"Time for Resilience is Over" is my provocative summary of MCSC 2026 (Feb 12–13), which finished just a few hours ago.
Resilience isn’t enough. Adversaries need a message.
Signaling requires more than press releases. It requires demonstrated capability: faster containment, hardening that removes cheap wins, real consequences (legal, financial, infrastructure-level disruption), and shared operational playbooks between government and industry.
Resilience is what you do after impact. “Sending a message” is about changing the attacker’s expected ROI before impact.
De-risking is the new “security by design.”
The most practical security conversations this year were about dependency risk. When your build pipeline, identity plane, endpoint estate, and critical SaaS stack all depend on a few providers and opaque supply chains, your availability and integrity become a downstream derivative.
The “de-risking” theme landed well because dependencies don’t stay neutral; they become vulnerabilities under pressure.
Concrete “de-risking” includes:
- Monoculture reduction: avoid single points of failure (IdP, EDR, CI/CD runners, DNS, cloud control plane).
- Provenance + integrity: signed artifacts, protected pipelines, hardened runners, verified dependencies.
- Blast-radius design: strict segmentation, least privilege, constrained tool access, strong egress controls.
- Exit realism: test migrations, not “we could switch vendors” fantasies.
- Contractual realism: watch for “legal ransom” - licensing negotiations that become coercive under incident pressure.
Ukraine: sustained pressure, no “incident lifecycle.”
Cyberattacks in Ukraine are continuous, not attack → recover → normal. Ongoing combined pressure: psychological, cyber, physical.
Design your program for degraded operation, decision under uncertainty, and continued operation despite fatigue.
That’s “preemptive cybersecurity” in practice: not “more controls,” but an operating model built for persistence.
AI industrializes offense, forcing defense to industrialize response.
Two data points connect:
- ENISA notes that by early 2025, AI-supported phishing represented 80%+ of observed social engineering activity (ENISA Threat Landscape).
- Bruce Schneier documents how fast models improve at finding and exploiting vulnerabilities, including in highly scrutinized codebases, without specialized scaffolding (Schneier Blog 02/2026).
The strategic shift:
- Attacks become higher throughput, “good enough,” and persistent.
- Defense must optimize for containment velocity instead of detection quality.
SOCs may overflow with true positives in H2/2026, not because alerts are noisy, but because the attacker’s parallelism scales faster than human response.
Key KPI changes:
- Time-to-contain
- Time-to-revoke
- Time-to-rotate secrets
- Time-to-isolate a segment
- Time-to-disable an automation path
Agentic AI: the attack surface isn’t the model, but the agent.
It cuts two ways:
1. AI improves classic attacker workflows (phishing, recon, exploit iteration).
2. Attackers exploit AI endpoints and agent integrations (over-privilege, weak isolation, insecure tool bridges, prompt-injection into action channels).
The “agentic commerce” question is critical:
- How do you know one agent isn’t malicious and re-establish chain-of-trust after compromise?
- We lack mature patterns, but early warning signs exist. Agent platforms and marketplaces are already abused for malware distribution.
- Embedding governance rules inside bots doesn’t work; an independent layer is needed.
- Agent-security vendors are building observability and enforcement at the agent layer, across build-time and runtime.
Key to-dos:
- Build an agent security baseline by inventorying agents and automations as principals, putting guardrails on the tool layer (secrets, shell, email, finance, ticketing), and adding an independent governance layer (visibility, policy, runtime enforcement).
- Treat the supply chain as production infrastructure by reducing monocultures, hardening CI/CD integrity, testing exits, and removing “legal ransom” pressure before incident negotiations.
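One way to sketch the agent security baseline from the to-dos above, as an added example that is not code from the conference or any vendor: agents are inventoried as principals, and every tool call passes an independent, default-deny gate that keeps an audit trail and offers a kill switch. The agent names, tools and resource patterns are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class AgentPrincipal:
    """One inventoried agent or automation, treated like any other identity."""
    agent_id: str
    owner: str
    grants: dict = field(default_factory=dict)  # tool -> allowed resource globs
    revoked: bool = False

class ToolGate:
    """Sits between agents and tools; agents cannot edit this policy."""
    def __init__(self, inventory):
        self.inventory = {a.agent_id: a for a in inventory}
        self.audit = []  # visibility: every decision is recorded, allow or deny
    def authorize(self, agent_id, tool, resource):
        agent = self.inventory.get(agent_id)
        if agent is None:
            ok, why = False, "agent not in inventory"
        elif agent.revoked:
            ok, why = False, "agent revoked"
        elif tool not in agent.grants:
            ok, why = False, "tool not granted"  # default deny
        elif not any(fnmatchcase(resource, g) for g in agent.grants[tool]):
            ok, why = False, "resource outside grant"
        else:
            ok, why = True, "granted"
        self.audit.append((agent_id, tool, resource, ok, why))
        return ok

    def revoke(self, agent_id):  # kill switch for one automation path
        self.inventory[agent_id].revoked = True

def build_inventory():
    # Constructed sample data: agent names, tools and resources are illustrative.
    return [
        AgentPrincipal("triage-bot", "soc", {"ticketing": ["SOC-*"]}),
        AgentPrincipal("invoice-bot", "finance", {"finance": ["invoice/read/*"]}),
    ]

def demo():
    gate = ToolGate(build_inventory())
    calls = [("triage-bot", "ticketing", "SOC-1042"), ("triage-bot", "shell", "id"),
             ("invoice-bot", "finance", "invoice/pay/2026-001"),
             ("shadow-bot", "secrets", "prod/db")]
    verdicts = [gate.authorize(*c) for c in calls]
    gate.revoke("triage-bot")
    verdicts.append(gate.authorize("triage-bot", "ticketing", "SOC-1042"))
    return verdicts, gate.audit
```

The time between deciding to call `revoke` and the first denied call in `audit` is a direct measurement of the "time-to-disable an automation path" KPI listed earlier.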