions are denied by default. For example, if a server facilitating Zero Trust Network Access (ZTNA) goes down, users may temporarily lose access to the network until the issue is resolved, but connections are blocked rather than left exposed. It may be inconvenient, but it’s not a breach.
Most importantly, when a platform is built properly around Zero Trust principles, the different security capabilities should continue operating independently even if another component is experiencing issues. A good example is Endpoint Detection and Response (EDR), which should still automate responses to suspicious endpoint behavior even without a network connection. ThreatLocker EDR is designed to continue enforcing response policies even when a device is offline.
Q3. What is ThreatLocker’s focus at Black Hat USA 2026? What topics and technologies does your company plan to highlight at the event?
A3. On the AI security front, I’ll be hosting a session titled “Defending Against Hidden Risks of AI Tools in the Workplace.” Our goal is to help companies deploy AI with confidence that their systems remain protected.
A key tool in that effort is Ringfencing™ application containment. While our Allowlisting solution determines which applications are permitted to run, Ringfencing gives security teams control over the behavior of approved applications and AI agents. When agentic AI has access to tools it doesn’t need, such as PowerShell, attackers can use a compromised agent to cause extensive damage.
Beyond AI security, ThreatLocker will be demonstrating our latest controls and services. Over the last year, we’ve released new ZTNA and Zero Trust Cloud Access solutions that add hardware and network restrictions for network and SaaS access. These products are especially important now that attackers regularly bypass MFA through token theft. These controls ensure that even if credentials are stolen, they are useless to attackers without the user’s approved device and authorized network path.
Another solution we’re particularly proud of is Defense Against Configurations (DAC), which we launched at Black Hat last year. This tool helps system administrators identify and correct common misconfigurations that lead to exposure. It also assists with compliance by mapping configuration requirements to standards such as HIPAA, FedRAMP, and NIST. We believe so strongly in the value of DAC that it comes standard, at no additional cost, with any other ThreatLocker solution.
