We Made Everything Faster. We Never Defined Better.

Lens Four: Where business, innovation, and messaging come into focus.

By Sean Martin, CISSP  ·  Edition 08  ·  June 30, 2026

The whole floor at Infosecurity Europe agreed on the vocabulary: outcomes, resilience, sovereignty, human-in-the-loop. Almost none of it could tell me what success actually looks like. And the clock is now running in seconds.

I look at the intersection of business, technology, and messaging through three lenses: how organizations run their programs, where the market and its innovations are heading, and how the language we use shapes what gets funded and what gets believed. Then there is the fourth lens, the connective one, where I try to name what the first three keep pointing at.

I spent three days at Infosecurity Europe in London with Studio C60 co-founder Marco Ciappelli, recording conversations with journalists, analysts, former government cyber leaders, policy directors, and the vendors working the floor.1 The first thing you notice is what is missing. After RSAC, where you cannot escape AI, London felt quieter. More tempered. As Forrester’s Madelein van der Hout put it when we caught up, the messaging here is more pragmatic, less flashy, “a bit less to the far extent.”2 AI is in the room, but it is a piece of the conversation rather than the whole maniacal pitch.

That restraint is the good news. It is also the cover story. Underneath the calmer signage, an industry is quietly arguing with itself about what it even is anymore, and doing it while the clock that governs the whole business accelerates past the point where humans can keep up. Three days of conversations kept landing on one uncomfortable question: when everything moves at machine speed and every booth promises an outcome, what are we actually measuring?

The Numbers On The Floor

22 sec: from an attacker’s initial access to the next stage in agentic scenarios, collapsed from eight hours.

Under 1 hr: for some full ransomware attacks, about four hours on average, most often on a Wednesday night.

Under 1%: of 62 million risk findings in one environment were actually executable once tested against the business.

38 → 1,400: underground listings for AI attack tools, in two months. The criminal economy has already productized.

Lens One  ·  Business Operations & Programs

What does a security program measure when the clock runs in seconds?

The honest answer is that most programs do not yet know, and the timeline no longer waits for them to figure it out.

At the OWASP GenAI Security summit, John Sotiropoulos shared a number that should reorganize how every SOC thinks about response: the time from an attacker’s initial access to the next stage has, in agentic scenarios, collapsed from eight hours to twenty-two seconds.3 Cynthia Kaiser, who ran cyber threat intelligence work as a Deputy Assistant Director at the FBI and now tracks ransomware at Halcyon, put the same physics in operational terms. The average ransomware attack she tracks runs about four hours from initial access to encryption, with some completing in under an hour, and the most common time to strike is a Wednesday night.4 Put your phone down at dinner, pick it back up, and the whole event is over. As she said plainly, humans cannot move at that speed.

So the program has to. And here is where the measurement problem starts, because moving at machine speed forces a question most teams have been allowed to defer: what does “working” mean? Matt Middleton-Leal at Qualys was blunt about it. Measuring risk was never the point.5 His team showed me a client environment with 62 million risk findings that collapsed to roughly two million theoretical risks, then to about a million once business context was applied, then to under one percent once they tested which findings could actually be executed. The dashboard was never the deliverable. Remediation was. “If we’ve got to rely on service desk tickets before we make a change,” he said, “we’ve already failed.”

Corelight’s Matt Ellison framed the same tension from the network side. A detection is only the opening question. What matters is whether you can prove what it actually is.6 He is blunt that a black box tells you little: something goes in, something comes out. Corelight keeps the data behind every conclusion in the open, so an analyst can follow the flow and verify it rather than trust it. In one proof of value his team surfaced a smoking gun in thirty minutes, sensitive traffic crossing the network unencrypted that the customer had never seen. And on the compliance tools bought to satisfy NIS2 and DORA, he is unsparing: a box you switch on and never look at, then wave at the auditor, is a cost that returns nothing.

Meanwhile the board has started asking the only question that matters and the one hardest to answer. Ian Schenkel at Intel 471 described the rhetoric shift he is hearing from CISOs: boards have moved from “my IT team has this handled” to “show me proof we’re okay.”7 Madelein framed the engine behind it precisely. AI is moving from experimentation to deployment inside organizations, and that creates boardroom liability. Liability is driving the caution I felt on the floor. James Morris, a former UK Member of Parliament now running a cyber and resilience policy center, made the structural version of the point: resilience has stopped meaning power plants and rail lines and started meaning the entire economy.8 The Marks & Spencer and Jaguar Land Rover breaches paralyzed real businesses, and as he noted, they would not even have been captured by the legislation currently moving through Parliament. The definition is changing faster than the rules that depend on it.

The dashboard was never the deliverable. Remediation was. The clock just took away the option of measuring the value later.

Lens Two  ·  Innovation & Market Shifts

If the work moves in-house and the floor can’t prove its claims, what is left to sell?

Less than the floor thinks, and the next twelve to eighteen months will sort out which companies were selling a capability versus a category that AI is about to absorb.

I’ve said this to Marco a few times now, and I’ll put it in writing: I don’t think this environment looks the same in twelve to eighteen months. Not because AI kills startups, though some will run out of runway and a few will get acquired for doing something genuinely unique. It’s that as AI gets adopted inside the security organization, some of what fills today’s expo hall stops being necessary. New roles appear. The orchestration roles, the people Madelein and I kept returning to when we talked about where the security architect even sits now. Those roles need new tools, and someone has to manage them with new systems. It won’t just be networks, endpoints, and a SOC. Teams will also, I suspect, trust their own AI over a vendor’s. They’ll want their own model, fed by their own knowledge base. “My function,” not someone else’s black box.

The market is broadening at the same time it’s thinning. Salesforce had a presence at a security conference; non-security players are moving in because the buyer is now the business, not just the SOC. And then there is the cost of waiting, made concrete. Rik Ferguson reframed post-quantum cryptography as something most procurement conversations leave out entirely: whatever you install today will still be running when the math that protects it breaks.10 Harvest-now, decrypt-later is not theoretical. The infrastructure and the intent already exist. His point wasn’t fear. It was a purchasing decision you are making today whether you realize it or not. Same Y2K logic I worked through decades ago: not “will it survive,” but “what should we replace anyway, and who holds the checkbook.”

Underneath all of it sits the consolidation question. ManageEngine’s VimalRaj Sampathkumar argued the problem isn’t a lack of tools. It’s that 40-plus tools sit in silos refusing to work together, so they sell solutions rather than products.11 Apricorn’s new CEO told me he was hired specifically to connect a niche storage product to the macro security picture.12 When positioning a product as relevant becomes the executive’s primary job, that tells you the market is already sorting survivors from the soon-to-be-absorbed.

The Most Honest Mirror On The Floor

The clearest picture of where defense has to get to came from the people it is defending against. The attackers have already built the operationally mature, productized version of what the floor was still pitching.

Productized Crime  ·  Halcyon

Cynthia Kaiser’s team watched the underground market for AI attack tools go from 38 listings to over 1,400 in two months. Tiered free-and-paid access, redundancy across platforms, an AI-run call center for sale that handles 120 simultaneous calls with simulated keystrokes. As she said, it sounds like what software-as-a-service companies do.

The Defense, Racing To Match It

Sumo Logic’s Bill Peterson showed the defender’s version of the same move.9 His SOC analyst agent and MCP server are not built to remove the analyst; they take the work that has already been proven. Fix one server, prove the solution, then let an agent apply that proven fix to the other 599 identical machines under human oversight, collapsing three weeks of manual effort into a weekend. He frames the payoff the way a board hears it: for a 40-billion-dollar company, cutting mean time to resolve by 20 percent is real money. Proof first, then repeat it at scale. Qualys described a client preparing to roll out 90,000 MCP agents that nobody fully understands yet. The tooling is arriving faster than the understanding of it.

The attackers productized first. The defense is buying capability it cannot yet fully account for. Both sides moved at machine speed. Only one of them agreed on what success looks like.

Lens Three  ·  Language, Messaging & Market Narrative

When the whole floor agrees on the vocabulary, what is the language hiding?

That nobody has agreed on what the words mean, and a word everyone shares is a word that has stopped helping anyone choose.

Listen across the floor and you hear remarkable agreement. Everyone enables. Nobody is the “department of no” anymore. Qualys disowned the phrase, and at the OWASP summit a Deloitte panelist said the quiet part out loud: stop being the Ministry of No, because people will bypass you and do it anyway. Everyone keeps the human in the loop. Intel 471 selling human-led intelligence against AI-only upstarts, Marco noting that nobody believes the pitch where you take the human out. Everyone sells resilience. At RSAC, Madelein and I agreed, the drumbeat was resilience. In London, the word I heard over and over was sovereignty, sharpened by the EU sovereign cloud announcements landing that very week and the Cyber Resilience Act sitting underneath them. Sumo Logic’s booth had the concrete version: joining the AWS European Sovereign Cloud, so a regulated customer can keep incident response running while proving to regulators that the data, and the people watching it, sit in region.

Dan Raywood, who has covered this industry for eighteen years, gave the optimistic read: marketing has moved away from “buy this or everything falls apart” toward “here’s where the failings were.”13 Buyers are discerning; they know when they’re being oversold. That’s real progress. But Dan also asked the question the whole pragmatic, grown-up floor still can’t answer. How does anyone actually know what to buy? Is it the reseller, the analyst’s upper-right quadrant, or something else entirely?

That’s the tell. When every booth converges on the same three or four words, the words stop doing the one job language is supposed to do at a trade show: help a buyer tell two things apart. And the gap between the vocabulary and the outcome is exactly where Sarah Armstrong-Smith, after nearly thirty years in the field, refused to be polite. We have more tools, more people, more AI than ever, she said, and it is still getting worse. How many wake-up calls do you need?14 The narrative says we’re maturing. The data says we’re losing ground. Both cannot be the measure of success.

When Every Booth Says The Same Words

01  ·  “Outcomes”

Everyone repositioned around the outcome. Almost no one paired the word with a definition of success a buyer could verify, or a way to confirm the result holds outside a booth demo. The word advanced; the proof did not.

02  ·  “Human In The Loop”

Everyone keeps one. As a reassurance it is universal, which means it no longer separates anyone. It tells a buyer what a vendor will not do, not what the product reliably produces when the human is busy and the clock is running in seconds.

03  ·  “Resilience” And “Sovereignty”

The drumbeat at RSAC, the chorus in London, sharpened by EU sovereign cloud news and the Cyber Resilience Act. Real pressures, genuine words. But when the entire hall adopts them in the same week, they describe the market’s mood, not a way to choose between two vendors.

The Fourth Lens

What were we actually measuring?

Here is the connective view, and it is not comfortable for the side I have worked on for thirty years: the messaging and go-to-market side of this industry. The vocabulary on that floor moved faster than the products underneath it. The industry learned to say outcomes, resilience, sovereignty, and human-in-the-loop. All the right words, in the more honest European register. But very few of the booths I walked could connect any of those words to a definition of success a buyer could verify. Madelein said it and I agreed in the moment: a large share of what’s down in the expo hall doesn’t address what the analysts and CISOs are actually wrestling with upstairs. The go-to-market caught up to the language. The capability did not. That is a marketing achievement masquerading as a market.

And proving it is the harder half of the job. Naming the outcome a customer gets, the value, the result, the line on the slide, is the easy part. Proving you can produce that outcome again, in a different environment, with a different team, different assumptions, a different budget, a different threat model, different everything, is the part the vocabulary quietly skips. Much of the floor was selling the story and calling it the proof.

A result that lands once, in a controlled booth demo or a friendly reference account, is a story. Proof is the same result holding up again for the next buyer who shares nothing with the first except the problem.

Machine speed is what turns that gap from an annoyance into a reckoning. When the clock ran in days, “we’ll measure the value later” was a survivable answer. When the time from initial access to the next stage is twenty-two seconds, and ransomware finishes in under an hour, there is no later. A market that never agreed on what “working” means is now being asked to prove it in real time, in front of a board that has discovered it is personally liable. The identity crisis isn’t that the industry doesn’t know what to call itself. It’s that it repositioned around outcomes without ever defining the outcome, and the bill for that is what I think comes due over the next twelve to eighteen months, not because AI arrives, but because AI removes the last place to hide the question.

So the questions I’d put to my own side of the table. If you can’t say in one sentence what success looks like for your customer, what exactly is your dashboard counting? If you can say it, can you prove it twice, in two environments that share nothing but the problem? When AI absorbs the function your product performs, what is the line item that survives the budget review? And when the buyer finally asks the only question that was ever real, “are we okay?”, does your roadmap answer it, or does it just say it faster?

We made everything faster. We got very good at saying so. We still haven’t said what better means. Until we do, speed is just a more efficient way of not knowing.

The Conversations Behind This Edition

Every number and quote above comes from an On Location conversation recorded at Infosecurity Europe 2026.

Have a different read on what the floor was actually selling? I’d like to hear it. Sean Martin, CISSP is the host of the Redefining CyberSecurity Podcast and the Music Evolves Podcast, and co-founder of ITSPmagazine and Studio C60. He writes Lens Four, a weekly analysis of business, innovation, and messaging through a cyber-informed lens. Connect at seanmartin.com.

References

All conversations below were recorded On Location at Infosecurity Europe 2026 by Sean Martin and Marco Ciappelli for ITSPmagazine. Individual episode permalinks are slotted at publish; until then each resolves to the verified coverage hub.

1. Infosecurity Europe 2026, On Location Event Coverage, ITSPmagazine. Coverage hub

2. Madelein van der Hout, Forrester. On Location conversation.

3. John Sotiropoulos and Rock Lambros, OWASP GenAI Security Project. Agentic Security summit, On Location.

4. Cynthia Kaiser, Halcyon (formerly FBI Cyber Division). On Location conversation.

5. Matt Middleton-Leal, Qualys. Brand Spotlight, On Location.

6. Matt Ellison, Corelight. Brand Spotlight, On Location.

7. Ian Schenkel, Intel 471. Brand Spotlight, On Location.

8. James Morris, CSBR (former UK Member of Parliament). On Location conversation.

9. Bill Peterson, Sumo Logic. Brand Spotlight, On Location.

10. Rik Ferguson. On Location conversation (post-quantum cryptography keynote).

11. VimalRaj Sampathkumar, ManageEngine. Brand Highlight, On Location.

12. Jeanclaude Toma, Apricorn. Brand Highlight, On Location.

13. Dan Raywood. On Location conversation.

14. Sarah Armstrong-Smith, Secure Horizons. On Location conversation.


Frequently Asked Questions

What was the central theme at Infosecurity Europe 2026?

Compared with RSAC, the messaging was more tempered and pragmatic, in the European register. But underneath the restraint, the market had converged on a shared vocabulary of outcomes, resilience, and sovereignty, while attacks accelerated to machine speed and AI began moving from experimentation into deployment inside organizations.

Why does “machine speed” change how security programs should be measured?

When the time from initial access to the next stage can collapse to roughly twenty-two seconds and ransomware can finish in under an hour, there is no window to assess a tool’s value after the fact. Programs are forced to define what “working” means in advance, the exact definition the market has avoided pinning down.

What is the “go-to-market checks the product can’t cash” argument?

Vendors repositioned around outcomes, resilience, and sovereignty faster than their products could prove those claims with a verifiable, repeatable definition of success. The vocabulary advanced; the capability lagged. That gap becomes a reckoning as AI absorbs functions in-house over the next twelve to eighteen months.

What does it mean to “prove” an outcome here?

Naming the value a customer gets is the easy part. Proof is producing that same outcome again across different environments, teams, assumptions, and budgets, not landing it once in a controlled demo or a friendly reference account. A result that holds only once is a story, not proof.

What is Lens Four?

Lens Four is Sean Martin’s weekly analysis examining business, innovation, and messaging through three lenses, operations and programs, innovation and market, and language and narrative, plus a connective fourth lens that surfaces the implications others miss. Read it at seanmartin.com/lens-four.
