
In this interview with Francois Deruty, Chief Intelligence Officer, Sekoia.io, we discussed how advanced technology drives cyberattacks, the expanding attack surface, and the role of Cyber Threat Intelligence (CTI). Deruty spoke about his experiences and how his perspective has evolved with a vision to tackle rising cyber threats.
Deruty emphasized the importance of boosting detection and monitoring capabilities and encouraged closer collaboration within the CERT/CSIRT community. Attackers like to keep their options open by maintaining persistence and exploiting unpatched systems, which is itself a catastrophe.
There is hope, though: AI offers immense scaling for detection by improving how alerts are categorized and by speeding up the creation of detection rules.
Read further to learn more about meeting DORA’s requirement, collaborating to tackle geopolitical risks, reassessing attacker groups, and more.
Vishwa: You have a distinctive career trajectory, moving from microelectronics to a long tenure with the French Ministry of Defence and then spearheading critical operational roles at the national cybersecurity agency ANSSI. How have those diverse experiences from the defense landscape to leading CERT-FR operations shaped your mindset and vision in general and for cyber threat intelligence at Sekoia?
Francois: As you mentioned, I have worked in IT and emerging technologies since the start of my career in government bodies and agencies—cybersecurity being just one of the challenges I’ve tackled.
Having a broader background than a strictly cyber-centric one helps me view cyber operations as one tool among many. After all, states and non-state actors often use cyber capabilities within a complex geopolitical landscape, which demands an open-minded approach.
This helps achieve our ultimate goal as cyber defenders: helping organizations defend themselves more effectively against the cyberthreats they face—or will face—in the real world.
Vishwa: Considering the relentless pace of innovation in cybercrime, what is the single most pressing intelligence challenge facing a Chief Information Officer (CIO) today? How do you approach leading the intelligence function to proactively navigate this landscape?
Francois: In today’s digital world, cyberthreats aren’t static—they evolve and grow more sophisticated by the second. From a cyber threat intelligence (CTI) standpoint, that means we can’t rest on our laurels; we must reassess attacker groups and their tactics every single day.
That’s exactly what my team at Sekoia does—over 20 security researchers focus on both APTs and cybercrime gangs—to mirror the real threats our clients face, from large enterprises to SMEs.
Our ultimate goal is to empower Security Operations Centers (SOCs) to detect and respond to incidents more effectively, even when operating with limited skilled personnel and tight budgets.
Vishwa: The attack surface of organizations has widely expanded, especially with edge devices. What are your findings on this evolution in the cyber threat landscape from a strategic intelligence perspective? Could you detail architectural and intelligence program adjustments you would recommend for comprehensive defenses?
Francois: Recent investigations indicate that attackers are increasingly targeting edge devices—routers, gateways, surveillance cameras, IoT sensors, and more—to infiltrate and establish pre-positioned access within organizational networks.
Whether state-sponsored operatives or cybercriminal syndicates, they exploit anonymization networks and honeypots to gain a foothold and keep their options open. This trend is particularly alarming because so many devices remain unpatched and exposed, and because adversaries are now using AI tools to identify and weaponize vulnerabilities at machine speed.
Meeting this challenge means boosting detection and monitoring capabilities, fostering closer collaboration within the CERT/CSIRT community, and insisting on stronger accountability from every software and device vendor.
Europe’s proposed Cyber Resilience Act exemplifies how regulators can enforce these responsibilities—and its swift deployment of this approach is more crucial than ever.
Vishwa: With an emphasis on the role of operational Cyber Threat Intelligence (CTI) and AI in improving detection capabilities, how do you envision this integration transforming proactive threat identification and neutralization? What advantages do you foresee in terms of threat detection combining CTI and AI?
Francois: AI adoption in cybersecurity isn’t new—machine learning has long been used for threat detection. However, generative AI is a true game-changer. It lets defenders scale their detection capabilities by improving how alerts are categorized and processed, while also speeding up the creation of detection rules.
In practice, this means deriving new rules that capture the latest attack patterns used by cybercriminals. As a SOC platform developer at Sekoia.io, generative AI also helps us make cybersecurity more instructive and accessible for junior SOC analysts.
Vishwa: With a focus on cyber resilience and new regulations like EU's DORA mandating threat-led penetration tests, how is CTI expected to impact the resilience testing framework?
Francois: Threat intelligence is central to meeting DORA’s requirement for threat-led penetration tests by ensuring that resilience exercises reflect the real-world tactics, techniques, and procedures used by today’s adversaries rather than outdated checklists.
By continuously ingesting CTI feeds—encompassing threat actor profiles, IOCs, and emerging attack patterns—organizations can dynamically tailor red-team scenarios to the precise threats they face.
This alignment not only verifies that existing controls work under realistic conditions but also uncovers critical detection and response gaps, allowing teams to prioritize fixes according to actual risk. Solutions like Sekoia’s AI-SOC platform further accelerate this process by mapping CTI to MITRE ATT&CK, automating the derivation of test cases, and delivering contextualized insights that turn compliance into a proactive, evidence-based cyber resilience strategy.
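The workflow described in this answer (ingest CTI about the actors that target you, map their tradecraft to MITRE ATT&CK, and derive prioritized test cases that expose detection gaps) can be sketched in a few dozen lines. The following is an added example written for this article; it is not Sekoia's code and does not reflect how the Sekoia.io platform works internally. The CTI feed, the actor names and the detection-rule inventory are all constructed placeholders; only the ATT&CK technique IDs and names are real. Techniques are ranked by how many distinct actors were observed using them in the relevant sector, so that one prolific actor does not dominate the test plan, and any technique with no detection rule claiming coverage is flagged as a gap.

```python
"""Derive prioritized threat-led test cases from CTI mapped to MITRE ATT&CK.

Added example for illustration only (not Sekoia's code). All feed records,
actor names and rule names below are constructed placeholders.
"""
from collections import defaultdict

# Constructed CTI feed: each record is one reported intrusion, with the adversary
# label, the ATT&CK technique IDs observed, and the victim's sector.
# Actor labels are placeholders and imply no real-world attribution.
SAMPLE_CTI_FEED = [
    {"actor": "ACTOR-ALPHA", "sector": "finance",
     "techniques": ["T1190", "T1078", "T1021.001", "T1486"]},
    {"actor": "ACTOR-BRAVO", "sector": "finance",
     "techniques": ["T1566.001", "T1059.001", "T1078"]},
    {"actor": "ACTOR-CHARLIE", "sector": "energy",
     "techniques": ["T1133", "T1078", "T1059.001"]},
    {"actor": "ACTOR-ALPHA", "sector": "healthcare",
     "techniques": ["T1190", "T1486"]},
    {"actor": "ACTOR-DELTA", "sector": "finance",
     "techniques": ["T1566.001", "T1078", "T1021.001"]},
]

# Real ATT&CK technique IDs and names, restricted to those the sample feed uses.
ATTACK_NAMES = {
    "T1190": "Exploit Public-Facing Application",
    "T1078": "Valid Accounts",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1133": "External Remote Services",
    "T1486": "Data Encrypted for Impact",
}

# Constructed inventory of the organisation's existing detection rules, each
# tagged with the ATT&CK technique(s) it is meant to catch.
SAMPLE_DETECTION_RULES = {
    "rule-phish-attachment": ["T1566.001"],
    "rule-powershell-encoded": ["T1059.001"],
    "rule-rdp-lateral": ["T1021.001"],
}


def technique_prevalence(feed, sector=None):
    """Map each technique to the sorted list of distinct actors observed using it.

    Restricting to a sector tailors the view to the threats this organisation
    actually faces; counting actors rather than raw reports avoids one actor's
    volume skewing the ranking."""
    actors_by_technique = defaultdict(set)
    for record in feed:
        if sector is not None and record["sector"] != sector:
            continue
        for tid in record["techniques"]:
            actors_by_technique[tid].add(record["actor"])
    return {tid: sorted(actors) for tid, actors in actors_by_technique.items()}


def covered_techniques(rules):
    """Set of technique IDs that at least one detection rule claims to cover."""
    return {tid for tids in rules.values() for tid in tids}


def derive_test_cases(feed, rules, sector=None):
    """Return test cases ordered by priority (most actors first, then by ID).

    Each case records whether an existing rule claims coverage, so the exercise
    can verify claimed coverage and concentrate effort on uncovered techniques."""
    prevalence = technique_prevalence(feed, sector)
    covered = covered_techniques(rules)
    cases = [
        {
            "technique": tid,
            "name": ATTACK_NAMES.get(tid, "unknown technique"),
            "actors": actors,
            "actor_count": len(actors),
            "covered": tid in covered,
        }
        for tid, actors in prevalence.items()
    ]
    cases.sort(key=lambda c: (-c["actor_count"], c["technique"]))
    return cases


def coverage_gaps(cases):
    """Technique IDs in priority order that no detection rule claims to cover."""
    return [c["technique"] for c in cases if not c["covered"]]


if __name__ == "__main__":
    plan = derive_test_cases(SAMPLE_CTI_FEED, SAMPLE_DETECTION_RULES, sector="finance")
    for case in plan:
        status = "covered" if case["covered"] else "GAP"
        print(f"{case['technique']:<10} {case['actor_count']} actor(s)  {status:<8} {case['name']}")
    print("Detection gaps to prioritise:", coverage_gaps(plan))
```

Run stand-alone, the script prints the finance-sector plan: Valid Accounts (T1078) ranks first because three of the four constructed actors use it, and it is also the top detection gap, which is exactly the kind of evidence-based prioritisation the answer above describes. A real deployment would replace the inline feed with STIX objects or a platform API and the rule inventory with the SOC's actual rule metadata, but the ranking and gap logic stays the same.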
Vishwa: How do you ensure that threat intelligence strengthens these mandatory assessments, enabling a move beyond compliance to verifiable and quantifiable security enhancements?
Francois: As mentioned, I’m convinced that cyber threat intelligence is a game-changer for meeting these testing requirements, as it enables organizations to conduct resilience tests grounded in real-world threats. After all, solving a problem means truly understanding it—and anticipating how adversaries will target you.
Vishwa: Advanced persistent threat (APT) groups leverage generative AI for realistic social engineering campaigns, including deepfake video calls of executives, and phishing lures. How do these heightened adversarial capabilities influence intelligence efforts?
Francois: Generative AI–powered deepfakes and hyper-realistic phishing lures force CTI teams to move beyond static indicators toward dynamic behavior modeling, continuously updating TTPs and detection playbooks. Yet technology alone won’t close the gap: digital hygiene must be front and center, with every individual adhering to proven best practices.
Cybersecurity professionals carry a special responsibility to educate executive leadership, schools, and the broader public—each of us must play our part in raising awareness of these sophisticated social-engineering tactics. By marrying real-time intelligence with a culture of shared responsibility and ongoing training, we can blunt the impact of AI-driven APT campaigns.
Vishwa: What new intelligence requirements emerge to identify and counter AI-enhanced cybercrime? How are defenses maintained against evolving human-centric attacks like social engineering?
Francois: AI-enhanced cybercrime demands intelligence that can dissect and attribute synthetic content, trace evolving deepfake pipelines, and unmask the real actors behind automated social-engineering campaigns. This level of insight requires unprecedented public-private collaboration, with security teams and law enforcement working together to monitor, take down, and disrupt underground platforms at their source.
By dedicating time and expertise to joint task forces—such as those Sekoia supports alongside Europol—we can propose proactive strategies before these threats regenerate like a hydra. Continuous information sharing keeps us one step ahead of adversaries who blend AI with psychological manipulation.
At the same time, human-centric defenses hinge on rigorous digital hygiene, tailored training, and realistic exercises that immunize users against increasingly convincing AI-driven lures.
Vishwa: Considering a scenario where a geopolitical event triggers a surge in state-sponsored cyber espionage, beyond technical indicators, what strategic intelligence would a team focus on to understand the adversary's intent, potential escalations, and the broader geopolitical context?
Francois: In a geopolitically driven espionage surge, our multidisciplinary CTI team at Sekoia TDR moves beyond mere technical indicators to build strategic intelligence by dissecting the regional and national context—political aims, power balances, economic pressures, and potential collateral impacts.
We analyze open-source diplomatic communiqués, sanctions, and military postures to infer adversary intent and likely escalation paths, then distill those insights into our own CTI reports that inform state response doctrines.
Simultaneously, we maintain an ongoing dialogue with public authorities—participating in joint working groups—to synchronize priorities and ensure our intelligence underpins both cyber resilience planning and broader government policy.
Vishwa: Could you outline a proactive defense strategy as opposed to a reactive one in such a crisis? How is the effectiveness of CTI measured in informing leadership about an unfolding crisis?
Francois: A proactive defense starts with forward-looking CTI investigations tailored to each crisis scenario—mapping the event’s scope, the directly and indirectly involved actors, and critical timing. Over recent months, Sekoia TDR demonstrated this approach by publishing strategic, horizon-scanning intelligence ahead of the Paris 2024 Olympics and key national elections around the world.
Such an approach allows defenders to synchronize early with stakeholders and implement the right protection architectures. Of course, these assessments may occasionally prove wrong (believe me, I’m super happy that the Paris 2024 Games were not sabotaged by cyber-attacks!); such feedback enables us to refine priorities and fuels targeted awareness campaigns for executives and operational teams.
In the end, CTI’s effectiveness is to be gauged by its measurable impact on leadership: faster decision-making, earlier deployment of countermeasures, and seamless incorporation of threat insights into executive briefings and crisis exercises.
In this way, CTI evolves from a reactive shield into a strategic compass that guides organizations through complex, unfolding threats with agility and confidence.